Here are some general instructions on how to get BSI Campus Manager
Remediation Center to work with Microsoft Windows Update and other domains.
We will be putting together a more formal document, so if anyone has
questions, comments or a better more functional solution, please let
everyone know about it.
Mike
*********************************************************************
Objective:
* Allow network clients that are in the Quarantine VLAN access to
sites that have patches or instructions to fix themselves
(i.e. Windows Update, Symantec, ...).
Disclaimer:
* BSI does not recommend or support this configuration as a general
solution. However under some situations this configuration is
desirable.
* BSI does not maintain the list of domains for Windows Update or
any other configuration. This list needs to be modified based on your
requirements and needs.
Network Requirements:
1. Quarantine VLAN must be routed to allow traffic to the designated
sites.
2. Access to a Real DNS Server that can resolve the Required Names.
3. An additional Forwarding DNS Server on the Quarantine VLAN
(preferably Linux, customer provided).
CMRC DHCP Configuration Changes:
1. Comment out the 'domain-name' passed to clients for the scope(s)
serving the Quarantine VLAN in /etc/dhcpd.conf.
2. Change the 'domain-name-servers' entry in /etc/dhcpd.conf to the
IP address of the new Forwarding DNS Server on the Quarantine VLAN.
Forwarding DNS Server Configuration:
* Example configuration files for Linux are provided.
---------------------------------------------------------------------------------------
/etc/named.conf
options {
directory "/var/named";
};
#######################################################################
#
# Change REAL_DNS to the IP address of a 'real' DNS server that resolves
# all of the domains listed below.
#
# The list of domains that are forwarded may need to be edited in order
# to meet the needs of your network. Note that forwarding a zone forwards
# every name beneath it (e.g. every host under akamai.net).
#
#######################################################################
zone "microsoft.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "akadns.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "akadns.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "akamai.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "akamai.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "download.windowsupdate.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "faculty.fairfield.edu" {
type forward;
forwarders { REAL_DNS; };
};
zone "msft.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "msft.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "nsatc.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "nsatc.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "ntservicepack.microsoft.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "symantec.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "windows.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "windows.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "windowsupdate.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "windowsupdate.microsoft.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "windowsupdate.net" {
type forward;
forwarders { REAL_DNS; };
};
zone "wustat.windows.com" {
type forward;
forwarders { REAL_DNS; };
};
zone "." {
type hint;
file "/var/named/fake_root";
};
---------------------------------------------------------------------------------------
/var/named/fake_root
;######################################################################
;
; Change CMRC_DNS to the IP address of the CMRC on the Quarantine VLAN.
; (Zone files use ';' for comments, not '#'.)
;
; Every name that is not in one of the forwarded zones above falls
; through to this fake root, so the CMRC answers it.
;
;######################################################################
$TTL 3600
.     IN NS cmrc.
cmrc  IN A  CMRC_DNS
---------------------------------------------------------------------------------------
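To sanity-check a forwarding list like the one above before putting it in front of quarantined clients, here is an added Python example (not part of the original post or of BSI's product) that parses the 'type forward' zones out of a named.conf text and applies BIND's longest-suffix rule to sample query names, showing which names are forwarded to REAL_DNS (anything beneath a forwarded zone, e.g. every host under akamai.net) and which fall through to the fake root and the CMRC. The named.conf excerpt embedded in it is a constructed three-zone subset of the file above.

```python
import re

# Constructed excerpt in the shape of the /etc/named.conf above (three of its
# forward zones plus the fake root); REAL_DNS is the same placeholder the post uses.
NAMED_CONF = """
options { directory "/var/named"; };
# forward only the patch-site domains to a real resolver
zone "microsoft.com" { type forward; forwarders { REAL_DNS; }; };
zone "windowsupdate.com" { type forward; forwarders { REAL_DNS; }; };
zone "akamai.net" { type forward; forwarders { REAL_DNS; }; };
zone "." { type hint; file "/var/named/fake_root"; };
"""

# zone "<name>" { ... } with one level of nested braces (the forwarders list)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)


def forward_zones(conf):
    """Map each 'type forward' zone in a named.conf text to its forwarders list."""
    conf = re.sub(r'(^|\s)(#|//).*$', '', conf, flags=re.M)  # drop # and // comments
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        if re.search(r'\btype\s+forward\s*;', body):
            fwd = re.search(r'forwarders\s*\{([^}]*)\}', body)
            ips = [s.strip() for s in fwd.group(1).split(';') if s.strip()] if fwd else []
            zones[name.lower().rstrip('.')] = ips
    return zones


def classify(qname, zones):
    """Return the forward zone a query name falls under (longest-suffix match,
    the rule named applies), or None when it falls through to the fake root
    and is therefore answered by the CMRC."""
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        suffix = '.'.join(labels[i:])
        if suffix in zones:
            return suffix
    return None


def audit(qnames, zones):
    """Classify a list of names; shows which ones leave the quarantine VLAN."""
    return {q: classify(q, zones) for q in qnames}


if __name__ == "__main__":
    zones = forward_zones(NAMED_CONF)
    sample = ["download.windowsupdate.com", "www.example.com",
              "cdn.anything.akamai.net", "microsoft.com.other.example"]
    for q, z in audit(sample, zones).items():
        print(f"{q:32} -> {'forwarded via zone ' + z if z else 'fake root (CMRC)'}")
```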
Received on Fri Aug 06 2004 - 17:47:36 EDT
This archive was generated by hypermail 2.2.0 : Tue Jan 06 2009 - 19:00:04 EST