Access Enterprise DNS applications with Service Discovery

Learn to use EAA Client for accessing enterprise DNS applications with Service Discovery.

The Domain Name System (DNS) translates a domain name, such as the host name in a web URL, into the IP address of the server that provides the service. That translation uses the A record (address record). DNS also provides SRV (service) and PTR (pointer) records. SRV records let a client discover which enterprise server offers a given service; PTR records support reverse lookup, translating an IP address back into a domain or host name. Enterprise applications such as Microsoft Outlook issue SRV and PTR queries to find the correct server for services like mail and calendar.

For these applications to work through EAA, EAA Client must intercept the PTR and SRV queries and forward them to the enterprise DNS server, which answers with the server responsible for the requested service. When EAA Client intercepts these queries, it resolves them through the DNS applications configured in the EAA Management Portal.

To enable this, complete these three steps:

STEP 1: Create a DNS application. Create a DNS application for the search domain and enable its Service Discovery option so that it handles PTR and SRV records.

STEP 2: Enable the Enable Service Discovery DNS request setting on the identity provider. This allows the identity provider to send DNS requests for discovering the services offered by enterprise servers; the IdP in turn instructs EAA Client to handle SRV and PTR records.

STEP 3: Create and configure a wildcard tunnel-type client-access application whose destinations are the wildcard domains that EAA Client should intercept.

For example, to have EAA Client handle SRV and PTR records for an enterprise DNS zone under microsoft.com, enter microsoft.com as the search domain in the DNS application, enable Service Discovery DNS requests on the IdP, and create a wildcard tunnel-type client-access application with *.microsoft.com as the internal host.

Limitations:

  1. The EAA administrator cannot customize the Enterprise DNS application URL.
  2. You cannot attach an IdP to an Enterprise DNS application, so you cannot assign different DNS servers for the same search domain to users in a particular region served by a given identity provider. Users far from the configured DNS servers may therefore see higher latency.

STEP 1: Create a DNS application

This procedure creates a DNS application that forwards SRV and PTR queries for the search domain to the enterprise DNS server. You can specify two DNS servers for high availability.

  1. Log into the Enterprise Application Access Management Portal.
  2. From the top menu bar, click System > DNS.
  3. Click Add DNS.
  4. Provide this data for the DNS application.
    1. Name. A name for the DNS application.
    2. Description. A description for the DNS application.
  5. Click Create and configure.
  6. Provide this data for the DNS information:
    1. Search Domain/s. The domain name you want EAA Client to intercept.
    2. (Optional) Click Add Domain. Enter any additional search domains you want EAA Client to intercept.
    3. Service Discovery. Enable this option to allow EAA Client to resolve PTR records and SRV records.
    4. Application Discovery. Enable this option to allow EAA Client to resolve A records.
  7. For DNS server you can select one of these:
    1. Use connector's DNS server. Uses the DNS server configured on the connector.
    2. Custom DNS server. Provide this data:
      Primary DNS. The IP address and port number of the primary DNS server.
      Secondary DNS. The IP address and port number of the secondary DNS server.

  8. Provide this data for the Connector:
    1. Akamai Cloud Zone. Select the cloud zone closest to the connector.
    2. Associated connectors. Click Add or remove connector. Select the connector that has connectivity to the DNS server chosen in step 7.
    3. Click Done.
    4. Click Save changes.

STEP 2: Enable the identity provider to use the DNS application

This setting allows EAA Client to use the DNS application to forward service discovery DNS requests (SRV and PTR queries) to the enterprise DNS server.

  1. Log in to the Enterprise Application Access Management Portal.
  2. From the top menu bar click Identity > Identity Providers.
  3. Click the settings (gear) icon on the card of the IdP for which you have enabled EAA Client settings.
  4. Click Advanced Settings.
  5. Select Enable Service Discovery DNS request.
  6. Click Save and go to Deployment. Then deploy the identity provider.

STEP 3: Create and configure a wildcard tunnel-type client-access application

Create and configure a wildcard tunnel-type client-access application with a wildcard domain as the Destination. For this example, to create an application that covers all hosts under microsoft.com, in the Application Identity section set Destination 1 as follows: select all for both TCP and UDP traffic, enter *.microsoft.com as the domain name, and enter 1-65535 to include all ports. This destination is deliberately broad; if you know which ports the discovered services use, you can restrict the port range accordingly. Complete the remaining configuration for a tunnel-type client-access application, then deploy the application.
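Once the three steps are deployed, the only way to know that EAA Client is actually intercepting SRV and PTR queries for the search domain is to issue such queries from an enrolled workstation and look at the answers. The script below is an added verification example, not part of the Akamai EAA documentation or product. It assumes dig is installed, that the workstation has EAA Client running with the user signed in through the IdP from step 2, and it uses hypothetical defaults (search domain microsoft.com, internal address 10.0.0.25, and the _autodiscover._tcp, _ldap._tcp and _kerberos._udp service labels) that you should replace with your own. The helper functions build the SRV owner name from a service label and domain, and the in-addr.arpa name for a reverse lookup (rejecting anything that is not a valid IPv4 dotted quad), so the queries sent are exactly the ones the enterprise application would send.

```shell
#!/bin/sh
# Added verification script for EAA Client service discovery; this is not part
# of the Akamai EAA documentation or product. Run it on a workstation where EAA
# Client is installed and the user has signed in through the configured IdP.
# Assumed values (hypothetical; override them through the environment):
#   SEARCH_DOMAIN  the search domain entered in the DNS application (step 1)
#   INTERNAL_IP    an IPv4 address of an internal host for which the enterprise
#                  DNS server holds a PTR record
#   SERVICES       the _service._proto labels the enterprise application queries
SEARCH_DOMAIN="${SEARCH_DOMAIN:-microsoft.com}"
INTERNAL_IP="${INTERNAL_IP:-10.0.0.25}"
SERVICES="${SERVICES:-_autodiscover._tcp _ldap._tcp _kerberos._udp}"

# srv_name SERVICE_PROTO DOMAIN -> owner name of the SRV record,
# e.g. _ldap._tcp and example.com -> _ldap._tcp.example.com
srv_name() {
    printf '%s.%s\n' "$1" "$2"
}

# ptr_name IPV4 -> the in-addr.arpa name a reverse (PTR) lookup asks for,
# e.g. 10.0.0.25 -> 25.0.0.10.in-addr.arpa. Returns 1 when the input is not a
# valid dotted quad, so a typo cannot silently turn into a meaningless query.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 {
            print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"; ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# count_answers TYPE NAME -> number of TYPE records in the answer section
# returned through the workstation's normal resolver path (the path EAA Client
# intercepts). Prints 0 when dig is missing, fails, or returns no answer.
count_answers() {
    dig +noall +answer "$2" "$1" 2>/dev/null |
        awk -v t="$1" '$4 == t { n++ } END { print n + 0 }'
}

# run_checks DOMAIN IPV4 -> 0 only if every SRV query and the PTR query got
# at least one record back; 1 if any query came back empty; 2 if dig is absent
run_checks() {
    domain=$1; ip=$2; fail=0
    command -v dig >/dev/null 2>&1 || {
        echo "dig not found; install dnsutils or bind-utils" >&2; return 2; }
    for svc in $SERVICES; do
        name=$(srv_name "$svc" "$domain")
        n=$(count_answers SRV "$name")
        if [ "$n" -gt 0 ]; then
            echo "OK   SRV $name ($n record(s))"
        else
            echo "FAIL SRV $name (no answer: check the search domain, the"
            echo "     Service Discovery toggle, the IdP setting and the connector)"
            fail=1
        fi
    done
    if ! name=$(ptr_name "$ip"); then
        echo "FAIL PTR $ip is not a valid IPv4 address"; return 1
    fi
    n=$(count_answers PTR "$name")
    if [ "$n" -gt 0 ]; then
        echo "OK   PTR $name ($n record(s))"
    else
        echo "FAIL PTR $name (no answer: same checks as for SRV above)"
        fail=1
    fi
    return $fail
}

# Usage: sh eaa-dns-check.sh microsoft.com 10.0.0.25
# With fewer than two arguments only the functions are defined, so the file
# can also be sourced from another script.
if [ $# -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it as `sh eaa-dns-check.sh <search-domain> <internal-ipv4>`; a non-zero exit status means at least one query returned no records. Running the same script on a workstation without EAA Client, or after signing out of the IdP, should produce FAIL lines for the internal names, which confirms that the answers really come through the DNS application rather than from a public resolver.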