Access DNS applications with Service Discovery
Domain Name System (DNS) converts a domain name, such as the hostname in a web URL, to the IP address of the server providing the service. This translation is done using A records (address records). In addition, DNS provides SRV (service) and PTR (pointer) records:
- SRV records are used to discover services on an enterprise server.
- PTR records are used for reverse lookups, translating an IP address to a domain or host name.
Enterprise applications like Microsoft Outlook use SRV and PTR queries to find the correct server for delivering services like mail and calendar. EAA Client needs to intercept these PTR and SRV queries so that they can be forwarded to the enterprise DNS server, which selects the server responsible for providing the service to the user. When EAA Client intercepts these queries, it uses the DNS applications configured in the EAA Management Portal to resolve them.
EAA Client onboards SRV and PTR queries over enterprise DNS if they meet the following conditions:
- The hostname in the SRV request matches an enterprise DNS suffix configured in an EAA DNS application.
- The IP address in the PTR request matches the destination IP of an EAA access application.
Limitations:
- You cannot customize the enterprise DNS application URL.
- You cannot attach an IdP to an enterprise DNS application. Therefore, it is not possible to use specific DNS servers for the same search domain for users in a particular region served by an IdP, which can increase latency for those users.
For example, if you want EAA Client to handle SRV and PTR records for Microsoft enterprise DNS, you can provide microsoft.com as the search domain in the DNS application, allow the IdP to enable service discovery DNS requests, and create a wildcard tunnel-type client application with *.microsoft.com as the internal host.
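As an added illustration (not Akamai's code), the following Python models the two onboarding conditions above: it decides whether EAA Client would forward a given SRV or PTR query to the enterprise DNS server behind a DNS application, or leave it to the local resolver. The search domains, destinations and query names are constructed sample values.

```python
import ipaddress

# Constructed sample configuration: search domains from a DNS application and
# destinations (host or CIDR) from wildcard tunnel-type client-access apps.
SEARCH_DOMAINS = ["corp.example.com", "microsoft.com"]
DESTINATIONS = ["10.20.0.0/16", "192.0.2.25"]

def _normalize(name: str) -> str:
    """Lower-case a query name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def ptr_to_ip(qname: str):
    """Turn a PTR query name such as 4.3.2.10.in-addr.arpa into 10.2.3.4
    (IPv4 only); return None if the name is not a reverse-lookup name."""
    labels = _normalize(qname).split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def onboard_srv(qname: str, search_domains=SEARCH_DOMAINS) -> bool:
    """SRV rule: the hostname must equal, or be a subdomain of, an enterprise
    DNS suffix configured in the DNS application. The leading dot in the
    endswith check keeps look-alikes such as evilmicrosoft.com out."""
    name = _normalize(qname)
    return any(name == d or name.endswith("." + d) for d in search_domains)

def onboard_ptr(qname: str, destinations=DESTINATIONS) -> bool:
    """PTR rule: the IP in the request must fall within the destination of an
    EAA access application."""
    ip = ptr_to_ip(qname)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(d, strict=False) for d in destinations)

def route_query(qtype: str, qname: str) -> str:
    """Where EAA Client sends a query: the 'enterprise' DNS server behind the
    DNS application, or the 'local' resolver. Only SRV and PTR are subject to
    service discovery; A records are handled by application discovery."""
    if qtype == "SRV" and onboard_srv(qname):
        return "enterprise"
    if qtype == "PTR" and onboard_ptr(qname):
        return "enterprise"
    return "local"

if __name__ == "__main__":
    print(route_query("SRV", "_ldap._tcp.dc._msdcs.corp.example.com."))  # enterprise
    print(route_query("PTR", "8.8.8.8.in-addr.arpa."))  # local
```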
Follow the steps below to create a DNS application that handles PTR and SRV records, with the service discovery option enabled. Then allow the IdP to send DNS requests for discovering services offered by enterprise servers; the IdP also informs EAA Client that it should handle SRV and PTR records. Finally, create and configure a wildcard tunnel-type client-access application with the relevant wildcard domains that EAA Client should intercept.
Create a DNS application
Enable the DNS application to onboard SRV and PTR records from the enterprise DNS server that serves the search domain. You can provide two DNS servers for high availability.
- Log in to EAA Management Portal.
- In the EAA Management Portal navigation menu, select System > Enterprise DNS.
- Click Add DNS.
- Enter the following data for the DNS application:
  - Name. A name for the DNS application.
  - Description. A description for the DNS application.
- Click Create DNS and Configure.
- Enter the following data for the DNS information:
  - Search Domain/s. The domain name you want EAA Client to intercept.
  - Optionally, click Add Domain, and enter any additional search domains you want EAA Client to intercept.
  - Service Discovery. Enable this option to allow EAA Client to resolve PTR records and SRV records.
  - Application Discovery. Enable this option to allow EAA Client to resolve A records.
- For DNS server, select one of these:
  - Use connector's DNS server. Uses the DNS server of the connector.
  - Custom DNS server. Provide the primary and, optionally, secondary DNS server IP address and port number.
- Select Connectors, and in Cloud Zone select the cloud zone closest to the DNS server.
- Add one or more connectors to the application.
- Click Add or remove connector, select the connector or connectors you want to associate with this DNS application for this data center (use the connector you created), and click Done.
- Click Save changes.
- Next, enable the identity provider to use the DNS application.
Enable the identity provider to use the DNS application
Allow EAA Client to use the DNS application to forward the service discovery DNS requests (SRV and PTR records) to the enterprise server.
Prerequisite: EAA Client is enabled in an identity provider.
- Log in to EAA Management Portal.
- In the EAA Management Portal navigation menu, select Identity > Identity providers.
- On the card of the IdP with EAA Client enabled, click Configure Identity Provider, and select ADVANCED SETTINGS.
- Select Enable Service Discovery DNS request.
- Click Save and go to Deployment.
- Deploy the IdP.
- Next, create and configure a wildcard tunnel-type client-access application.
Create and configure a wildcard tunnel-type client-access application
Create and configure a wildcard tunnel-type client-access application with a wildcard domain for the Destination.
For example, to create a wildcard tunnel-type client-access application that allows all domains under microsoft.com, enter the following in Application Identity > Destination 1:
- all for both TCP and UDP types of traffic.
- *.microsoft.com for the domain name.
- 1-65535 for all ports.
Next, configure the tunnel-type client-access application, and deploy the application.