Configuring DNS SRV Record Discovery for Reverse Proxy¶
This section explains how to configure a public facing DNS SRV record and a DNS TXT record for your reverse proxy so that endpoints are provisioned with Endpoint Bootstrap Manager information as part of the endpoint discovery process.
Endpoints poll the public facing DNS server for information about the reverse proxy (that is, the Endpoint Bootstrap Manager/Endpoint Manager) to which they should connect.
DNS service record discovery requires you to have a public facing DNS server in your network that is configured with the following DNS records:
- An address record (A record): Specifies the FQDN and IP address of the reverse proxy.
- A service location record (SRV record): Associates information such as the reverse proxy’s TCP/IP service and the port the reverse proxy listens on with the reverse proxy’s domain and host name. The reverse proxy’s TCP/IP service is called _pcoip-bootstrap, as shown in Adding the DNS SRV Record. The remote PCoIP Zero Client will look for this external facing DNS record.
- A DNS TXT record: Contains the reverse proxy certificate SHA-256 fingerprint. The record’s name must be the host name of the reverse proxy offering the service. In the following example, this record is called proxy. The domain is appended automatically.
Note (DNS TXT fingerprint): Remote endpoints only pick up the DNS TXT fingerprint if the reverse proxy address is specified in a DNS SRV record.
Before You Begin¶
Before configuring your DNS SRV record discovery, you'll need the following information:
- The reverse proxy’s FQDN
- The reverse proxy’s certificate fingerprint (that is, the certificate’s digital signature). If provided, this fingerprint is only used when the endpoint’s security level is set to Low Security Environment and certificate verification has failed. It is ignored when the security level is set to Medium Security Environment or High Security Environment.
Adding the DNS SRV Record¶
To add the public facing reverse proxy DNS SRV record to the DNS server:
- Log in to your Windows Server and select DNS.
- Right-click on your DNS server in the SERVERS pane and select DNS Manager from the context menu.
- In Forward Lookup Zones, right-click on your domain and select Other New Records from the context menu.
Figure: Public Facing Forward Lookup Zone
- In the Resource Record Type dialog, select Service Location (SRV) from the list and click Create Record.
Figure: New Resource Record Type for SRV
- Fill in the entries as shown in the following example. Set Service to _pcoip-bootstrap, Protocol to _tcp, and Port number to 5172, the reverse proxy’s listening port. For Host offering this service, enter the reverse proxy’s FQDN.
Figure: FQDN entered
Note (FQDN must be entered in place of IP address): The reverse proxy’s FQDN must be entered because the DNS specification does not allow an IP address as the target of an SRV record.
Figure: New Resource Record Dialog
- Click OK.
Adding a DNS TXT Record¶
If your endpoints do not have the reverse proxy’s root CA certificate installed in their certificate store, you must configure your DNS server with a DNS TXT record containing the reverse proxy certificate SHA-256 fingerprint.
To add a public facing DNS TXT record:
- In Forward Lookup Zones, right-click on your domain and select Other New Records from the context menu.
- In the Resource Record Type dialog, select Text (TXT) from the list and click Create Record.
- Fill in the entries as follows:
  - In the Record name field, enter the host name of the reverse proxy offering the service (this example uses proxy). The FQDN field will be automatically populated for you and should match the FQDN of the reverse proxy.
  - In the Text field, type pcoip-bootstrap-cert= and then paste the reverse proxy certificate SHA-256 fingerprint you obtained previously immediately after this prefix, as shown in the following example.
  Figure: New Text Record
- Click OK.
- When you have finished configuring your DNS server, power cycle your endpoints or put them online to enable them to make the connection to the reverse proxy.
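The SRV and TXT procedures above can also be scripted and checked from the Windows DNS server with the DnsServer and DnsClient PowerShell modules. This is an added example, not part of the original page or of Teradici's own tooling; the zone name, host name, IP address, certificate path, and the assumption that the fingerprint is written as hex without separators are placeholders to adjust to your environment.

```powershell
# Added example: publish the A, SRV and TXT records for _pcoip-bootstrap and verify
# them as an endpoint would see them. All names and paths below are assumptions.
$Zone      = 'example.com'
$ProxyHost = 'proxy'
$ProxyFqdn = "$ProxyHost.$Zone"
$ProxyIPv4 = '203.0.113.10'
$CertPath  = 'C:\certs\proxy.cer'   # exported reverse proxy certificate (DER or PEM)
$DnsServer = 'localhost'            # run on the DNS server itself

# 1. SHA-256 fingerprint of the certificate. X509Certificate2.Thumbprint is SHA-1,
#    so hash the DER bytes directly. Lowercase hex without separators is an
#    assumption; use the same form as the fingerprint shown by the Management Console.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
$txtValue = "pcoip-bootstrap-cert=$fingerprint"

# 2. A record: FQDN -> IP address of the reverse proxy.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $ProxyHost -IPv4Address $ProxyIPv4

# 3. SRV record: _pcoip-bootstrap._tcp.<zone> -> proxy FQDN on port 5172.
#    The target must be a host name; an IP address is not allowed in an SRV record.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_pcoip-bootstrap._tcp' `
    -DomainName $ProxyFqdn -Port 5172 -Priority 0 -Weight 0

# 4. TXT record on the proxy host name carrying the fingerprint (used only when the
#    endpoint is in Low Security Environment and certificate verification failed).
Add-DnsServerResourceRecord -Txt -ZoneName $Zone -Name $ProxyHost -DescriptiveText $txtValue

# 5. Verify: resolve both records against the server and compare with what we published.
$srv = Resolve-DnsName -Name "_pcoip-bootstrap._tcp.$Zone" -Type SRV -Server $DnsServer |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
$txt = Resolve-DnsName -Name $ProxyFqdn -Type TXT -Server $DnsServer |
       Where-Object { $_.Type -eq 'TXT' }

if (-not $srv -or $srv.NameTarget -ne $ProxyFqdn -or $srv.Port -ne 5172) {
    throw "SRV record missing or does not point at ${ProxyFqdn}:5172"
}
if (-not ($txt.Strings -contains $txtValue)) {
    throw "TXT record on $ProxyFqdn does not carry the fingerprint of $CertPath"
}
Write-Host "SRV -> $($srv.NameTarget):$($srv.Port); TXT fingerprint matches $CertPath"
```

Re-run step 5 from a host outside your network to confirm the records are reachable from the public facing server the endpoints actually query.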
See Troubleshooting DNS to verify that your DNS server is configured correctly for the reverse proxy.