How Appgate routes the requests to subdomains through Appgate gateway

Kei Sugiyasu
2 min read · Apr 1, 2022

Introduction: How Appgate routes traffic through the Appgate gateway.

Administrators set the “entitlements” for each client in the Appgate management console. The clients download them and route only those requests whose destinations are included in the entitlements through the Appgate gateway.

For example, if you are entitled to access the IP range 10.100.0.0/16 through the Appgate gateway (local virtual NIC: 172.30.33.33), your entitlement and routing table look like the following.

Entitlement:

allow tcp_up to 10.100.0.0/16 - ports 1–65535

Network interface:

ipconfig /all

Unknown adapter Appgate SDP:
Description . . . . . . . . . . . : Appgate Tunnel
IPv4 Address. . . . . . . . . . . : 172.30.33.33(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255

Routing table:

$ route print

IPv4 Route Table
==================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
10.100.0.0 255.255.0.0 On-link 172.30.33.33 70

I think this part can be understood in a straightforward way.

If you do not know how Appgate works at all, I recommend the following video: https://www.youtube.com/watch?v=HXSMtgDBj-4

But what about subdomains?

If we want to access subdomains such as *.console.aws.amazon.com, it is better to specify the parent domain, because there are many subdomains and setting them one by one is tedious.

At that point, I was wondering how Appgate handles the above situation, because it has some problematic points:

  • The results of DNS resolution are not fixed — some services answer different IP addresses depending on the client location, load-balance strategy, etc.
  • We can’t know the list of the subdomains of the parent domain. So, Appgate dynamically adds the subdomains to the internal entitlements when the client requests a subdomain that is not entitled yet.

So I thought that Appgate might route my DNS queries to the Appgate gateway. Otherwise, Appgate cannot know the new subdomain I want to connect to, and the results of the DNS queries might differ between my laptop and the Appgate gateway.

How does Appgate work in such a case?

Finally, I resolved the mystery

Appgate configures which DNS server is used for the specific domain, via a Windows Name Resolution Policy Table (NRPT) rule:

$ Get-DnsClientNrptRule

Name : AppgateDNS (.console.aws.amazon.com)
Version : 2
Namespace : {.console.aws.amazon.com}
NameServers : XXX.XXX.XXX.XXX

So when I request a subdomain of .console.aws.amazon.com, my DNS query is sent to the name server specified by Appgate. That way my laptop and the Appgate gateway share the same resolved IP addresses, and Appgate also detects that I am requesting the subdomain.
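To make the two mechanisms on this page concrete, here is an added Python model of what the client does; it is example code written for this post, not Appgate's code and not from the original article. An NRPT-style suffix rule picks the resolver for a query, and the resolved address is then matched against the entitled prefixes to choose the outgoing interface; when the Appgate resolver answered, the answer is added as a host route, which is how the dynamically learned subdomain ends up routed through the gateway. The resolver addresses (192.0.2.53 stands in for the page's XXX.XXX.XXX.XXX), the second `.aws.amazon.com` rule, the LAN adapter address and the DNS answers are constructed sample values; how NRPT treats the bare parent name is an assumption of this model.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample NRPT rules, modelled on the page's Get-DnsClientNrptRule output.
# A leading '.' means "names under this suffix". The second rule is added only to
# show the longest-suffix-wins behaviour.
NRPT_RULES: Dict[str, str] = {
    ".console.aws.amazon.com": "192.0.2.53",   # placeholder for XXX.XXX.XXX.XXX
    ".aws.amazon.com": "192.0.2.54",           # constructed, less specific rule
}
DEFAULT_RESOLVER = "198.51.100.1"   # constructed: the laptop's normal DNS server

# Entitled prefix from the page, plus the adapters from ipconfig / route print.
ENTITLEMENTS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("10.100.0.0/16")]
TUNNEL_IF = "172.30.33.33"          # Appgate Tunnel adapter (on-link routes)
DEFAULT_IF = "192.168.1.10"         # constructed: ordinary LAN adapter

# Constructed DNS answers, keyed by the resolver that would give them.
ANSWERS: Dict[str, Dict[str, str]] = {
    "192.0.2.53": {"us-east-1.console.aws.amazon.com": "203.0.113.10"},
    "192.0.2.54": {"ec2.aws.amazon.com": "203.0.113.20"},
    "198.51.100.1": {"www.example.com": "203.0.113.80"},
}


def select_resolver(qname: str, rules: Dict[str, str] = NRPT_RULES,
                    default: str = DEFAULT_RESOLVER) -> str:
    """Return the name server a query for qname is sent to.

    Suffix rules apply to names ending in the suffix; when several rules match,
    the longest (most specific) suffix wins. In this model the bare parent name
    (e.g. console.aws.amazon.com itself) does not match a '.console...' rule and
    falls through to the default resolver (assumption, see lead-in).
    """
    name = qname.rstrip(".").lower()
    best: Optional[tuple] = None
    for namespace, server in rules.items():
        suffix = namespace.lower()
        if suffix.startswith(".") and name.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, server)
    return best[1] if best else default


def select_interface(dest_ip: str,
                     routes: List[ipaddress.IPv4Network] = ENTITLEMENTS) -> str:
    """Return the adapter a packet to dest_ip leaves through.

    Any destination inside an entitled (on-link) prefix goes out the tunnel
    adapter, exactly as the 10.100.0.0/16 route in the page's routing table does.
    """
    ip = ipaddress.ip_address(dest_ip)
    return TUNNEL_IF if any(ip in net for net in routes) else DEFAULT_IF


def plan_connection(hostname: str, answers: Dict[str, Dict[str, str]],
                    routes: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Simulate the client: choose the resolver, take that resolver's answer,
    learn a host route when Appgate's resolver answered, then pick the adapter."""
    resolver = select_resolver(hostname)
    ip = answers[resolver][hostname]
    if resolver != DEFAULT_RESOLVER:
        # Appgate saw the query for this subdomain and knows the answer it gave,
        # so the resolved address is added to the entitlements (modelled as /32).
        routes.append(ipaddress.ip_network(f"{ip}/32"))
    return {"resolver": resolver, "ip": ip, "interface": select_interface(ip, routes)}


if __name__ == "__main__":
    live_routes = list(ENTITLEMENTS)
    for host in ("us-east-1.console.aws.amazon.com", "ec2.aws.amazon.com",
                 "www.example.com"):
        print(host, "->", plan_connection(host, ANSWERS, live_routes))
```

Running the script shows the console subdomain resolved by 192.0.2.53 and sent through 172.30.33.33, while www.example.com stays on the default resolver and the LAN adapter. Checking the same thing on the real client means comparing the Namespace of the NRPT rule with the destinations that later appear as on-link routes for the tunnel adapter.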

My assumption was right! Phew!
