
Welcome to ISAserver.org


What is the Name Resolution Policy Table?

What is the Name Resolution Policy Table? - 2.Apr.2010 6:16:49 AM   
tshinder

 

The Name Resolution Policy Table (NRPT) is a method that allows the DirectAccess (DA) client to take advantage of a form of "DNS routing" when the DA client components are turned on.

When the DA client is off the corporate network, it turns on its DA client configuration so that it can send traffic destined to the corpnet over the DA IPsec tunnels.

The question is "how does the DA client know when to send traffic to the DA server to forward to the corpnet?" The answer is that it consults the NRPT.

The NRPT contains domain names and FQDNs that should be sent to the UAG DA server DNS proxy (the UAG has its own DNS proxy that forwards DNS queries to DNS servers on the corpnet). If there is a match to an entry on the NRPT, then the DNS query is forwarded to the UAG DA server's DNS proxy, which will resolve the name to an IP address on the corpnet and forward the request to the host on the corpnet.

If the host name or FQDN does not match an entry on the NRPT, then the query is sent to the DNS configured on the DA client's NIC, which will resolve names for Internet based hosts (or internal network hosts if you're on another corpnet that has its own DNS infrastructure).

There are also "exemption rules" in the NRPT. These rules exempt certain FQDNs from a more general domain based rule. For example, if you had a NRPT entry for *.contoso.com so that all queries for hosts in the contoso.com domain are sent to the UAG DA server's DNS proxy, you could create an exemption rule to prevent certain names from being sent to the UAG DA server's DNS proxy. For example, if you don't want the FQDN nls.contoso.com to be sent to the UAG DA server's DNS proxy, you would create an exemption rule for that name and the DNS query would be sent to the DNS server configured on the DA client's NIC.

There are several names that should be included on the exemption list - but the most important one is the name of the Network Location Server. This prevents the DA client from being able to connect to the NLS server when it's off network and therefore prevents it from mistakenly thinking that it's on the corporate network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
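The lookup decision described in the post above, as an added example that is not part of the original post and not Windows' own implementation. It is a simplified model: the names `Rule`, `resolver_for` and `audit_nls`, the rule precedence (exact FQDN first, then longest suffix) and the proxy address `2001:db8::53` are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

NIC_DNS = "NIC-configured DNS"   # label for the non-DirectAccess path

class Rule(NamedTuple):
    namespace: str               # ".contoso.com" or "*.contoso.com" = suffix; "nls.contoso.com" = FQDN
    dns_server: Optional[str]    # None marks an exemption rule

# Constructed sample table: one suffix rule plus the NLS exemption from the post.
RULES = [
    Rule("*.contoso.com", "2001:db8::53"),   # constructed UAG DNS proxy address
    Rule("nls.contoso.com", None),
]

def _norm(name: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()

def match(rules, qname):
    """Return the most specific rule that matches qname, or None."""
    q = _norm(qname)
    best, best_score = None, -1
    for rule in rules:
        ns = _norm(rule.namespace)
        if ns.startswith("*."):
            ns = ns[1:]                       # "*.contoso.com" -> ".contoso.com"
        if ns.startswith("."):
            hit, score = q.endswith(ns), len(ns)   # suffix rule, longer suffix wins
        else:
            hit, score = q == ns, 10**6            # exact FQDN beats any suffix
        if hit and score > best_score:
            best, best_score = rule, score
    return best

def resolver_for(rules, qname):
    """Where the DNS query goes: the rule's DNS proxy, or the NIC's DNS."""
    rule = match(rules, qname)
    if rule is None or rule.dns_server is None:
        return NIC_DNS                        # no match, or an exemption rule
    return rule.dns_server

def audit_nls(rules, nls_fqdn):
    """True when the NLS name is kept away from the DA DNS proxy."""
    return resolver_for(rules, nls_fqdn) == NIC_DNS
```

Running `audit_nls` against an exported rule list is a quick check that the Network Location Server name has not been swallowed by a broader suffix rule.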
RE: What is the Name Resolution Policy Table? - 5.Apr.2010 8:16:46 AM   
tshinder

 

And if you want to know more about the NRPT, check out The Edge Man's blog post on this subject over at

http://blogs.technet.com/tomshinder/archive/2010/04/02/directaccess-client-location-awareness-nrpt-name-resolution.aspx

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tshinder)
Post #: 2
