...

By enabling BloxOne Endpoint protected bypass mode for a BloxOne Endpoint group, you can define your own domain and response for an on-prem DNS service protected by DNS Firewall. When DNS forwarding proxies are deployed (in auto mode), a unique, hashed response that uses a probe token is used to detect whether an endpoint is in a protected environment. By design, because DNS is used, the probe domain is resolvable. If the endpoint is in a protected environment, it must adhere to the policies defined for the location. When configuring BloxOne Endpoint groups for use with the endpoint probe using a probe token, take the following into consideration:

  • Bypass Mode: You must enable bypass mode at the group level so that the bypass configuration can be used. The bypass mode setting is inherited whenever a new endpoint group is created. The user can change the setting at the group level. The group-level setting overrides the setting established for the default endpoint group. The bypass code must be provisioned on the Cloud Services Platform.
  • FQDN: A fully qualified domain name or FQDN must be selected at the time of configuration. The FQDN can either be the default probe domain (i.e. probe.infoblox.com), or customized based on your requirements. If you choose to use a customized probe domain, ensure that it can be resolved with the defined TXT record.
  • TXT Record: A TXT record to be prepended to the FQDN must either be created when generating a probe token or be randomly generated by clicking Generate random TXT record during the configuration. You can also define a custom TXT record to accompany a custom probe domain to ensure that the domain can be resolved.

The probe token supports two modes: automatic and manual. In automatic mode, clicking Generate random TXT record generates a new random label to be prepended to the default domain. In manual mode, you define and supply a custom domain and TXT record for the probe token. A custom-created TXT record can be up to 256 characters in length. Customers can also choose to disable probing requests entirely by disabling protected bypass mode for an endpoint group.

...

  1. From the Cloud Services Portal, click Manage -> Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button. Note that at least one BloxOne Endpoint must be added to the configuration before you configure and enable protected bypass mode.

  3. In the Bypass Mode section of the Create Endpoint Group page, complete the following:

    1. State: Enable protected bypass mode from its default disabled state by switching the toggle from Disabled to Enable.
    2. FQDN: The default probe domain is probe.infoblox.com. You can choose to accept the default or create your own FQDN based on your requirements. If you choose to use a custom probe domain, ensure that it can be resolved with a custom TXT record.
    3. TXT Record: You can choose to accept the default TXT record, generate a random TXT record by clicking Generate random TXT Record, or apply a custom TXT record. To avoid conflict between two TXT records, Infoblox recommends that you define a custom probe domain and a custom TXT record instead of using the provided defaults. Ensure that the custom probe domain can be resolved based on the information in the custom TXT record.

  4. Click Save & Close to create the endpoint group or click Cancel to return to the BloxOne Endpoint Group page without enabling protected bypass mode and probing.
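
One way to confirm the requirement in step 3 that the custom probe domain resolves with the custom TXT record, as an added example that is not Infoblox code: it assumes the record can be checked with an ordinary TXT lookup through `dig`, and the record value and sample outputs are constructed placeholders. It reports a missing record, a wrong value, or other TXT records sharing the same name.

```python
import shlex
import shutil
import subprocess

def parse_dig_txt(dig_output):
    """Turn `dig +short TXT` output into a list of TXT values, one per record.

    dig prints one record per line. A value longer than 255 bytes is shown as
    several quoted strings on that line; they are joined back together here.
    Lines that are not quoted strings (for example a CNAME target) are skipped.
    """
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith('"'):
            values.append("".join(shlex.split(line)))
    return values

def check_probe(expected_txt, dig_output):
    """Return (status, values); status is ok, missing, mismatch or conflict."""
    values = parse_dig_txt(dig_output)
    if not values:
        return "missing", values      # name does not resolve to any TXT record
    if expected_txt not in values:
        return "mismatch", values     # TXT exists but is not the configured value
    if len(values) > 1:
        return "conflict", values     # other TXT records share the probe name
    return "ok", values

def query_txt(name, resolver):
    """Ask one resolver for the TXT records of name (needs dig on PATH)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    result = subprocess.run(["dig", "+short", "TXT", name, "@" + resolver],
                            capture_output=True, text=True, timeout=10, check=True)
    return result.stdout

# Constructed sample outputs, not captured from a real deployment.
EXPECTED = "constructed-probe-value"
SAMPLE_OK = '"constructed-probe-value"\n'
SAMPLE_CONFLICT = '"constructed-probe-value"\n"v=spf1 -all"\n'
SAMPLE_SPLIT = '"' + "a" * 255 + '" "b"\n'   # 256-character value, two strings

if __name__ == "__main__":
    for label, sample, want in (("ok", SAMPLE_OK, EXPECTED),
                                ("conflict", SAMPLE_CONFLICT, EXPECTED),
                                ("split", SAMPLE_SPLIT, "a" * 255 + "b")):
        print(label, check_probe(want, sample)[0])
```

To check a live configuration, pass the output of `query_txt(name, resolver)` to `check_probe` with the name and value you entered for the endpoint group.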

Disabling Probing Requests

...