My organization has two main regions (USA and India). I currently have ADDS/DNS servers in both regions. I have two private apps configured for ADDS. One of them is directing traffic to the India ADDS servers using the local NPAs, the other is doing the same for USA.
I have a prelogin user that has access to both private apps.
I also have a DNS private app defined (*._http.domain.local, *._kkdcp.domain.local, etc) but it only uses the USA publishers.
With this configuration, our USA users are working fine with very little lag on computer startup and login. Our India users, however, are experiencing very long startup and login times.
My question is, what is the proper way of configuring AD and DNS access for clients when the organization is multi-regional and you want the client to always access the closest ADDS/DNS servers?
Some solutions I am considering are:
- Divide each region’s users into separate groups and give them access only to their local ADDS server. This, however, does not solve the DNS problem, as that is defined using the above nomenclature and is not region specific. It will also cause users issues if they ever travel to the opposite region.
- Create a separate client configuration profile with a different prelogin user. Similar to #1 but this would help with the startup lag issue.
- Add all local NPAs to the DNS private app configuration. However, I do not know how the private app selects the NPA to use in this specific instance. Does it just round-robin through them? (This would actually be worse, as then my USA users may end up using an India NPA to access a USA AD server.) Or does the private app somehow figure out the best path and stitch to the closest NPA by user location?
Please let me know what you all have done if you have a similar situation. I can’t imagine this is an uncommon setup.
Thank you,
Jason