Configuring DNS for Endpoints that use Autodiscovery¶
This section explains how to configure your DNS server to provision endpoints with Endpoint Bootstrap Manager information, as part of the endpoint autodiscovery process.
DNS Discovery Process
Endpoints query the DNS server for the PCoIP Management Console (that is, the Endpoint Bootstrap Manager/Endpoint Manager) they should connect to only if the DHCP server does not supply a DHCP option containing the PCoIP Management Console’s IP address or FQDN.
If an endpoint has already retrieved a DNS record before the DNS server is configured with PCoIP Management Console information, it does not query the DNS server again until the record’s Time-To-Live (TTL) expires or the endpoint is rebooted. If the DHCP server does provide an option for the PCoIP Management Console address but the endpoint fails to connect for any reason (for example, a certificate verification failure, or the PCoIP Management Console address is not reachable), the endpoint does not fall back to a DNS record lookup.
Note: Do not configure DHCP options when you are using DNS record discovery
Do not configure DHCP options if you want to use DNS record discovery. Endpoints always prefer the PCoIP Management Console address or fingerprint that is specified in the DHCP options over that specified in the DNS record. If you provide the PCoIP Management Console address both as DHCP option and also as the DNS record, the endpoint will only use the PCoIP Management Console address found in the DHCP option.
DNS service record discovery requires a DNS server in your network that is configured with the following DNS records:
- An address record (A record): Specifies the FQDN and IP address of the PCoIP Management Console. This record may be created automatically by the DHCP server.
- A service location record (SRV record): Associates the PCoIP Management Console’s TCP/IP service name and the port the PCoIP Management Console listens on with the PCoIP Management Console’s domain and host name. The PCoIP Management Console’s TCP/IP service is called _pcoip-bootstrap, as shown in Adding the DNS SRV Record.
- A text record (TXT record): Contains the SHA-256 fingerprint of the PCoIP Management Console’s certificate. This record is required only if you have not installed the PCoIP Management Console’s trusted root CA certificate (the PCoIP Management Console chain certificate) in the endpoint’s certificate store and you want to use automatic discovery. The record’s name must be the host name of the PCoIP Management Console offering the service. In the following example, this record is called pcoip-mc38719. The domain is appended automatically.
Note: Endpoint only picks up DNS TXT fingerprint if the PCoIP Management Console address is specified in a DNS SRV record
The endpoint only picks up the fingerprint from the DNS TXT record if the PCoIP Management Console address is specified in a DNS SRV record. For example, if the PCoIP Management Console address is specified as a DHCP option but the fingerprint is provided as a DNS TXT record, the endpoint will not retrieve the fingerprint information in the DNS server. Configure your PCoIP Management Console information using either DHCP options or DNS records, but not both.
Before You Begin¶
Before configuring DNS SRV record discovery, you need the following information:
- The PCoIP Management Console’s FQDN
- The PCoIP Management Console’s certificate fingerprint (the SHA-256 hash of the certificate, not its digital signature). If provided, this fingerprint is used only when the endpoint’s security level is set to Low Security Environment and certificate verification has failed; it is ignored when the security level is set to Medium Security Environment or High Security Environment. Because the endpoint accepts whatever fingerprint the DNS answer carries, this fallback is only as trustworthy as your DNS; installing the PCoIP Management Console’s root CA certificate on the endpoints is the stronger option.
To locate the PCoIP Management Console’s fingerprint:
1. Use Mozilla Firefox to log in to the PCoIP Management Console web interface.
2. Click the padlock icon in the browser’s address bar.
3. Click More Information.
4. Click View Certificate.
5. In the Fingerprints section, copy the SHA-256 fingerprint and paste it into a text editor.
Note: Examples shown use Windows Server 2012 R2
The instructions provided may change slightly depending on your specific server version.
Adding the DNS SRV Record¶
To add the PCoIP Management Console DNS SRV record to the DNS server:
1. Log in to your Windows Server and select DNS.
2. Right-click your DNS server in the SERVERS pane and select DNS Manager from the context menu.
3. In Forward Lookup Zones, right-click your domain and select Other New Records from the context menu.
4. In the Resource Record Type dialog, select Service Location (SRV) from the list and click Create Record.
5. Fill in the entries as follows. Set Service to _pcoip-bootstrap, Protocol to _tcp, and Port number to 5172, the PCoIP Management Console’s default listening port. For Host offering this service, enter the PCoIP Management Console’s FQDN.
Note: FQDN must be entered in place of IP address
The PCoIP Management Console’s FQDN must be entered because the DNS specification does not allow an IP address as the target of an SRV record.
6. Click OK.
7. If you are not adding an optional DNS TXT record (see next) and have finished configuring your DNS server, power cycle your endpoints or put them online so they can connect to the PCoIP Management Console. You must also upload the PCoIP Management Console’s root CA certificate to the endpoint’s certificate store.
Adding a DNS TXT Record¶
If your endpoints do not have the PCoIP Management Console’s root CA certificate installed in their certificate store, you must configure your DNS server with a DNS TXT record containing the PCoIP Management Console certificate SHA-256 fingerprint.
To add a DNS TXT record:
1. In Forward Lookup Zones, right-click your domain and select Other New Records from the context menu.
2. In the Resource Record Type dialog, select Text (TXT) from the list and click Create Record.
3. Fill in the entries as follows:
   - In the Record name field, enter the host name of the PCoIP Management Console offering the service (this example uses pcoip-mc38719). The FQDN field is populated automatically and matches the FQDN of the PCoIP Management Console.
   - In the Text field, type pcoip-bootstrap-cert= and then paste the PCoIP Management Console certificate SHA-256 fingerprint you obtained previously immediately after this prefix.
4. Click OK.
5. When you have finished configuring your DNS server, power cycle your endpoints or put them online so they can connect to the PCoIP Management Console.
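The two DNS Manager procedures above, together with the Firefox steps in Before You Begin for reading the fingerprint, can be scripted on the DNS server with the DnsServer PowerShell module. The following is an added example and not code from the PCoIP Management Console documentation or from its vendor. The zone name example.com, the web interface port 443 used to read the certificate, and the function names are assumptions; the fingerprint is written in the colon-separated form Firefox displays, which is what the TXT record procedure above says to paste.

```powershell
# Added example, not from the PCoIP Management Console documentation.
# Assumed values: DNS zone example.com, Management Console host pcoip-mc38719,
# Management Console web interface on TCP 443, and the DnsServer module
# (Windows Server DNS role) present on the server where this runs.
#Requires -Modules DnsServer

$Zone   = 'example.com'      # assumed zone name
$McHost = 'pcoip-mc38719'    # host name used in the examples above
$McFqdn = "$McHost.$Zone"

function Get-McCertificateFingerprint {
    # Opens a TLS connection to the Management Console, reads the certificate it
    # presents and returns its SHA-256 fingerprint in the colon-separated form
    # Firefox displays, e.g. "0A:1B:...". The connection is used only to read the
    # certificate, so chain validation is deliberately skipped here.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443    # assumed: the web interface port used in the Firefox steps
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $raw  = $ssl.RemoteCertificate.GetRawCertData()   # DER bytes of the leaf certificate
        $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($raw)
        return [System.BitConverter]::ToString($hash).Replace('-', ':')
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Add-McDiscoveryRecords {
    # Creates the records described in the two procedures above:
    #   SRV  _pcoip-bootstrap._tcp.<zone>  ->  <MC FQDN>:5172
    #   TXT  <MC host>.<zone>              ->  "pcoip-bootstrap-cert=<SHA-256 fingerprint>"
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $McHost,
        [Parameter(Mandatory)] [string] $Fingerprint,
        [int] $Port = 5172,      # Management Console default listening port
        [string] $McIPv4         # optional: also create the A record if DHCP does not
    )
    $fqdn = "$McHost.$Zone"
    if ($McIPv4) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $McHost -IPv4Address $McIPv4
    }
    # The SRV target must be a host name: SRV records cannot carry an IP address.
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_pcoip-bootstrap._tcp' `
        -DomainName $fqdn -Priority 0 -Weight 0 -Port $Port
    # The TXT record is named after the Management Console host and is only read
    # by endpoints that found the Management Console through the SRV record.
    Add-DnsServerResourceRecord -Txt -ZoneName $Zone -Name $McHost `
        -DescriptiveText "pcoip-bootstrap-cert=$Fingerprint"
}

function Test-McDiscoveryRecords {
    # Queries the records back the way an endpoint would and returns $true only if
    # the SRV target/port and the TXT fingerprint match what was intended.
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $McHost,
        [Parameter(Mandatory)] [string] $Fingerprint,
        [int] $Port = 5172,
        [string] $Server = 'localhost'
    )
    $fqdn = "$McHost.$Zone"
    $srv = Resolve-DnsName -Name "_pcoip-bootstrap._tcp.$Zone" -Type SRV -Server $Server -ErrorAction Stop |
        Where-Object Type -eq 'SRV'
    $txt = Resolve-DnsName -Name $fqdn -Type TXT -Server $Server -ErrorAction Stop |
        Where-Object Type -eq 'TXT'
    $srvOk = [bool]($srv | Where-Object { $_.NameTarget -eq $fqdn -and $_.Port -eq $Port })
    $txtOk = [bool]($txt | Where-Object { $_.Strings -contains "pcoip-bootstrap-cert=$Fingerprint" })
    if (-not $srvOk) { Write-Warning "SRV record for _pcoip-bootstrap._tcp.$Zone is missing or has the wrong target/port" }
    if (-not $txtOk) { Write-Warning "TXT record for $fqdn is missing or its fingerprint does not match" }
    return ($srvOk -and $txtOk)
}

# Usage: read the fingerprint from the live Management Console, publish both
# records, then confirm the DNS server answers as an endpoint would see it.
$fingerprint = Get-McCertificateFingerprint -HostName $McFqdn
Add-McDiscoveryRecords  -Zone $Zone -McHost $McHost -Fingerprint $fingerprint
Test-McDiscoveryRecords -Zone $Zone -McHost $McHost -Fingerprint $fingerprint
```

Run this on the DNS server itself (or add -ComputerName to the Add-DnsServerResourceRecord calls to target a remote server). Reading the fingerprint over TLS and publishing it in one step avoids a copy-and-paste error, and the final query is the same check the Troubleshooting DNS section asks for: an endpoint that cannot resolve the SRV record never reads the TXT record at all.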
Note: Automatically name and group endpoints
You can configure the PCoIP Management Console to automatically name endpoints and place them in a specific group when they are discovered. See Auto Naming Endpoints and Auto Configuring Endpoints (Enterprise) for details.
See Troubleshooting DNS to verify that your DNS server is configured correctly for the PCoIP Management Console.