9.4.0

DNS File Entry Descriptions

/var/named/chroot/etc/domain.zone.vpn is used for managing the DNS SRV records that agents use to reach FortiNAC over all VPN tunnels. This file is written when the eth1 VPN isolation interface is configured or modified using the Configuration Wizard. There is a domain.zone.* file for each FortiNAC service interface (Isolation, Registration, Remediation, etc.). For more details, see DNS Server Configuration in the Administration Guide.


> cat /var/named/chroot/etc/domain.zone.vpn

<…>

$ORIGIN example.com.
b._dns-sd._udp                     PTR @
lb._dns-sd._udp                    PTR @
_networksentry._tcp                PTR AgentConfig._networksentry._tcp
;Insert agent line here; Needs to be here for BN_OTHER_HOSTNAME
AgentConfig._networksentry._tcp    SRV 0 0 443 servername.domainname.com.    << Mobile Agent SRV response*
                                   TXT path=/vpn/agent/config
_networksentry._tcp                SRV 0 0 443 servername.domainname.com.    << Dissolvable Agent SRV response*
                                   TXT path=/vpn/agent/config
_bradfordagent._udp                SRV 0 0 4567 servername.domainname.com.   << Persistent Agent SRV response*
_bradfordagent._tcp                SRV 0 0 4568 servername.domainname.com.   << Persistent Agent SRV response*
*.example.com.                     IN A 172.16.99.6
;*.example.com.                    IN AAAA BN_VPN_6IP

* servername.domainname.com is the Portal SSL Fully-Qualified Host Name configured in the UI under System > Settings > Security > Portal SSL

Example using Dissolvable Agent:

  1. The VPN isolation interface is configured and a DHCP scope is created with the domain example.com.

  2. The Configuration Wizard writes example.com to the $ORIGIN entry in the domain.zone.vpn file.

  3. The endpoint connects to the VPN tunnel and obtains DHCP information from the VPN server.

  4. The Dissolvable Agent is downloaded from the Captive Portal and run.

  5. The agent sends an SRV query for _networksentry._tcp.example.com.

  6. Upon receipt of the query, FortiNAC searches the domain.zone.* files for a $ORIGIN entry matching the queried domain.

  7. Since the domain example.com matches the $ORIGIN entry in domain.zone.vpn, FortiNAC answers the query with the priority and weight (0 0), port (443) and server name (servername.domainname.com) specified in the _networksentry._tcp entry.

  8. The Dissolvable Agent performs a certificate check, verifying that the server name servername.domainname.com returned in the SRV response matches the Portal SSL certificate presented by servername.domainname.com.
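As an added example (not FortiNAC's own code), the following Python script resolves an agent SRV query against constructed domain.zone.* files the way steps 5 through 7 describe: it parses $ORIGIN and SRV records, then answers from the file whose origin matches the queried domain. The sample file contents, the second file name domain.zone.isol and its isolation.example.net origin are assumptions made for the example.

```python
# Constructed sample zone files mirroring the records shown on this page
# (the "<< ..." annotations in the listing are commentary, not zone syntax).
ZONE_FILES = {
    "domain.zone.vpn": """\
$ORIGIN example.com.
_networksentry._tcp PTR AgentConfig._networksentry._tcp
;Insert agent line here; Needs to be here for BN_OTHER_HOSTNAME
AgentConfig._networksentry._tcp SRV 0 0 443 servername.domainname.com.
_networksentry._tcp SRV 0 0 443 servername.domainname.com.
_bradfordagent._udp SRV 0 0 4567 servername.domainname.com.
_bradfordagent._tcp SRV 0 0 4568 servername.domainname.com.
*.example.com. IN A 172.16.99.6
""",
    "domain.zone.isol": """\
$ORIGIN isolation.example.net.
_networksentry._tcp SRV 0 0 443 servername.domainname.com.
""",
}


def parse_srv(zone_text):
    """Return (origin, {owner_fqdn: (priority, weight, port, target)})."""
    origin, records = None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if origin is None or "SRV" not in fields:
            continue                             # PTR/TXT/A records are not needed here
        owner = fields[0].rstrip(".").lower()
        if not fields[0].endswith("."):          # relative owner name: append $ORIGIN
            owner = f"{owner}.{origin}"
        i = fields.index("SRV")
        prio, weight, port = (int(x) for x in fields[i + 1:i + 4])
        records[owner] = (prio, weight, port, fields[i + 4].rstrip("."))
    return origin, records


def resolve_srv(qname, zone_files=ZONE_FILES):
    """Steps 6-7: answer from the file whose $ORIGIN best matches the query."""
    q, best = qname.rstrip(".").lower(), None
    for name, text in zone_files.items():
        origin, records = parse_srv(text)
        if origin and (q == origin or q.endswith("." + origin)):
            if best is None or len(origin) > len(best[0]):   # prefer the most specific origin
                best = (origin, name, records.get(q))
    return (best[1], best[2]) if best else (None, None)
```

Calling resolve_srv("_networksentry._tcp.example.com") returns the file name domain.zone.vpn together with (0, 0, 443, "servername.domainname.com"), the values step 7 says FortiNAC sends back to the agent.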
