
  1. From the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab, click the Add icon.
  2. In the Add Subscriber Site wizard, complete the following:
    1. Name: Enter the name of the subscriber site.
    2. Maximum Subscribers: Specify the maximum number of subscribers for the subscriber site. This represents the overall size of the subscriber cache. You can enter a value from 10000 to 10000000.
    3. Comment: You can enter additional information about the subscriber site.
    4. Members: In the Members table, click the Add icon to add Grid members to the site. If there are multiple members, the Member Selector dialog box is displayed, from which you can select a member. Click the required member name in the dialog box. You can also delete a member from the list.
      Note that a Grid member can support only one subscriber site.

    5. Deterministic NAT Block Size: The block size specifies the number of ports made available for each incoming subscriber address. In deterministic NAT, a value of zero means that NAT is not used. The value can be any number from 0 to 64512.
    6. First port: The value of the first usable port for the subscriber. The first usable port will have a default value of 1024, and the value can be any number from 1024 to 65535, both inclusive.
    7. : Select this option to restrict only NATed subscribers. Here the IP address and port block allocations are made dynamically for the subscriber instance.

  3. Click Next to configure NAS gateways for the subscriber site. Complete the following:
    1. Listen on RADIUS port number: Enter the UDP port number that the collector member uses to collect accounting information from the NAS gateway. You can enter an integer from 1 to 65535. The default is 1813.
    2. NAS Gateways: You must add at least one NAS gateway to the subscriber site in order to start the subscriber collection service. You can add up to 20 NAS gateways. Click the Add icon and complete the following to add a NAS gateway:
      1. Name: Enter the name of the NAS gateway.
      2. IP Address: Enter the IP address of the NAS gateway.
      3. Shared Secret: Enter a shared secret that can be used to authenticate the communication between the RADIUS accounting server and the collector member. This shared secret must match the one you entered on the RADIUS server.
      4. Confirm Shared Secret: Enter the shared secret again.
      5. Send Protocol Acknowledgment: Select this check box to send an acknowledgment to the client when the collector member receives accounting information from the NAS gateway.
      6. Comment: Enter additional information about the NAS gateway.
      7. Click Add to add the NAS gateway.
        You can select a NAS gateway configuration and click the Edit icon to modify it or click the Delete icon to delete it.

  4. This step is required only if Infoblox Subscriber Parental Control is enabled. For information about enabling Parental Control, see Infoblox Subscriber Parental Control. Click Next to configure the parental control blocking IP addresses. Complete the following:

    1. Content Proxy Addresses: You can add IP addresses of the Infoblox Harmony product. The appliance will forward the subscriber session to Infoblox Harmony for in-line processing of the subscriber session, depending on the policies. Click the Add icon. Grid Manager adds a row to the Content Proxy Addresses table. It is recommended that you enter two addresses in this field. The first address is considered the primary address and the second address is considered the secondary address. If you enter only one address, the same address is considered the primary and secondary address. Click the row and enter the IP address in the Address field. To delete an IP address, select the check box and then click the Delete icon.
    2. Proxy RPZ Passthru: Select this check box if you want to proxy the traffic to the MSP (Multi-Services Proxy) server. If you select this check box and a passthru rule from any RPZ zone is hit, then the query resolves to an MSP proxy virtual IP address and NIOS generates a "synthetic resolution". If you do not select this check box and a passthru rule from any RPZ zone is hit, then the query resolves normally. This check box is disabled, and you cannot enable it until you add a content proxy address.

      Note
      • If you want to enable and run DNS over TLS, DNS over HTTPS, and Parental Control features simultaneously on a member, ensure that the appliance meets the base memory configuration requirements defined in Configuration Requirements. If you try to run these features when the required memory configuration is not available, then all of these features will be disabled.
      • If an RPZ passthru rule is triggered and the Proxy RPZ Passthru check box is selected, queries are proxied to the MSP (Multi-Services Proxy) server only if the passthru rule is not blocked by other policies (for example, blacklist, whitelist, parental control) in NIOS.


    3. Additional Blocking Servers: Besides the IP addresses you specify in the Parental Control Blocking IP Addresses fields, you can specify additional IP addresses that will act as blocking servers for the blocking policies you defined when configuring blocking server policies. Click the Add icon. Grid Manager adds a row to the Additional Blocking Servers table. Click the row and select a blocking policy. In the Address field, enter the IP address of the blocking server that will contain the selected blocking policy. To delete an IP address, select the check box and then click the Delete icon. 
    4. Parental Control Blocking IP Addresses: You can configure two sets of IPv4 and IPv6 addresses that are used as blocking VIP addresses. The parental control subscribers are redirected to the following blocking IP addresses whenever the domain queried by the subscriber is blocked based on the subscriber parental control policy. 

      Complete the following:

      1. IPv4 Address (primary): Enter the primary blocking IPv4 address.
      2. IPv4 Address (secondary): Enter the secondary blocking IPv4 address.
      3. IPv6 Address (primary): Enter the primary blocking IPv6 address.
      4. IPv6 Address (secondary): Enter the secondary blocking IPv6 address.


    5. Policy Management Addresses: You can add IP addresses of the policy management servers to which the appliance sends API requests about expired parental control policies. Click the Add icon. Grid Manager adds a row to the Policy Management Addresses table. Click the row and enter the IP address in the Address field. To delete an IP address, select the check box and then click the Delete icon.
  5. Save the configuration, or click Next to continue to the next step where you define extensible attributes as described in Managing Extensible Attributes.

...

  1. From the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab, click the Action icon next to the subscriber site name and select Edit from the menu.
  2. The Subscriber Site Properties editor provides the following tabs from which you can modify data:
    1. On the General tab, you can modify the information you previously entered through the wizard, as described in Adding Subscriber Sites.
    2. On the NAS Gateways tab, you can edit the NAS gateways configured for the subscriber site, as described in Adding Subscriber Sites.

      Note

      If you make any changes to the NAS gateway configuration, the subscriber collector will automatically restart within 30 seconds. However, the subscriber data collected in the subscriber cache is not affected by the NAS gateway configuration changes.


    3. If parental control is enabled, the Parental Control tab is displayed. You can modify information on the Parental Control tab as described in Adding Subscriber Sites. On the Advanced tab, you can modify the details pertaining to the DCA subscriber.

      Note

      If you want to enable and run DNS over TLS, DNS over HTTPS, and Parental Control features simultaneously on a member, ensure that the appliance meets the base memory configuration requirements defined in Configuration Requirements. If you try to run these features when the required memory configuration is not available, then all of these features will be disabled.

      1. Enable DCA subscriber Query count logging: Select this check box to allow the DCA to generate subscriber logs and to record query counts greater than or equal to zero for subscriber query count updates and deletions. These logs are generated for deletions even when the query count is equal to zero. By default, this option is disabled.
      2. Enable DCA subscriber Allowed & Blocked list support: Select this check box to support the blocked and allowed list of subscribers. This option is disabled by default. Once the domain is cached, the blocked lists are provided by DCA. Domains in the allowed list are transferred to BIND. A site can have several members, but all vDCA-capable members require 32 GB of memory or more. You must manually restart NIOS after selecting this check box for the support to take effect.

        Note

        The allowed and blocked listing feature allows you to specify all possible top-level domains (for example, linkedin.com, linkedin.co.uk) for well-known names. If a dotless name such as "facebook" is in the allowed list or blocked list and the qname is facebook.<suffix>, then:

        • If the suffix is a top-level domain (for example, "xxxyyy"), the two are matched regardless of whether "xxxyyy" is registered in the worldwide DNS.
          Example:
          facebook == facebook.com
          facebook == facebook.xxxyyy
        • If the suffix is not a top-level domain (for example, "xxx.yyy"), whether the two are matched depends on whether "xxx.yyy" is registered and present in the public_suffix_list.dat on the appliance.
          Example:
          facebook == facebook.co.uk
          facebook != facebook.xxx.yyy


    4. You can enter or edit information in the Extensible Attributes tab, as described in Managing Extensible Attributes.
    5. You can export subscriber site data into a CSV file by selecting the Export option. For more information, see Importing and Exporting Data using CSV Import.
  3. Save the configuration.
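
The dotless-name matching rule from the allowed and blocked list note above, as an added Python example (not Infoblox code and not part of the original page). The function names, the constructed suffix-list sample, and the handling of wildcard (`*.`) and exception (`!`) rules following the public suffix list file format are assumptions; the page does not state how the appliance treats those rules.

```python
# Added illustration of the dotless-name rule; not Infoblox code.
# Constructed sample in public_suffix_list.dat format, not the real list.
SAMPLE_PSL = """\
// constructed sample
com
uk
co.uk
*.ck
!www.ck
"""


def load_rules(text):
    """Parse PSL-format text into (exact, wildcard, exception) rule sets."""
    exact, wildcard, exception = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue  # blank line or comment
        rule = line.split()[0].lower()
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception


def suffix_in_list(suffix, rules):
    """True if a multi-label suffix is covered by the suffix list."""
    exact, wildcard, exception = rules
    if suffix in exception:
        return False
    return suffix in exact or suffix.partition(".")[2] in wildcard


def dotless_entry_matches(entry, qname, rules):
    """Apply the note's rule to a qname of the form <entry>.<suffix>."""
    head, _, suffix = qname.rstrip(".").lower().partition(".")
    if head != entry.lower() or not suffix:
        return False  # assumption: only <entry>.<suffix> is in scope
    if "." not in suffix:
        return True  # single-label suffix: matched even if unregistered
    return suffix_in_list(suffix, rules)


RULES = load_rules(SAMPLE_PSL)
```

Checking a candidate entry this way before adding it shows which qnames it will cover, including names under unregistered single-label suffixes.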
