7.2.0
Overview

This document provides a list of domains that may need to be added to ensure appropriate IP resolution from restricted VLANs (“isolation” VLANs).

Note: Domains for the Allowed Domains List are added to new images of FortiNAC. Depending upon the image’s Engine Version when the appliance was built, any/all of the domains may already be listed.

What it Does

The Allowed Domains List provides appropriate IP resolution to restricted devices so they can complete actions such as updating AV/AS programs and performing SSL certificate authentication. The list should be updated as necessary.

How it Works

When a device is connected to an “isolation” VLAN (e.g., Isolation, Registration, Quarantine, DeadEnd), the FortiNAC Server/Application Server acts as the DNS server. Upon receipt of a DNS request from the isolated host, FortiNAC returns the IP address of the eth1 interface unless the domain is listed in the Allowed Domains page. If a request for a domain listed in the Allowed Domains page is received, FortiNAC sends a request to the customer's DNS server for resolution.

  1. Device connects to isolation VLAN and FortiNAC provides DHCP addressing, including FortiNAC eth1 IP address for the DNS Server.

  2. Device sends DNS query for domainA.com to eth1 IP address.

  3. DomainA.com is in the allowed domains list. Therefore, FortiNAC proxies the query to the production DNS server.

  4. Production DNS answers FortiNAC with IP Address 1.2.3.4.

  5. FortiNAC answers device with IP address 1.2.3.4.

For instructions on adding domains, see section Allowed domains of the appropriate Administration Guide:

Version 8.x Administration Guide

Version 9.x Administration Guide

Requirements

  • Router/firewall policies to handle traffic for devices in the “isolation” VLAN. FortiNAC does not act as a router.

  • Do not include a “.” at the start of a domain. This causes the named-chroot service to fail. In a High Availability environment, this can trigger a failover event.

    Incorrect: .data.microsoft.com

    Correct: data.microsoft.com

  • Do not add the domain of the FortiNAC FQDN itself. This may cause asymmetric routing and prevent the agent from establishing a TCP connection.

    Example:

    FQDN: myFortiNAC.mydomain.com

    Do not add mydomain.com to the Allowed Domains List.

  • FortiNAC appliances deployed on Azure: Additional domains are required for isolated clients to properly resolve. See Azure Deployments for additional domains.
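The following is an added illustration, not FortiNAC code, of the resolver behaviour described under How it Works together with the two entry checks listed under Requirements. The eth1 address, the FQDN, the allowed-domain entries and the production DNS answers are constructed sample values. Two details are assumptions rather than documented behaviour: that an allowed entry also matches its subdomains, and that a name the production DNS cannot resolve is passed back as unresolved rather than answered with the eth1 address.

```python
"""Model of FortiNAC-style split DNS for an isolation VLAN (added example)."""

# Constructed sample values; a real deployment's addresses and names differ.
FORTINAC_ETH1_IP = "10.10.10.1"            # handed to isolated hosts as their DNS server
FORTINAC_FQDN = "myFortiNAC.mydomain.com"  # the appliance's own name (from the page's example)

# Constructed stand-in for the customer's production DNS server.
PRODUCTION_DNS = {
    "data.microsoft.com": "1.2.3.4",
    "settings.data.microsoft.com": "1.2.3.5",
}


def validate_allowed_domain(domain, fortinac_fqdn=FORTINAC_FQDN):
    """Apply the Requirements checks to one candidate entry.

    Returns (accepted, reason).
    """
    entry = domain.strip().lower()
    if not entry:
        return False, "empty entry"
    # Requirement: no leading "." (breaks named-chroot; HA failover risk).
    if entry.startswith("."):
        return False, "leading '.' is rejected (would break named-chroot)"
    # Requirement: never allow the domain the FortiNAC FQDN belongs to.
    fqdn = fortinac_fqdn.lower()
    if entry == fqdn or fqdn.endswith("." + entry):
        return False, "entry covers the FortiNAC FQDN (asymmetric routing risk)"
    return True, "ok"


def load_allowed_list(candidates, fortinac_fqdn=FORTINAC_FQDN):
    """Split a proposed list into accepted entries and rejected (entry, reason) pairs."""
    accepted, rejected = [], []
    for candidate in candidates:
        ok, reason = validate_allowed_domain(candidate, fortinac_fqdn)
        if ok:
            accepted.append(candidate.strip().lower())
        else:
            rejected.append((candidate, reason))
    return accepted, rejected


def is_allowed(qname, allowed):
    """Assumption: an entry matches itself and any subdomain below it."""
    name = qname.rstrip(".").lower()
    return any(name == e or name.endswith("." + e) for e in allowed)


def resolve_for_isolated_host(qname, allowed, production_dns, eth1_ip=FORTINAC_ETH1_IP):
    """Steps 2-5 of How it Works for a single query from an isolated host.

    Returns (answer_ip, source) where source tells where the answer came from.
    """
    name = qname.rstrip(".").lower()
    if is_allowed(name, allowed):
        # Step 3-4: proxy the query to the production DNS server.
        answer = production_dns.get(name)
        if answer is None:
            return None, "production-unresolved"  # assumption: pass the failure through
        return answer, "production"
    # Not allowed: answer with the appliance's own eth1 address (captive portal).
    return eth1_ip, "eth1"


if __name__ == "__main__":
    proposed = ["data.microsoft.com", ".data.microsoft.com", "mydomain.com"]
    allowed, rejected = load_allowed_list(proposed)
    print("allowed:", allowed)
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}")
    for q in ["data.microsoft.com", "settings.data.microsoft.com", "www.example.com"]:
        print(q, "->", resolve_for_isolated_host(q, allowed, PRODUCTION_DNS))
```

Running the module shows the two Requirements entries being rejected with their reasons, a listed domain and its subdomain resolved through the production table, and an unlisted name answered with the eth1 address, which is the captive-portal redirect the page describes.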
