What is the Name Resolution Policy Table? (Full Version)

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess



Message


tshinder -> What is the Name Resolution Policy Table? (2.Apr.2010 6:16:49 AM)

The Name Resolution Policy Table (NRPT) is a method that allows the DirectAccess (DA) client to take advantage of a form of "DNS routing" when the DA client components are turned on.

When the DA client is off the corporate network, it turns on it's DA client configuration so that it can send traffic destined to the corpnet over the DA IPsec tunnels.

The questions is "how does the DA client know when to send traffic to the DA server to forward to the corpnet?" The answer is that it consults the NRPT.

The NRPT contains domain names and FQDNs that should be sent to the UAG DA server DNS proxy (the UAG has it's own DNS proxy that forwards DNS queries to DNS servers on the corpnet). If there is a match to an entry on the NRPT, then the DNS query is forwarded to the UAG DA server's DNS proxy, while will resolve the name to an IP address on the corpnet and forward the request to the host on the corpnet.

If the host name or FQDN does not match an entry on the NRPT, then the query is sent to the DNS configured on the DA client's NIC, which will resolve names for Internet based hosts (or internal network hosts if you're on another corpnet that has it's own DNS infrastructure).

There are also "exemption rules" in the NRPT. There rules exempt certain FQDNs for a more general domain based rule. For example, if you had a NRPT entry for *.contoso.com so that all queries for hosts in the contoso.com domain are sent to the UAG DA server's DNS proxy, you could create an exemption rule to prevent certain names from being sent to the UAG DA server's DNS proxy. For example, if you don't want the FQDN nls.contoso.com to be sent to the UAG DA server's DNS proxy, you would create an exemption rule for that name and the DNS query would be sent to the DNS server configured on the DA client's NIC.

There are several names that should be included on the exemption list - but the most important one is the name of the Network Location Server. This prevents the DA client from being able to connect to the NLS server when it's off network and therefore prevents it from mistakenly thinking that it's on the corporate network.

HTH,
Tom




tshinder -> RE: What is the Name Resolution Policy Table? (5.Apr.2010 8:16:46 AM)

And you if want to know more about the NRPT, check out The Edge Man's blog post on this subject over at

http://blogs.technet.com/tomshinder/archive/2010/04/02/directaccess-client-location-awareness-nrpt-name-resolution.aspx

HTH,
Tom




Page: [1]