Access DNS applications with Service Discovery

The Domain Name System (DNS) translates a domain name, such as the host name in a web URL, into the IP address of the server that provides the service. This forward translation uses A (address) records. DNS also provides SRV (service) and PTR (pointer) records:

  • SRV records map a service name (of the form _service._protocol.domain) to the host name and port of the enterprise server that offers that service, so clients can discover services without hard-coded server names.

  • PTR records are used for reverse lookup: they translate an IP address back to a domain or host name.

Enterprise applications such as Microsoft Outlook issue SRV and PTR queries to locate the server that delivers a service such as mail or calendar. For these queries to be answered correctly, EAA Client must intercept them and forward them to the enterprise DNS server, which selects the server responsible for the service. EAA Client uses the DNS applications configured in Enterprise Center to decide which queries to intercept and where to forward them.

EAA Client forwards (onboards) an SRV or PTR query over Enterprise DNS only if it meets the corresponding condition:

  • The host name in an SRV query matches a search domain (enterprise DNS suffix) configured in an EAA DNS application.

  • The IP address in a PTR query matches a destination IP address of an EAA access application.
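The two onboarding rules above, carried out in code. This is an illustration added for this page, not EAA Client's own code: the DnsApplication and AccessApplication classes, the select_onboarding function and the configuration values are assumptions. It also models the A and AAAA queries that a search domain intercepts, and the Service Discovery toggle described later on this page, which must be on before PTR and SRV queries are handled.

```python
"""
Model of the EAA Client decision "does this DNS query go over Enterprise DNS?"
as described on this page. Added illustration, not Akamai code: the class and
function names are assumptions, and the configuration below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsApplication:
    name: str
    search_domains: list[str]   # suffixes the client intercepts, e.g. "corp.example.com"
    service_discovery: bool     # the Service Discovery toggle on the DNS application


@dataclass
class AccessApplication:
    name: str
    destinations: list[str]     # destination IPs or CIDRs of a client-access application


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def domain_matches_suffix(name: str, suffix: str) -> bool:
    """Match on label boundaries: 'corp.example.com' must not match 'evilcorp.example.com'."""
    name, suffix = _normalize(name), _normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def ptr_name_to_ip(qname: str):
    """Turn a reverse-lookup name into the address it asks about, or None if malformed."""
    name = _normalize(qname)
    v4, v6 = ".in-addr.arpa", ".ip6.arpa"
    try:
        if name.endswith(v4):
            octets = name[: -len(v4)].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        if name.endswith(v6):
            nibbles = name[: -len(v6)].split(".")
            if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        return None
    return None


def select_onboarding(qtype: str, qname: str, dns_apps, access_apps):
    """
    Return the name of the EAA object that causes the query to be forwarded to
    enterprise DNS, or None when the query stays with the device's normal resolver.
    """
    qtype = qtype.upper()
    if qtype in ("A", "AAAA", "SRV"):
        for app in dns_apps:
            # SRV is only handled when Service Discovery is enabled on the DNS application.
            if qtype == "SRV" and not app.service_discovery:
                continue
            if any(domain_matches_suffix(qname, d) for d in app.search_domains):
                return app.name
        return None
    if qtype == "PTR":
        if not any(app.service_discovery for app in dns_apps):
            return None
        ip = ptr_name_to_ip(qname)
        if ip is None:
            return None
        # PTR is onboarded when the address belongs to an access application destination.
        for acc in access_apps:
            for dest in acc.destinations:
                if ip in ipaddress.ip_network(dest, strict=False):
                    return acc.name
        return None
    return None


# Constructed configuration used by demo(); assumed names, not a real deployment.
DNS_APPS = [DnsApplication("corp-dns", ["corp.example.com"], service_discovery=True)]
ACCESS_APPS = [AccessApplication("intranet", ["10.0.0.0/24", "2001:db8::10"])]


def demo() -> dict:
    queries = [
        ("SRV", "_ldap._tcp.CORP.example.com."),    # matches the search domain
        ("SRV", "_ldap._tcp.evilcorp.example.com"), # lookalike suffix, must not match
        ("PTR", "5.0.0.10.in-addr.arpa"),            # 10.0.0.5 is an access-app destination
        ("PTR", "1.1.1.1.in-addr.arpa"),             # public address, not onboarded
        ("A", "mail.corp.example.com"),
    ]
    return {f"{t} {n}": select_onboarding(t, n, DNS_APPS, ACCESS_APPS) for t, n in queries}


if __name__ == "__main__":
    for query, target in demo().items():
        print(f"{query:45} -> {target}")
```

The label-boundary check in domain_matches_suffix is the part worth keeping: a plain "ends with" test on the string would let a query for evilcorp.example.com ride the enterprise DNS path configured for corp.example.com.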

Limitations:

  • You cannot customize the enterprise DNS application URL.

  • You cannot attach an IdP to an enterprise DNS application. Consequently, you cannot assign different DNS servers for the same search domain to the users of a particular region served by one IdP, which can increase resolution latency for those users.

For example, if you want EAA Client to forward SRV and PTR queries for microsoft.com to the enterprise DNS server, provide microsoft.com as the search domain in the DNS application, enable Service Discovery on it, allow the IdP to send service discovery DNS requests, and create a wildcard tunnel-type client application with *.microsoft.com as the internal host.
The procedure has three parts. First, create a DNS application with the Service Discovery option enabled, so that EAA Client handles PTR and SRV records for its search domains. Second, allow the IdP to send DNS requests for discovering services offered by enterprise servers; the IdP configuration also instructs EAA Client to handle SRV and PTR records. Finally, create and configure a wildcard tunnel-type client-access application for the wildcard domains that EAA Client should intercept.

Create a DNS application

The DNS application tells EAA Client which search domains to intercept and which enterprise DNS server to forward SRV and PTR queries to. You can provide two DNS servers for high availability.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Enterprise DNS.

  3. Click Add Enterprise DNS Application.

  4. Enter the following data for the DNS application:

    1. Name. A name for the DNS application.

    2. Description. A description for the DNS application.

  5. Click Save.

  6. Enter the following data for the DNS information:

    1. Search Domain/s. The domain name you want EAA Client to intercept.

    2. (Optional) Click Add Domain. Enter any additional search domains you want EAA Client to intercept.

    3. Service Discovery. Enable this option to allow EAA Client to resolve PTR records and SRV records.

  7. For DNS server you can select one of these:

    • Use connector's DNS server. Uses the DNS server of the connector.

    • Custom DNS server. Enter the IP address and port of the primary DNS server and, optionally, of a secondary DNS server.

  8. Select Connectors and, in Cloud Zone, select the cloud zone closest to the DNS server.

  9. Click Associate Connector, select the connector or connectors that can reach the DNS server in this data center (for example, the connector you created earlier), and click Associate. You can associate more than one connector with the application.
    To remove a connector, click Disassociate next to it.

  10. Click Save.

  11. Next, enable the identity provider to use the DNS application.

Enable the identity provider to use the DNS application

Allow EAA Client to use the DNS application to forward service discovery DNS requests (SRV and PTR queries) to the enterprise DNS server.

Prerequisite:
EAA Client is enabled in an identity provider.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select the IdP that has EAA Client enabled.

  4. In Settings > Client, select Enable Captive Portal.

  5. Select Identity > Identity Providers.

  6. Click Save.

  7. Deploy the IdP.

  8. Next, create and configure a wildcard tunnel-type client-access application.

Create and configure a wildcard tunnel-type client-access application

Create and configure a wildcard tunnel-type client-access application whose Destination is a wildcard domain.
For example, to create a wildcard tunnel-type client-access application that covers all host names under microsoft.com, enter the following in Application Identity > Destination 1:

  • all for the protocol, so that both TCP and UDP traffic is tunneled.

  • *.microsoft.com for the domain name.

  • 1-65535 for the port range, so that all ports are covered.

A wildcard over an entire domain on every port sends all matching traffic through the tunnel; where the services you need are known, narrow the wildcard and the port range to them.

Then complete the configuration of the tunnel-type client-access application and deploy it.