Overview
This document provides a list of domains that may need to be added to ensure appropriate IP resolution from restricted VLANs (“isolation” VLANs).
Note: Domains for the Allowed Domains List are added to new images of FortiNAC. Depending upon the image’s Engine Version when the appliance was built, any/all of the domains may already be listed.
What it Does
Provides appropriate IP resolution to restricted devices so they can complete actions such as updating AV/AS programs and performing SSL certificate validation. This list should be updated as necessary.
How it Works
When a device is connected to an “isolation” VLAN (e.g., Isolation, Registration, Quarantine, DeadEnd), the FortiNAC Server/Application Server acts as the DNS server. Upon receipt of a DNS request from the isolated host, FortiNAC returns the IP address of the eth1 interface unless the domain is listed in the Allowed Domains page. If a request for a domain listed in the Allowed Domains page is received, FortiNAC sends a request to the customer's DNS server for resolution.
- Device connects to the isolation VLAN and FortiNAC provides DHCP addressing, with the FortiNAC eth1 IP address as the DNS server.
- Device sends a DNS query for domainA.com to the eth1 IP address.
- domainA.com is in the Allowed Domains list, so FortiNAC proxies the query to the production DNS server.
- Production DNS answers FortiNAC with IP address 1.2.3.4.
- FortiNAC answers the device with IP address 1.2.3.4.
For instructions on adding domains, see section Allowed domains of the appropriate Administration Guide:
Version 8.x Administration Guide
Version 9.x Administration Guide
Requirements
- Router/firewall policies must handle traffic for devices in the “isolation” VLAN. FortiNAC does not act as a router.
- Do not put a “.” at the start of a domain. A leading dot causes the named-chroot service to fail; in a High Availability environment this can trigger a failover.
  Incorrect: .data.microsoft.com
  Correct: data.microsoft.com
- Do not add the FortiNAC FQDN, or a domain that the FortiNAC FQDN falls under, to the Allowed Domains List. This can cause asymmetric routing and prevent the agent from establishing a TCP connection.
  Example:
  FQDN: myFortiNAC.mydomain.com
  Do not add mydomain.com to the Allowed Domains List
- FortiNAC appliances deployed on Azure: additional domains are required for isolated clients to resolve properly. See Azure Deployments for the additional domains.
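The following is an added example, not FortiNAC code, that models the behaviour described under How it Works and checks candidate entries against the two Requirements above (no leading “.”, and nothing that covers the FortiNAC FQDN). It assumes a constructed eth1 address and a small dictionary standing in for the production DNS server, and it assumes suffix matching (an entry of mydomain.com also covers host.mydomain.com), which is what the FQDN example implies. Running it offline shows which queries from an isolated host would be proxied and which would be answered with the eth1 address.

```python
"""Model of FortiNAC Allowed Domains resolution and entry validation.

Added example, not FortiNAC's own code. Sample addresses and answers are
constructed; a real appliance forwards allowed queries to the customer's
DNS server rather than looking them up in a dictionary.
"""
from __future__ import annotations

# Constructed values (assumptions, not from any real deployment).
ETH1_IP = "10.10.10.1"                    # FortiNAC isolation-side interface
FORTINAC_FQDN = "myFortiNAC.mydomain.com"
PRODUCTION_DNS = {                        # stands in for the production resolver
    "data.microsoft.com": "1.2.3.4",
    "ocsp.digicert.com": "5.6.7.8",
}


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS clients may append."""
    return name.strip().lower().rstrip(".")


def is_allowed(qname: str, allowed: list[str]) -> bool:
    """True when qname equals, or is a subdomain of, an Allowed Domains entry.

    Assumption: suffix matching on label boundaries, consistent with the
    page's warning that adding mydomain.com would cover myFortiNAC.mydomain.com.
    """
    q = normalise(qname)
    for entry in allowed:
        e = normalise(entry)
        if e and (q == e or q.endswith("." + e)):
            return True
    return False


def resolve_from_isolation(qname: str, allowed: list[str],
                           upstream: dict[str, str] = PRODUCTION_DNS) -> str | None:
    """Answer an isolated host's query the way the page describes.

    Not allowed  -> the eth1 address (the host lands on FortiNAC itself).
    Allowed      -> proxied to production DNS; None models no answer.
    """
    if not is_allowed(qname, allowed):
        return ETH1_IP
    return upstream.get(normalise(qname))


def validate_allowed_domain(entry: str, fortinac_fqdn: str) -> list[str]:
    """Return the Requirements an entry violates; an empty list means it is fine."""
    problems: list[str] = []
    raw = entry.strip()
    if raw.startswith("."):
        problems.append(
            f"{entry!r}: leading '.' breaks named-chroot; write {raw.lstrip('.')!r}")
    dom = normalise(raw)
    if not dom:
        problems.append(f"{entry!r}: empty entry")
        return problems
    fqdn = normalise(fortinac_fqdn)
    if fqdn == dom or fqdn.endswith("." + dom):
        problems.append(
            f"{entry!r}: covers the FortiNAC FQDN {fortinac_fqdn!r}; "
            "agent traffic may route asymmetrically")
    return problems


if __name__ == "__main__":
    allowed = ["data.microsoft.com", "digicert.com"]
    for q in ("data.microsoft.com", "ocsp.digicert.com", "www.example.com"):
        print(f"{q:22} -> {resolve_from_isolation(q, allowed)}")
    for candidate in (".data.microsoft.com", "mydomain.com", "data.microsoft.com"):
        print(candidate, validate_allowed_domain(candidate, FORTINAC_FQDN) or "OK")
```

Use validate_allowed_domain on every entry before adding it; the two rules it enforces are exactly the ones whose violation can take down named-chroot or break the agent's TCP connection.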