
Important Note

The minimum system requirements specified for on-prem hosts must be dedicated to the on-prem host you plan to deploy. They cannot be shared with or used for other non-Infoblox applications. Doing so will negatively affect the performance of your BloxOne services. For information about the minimum system requirements and port usage, see the following:


To ensure a successful deployment of on-prem hosts, consider the following best practices:

For BloxOne Threat Defense Cloud

  • When setting up DNS forwarding proxies as on-prem hosts for failover purposes, Infoblox recommends that you deploy two DNS forwarding proxies using one as the primary proxy and the other as the secondary.
  • Port 1053 must be open and available because DNS forwarding proxies run on port 1053. In addition, the DNS forwarding proxies must be configured as DNS forwarders if you also run BloxOne DDI as a service on the on-prem host.
  • If you have configured any name servers through the DHCP options or hosts, ensure that you point them to the DNS forwarding proxies.
  • If you change the IP address or make any configuration changes on the on-prem host outside of the Cloud Services Portal, you must restart the system for the change to take effect. If the change is made within the BloxOne Cloud infrastructure, no restart is required.
  • For DNS to function properly in OVA deployments on ESXi servers, ensure that you enable the Synchronize guest time with host option during the deployment and that your ESXi host is synchronized with the NTP server. If you do not select the Synchronize guest time with host option (or if this option is disabled), the on-prem host synchronizes with the Ubuntu NTP servers: ntp.ubuntu.com and ubuntu.pool.ntp.org. When you disable this option, ensure that you open the UDP 123 port for time synchronization with the Ubuntu NTP servers. For more information, see Synchronizing Time on the ESXi Servers.
  • When you enable on-prem hosts to BloxOne Threat Defense Cloud on a NIOS appliance, the QPS (queries per second) throughput might vary, depending on your appliance model and the cache hit ratio. You might see a bigger performance impact when the cache hit ratio is lower. In general, NIOS can forward at least 3,500 QPS to BloxOne Threat Defense Cloud. For standalone installations, the QPS may vary depending on the hardware used and the cache hit ratio. However, you can expect a throughput in the range of 3,500 QPS using an OVA with 512 MB memory and 1 CPU.

Note
DNS uses both TCP and UDP ports. Therefore, the interface must have both TCP and UDP available.

For BloxOne DDI

  • For any on-prem host using the BloxOne DDI capabilities, the interface should be reachable through LAN/WAN for queries from external clients to be resolved.
  • Port 1053 must be open and available because DNS forwarding proxies run on port 1053. In addition, the DNS forwarding proxies must be configured as DNS forwarders if you also run BloxOne DDI as a service on the on-prem host.
  • When setting up DNS forwarding proxies as on-prem hosts for failover purposes, Infoblox recommends that you deploy two DNS forwarding proxies using one as the primary proxy and the other as the secondary.
  • If you have configured any name servers through the DHCP options or hosts, ensure that you point them to the DNS forwarding proxies.
  • If you change the IP address or make any configuration changes on the on-prem host outside of the Cloud Services Portal, you must restart the system for the change to take effect. If the change is made within the BloxOne Cloud infrastructure, no restart is required.
  • For DNS to function properly in OVA deployments on ESXi servers, ensure that you enable the Synchronize guest time with host option during the deployment and that your ESXi host is synchronized with the NTP server. If you do not select the Synchronize guest time with host option (or if this option is disabled), the on-prem host synchronizes with the Ubuntu NTP servers: ntp.ubuntu.com and ubuntu.pool.ntp.org. When you disable this option, ensure that you open the UDP 123 port for time synchronization with the Ubuntu NTP servers. For more information, see Synchronizing Time on the ESXi Servers.

Note

DNS uses both TCP and UDP ports. Therefore, the interface must have both TCP and UDP available.
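The following is an added verification check for the port 1053 requirement stated in both sections above; it is example code, not Infoblox's. It parses `ss -tulpn`-style listener output and confirms that port 1053 is served over both TCP and UDP by a single process. The sample listener table and the process name `dfp` are constructed for the example.

```python
"""Verify that the DNS forwarding proxy port is served over both TCP and UDP.

Added example, not Infoblox code. Input is `ss -tulpn`-style output from the
on-prem host; the sample below is constructed, including the process name.
"""
import re

# Constructed sample of `ss -tulpn` output on a hypothetical host (not a real capture).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:1053       0.0.0.0:*     users:(("dfp",pid=1201,fd=5))
tcp   LISTEN 0      128          0.0.0.0:1053       0.0.0.0:*     users:(("dfp",pid=1201,fd=6))
tcp   LISTEN 0      128             [::]:1053          [::]:*     users:(("dfp",pid=1201,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=900,fd=3))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=700,fd=6))
"""

DFP_PORT = 1053  # DNS forwarding proxies listen on port 1053


def parse_listeners(ss_output):
    """Yield (proto, port, process_names) for each socket line of ss -tulpn output."""
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        port_str = fields[4].rsplit(":", 1)[1]  # works for 0.0.0.0:1053 and [::]:1053
        if not port_str.isdigit():
            continue
        procs = re.findall(r'\("([^"]+)"', " ".join(fields[6:]))
        yield fields[0], int(port_str), set(procs)


def check_dfp_port(ss_output, port=DFP_PORT):
    """Report whether `port` is served on both transports and by which processes.

    DNS needs both TCP and UDP, so a listener on only one transport fails the
    check; more than one distinct process on the port indicates a conflict.
    """
    protos = {"tcp": set(), "udp": set()}
    for proto, p, procs in parse_listeners(ss_output):
        if p == port:
            protos[proto] |= procs
    owners = protos["tcp"] | protos["udp"]
    return {
        "tcp": bool(protos["tcp"]),
        "udp": bool(protos["udp"]),
        "processes": sorted(owners),
        "ok": bool(protos["tcp"]) and bool(protos["udp"]) and len(owners) == 1,
    }
```

Run it against the real output of `ss -tulpn` on the host after deployment; a result with `"ok": False` means either one transport is missing or another process holds the port.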
