3 Replies Latest reply on Feb 27, 2012 6:46 PM by Jon Scholten

    DNS - In AD Integration - Point to AD DNS or Google?

      Just a quick one - on a setup where the MWG is joined to an AD Domain and using integrated authentication - would you need to point the DNS settings of the MWG to the DNS in AD (eg our Domain Controller) for integrated authentication to work - or can you point the DNS settings to your ISP DNS or Google DNS (eg 8.8.4.4).

       

      Reason - we are seeing some issues on our internal DNS and I wanted to point the MWG box away from our internal DNS to say google whilst we troubleshoot. Would this have an impact on single sign on for domain machines for example?

       

      Craig

        • 1. Re: DNS - In AD Integration - Point to AD DNS or Google?
          michael_schneider

          Hello Craig,

           

          In order for integrated authentication to work properly, AD DNS is required. MWG checks persistently for availability of DCs and uses this information to failover in case one DC isn't reachable.

           

          Michael

          • 2. Re: DNS - In AD Integration - Point to AD DNS or Google?

            So does this mean that all the DNS lookups for all your proxy requests are sent first to your DC DNS rather than having MWG using your ISP or Google DNS directly?

             

            Reason I am asking is that we were seeing some slow DNS response times on the MWG (in the vicinity of 7,500 ms using Performance Summary) - when MWG was pointing to our AD DNS which was using root hints (Win2k8R2).

            We then pointed AD DNS to Google as forwarders rather than using Root Hints and since last night we have seen a much better DNS response time this morning - but we have still seen 1 spike of about 10,000ms.

             

            So what we have now is MWG DNS pointing to AD DNS which is using Google as the forwarder. Will monitor today and see what we find.

            Cheers

            Craig

            • 3. Re: DNS - In AD Integration - Point to AD DNS or Google?
              Jon Scholten

              Hi Craig,

              So does this mean that all the DNS lookups for all your proxy requests are sent first to your DC DNS rather than having MWG using your ISP or Google DNS directly?

              The Web Gateway will operate in somewhat of a failover fashion with the DNS servers. As it stands the MWG does not know which one is your DC, and which one is your ISP if you specify both.

               

              Pointing to internal DNS is the recommended method because the MWG will need to resolve internal addresses (like your DC's for NTLM purposes). The MWG would not be able to resolve your DC fqdn if you point only to external DNS (unless you add /etc/hosts file entries).

               

              ~Jon

              1 of 1 people found this helpful
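
The two points in the last reply (a mixed resolver list is used in failover fashion, and external-only DNS cannot resolve the DC FQDN unless it is in /etc/hosts) can be checked before changing the DNS settings. The following is an added example, not part of the thread and not McAfee code. It assumes resolv.conf-style and hosts-style text as input, treats private-range resolver addresses as "internal" (a heuristic), and uses constructed sample names and addresses.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread).
DCS = ["dc1.corp.example", "dc2.corp.example"]
INTERNAL_ONLY = "nameserver 10.0.0.10\nnameserver 10.0.0.11\n"
EXTERNAL_ONLY = "nameserver 8.8.4.4  # public resolver\n"
MIXED = "nameserver 10.0.0.10\nnameserver 8.8.4.4\n"
HOSTS = "127.0.0.1 localhost\n10.0.0.10 dc1.corp.example dc1\n"

def _fields(line):
    """Split a config line into fields, dropping any trailing comment."""
    return line.split("#", 1)[0].split()

def nameservers(resolv_text):
    """Resolver IPs from resolv.conf-style text, in listed order."""
    return [ipaddress.ip_address(f[1]) for f in map(_fields, resolv_text.splitlines())
            if len(f) >= 2 and f[0] == "nameserver"]

def pinned_names(hosts_text):
    """Lower-cased names that have a static entry in hosts-style text."""
    names = set()
    for f in map(_fields, hosts_text.splitlines()):
        names.update(n.lower().rstrip(".") for n in f[1:])
    return names

def audit(resolv_text, hosts_text, dc_fqdns):
    """Return findings for a proxy that must resolve DC names for NTLM."""
    servers = nameservers(resolv_text)
    internal = [s for s in servers if s.is_private]   # heuristic: RFC 1918 etc.
    external = [s for s in servers if not s.is_private]
    pinned = pinned_names(hosts_text)
    unpinned = sorted(d for d in dc_fqdns if d.lower().rstrip(".") not in pinned)
    findings = []
    if not servers:
        findings.append("no-resolver")
    if internal and external:
        # Failover between the two: internal names fail whenever the
        # external resolver happens to be the one answering.
        findings.append("mixed-resolvers")
    if external and not internal and unpinned:
        # External DNS only: DC names resolve only if pinned in hosts.
        findings.append("dc-unresolvable:" + ",".join(unpinned))
    return findings

if __name__ == "__main__":
    for label, conf in [("internal", INTERNAL_ONLY), ("external", EXTERNAL_ONLY),
                        ("mixed", MIXED)]:
        print(label, audit(conf, HOSTS, DCS))
```

A hosts entry only covers the exact names listed, so every DC the gateway may fail over to needs its own entry.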