
SSL vpn intranet IP secure Dns update


piddon


Hi,

 

I have set up an internal IP address and my clients can communicate with my internal network.

 

DNS registration will work inside my AD zone if DNS updates is set to unsecured.

 

But will not work if it’s set to secured.

 

I would like to set this to register the client host names with secured dynamic updates set to on.

 

Is this possible?

 

Thanks

 

Paul 


Hello Paul,

Secure DNS updates are supported starting with 13.0-71.44. 

 

Citrix Gateway

Support for dynamic secure DNS update on Windows plug-in

VPN plug-in for Windows now supports Secure DNS update. This feature is disabled by default. To enable it, create HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD and set it to 1.

When you set the value to 1, the VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in tries the secure DNS update.

To try only the secure DNS update, you can set the value to 2.

 

Val 

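Added example, not code from the thread or from Citrix: a small PowerShell helper that creates the secureDNSUpdate REG_DWORD from the reply above, lets you pick mode 0, 1 or 2, and reads the value back so you can confirm what the plug-in will actually see. It must run elevated because it writes under HKLM. The thread does not say when the plug-in re-reads the value; reconnecting the VPN session after changing it is an assumption made here.

```powershell
# Added example, not code from the thread or from Citrix: set the
# secureDNSUpdate value described above and read it back.
# Run in an elevated PowerShell session (writes under HKLM).
# Assumption: the plug-in re-reads the value on the next VPN connection,
# so reconnect after changing it.

$KeyPath   = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
$ValueName = 'secureDNSUpdate'

# Meaning of each value, as stated in the reply above.
$Modes = @{
    0 = 'disabled (default): unsecure dynamic update only'
    1 = 'unsecure update first, secure update on failure'
    2 = 'secure update only'
}

function Get-CitrixSecureDnsUpdateMode {
    # A missing key or value means the feature is off; report that as 0.
    if (-not (Test-Path -Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-CitrixSecureDnsUpdateMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )
    if (-not (Test-Path -Path $KeyPath)) {
        # Fresh installs may not have the key yet; create it instead of failing.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set REG_DWORD to $Mode ($($Modes[$Mode]))")) {
        # -Force overwrites an existing value; DWord matches the documented REG_DWORD type.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    }
    # Return what is actually in the registry now, not what was requested.
    return Get-CitrixSecureDnsUpdateMode
}

$before = Get-CitrixSecureDnsUpdateMode
Write-Host ("Current mode: {0} ({1})" -f $before, $Modes[$before])

# -WhatIf shows the change without applying it.
Set-CitrixSecureDnsUpdateMode -Mode 2 -WhatIf

# Mode 2 = secure update only, which is what the original question asks for.
$after = Set-CitrixSecureDnsUpdateMode -Mode 2
Write-Host ("New mode:     {0} ({1})" -f $after, $Modes[$after])
```

Mode 1 is the safer first step when you are not yet sure the client can reach Kerberos through the tunnel, since it still falls back to the secure update when the unsecure one is refused; mode 2 is the one to use once the secure path is known to work, because it never sends an unsigned update at all.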

2 hours ago, Valeri Bonchev said:

Secure DNS updates are supported starting with 13.0-71.44.

Hi, 

 

Thanks for the swift reply. Unfortunately it did not work for me. Is there anything that needs to be set on the NetScaler? I'm surprised that secure updates of forward lookup zones are only now being added. Is there another way to update DNS? Can a DHCP server issue addresses for intranet IP?

 

Thanks, 

 

Paul 



Secure DNS dynamic updates worked in my environment sometimes. In the ADC client log (nsverctl) I see error 9017 on A, PTR or both records.

 

2021-04-29 07:50:54.570 | Tid: 09012 | DEBUG   | using DNS_UPDATE_SECURITY_ONLY. Forced secure DNS
2021-04-29 07:50:54.570 | Tid: 09012 | DEBUG   | Aquired context for DNS update
2021-04-29 07:50:54.570 | Tid: 08932 | DEBUG   | Waiting on nsload.exe object
2021-04-29 07:50:54.570 | Tid: 09012 | EVENT   | Registering DNS records of type A and PTR during login for IP 172.31.XX.XX
2021-04-29 07:50:55.076 | Tid: 09012 | ERROR   | updateDNSHelper | 381 | Failed to add type A record; Error 9017
2021-04-29 07:50:55.404 | Tid: 09012 | DEBUG   | Successfully sent PTR record

 

Newest ADC VPN Windows client and also newest ADC VPX version. DNS server is Windows 2016 with secure updates enabled and also DNSSEC enabled.

Kerberos ports are open. ADC with full tunneling, VIP, machine tunnel mode.

ADC trace shows successful DNS and Kerberos communication. ADC DNS resolver UDP and TCP active.

 


On 2/5/2021 at 11:49 PM, piddon said:

Can a DHCP server issue addresses for intranet IP?

Hi Paul, 

 

VIP (Intranet IP) with DHCP Relay Function is not supported on Netscaler ADC.

 

Kai


On 4/16/2021 at 10:09 AM, Daniel Särnström said:

Secure DNS dynamic updates rely completely on Kerberos. It is important to have an authorization policy that allows all Kerberos ports, even the UDP one, 88.

Hi,

 

Thanks for that. Do you know where I could find out more about this.

 

 Thanks 

 

Paul 

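Added example, not code from the thread or from Citrix, covering two posts above: the "Error 9017" lines in the client log, and Daniel's point that secure updates depend entirely on Kerberos. The script decodes the numeric error the plug-in logs (9017 is DNS_ERROR_RCODE_BADKEY in winerror.h, i.e. the DNS server rejected the GSS-TSIG key the client signed the update with), then checks the prerequisites a secure update needs from the client's side: TCP reachability of DNS (53) and Kerberos (88) on a domain controller, and whether an A record already exists for the host under a different address. The log text is constructed from the post with a made-up IP, and dc01.corp.example / corp.example are assumed names; Test-NetConnection can only probe TCP, so UDP 88 and 53 still have to be verified in the gateway's authorization policy.

```powershell
# Added example, not code from the thread or from Citrix: decode the
# "Error 9017" lines from the plug-in log above and check the Kerberos/DNS
# reachability that secure (GSS-TSIG) dynamic updates depend on.
# The log text is constructed from the post with a made-up IP;
# dc01.corp.example and corp.example are assumed names.

$SampleLog = @'
2021-04-29 07:50:54.570 | Tid: 09012 | DEBUG   | using DNS_UPDATE_SECURITY_ONLY. Forced secure DNS
2021-04-29 07:50:54.570 | Tid: 09012 | EVENT   | Registering DNS records of type A and PTR during login for IP 172.31.0.10
2021-04-29 07:50:55.076 | Tid: 09012 | ERROR   | updateDNSHelper | 381 | Failed to add type A record; Error 9017
2021-04-29 07:50:55.404 | Tid: 09012 | DEBUG   | Successfully sent PTR record
'@

# Win32 DNS_ERROR_RCODE_* codes from winerror.h; they mirror the RCODE the
# DNS server returned. 9017 is BADKEY: the server rejected the TSIG/GSS key
# the client signed the update with.
$DnsRcodeErrors = @{
    9001 = 'FORMAT_ERROR'; 9002 = 'SERVER_FAILURE'; 9003 = 'NAME_ERROR'
    9004 = 'NOT_IMPLEMENTED'; 9005 = 'REFUSED'; 9009 = 'NOTAUTH'
    9010 = 'NOTZONE'; 9016 = 'BADSIG'; 9017 = 'BADKEY'; 9018 = 'BADTIME'
}

function Get-DnsUpdateFailures {
    param([Parameter(Mandatory)][string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match 'Failed to add type (?<type>\w+) record; Error (?<code>\d+)') {
            $code = [int]$Matches['code']
            $name = if ($DnsRcodeErrors.ContainsKey($code)) { 'DNS_ERROR_RCODE_' + $DnsRcodeErrors[$code] } else { 'unknown' }
            [pscustomobject]@{
                Time   = $line.Substring(0, 23)   # timestamp prefix of the log line
                Record = $Matches['type']
                Code   = $code
                Name   = $name
            }
        }
    }
}

function Test-SecureUpdatePrereqs {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$HostFqdn,
        [Parameter(Mandatory)][string]$VpnIp
    )
    # A secure update needs DNS (53) for the update itself plus Kerberos (88)
    # to obtain a ticket for the DNS service. Test-NetConnection only probes
    # TCP, so UDP 88 and 53 must still be allowed by the gateway's
    # authorization policy even when these checks pass.
    foreach ($port in 53, 88) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $port to $DomainController"; Result = $r.TcpTestSucceeded }
    }
    # A stale A record owned by a different principal is a common reason a
    # secure update is rejected; show what the zone currently holds.
    $existing = Resolve-DnsName -Name $HostFqdn -Type A -DnsOnly -Server $DomainController -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Check  = "existing A record for $HostFqdn matches VPN IP $VpnIp"
        Result = if ($existing) { ($existing -contains $VpnIp) } else { 'no record' }
    }
}

Get-DnsUpdateFailures -LogText $SampleLog | Format-Table -AutoSize
Test-SecureUpdatePrereqs -DomainController 'dc01.corp.example' `
    -HostFqdn "$env:COMPUTERNAME.corp.example" -VpnIp '172.31.0.10' | Format-Table -AutoSize
```

Run it from the VPN client while the tunnel is up, since the point is to test the path the plug-in itself uses. If TCP 88 is reachable but the update still fails with 9017, the next things to look at are the UDP rules in the gateway's authorization policy and who owns the existing record in the zone, which this client-side script cannot see.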
