Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

enable to users only to go to googleplay/appstore.

  • 1.  enable to users only to go to googleplay/appstore.

    Posted Oct 03, 2012 06:33 AM

    Hi Guys

    I have an upcoming big deployment, and one of the major client demands is to enable users to go only to googleplay/appstore.

    Now here is the issue:

     

    Apple & Google keep changing addresses (IP addresses), so I can’t build a normal access role.

     

    Please advise, or give me a tip on how to overcome this limitation in the Aruba controller (I can see that I can add only IP HOST).

     

    Thanks

     

    Me.



  • 2.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 06:39 AM

    If this is controller-based, you need to be running the latest ArubaOS 6.1.3.x and turn on DNS name resolution:

     

    config t

    ip name-server 8.8.8.8

    ip domain-name company.com

    ip domain lookup

    netdestination android-market

      name android.clients.google.com

      name *.ggpht.com

      name *.apple.com

     

    When you create your firewall policy, you can permit traffic to the alias android-market.

     

     



  • 3.  RE: enable to users only to go to googleplay/appstore.

    Posted Oct 03, 2012 06:54 AM

    Thanks for the info - and that should work and allow only GooglePlay/Appstore (if I'm not allowing other port 80 services)



  • 4.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 06:57 AM

    @kdisc98 wrote:

    Thanks for the info - and that should work and allow only GooglePlay/Appstore (if I'm not allowing other port 80 services)


    The Apple store restricts only to the Apple domain.  Have not found a way to just allow it to the store.  The Android portion should work, however.

     



  • 5.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 10:09 AM

    I can't see that as an option,

     

    (Controller) (config) #ip d?
    default-gateway         Specify default gateway (if not routing IP)
    dhcp                    Configure DHCP Server
    domain                  IP DNS Resolver
    domain-name             Define the default domain name
    
    (Controller) (config) #ip dns-server 8.8.8.8
                                                  ^
    % Invalid input detected at '^' marker.
    
    (Controller) (config) #show version
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba620), Version 6.1.3.4

     



  • 6.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 10:37 AM

    Supposed to be ip name-server.  I changed the original.

     



  • 7.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 10:58 AM

    Perfect for allowing through that annoying OCSP behaviour as well.

     

    :smileyhappy:



  • 8.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 03:48 PM

    So when I enter both the

     

    ip name-server 8.8.8.8

    ip domain-lookup

     

    commands, it says I may need to reload the controller.  Is that really necessary?  I'd rather not have to schedule an outage with the customer.

     

    Is this a command that is pushed down from the Master or done on each local?

     

    When a lookup is done, is it cached, or done each time a user hits the ACL?

     

    Thanks



  • 9.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 03, 2012 04:17 PM

    @Michael_Clarke wrote:

    So when I enter both the

     

    ip name-server 8.8.8.8

    ip domain-lookup

     

    commands, it says I may need to reload the controller.  Is that really necessary?  I'd rather not have to schedule an outage with the customer.

     

    Is this a command that is pushed down from the Master or done on each local?

     

    When a lookup is done, is it cached, or done each time a user hits the ACL?

     

    Thanks


    No need to reload...usually.  Try it without doing that.

     

    Lookup is cached.  If you type "show firewall dns-names" it will tell you what is resolved.

     



  • 10.  RE: enable to users only to go to googleplay/appstore.

    Posted Oct 04, 2012 07:00 AM

    I'm using 6.1.3.4 and there is no "ip domain-lookup" command... I'm getting invalid input



  • 11.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 04, 2012 07:04 AM

    @kdisc98 wrote:

    I'm using 6.1.3.4 and there is no "ip domain-lookup" command... I'm getting invalid input


    It is just plain "ip domain lookup"



  • 12.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 04, 2012 07:05 AM

    No hyphen, just 'ip domain lookup'

     

     



  • 13.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 09, 2012 08:33 AM

    Yeah, seems to be ok without having to reload.

     

    Have just been testing and wondering about certain domains that have continuously changing addresses.  What causes the cache list to be updated?

     

    Let's say a user gets a response from the corporate DNS with an address not yet cached on the Aruba.  The user tries to go to that address.  When it hits the ACL, will the Aruba do a lookup to see if that address matches the netdestination or will it just move to the next rule because it is not yet cached?

     

    I'll do a little testing in the meantime.

     

    Thanks



  • 14.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Oct 09, 2012 08:35 AM

    There is a cache timeout that determines how stale entries are and updates them if they are stale.

     



  • 15.  RE: enable to users only to go to googleplay/appstore.

    Posted Apr 22, 2014 11:24 AM

    My question is ... how do I know the exact timeout of this cache?

    Is it possible to change this value?

     

    Thanks.



  • 16.  RE: enable to users only to go to googleplay/appstore.

    EMPLOYEE
    Posted Apr 22, 2014 11:42 AM
    (192.168.1.3) #show aaa dns-query-interval 
    
    DNS Query Interval = 15 minutes
    
    (192.168.1.3) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
    
    (192.168.1.3) (config) #aaa dns-query-interval ?
    <1-1440>                DNS query interval in minutes (default value is 15)
    
    (192.168.1.3) (config) #aaa dns-query-interval
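
An added example (not from any poster in the thread and not ArubaOS code): a simplified Python model of a name-based allowlist that re-resolves its names once per query interval, using the 15-minute default shown above, to show the window in which a rotated address is not yet matched. The class, the resolver and the 192.0.2.x addresses are constructed for illustration, and the refresh-on-interval behaviour is an assumption about how such a cache works.

```python
DEFAULT_INTERVAL_MIN = 15  # default DNS query interval quoted in the thread


class NameAllowlist:
    """Hypothetical model of a DNS-name alias: names are re-resolved once per
    interval and only the cached addresses are permitted (assumed behaviour)."""

    def __init__(self, names, resolve, interval_min=DEFAULT_INTERVAL_MIN):
        self.names = list(names)
        self.resolve = resolve        # callable(name, now_min) -> set of IPs
        self.interval = interval_min
        self.cache = set()
        self.last_refresh = None

    def _refresh_if_stale(self, now):
        if self.last_refresh is None or now - self.last_refresh >= self.interval:
            self.cache = set()
            for name in self.names:
                self.cache |= self.resolve(name, now)
            self.last_refresh = now

    def permits(self, dst_ip, now):
        """True if dst_ip is in the cached address set at minute `now`."""
        self._refresh_if_stale(now)
        return dst_ip in self.cache


def constructed_resolver(name, now):
    """Constructed DNS data: the record rotates to a new address at minute 5."""
    if name != "android.clients.google.com":
        return set()
    return {"192.0.2.10"} if now < 5 else {"192.0.2.20"}


def stale_window(interval_min=DEFAULT_INTERVAL_MIN, horizon_min=30):
    """Minutes at which a client using the freshly resolved address is NOT
    matched by the allowlist because the cache still holds the old address."""
    name = "android.clients.google.com"
    acl = NameAllowlist([name], constructed_resolver, interval_min)
    acl.permits("192.0.2.10", 0)      # prime the cache at minute 0
    denied = []
    for t in range(5, horizon_min + 1):
        fresh_ip = next(iter(constructed_resolver(name, t)))
        if not acl.permits(fresh_ip, t):
            denied.append(t)
    return denied


if __name__ == "__main__":
    print("15-minute interval, unmatched minutes:", stale_window())
    print("1-minute interval, unmatched minutes:", stale_window(1))
```

In this model the retired address 192.0.2.10 also stays permitted until the refresh at minute 15, so a shorter interval narrows both the false-deny and the stale-allow window.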