ISP redundancy and reverse proxy

Greetings, community!
We have two EDGE TMG servers and two INTERNAL TMG servers.
We have two providers with two dedicated external IP addresses each.
I configured ISP Redundancy on each EDGE TMG server with these parameters:
Each EDGE TMG server has two External NIC and one Internal NIC. 
EDGE 1: Provider1_IP1 and Provider2_IP1
EDGE 2: Provider1_IP2 and Provider2_IP2
ISP Connections:
Provider1 and Provider2
So, the trouble:
We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
Also we made 4 external DNS records for each Web-Service.
For example:
mail.domain.com Provider1_IP1
mail.domain.com Provider1_IP2
mail.domain.com Provider2_IP1
mail.domain.com Provider2_IP2
If we try to connect from external to any published Web-Service, we get a big delay (~30 sec), and then it connects.
After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. The IP addresses of EDGE 1 are unavailable for external access, but it still works as a Web-Proxy for internal connections. Reverse-Proxy works only for the EDGE 2 IP addresses.
If we shut down the EDGE 2 TMG server, then Reverse-Proxy for the EDGE 1 IP addresses works correctly.
Why do all 4 of my external IP addresses not work for reverse proxy? Only the 2 from one of my EDGE servers work.

So, I still try to solve my problem...
When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
LOGS on DMZ server (EDGE1):
Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
Log type: Firewall service 
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Publish TMGBE HTTP 
Source: External (77.73.111.194:3427) 
Destination: Internal (172.16.0.100:80) 
Protocol: HTTP Server 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: 77.73.111.194 
LOGS on INTERNAL server:
Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
Log type: Firewall service 
Status: The operation completed successfully.  
Source: External (77.73.111.194:3427) 
Destination: Local Host (172.16.0.100:80) 
Protocol: HTTP 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
Log type: Firewall service 
Status: A connection was abortively closed after one of the peers sent an RST packet.  
Source: External (77.73.111.194:3427) 
Destination: Local Host (172.16.0.100:80) 
Protocol: HTTP 
Additional information 
Number of bytes sent: 304 Number of bytes received: 192
Processing time: 20281ms Original Client IP: 77.73.111.194
When I try to connect my EDGE2 server external IP addresses, then:
LOGS on DMZ server (EDGE2):
Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
Log type: Firewall service 
Status: The operation completed successfully.  
Rule: Publish TMGBE HTTP 
Source: External (77.73.111.194:3429) 
Destination: Internal (172.16.0.100:80) 
Protocol: HTTP Server 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
Log type: Firewall service 
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
Rule: Publish TMGBE HTTP 
Source: External (77.73.111.194:3429) 
Destination: Internal (172.16.0.100:80) 
Protocol: HTTP Server 
Additional information 
Number of bytes sent: 534 Number of bytes received: 146
Processing time: 203ms Original Client IP: 77.73.111.194
Then traffic was redirected to HTTPS:
Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
Log type: Firewall service 
Status: The operation completed successfully.  
Rule: Publish TMGBE HTTPS 
Source: External (77.73.111.194:3430) 
Destination: Internal (172.16.0.100:443) 
Protocol: HTTPS Server 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
LOGS on INTERNAL server:
Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
Log type: Web Proxy (Reverse) 
Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
Rule: Publish OWA 
Source: External (77.73.111.194:3429) 
Destination: Local Host (172.16.0.100:80) 
Request: GET http://mail.domain.com/ 
Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 
Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:  
It's OK, because IIS requires SSL. Then:
Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
Log type: Firewall service 
Status: The operation completed successfully.  
Source: External (77.73.111.194:3429) 
Destination: Local Host (172.16.0.100:80) 
Protocol: HTTP 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194 
Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
Log type: Firewall service 
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
Source: External (77.73.111.194:3429) 
Destination: Local Host (172.16.0.100:80) 
Protocol: HTTP 
Additional information 
Number of bytes sent: 786 Number of bytes received: 318
Processing time: 15ms Original Client IP: 77.73.111.194
And HTTPS:
Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
Log type: Web Proxy (Reverse) 
Status: 302 Moved Temporarily 
Rule: Publish OWA 
Source: External (77.73.111.194:3430) 
Destination: Local Host (10.1.200.129:443) 
Request: GET http://mail.domain.com/ 
Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
Protocol: https 
User: anonymous 
Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000000 (Response should not be cached.)
Processing time: 1 MIME type: text/html; charset=UTF-8 
I can't understand the difference between these servers. If I shut down EDGE2, the publishing will work fine through EDGE1.
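
As an added illustration (not part of the original post), the Python below parses Firewall service entries in the layout quoted above, pairs them by client socket and destination, and reports flows that one TMG server timed out on with zero bytes while a different server logged traffic for the same flow. The sample entries are copied from the post and trimmed; the function names are hypothetical, and the script reports the mismatch without asserting its cause.

```python
import re
from collections import defaultdict

# Entries copied from the logs quoted in the post, trimmed to the fields read below.
SAMPLE = """\
Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40
Log type: Firewall service
Source: External (77.73.111.194:3427)
Destination: Internal (172.16.0.100:80)
Number of bytes sent: 0 Number of bytes received: 0
Initiated Connection BLK-TMG-02 21.07.2014 11:27:20
Log type: Firewall service
Source: External (77.73.111.194:3427)
Destination: Local Host (172.16.0.100:80)
Number of bytes sent: 0 Number of bytes received: 0
Closed Connection BLK-TMG-02 21.07.2014 11:27:40
Log type: Firewall service
Source: External (77.73.111.194:3427)
Destination: Local Host (172.16.0.100:80)
Number of bytes sent: 304 Number of bytes received: 192
Closed Connection DMZ-TMG-02 21.07.2014 11:57:17
Log type: Firewall service
Source: External (77.73.111.194:3429)
Destination: Internal (172.16.0.100:80)
Number of bytes sent: 534 Number of bytes received: 146
Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17
Log type: Web Proxy (Reverse)
Source: External (77.73.111.194:3429)
Destination: Local Host (172.16.0.100:80)
Closed Connection BLK-TMG-02 21.07.2014 11:57:18
Log type: Firewall service
Source: External (77.73.111.194:3429)
Destination: Local Host (172.16.0.100:80)
Number of bytes sent: 786 Number of bytes received: 318
"""

HEADER = re.compile(
    r"^(Failed Connection Attempt|Initiated Connection|Closed Connection|Allowed Connection)"
    r"\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s*$")
ENDPOINT = re.compile(r"^(Source|Destination):.*\((\d+\.\d+\.\d+\.\d+:\d+)\)")
BYTES = re.compile(r"bytes sent: (\d+) Number of bytes received: (\d+)")


def parse_entries(text):
    """Split a pasted TMG log export into one dict per entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"action": m.group(1), "server": m.group(2),
                            "time": m.group(3), "log_type": None,
                            "src": None, "dst": None, "sent": 0, "received": 0})
            continue
        if not entries:
            continue  # ignore any text before the first entry header
        cur = entries[-1]
        if line.startswith("Log type:"):
            cur["log_type"] = line.split(":", 1)[1].strip()
        elif (m := ENDPOINT.match(line)):
            cur["src" if m.group(1) == "Source" else "dst"] = m.group(2)
        elif (m := BYTES.search(line)):
            cur["sent"], cur["received"] = int(m.group(1)), int(m.group(2))
    return entries


def one_sided_failures(entries):
    """Flows one server timed out on while a different server logged traffic.

    Only Firewall service entries count: a Web Proxy "Failed Connection
    Attempt" is an HTTP-level denial (such as the 12311 entry in the post),
    not a connection that never completed.
    """
    flows = defaultdict(list)
    for e in entries:
        if e["log_type"] == "Firewall service" and e["src"] and e["dst"]:
            flows[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), group in flows.items():
        failed = [e for e in group if e["action"] == "Failed Connection Attempt"
                  and e["sent"] + e["received"] == 0]
        for f in failed:
            for e in group:
                if e["server"] != f["server"] and e["sent"] + e["received"] > 0:
                    findings.append({"client": src, "target": dst,
                                     "timed_out_on": f["server"],
                                     "traffic_seen_on": e["server"],
                                     "sent": e["sent"], "received": e["received"]})
    return findings


if __name__ == "__main__":
    for hit in one_sided_failures(parse_entries(SAMPLE)):
        print(hit)
```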

Similar Messages

  • Transparent proxy and reverse proxy at the same time

    Can I have in a Content Engine v 4.2 transparent proxy and reverse proxy at the same time ?

    Yes, as long as you are not redirecting the two services on the same interface. One service takes precedence over the other and I believe transparent web-cache redirect takes precedence over reverse-proxy.

  • HTTP tunneling and reverse proxy server

    We're currently using Windows Media Services (WMS) to stream
    video on our website. There is an option WMS to use the HTTP
    protocol and to specify the port you'd like to use. This has
    allowed us to stream video through our external firewall, through
    our reverse proxy server, and through our internal firewall to our
    media server. I've been trying for two days now to get Flash Media
    Server (FMS) to do the same thing. For some reason the HTTP
    tunneling (RTMPT) protocol doesn't appear to be acting like the
    HTTP protocol that WMS is using. Anyone have some tips on this
    configuration. I've scoured web resources and documentation as best
    I could. Any help would be greatly appreciated.
    Thanks.


  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate,
    my first question: do I need only one SAN for both my edge server and the reverse proxy?
    my second question is about the names that should be added to the certificate?
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    what else I should add ? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
    SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
    can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Certificate and Reverse Proxy

    Hi everyone,
    I'm trying to configure a Push Mail solution with my Iphone 2 (2.1) in my company.
    The goal is to access my Exchange server through a reverse proxy with a certificate for authentication.
    FIRST TEST:
    - Set up configuration on the Iphone to connect a public IP address as Exchange Server.
    - On the reverse proxy, this IP is forwarded to the Exchange Front-End server.
    - On the reverse proxy, NO certificate configured for authentication -> It's working fine ! I can see my e-mails&calendar on my Iphone !
    Bad solution for security reasons...
    SECOND TEST:
    - Activate certificate on the reverse proxy.
    - Install the certificate on the Iphone with Web Configuration utility: The certificate is shown in the General Tab on the Iphone.
    - Trying to connect, ERROR... I can see in the event log of my reverse proxy that no valid certificate from my Iphone were submitted.
    Any idea why the Iphone doesn't send the certificate to allow authentication on my reverse proxy ?
    Thank you,
    Stan

    Kristoffer,
    The answer will depend on how you have NGINX configured from a reverse proxy standpoint.  The certificate will need to match the hostname entered on the client in this case sapmobile.customer.com.   Since the traffic from the client will never get directly to the SMP 3 server the certificate should be installed on the NGINX installation as this is where the Agentry client will connect to and receive the certificate to validate against the hostname entered.
    NGINX will need to also be configured to validate the connection between itself and SMP 3.0 or to ignore the certificate if it doesn't trust it.
    The certificate on the SMP 3 server should be able to stay as the internal machine name assuming NGINX is acting as a true proxy and not just passing traffic through to the SMP 3 server.
    Unfortunately I am unable to open the link you included on SDN to review what it says.
    --Bill

  • Lync 2013 Edge and Reverse proxy on same server with SNI

    Hello
    I cannot find information if it is possible to create a single Lync 2013 Edge server with a Reverse proxy on the same server?
    Would it not be possible to share port 443 with SNI support? That way we could use only one public IP?
    Thanks!

    Sorry, it doesn't work.  Remember that 443 isn't HTTPS for the Edge.  If you went with the single IP model for the edge, 443 would be used for the A/V role which would be STUN/TURN. 
    The edge will always want to listen on 443, it just doesn't work to collocate a reverse proxy.

  • HTTP Filtering and Reverse Proxy + DMZ

    Hello all, I'm consolidating a number of my services and securing up my network.
    To give some context I have 1 static IP, several websites in the form of subdomain.domain.com where domain.com is the same but there are numerous subdomains which reside on different servers. Until recently we were just using port forwarding, etc. to access
    these remotely (subdomain.domain.com:9090, subdomain2.domain.com:9091) etc. but I would like to clean this up.
    We have a 5505 ASA which our static IP is natted to. That has a static route to an IIS server in the 'DMZ' portion of our network. I would like to find a way to have this server see 'subdomain1.domain.com' and send it to the server hosting that service, and
    so on for the other services. 
    I think I want to use Reverse-Proxy but I have never delved in to IIS 8 before and the extent of my reverse proxy experience was using nginx to host several web services for a friend. 
    If I could get any advice on 1) how to filter the url requests and direct them to the right server (some are non-windows servers) and 2) how to do this securely from the DMZ to the internal lan?
    Thanks SO much for any help!

    To give a better picture, here's a more complete description of set up and goals
    Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
    DMZ server is running IIS 8. Here are what some of the sites look like.
    jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
    email.xxxxx.com - > 10.1.10.16 (domain joined server 2012) port 80, 443
    media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
    other stuff like this -> 10.1.10.x port 80 or others
    All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server. 
    What do I need to do in IIS to have those sites get directed to the proper internal locations?
    Thanks!!

  • VIrtual host and reverse proxy  FOR EBIZ R12.0.6

    we have 4 dev EBIZ instances on a single hp_ux itanium server on which I have to setup one instance for virtual hosting and to work behind a reverse proxy .
    any particular documents or steps for this.
    Thanks
    mn

    we have 4 dev EBIZ instances on a single hp_ux itanium server on which I have to setup one instance for virtual hosting and to work behind a reverse proxy .
    any particular documents or steps for this.
    Implementing Virtual Host, Concurrent Managers and EM DBconsole on Oracle Applications R12 [ID 603883.1]
    Conc-System Node Name Not Registered After Fresh Install Using Virtual Name [ID 948644.1]
    Is Auto Failover With Virtual Hostnames For Concurrent Processing Servers Supported In 11i Or R12? [ID 456540.1]
    Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 [ID 726953.1]
    Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
    Thanks,
    Hussein

  • Omniportlet and reverse proxy

    I have an Oracle Portal installation behind a reverse proxy with Portal on 1 server, SSO/OID on another server, and the database on a 3rd server.
    Portal works fine, but Omniportlet and Webclipping are using the server name and port for the Portal server and not the reverse proxy URL. The Portal server name and port are, of course, not accessible to users.
    There is no proxy between the Portal and the database.

    Originally Posted by ghuertae
    Hi.. I have one server with one IP internal 10.x.x.x with reverse proxy to one ip public 159.x.x.x why ?? because we need that server can be used for public and internal users.
    For example an external user had a server 200.x.x.x and they need to connect to my server 159.x.x.x on different ports like 8020, 8000 and port 22 (ssh)
    With the port 8000 and 8020 no problem they can connect.. but with 22 port
    I did the next filter in my border manager 3.8 (novell 6.0)
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh (default 22)
    Src Port: ALL
    Protocol: TCP
    Dest Port: 22
    Src Add Type: Host
    Src IP Add: 200.X.X.X
    Dest Add Type: Host
    Dest IP Add: 159.X.X.X
    and
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh2 (default 22)
    Src Port: 22
    Protocol: TCP
    Dest Port: ALL
    Src Add Type: Host
    Src IP Add: 159.X.X.X
    Dest Add Type: Host
    Dest IP Add: 200.X.X.X
    In the server BorderManager setup "Aceleration -> Http Aceleration" I put WeB server port 22 / Named IP Address ip internal and in Proxy IP Addr the ip Public.
    If I did a Tel 159.X.X.X 22 I can connect, but if I use a program putty or ssh 159.X.X.X command I can not connect..!!!
    Is there an error in my filter? Or is there something else that I have to do?
    thanks a lot.
    ok the solution that i find is... use the reverse proxy and Nat for the same ip and it works fine.
    I can access to ssh without problem..!

  • SAPUI5 app and Reverse proxy configuration

    Hi
    I'm trying to configure a proxy server for a cross-origin resource sharing issue.
    The below steps i have configured in my machine.
    1. I have developed an application which consumes data through odata.
    2. Download and configured Apache server and enabled proxy module as per this url
    http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
    3. In httpd.config file added the below reverse proxy setup
    ProxyPass /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    ProxyPassReverse /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    4. Changed my service url as
    var serviceUrl = "proxy/http/localhost/poodata";
    5. Also I have added java-property-utils-1.9.jar and cors-filter-1.8.jar, then
    in web.xml I have added (even though it seems not necessary):
      <filter>
      <display-name>CacheControlFilter</display-name>
      <filter-name>CacheControlFilter</filter-name>
      <filter-class>com.sap.ui5.resource.CacheControlFilter</filter-class>
      </filter>
      <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
    6. Finally when I am executing the application through http://localhost:9080/SamplePO/ it's working. But when I'm using the IP address instead of localhost it shows NO DATA and throws the "500 internal server error - only allowed for local testing"
    also the application is trying to fetch data from 'http://10.130.41.158:9080/SamplePO/proxy/http/localhost/poodata/$metadata' where the location should be 'http/localhost/poodata/$metadata'.
    I want to access this application in my iPAD through WIFI by passing IP address followed by application name (http://10.130.41.158:9080/SamplePO).
    Please help me to fix this issue.
    Regards
    Yokesvaran Kumarasamy

    Hi Michael Herzog /  DJ Adams / Frank Welz,
    It seems you have v.good knowledge on this, can you please help with this issue.
    Thanks in Advance
    Regards
    Yokesvaran Kumarasamy

  • TMG ISP Redundancy and DNS

    Hello,
    I have installed TMG with 3 NICs such as ISP1, ISP2 and Internal
    I configured the ISP1 and ISP2 interfaces with IP addresses and default gateways and
    configured internal NIC with IP address, but Default Gateway.
    I installed DNS service on TMG and configured the forwarders pointing to ISP DNS servers.
    Finally Internal NIC DNS configuration
    Primary : 127.0.0.1
    Alternative: Internal AD DNS servers
    Configured persistent routes
    =============================================================
    Persistent Routes:
      Network Address   Netmask           Gateway Address   Metric
      10.0.0.0          255.0.0.0         10.1.2.1          1         (Internal LAN)
      1.1.1.1           255.255.255.255   192.168.5.1       2         (ISP1 DNS Server)
      2.2.2.2           255.255.255.255   192.168.4.2       3         (ISP2 DNS Server)
      0.0.0.0           0.0.0.0           192.168.4.2       Default
      0.0.0.0           0.0.0.0           192.168.5.1       Default
    Now I am trying to join the TMG server to domain but failed. Error saying that cannot resolve domain name
    I would highly appreciate any help.
    Thanks

    So far now everything is working.
    Just a summary
    - Installed the DNS service on TMG.
    - Configured the forwarders pointing to ISP 1 & 2 DNS servers.
    - Configured the conditional forwarder to forward DNS request to internal DNS server for AD authentication.
    - Internal NIC DNS
    Primary : 127.0.0.1 ( local host TMG )
    Alternative: Internal DNS servers.

  • Reverse Proxy and SLD on an Enterprise Portal 7.0

    Hi
    I need to configure SLD and Reverse Proxy on an Enterprise Portal Server.
    How do i do this...
    can you refer me to the applicable guides
    Thanks
    Kalyan

    Hello,
    Thank you for your interest in my problem.
    Browser --SSL--> Firewall/DMZ (No SSL termination, all traffic forwarded to ISA Server). Yes, but there is a port translation, port 443 to 50201.
    Firewall/DMZ --SSL--> ISA Server -- (SSL Termination)--. In fact it is not the SSL termination. But from this point the URL is modified to reach the host with EP7.0.
    ISA Server --SSL--> EP7.0 (port 502010) When I test my configuration I get the message web page not found. With capture software I have verified that the request is sent to my EP 7.0 (url2). But no logon page appears. With the modification online of the HTTP provider in the dispatcher, I have checked that the response contains the URL1 and the standard port. But no web page is displayed.
    Thank you for your help.
    Regards,
    Julien

  • SSO Reverse Proxy and UWL error

    We have installed a portal on NW 7.01, which uses a custom SSO application and reverse proxy.  We are using the portal for an MSS application, using some standard functionality such as the MSS team viewer and the Universal Worklist.  Everything is working fine when I log in directly to the portal without the SSO application, connection to R3 (ECC 6.0) with the Team Viewer and the Universal Worklist.  When I use the Single Sign-On, I get in to the portal fine, the connection is good on our iViews including the MSS Team Viewer, but I get an error with the Universal Worklist.  I am first prompted if I want to display nonsecure items, if I click yes I get an error inside the UWL iView:
    Network Access Message: The page cannot be displayed
    Error Code: 502 Proxy Error. The host was not found.(11001)
    What settings do I need to change with UWL using SSO and reverse proxy - any ideas?
    Thanks,
    Jeff Mathieson


  • CSM, Reverse Proxy, and Sticky

    First, here is a diagram of my setup:
    CSM w/VIP for Front-End Web Servers (acting as Authorization and Reverse Proxy)
    |
    SSL Module for termination of HTTPS traffic
    |
    Front-End Web Servers
    |
    CSM w/VIP for Back-end Web Servers
    |
    Back-end Web Servers
    What I need is a way to ensure that users get to the same Back-end Web Server for their entire session. The Front-End Web Servers act as a Reverse Proxy for all requests going to the Back-End Web Servers and are configured to send requests to the VIP for the Back-End Web Servers.

    Gilles,
    Thanks for the response. This is https traffic for the user, but from the Front-End to the Back-End it's just http. Unfortunately it's SAP so it's not a normal HTTP Back-end that can generate cookies. Currently I am only running 3.1(7). What is the status of the 4.1 train? Being new I am concerned about utilizing this level. What has been the experience of customers on this code level in the field?

  • How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

    Some of our installations use the Sun Web Server 7.0 (update 1, usually)
    for hosting some of the public resource and reverse-proxying other parts
    of the URI namespace from other backend servers (content, application
    and other types of servers).
    So far every type of backend server served a unique part of the namespace
    and there was no collision of names, and the backend resources were
    published in a one-to-one manner. That is, a backend resource like, say,
    http://appserver:8080/content/page.html would be published in the internet
    as http://www.publicsite.com/content/page.html
    I was recently asked to research whether we can rename some parts of
    the public URI namespace, to publish some or all resources as, say,
    http://www.publicsite.com/data/page.html while using the same backend
    resources.
    Another quest, possibly related in solution, was to make a tidy url for the
    first page the user opens of the site. That is, in the current solution when
    a visitor types the url "www.publicsite.com" in his or her browser, our web
    server returns an HTTP-302 redirect to the actual first page URL, so the
    browser sends a second request (and changes the URL in its location bar).
    One customer said that it is not "tidy". They don't want the URL to change
    right upon first rendering the page. They want the root page to be rendered
    instantly in the first HTTP request.
    So far I found that I can't solve these problems. I believe these problems
    share a solution because it relies on ability to control the actual URI strings
    requested by Sun Web Server from backend servers.
    Some details follow, now:
    It seems that the reverse proxy (Service fn="service-passthrough") takes
    only the $uri value which was originally requested by the browser. I didn't
    yet manage to override this value while processing a request, not even if
    I "restart" a request. Turning the error log up to "finest" I see that even
    when making the "service-passthrough" operation, the Sun Web Server
    still remembers that the request was for "/test" (in my test case below);
    it does indeed ask the backend server for an URI "/test" and that fails.
    [04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
    trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
    fn="service-passthrough" rewrite-host="true" rewrite-location="true"
    servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
    returned 0 (REQ_PROCEED)
    My obj.conf file currently has simple clauses like this:
    # this causes /content/* to be taken from another (backend) server
    NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
    # this causes requests to site root to be HTTP-redirected to a certain page URI
    <If $uri =~ '^/$'>
        NameTrans fn="redirect"
            url="http://www.publicsite.com/content/MainPage.html"
    </If>
    <Object name="content-test">
    ### This maps http://public/content/* to http://10.16.2.127:8080/content/*
    ### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
        Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
        Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
    </Object>
    I have also tried "restart"ing the request like this:
        NameTrans fn="restart" uri="/data"
    or desperately trying to set the new request uri like this:
        Service fn="set-variable"  uri="/magnoliaPublic/Main.html"
    Thanks for any ideas (including a statement whether this can be done at all
    in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
    //Jim

    > Some of our installations use the Sun Web Server 7.0 (update 1, usually)
    please plan on installing the latest service pack - 7.0 Update 4. these updates address potentially critical bug fixes.
    > I was recently asked to research whether we can rename some parts of
    > the public URI namespace, to publish some or all resources as, say,
    > http://www.publicsite.com/data/page.html while using the same backend
    > resources.
    now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
    yes, you could do something like
    - edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
    <Object name="default">
    <If $uri = "/page/">
    #move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
    NameTrans.. fn=map
    </If>
    </Object>
    and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration. this way, you would get enough information on what is going on within your server logs.
    finally, when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
    <install-root>/bin/wadm pull-config --user=admin --config=<hostname> <hostname>
    <install-root>/bin/wadm deploy-config --user=admin <hostname>
    you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
    http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
    finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
    http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
    > One customer said that it is not "tidy". They don't want the URL to change
    > right upon first rendering the page. They want the root page to be rendered
    > instantly in the first HTTP request.
    please check out the rewrite / restart SAF. this should help you.
    http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
    pl. understand that - like with most web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do.
    > It seems that the reverse proxy (Service fn="service-passthrough") takes
    > only the $uri value which was originally requested by the browser. I didn't
    > yet manage to override this value while processing a request, not even if
    > I "restart" a request. Turning the error log up to "finest" I see that even
    > when making the "service-passthrough" operation, the Sun Web Server
    > still remembers that the request was for "/test" (in my test case below);
    > it does indeed ask the backend server for an URI "/test" and that fails.
    now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don't have to download a separate plugin. however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
    http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
    feel free to post to us if you need any further help
    you are probably better off - starting fresh
    - install ws7u4
    - use gui or CLI to create a reverse proxy and map one on one - say content
    http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
    if you don't plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
    <install-root>/bin/wadm disable-java --user=admin --config=<hostname>
    <install-root>/bin/wadm create-reverse-proxy --user=admin --uri-prefix=/content --server=<http://your back end server/> --config=<hostname> --vs=<hostname>
    <install-root>/bin/wadm deploy-config --user=admin <hostname>
    now, you can check out the regular expression processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
    > I have also tried "restart"ing the request like this:
    > NameTrans fn="restart" uri="/data"
    ordering is very important here... you need to do this something like
    <Object name="default">
    <If not $restarted>
    NameTrans fn="restart" from="/" uri="/foo"
    </If>
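
An added sketch (not part of the thread, and not Sun Web Server code): a simplified Python model of the directive ordering discussed above, where a public prefix is renamed to the backend's `/content/` tree by a restart that is guarded like `<If not $restarted>`. The function names, the catch-all `/` prefix case and the path normalisation step are assumptions made for illustration; the backend address is the one from the original post.

```python
import posixpath

BACKEND = "http://10.16.2.127:8080"   # backend address from the original post
BACKEND_PREFIX = "/content/"          # backend tree named in the reply

def name_trans(uri, restarted, public_prefix, guarded):
    """One ordered pass over the directives (simplified model, hypothetical)."""
    # Rule 1: rename the public prefix; optionally guarded like <If not $restarted>.
    if uri.startswith(public_prefix) and not (guarded and restarted):
        return "restart", BACKEND_PREFIX + uri[len(public_prefix):]
    # Rule 2: anything under the backend prefix goes to the reverse proxy.
    if uri.startswith(BACKEND_PREFIX):
        return "proxy", BACKEND + uri
    # Everything else is served locally and never reaches the backend.
    return "local", uri

def handle(uri, public_prefix="/data/", guarded=True, max_restarts=3):
    # Normalise before matching so "/data/../x" is not rewritten into /content/.
    norm = posixpath.normpath(uri)
    if uri.endswith("/") and norm != "/":
        norm += "/"
    restarted = False
    for _ in range(max_restarts + 1):
        action, value = name_trans(norm, restarted, public_prefix, guarded)
        if action != "restart":
            return action, value
        norm, restarted = value, True
    raise RuntimeError("restart loop: rule keeps matching its own output")

if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("/data/page.html", "/data/../admin/x", "/other.html"):
        print(u, "->", handle(u))
```

With a catch-all public prefix of `/`, the rewritten URI matches the rename rule again, so only the guarded form terminates; that is the case the `$restarted` check exists for.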
