Installing GSS configurations in Address Manager - Adaptive Applications - BlueCat Gateway - 24.1

Global Server Selector Administration Guide

Product name
BlueCat Gateway

Once you have configured the DNS settings in Address Manager, you can proceed to configure the GSS workflow. When you first install GSS, the GSS installation workflow proposes and applies the required configuration in Address Manager.

To install GSS configurations in Address Manager
  1. Log in to BlueCat Gateway.
  2. In the left navigation, click DNSTrafficSteering > GSS Installation.
  3. GSS adds the following two User-Defined Fields (UDFs) to the Address Manager object schema:
    • Tag Object data—the data optional text field is added to the Tag object type. GSS uses this UDF to store the type of region, such as client, answer or both, on the tag objects that represent health-check regions.
    • Resource Record GSS—the GSS workflow link field is added to the Resource Record object type. This field adds an optional cross-launch link to the DNS resource record objects that launches the GSS application user interface, and selects between standard GSS functionality and the more limited NAT workflow.
      Note: The base URL of the GSS installation page is used as the base URL of the cross-launch link. BlueCat recommends accessing GSS using the preferred name when creating the UDFs.

    If the required UDFs do not exist, the GSS installation workflow offers to add them.

    Click OK to add the required UDFs.

  4. GSS is used in a single configuration with a selected default DNS view in Address Manager. If you have not selected the configuration and DNS view that GSS is used in, the GSS installation workflow offers to configure them.
    • Under Configuration, select the Address Manager configuration that GSS will use.
    • Under View, select the DNS view that GSS will use.

    Click OK to confirm the selection.

    GSS creates and links tag objects Configuration to the selected Address Manager configuration and View to the selected DNS view.

  5. Where GSS uses separate DNS views to provide different answers based on client IP address, these views are configured to share a single cache for DNS resolution. To ensure consistent policy configuration between these views, you must configure the same maximum cache size for all of these views. GSS allows you to set a fixed maximum cache size for all views by adding a DNS deployment option at the Configuration level in Address Manager.
    • Select the Set maximum cache size option on configuration level checkbox to configure a maximum cache size.
    • Under Value, enter the maximum cache size value in MB. By default, the maximum cache size is 2048 MB.
      Note: Setting the value to 0 indicates that there is no limit on the cache size.

    Click OK to confirm the selection.

  6. GSS uses a locally configured shared TSIG key to authenticate communication with authoritative DNS servers. If multiple DNS views are configured, multiple TSIG keys are generated for the configured TSIG key.

    If no local TSIG key has been configured, GSS offers to configure one. If TSIG keys are found in Address Manager, you can a TSIG key that is compatible with GSS. If no TSIG keys are found in Address Manager, GSS offers to create a new key named gss-key.

    Select the TSIG key that you would like to use and click OK.

    The selected key is linked to a TSIG key tag in Address Manager and will automatically be selected when installing further instances of GSS. GSS adds view-level DNS options Allow Dynamic Update and Allow Zone Transfer to enable GSS to perform dynamic updates and zone transfers with this TSIG key, but only when these options have not yet been configured at the view level.

  7. From the GSS installation, you can create and select a health-check region to install. Under GSS Region, enter the health-check region to install.

    If the required zones have not been created in Address Manager, the GSS installation workflow automatically creates the status.gss.bluecat and rpz.gss.bluecat zones for the health-check region configured.

    Click OK to confirm the selection.

  8. If the required GSS zones have not been deployed, you can perform a manual deployment to the required DNS/DHCP Servers from the GSS installation workflow.

    Click OK to confirm the deployment.

Once the required settings have been configured, the standard GSS installation workflow is displayed. For more information on the standard GSS installation workflow, refer to Setting up the GSS workflow.

Each instance of GSS belongs to a health-check region. While the configuration is shared and global, health-checks are performed and the state is maintained separately in each health-check region. Each health-check region manages the DNS response for a different set of client regions. You can deploy the GSS application in multiple regions to provide region survivability for the GSS health-check service. Each health-check region corresponds to a health-check zone in DNS name <region>.status.gss.bluecat.

A special health-check region named Default is responsible for updating the standard DNS response given where either no client region is configured, or the configured client region has no available servers. If you would like to update GSS to update the standard DNS response for your applications, choose one of your health-check regions that will perform this function and select the name Default for this health-check region.

If a health-check region has not yet been selected, you must select one. You can either select one from existing health-check regions or enter the name of a new region.

If you enter the name of a region that does not exist, a new health-check region is created through the creation of the relevant health-check zone.

When there are no DNS roles defined at the zone level for the selected health-check zone, the GSS workflow can add them. This is optional if appropriate roles are inherited but can be useful where a regional DNS primary server has been selected to provide regional survivability for the GSS service.

To configure DNS roles, enter the name of the primary BlueCat DNS server and the secondary servers, adding secondary roles as required.
Note: The installation workflow is only used to add additional roles to the health-check zone that has no roles defined. If existing roles are defined, these settings are greyed-out and cannot be updated. Changes can be made on the DNS roles page for the relevant health-check zones in Address Manager.
Important: Before verifying the GSS configuration, you must deploy DNS to all DNS servers that are authoritative for GSS zones from Address Manager. This is required to push the changes made by the installation workflow to the relevant DNS servers.