<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 05/04/2015 12:32 PM, Tomas Babej wrote: </div> <blockquote cite="mid:55474ABC.8010506@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 04/27/2015 06:06 PM, David Dimovski wrote: </div> <blockquote cite="mid:OF9F55F909.AC1AC4FA-ONC1257E34.00574BA3-C1257E34.00587210@biotronik.com" type="cite">Hi Folks, does somebody have a best practice, how to access the IPA Web-UI with different domain names? Example: Our IPA 4.1 have two different IPs (extern and intern) with two domain names. The web gui is only accessible from the domain name, which IPA was registered with (intern domain name). When trying to access with the extern domain name, IPA is rewriting to the intern domain name. After disabling the rewriting, the web ui is accessible from the two domain names, but the login is not possible from the extern domain name (only intern domain name), getting the following error: Logout session expired. Does sombody has a idea or a clue? Many thanks in advance! Best regards David <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> Hi, one possible solution would be to setup a reverse proxy with the external domain name, which would be passing the requests from the external world to the internal IPA sever. However, the proxy would need to circumvent our XSS protection and rewrite the HTTP_REFERRER header to the internal hostname. I haven't tested it, so maybe additional issues would come up. Tomas <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> For the record, Alexander pointed out that this would not work well, as connections passed by the proxy to the internal IPA instance would be encrypted using the external's server HTTP service ticket. A proper solution here would be to create an IPA replica with the external hostname. Tomas </body> </html>