04-15-2019 06:10 PM
We have a client who is VERY protective of their internal address space and the servers that reside therein. This causes some issues when we come to implement a guest solution for them using ISE 2.4. We have pretty much nailed down everything except DNS. The issue is in the re-direction of user traffic to the portal - as far as we can tell this relies on DNS, and our client would very much prefer that guests are only ever given access to external DNS servers.
Anyone got any ideas of how this MIGHT be achieved?
Thanks
Al
04-15-2019 06:58 PM
04-15-2019 07:20 PM
Solved.
Thanks for the suggestions guys but they all involve scenarios we were trying to avoid. However - we did come across this:-
which is perfect for our needs. Just a bit of re-configuration of rules required.
Thanks all
Al
04-16-2019 02:43 PM
If you don't want your guest portal to be internet-facing (and why should it be? I don't need to resolve a USA-based guest portal over here in Australia! I would imagine guest portals are hosted on private address space), then in my opinion a standalone DNS server that performs conditional forwarding is the answer. Even Microsoft DNS servers can do it.
Conditional DNS forwarding does what it says: it has conditions built in with simple logic like:
1) if resolving guest.company.com then I will resolve it for you
2) for everything else I will forward your query to an external DNS service (Google, ISP, etc)
This means your guests will never be able to resolve your intranet services except the guest page.
04-16-2019 10:39 PM
04-15-2019 07:08 PM
You have several different options:
Public DNS for guest wireless is pretty much the standard in most of my deployments. I have done all of the above across my customers.
04-15-2019 07:30 PM
04-16-2019 03:20 PM
Hi All,
Thanks for all the replies. I now have an interim solution for our testing purposes and a final solution once we are happy with everything. We are using the static address assignment for testing and will discuss setting up a DNS server to resolve the PSN addresses and forward all others to an external DNS with the customer.
Cheers
Al
04-22-2019 07:50 AM
04-22-2019 03:28 PM
Hi All,
Our final solution to this conundrum was to use static assignment for testing purposes in our solution and accept the certificate warnings. When it comes to putting this into production we shall use a couple of specially created DNS servers which will contain two entries for our PSN nodes. All other queries will be forwarded to an external DNS.
Thanks
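The conditional-forwarding design described in the earlier reply and the final "two PSN entries, forward everything else" design in this post come out to the same server build. As an added example, not code from the thread, from Cisco or from Microsoft, here is how that build looks on a standalone Windows DNS server using the DnsServer module cmdlets, followed by the checks a reviewer would run before pointing the guest DHCP scope at it. The zone name guest.example.com, the psn1/psn2 host names, the 10.10.20.x addresses and the 203.0.113.x forwarders are assumed placeholders and must be replaced with the real values.

```powershell
# Added example (not from the thread): standalone Windows DNS server for the guest
# VLAN that answers only for the two ISE PSN names and forwards every other query
# to external resolvers. Zone, host names, IPs and forwarders are placeholders.
$GuestZone   = "guest.example.com"
$PsnRecords  = @{ "psn1" = "10.10.20.11"; "psn2" = "10.10.20.12" }   # constructed values
$ExternalDns = @("203.0.113.53", "203.0.113.54")                      # constructed values

# 1) Host the guest zone locally as a file-backed primary zone. No AD integration,
#    so this server needs no trust relationship with the internal directory.
if (-not (Get-DnsServerZone -Name $GuestZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $GuestZone -ZoneFile "$GuestZone.dns"
}

# 2) Only the PSN entries live in this zone. The portal redirect and the PSN
#    certificate reference these FQDNs, so resolving them by name here is what
#    avoids the certificate warnings seen with static IP assignment.
foreach ($name in $PsnRecords.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $GuestZone -Name $name `
        -IPv4Address $PsnRecords[$name] -TimeToLive (New-TimeSpan -Minutes 5)
}

# 3) Everything not in the guest zone goes to the external resolvers only.
#    Turning off root hints stops the server recursing on its own if a
#    forwarder is unreachable.
Set-DnsServerRecursion -Enable $true
Set-DnsServerForwarder -IPAddress $ExternalDns -UseRootHint $false

# 4a) Check: no forwarder points into private (RFC 1918) address space.
$leak = Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
        ForEach-Object { $_.IPAddressToString } |
        Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
if ($leak) { Write-Warning "Forwarder points at private address space: $($leak -join ', ')" }

# 4b) Check: the only hand-made zone is the guest zone. A stray conditional
#     forwarder or secondary copy of an internal zone would expose intranet names.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -notin @($GuestZone, 'TrustAnchors') } |
    ForEach-Object { Write-Warning "Unexpected zone on guest resolver: $($_.ZoneName) ($($_.ZoneType))" }

# 4c) Check: a PSN name resolves from the local zone, an internal name does not.
Resolve-DnsName -Name "psn1.$GuestZone" -Server localhost -Type A
Resolve-DnsName -Name "intranet.example.com" -Server localhost -Type A -ErrorAction SilentlyContinue
```

Run this on the DNS server itself (Windows Server with the DNS role installed). The server should sit in the guest or DMZ segment with a firewall rule that lets it reach only the configured external forwarders on UDP/TCP 53, so a later misconfiguration of the forwarder list cannot quietly give guests a path to internal resolvers.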