GSS Deployment Suggestions

Plinio Brandao
Level 1

Hi community,

I'm deploying a GSS and I have some questions:

In my network, I have two DNS Servers, one for inside and one for outside. I have just a major domain and I don't want to delegate all functions to GSS:

1- What should I do in my outside DNS Servers?

2- What should I do in my inside DNS Servers?

3- Should I create entries in both DNS Servers for the GSS?

4- I intend to put the GSS in the DMZ. Is it a good idea?

Can you help me with some others suggestions?

Thank you in advance.

3 Replies

sesoerensen
Level 1

Hi Plinio,

I would create a new zone on both name servers (e.g. gss.domain.tld) and delegate that one to the GSS boxes.

Then create the answers you need on the GSSs and use CNAMEs where applicable, such as for 'www' within the "domain.tld" zone.

The GSSs are only good for A/AAAA records, unless they can look up resource record information on other name servers or use Cisco CNR for resource records such as MX, TXT etc.

I haven't seen any problems having the GSSs in a DMZ, as long as you disable all the helpful services such as the FTP server etc.

I would, however, add another "outside name server" to your infrastructure, as having two GSSs won't help if the name server which delegates is down and the NS records for "gss.domain.tld" do not have a reasonable TTL.

Cheers,

Søren Elleby Sørensen

Hi Soren,

Thank you for your feedback.

Another question: suppose that I have this host: serviceA.domain.local. In my internal DNS server, should I create a Name Server (NS) or a Host (A) record pointing to the GSS, and at the GSS create an answer with serviceA pointing to my VIP? Am I right?

Sorry if this is a stupid question, I don't have good knowledge of DNS configuration.

Regards again.

Plínio

Hi Plinio,

If you want to "delegate" control to the GSSs for an entire domain, or simply for a single "host", you will need to use NS (Name Server) resource records on your DNS servers.

On the GSS, you need to create answer vips, which are IPv4 or IPv6 addresses.

You tie those into answer groups, which are tied to DNS rules.

Instead, I would suggest creating an entire zone which is only used for GSS purposes, and using a CNAME to reference the specific host.

That way you do not end up with a potentially high number of NS records within the domain.local zone, and you only have to add 1 NS record for all GSS delegation.

The internal name servers delegate gss.domain.local. to the GSSs.

On the GSSs you create all the answer vips, groups and rules you need.

E.g.: ServiceA.gss.domain.local belongs to the GSSs.

On the domain.local name server, you use CNAMEs to reference the gss.domain.local names:

servicea.domain.local -> CNAME -> servicea.gss.domain.local

If you are doing CNAMEs within a Kerberos environment, you might need additional SPN names.

If not, forget the line above this one.

I hope that answers your question.

Cheers,

Søren Elleby Sørensen
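Added example, not part of the thread and not Cisco GSS code: a small Python checker that encodes the layout Søren describes in both replies (a dedicated sub-zone such as gss.domain.local delegated to the GSS boxes with NS records, CNAMEs in the parent zone pointing into it, and NS records with a reasonable TTL and more than one name server so a single outage does not take the delegation down). The zone text, host names, addresses and the TTL window are constructed for illustration and are assumptions, not values from the thread.

```python
"""Sanity-check a parent zone's delegation of a GSS sub-zone.

The records below are a constructed sample of what the internal
domain.local zone might look like; nothing here is from a real deployment.
"""
import re
from collections import defaultdict

# Constructed sample zone (simplified master-file lines: owner TTL IN type rdata).
ZONE_TEXT = """
domain.local.             3600 IN NS    ns1.domain.local.
domain.local.             3600 IN NS    ns2.domain.local.
ns1.domain.local.         3600 IN A     10.0.0.53
ns2.domain.local.         3600 IN A     10.0.0.54
gss.domain.local.          300 IN NS    gss1.domain.local.
gss.domain.local.          300 IN NS    gss2.domain.local.
gss1.domain.local.        3600 IN A     10.0.1.10
gss2.domain.local.        3600 IN A     10.0.1.11
servicea.domain.local.    3600 IN CNAME servicea.gss.domain.local.
serviceb.domain.local.    3600 IN CNAME serviceb.gss.domain.local.
"""

# Constructed counter-example: one NS with a very long TTL, no glue for the
# GSS host, and a CNAME sharing its owner name with an A record.
BROKEN_ZONE_TEXT = """
domain.local.             3600 IN NS    ns1.domain.local.
ns1.domain.local.         3600 IN A     10.0.0.53
gss.domain.local.        86400 IN NS    gss1.domain.local.
servicea.domain.local.    3600 IN CNAME servicea.gss.domain.local.
servicea.domain.local.    3600 IN A     10.0.2.5
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_zone(text):
    """Parse the simplified master-file text into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append({"owner": owner.lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata.lower()})
    return records


def check_delegation(records, parent, sub, min_ns=2, min_ns_ttl=60, max_ns_ttl=3600):
    """Return a list of findings for the delegation of `sub` inside `parent`.

    An empty list means: at least `min_ns` NS records for the sub-zone, each
    NS TTL inside [min_ns_ttl, max_ns_ttl], an A/AAAA record in the zone for
    every NS target that lives under the parent, and every CNAME owner
    carrying no other record type (a CNAME must be alone at its name).
    """
    findings = []
    by_owner = defaultdict(list)
    for r in records:
        by_owner[r["owner"]].append(r)

    ns_records = [r for r in by_owner.get(sub, []) if r["type"] == "NS"]
    if len(ns_records) < min_ns:
        findings.append(f"{sub}: only {len(ns_records)} NS record(s), want at least {min_ns}")

    for ns in ns_records:
        if not min_ns_ttl <= ns["ttl"] <= max_ns_ttl:
            findings.append(f"{sub}: NS {ns['rdata']} TTL {ns['ttl']} outside {min_ns_ttl}-{max_ns_ttl}")
        target = ns["rdata"]
        if target.endswith("." + parent):
            glue = [g for g in by_owner.get(target, []) if g["type"] in ("A", "AAAA")]
            if not glue:
                findings.append(f"{sub}: NS {target} has no A/AAAA record in the zone")

    for owner, rrs in by_owner.items():
        cnames = [r for r in rrs if r["type"] == "CNAME"]
        if not cnames:
            continue
        if len(rrs) > 1:
            findings.append(f"{owner}: CNAME must be the only record at this name")
        if cnames[0]["rdata"].endswith("." + sub) and not ns_records:
            findings.append(f"{owner}: CNAME points into {sub} but that name is not delegated")
    return findings


if __name__ == "__main__":
    for label, text in (("good", ZONE_TEXT), ("broken", BROKEN_ZONE_TEXT)):
        result = check_delegation(parse_zone(text), "domain.local.", "gss.domain.local.")
        print(label, "->", result or "no findings")
```

Run it against an export of your own parent zone (one record per line in the simplified form above) before cutting the CNAMEs over; the "only N NS record(s)" and TTL findings are the concrete form of the single-point-of-failure caveat in the first reply.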
