Forum Discussion
Dean_Miller_908
Nimbostratus
NimbostratusHow does Firepass determine the FQDN of connecting machine?
Hi!
We have our firepass working with a pre-logon endpoint inspection of a machine certificate (does the standard check of CN equal to FQDN). However, my CISO is asking how the Firepass determines the FQDN. It does not seem to be Reverse-DNS because I connected to the Firepass through another VPN which does not provide a reverse-DNS lookup. Can anyone tell me how, in fact, the Firepass determines the FQDN of the connecting machine? He is looking at it to determine whether it meets our security policies.
Thanks.
dean
Mike_HoCirrus
As far as I can tell it is not DNS but rather it looks at the host name and default domain of the machine.
E.g. on Windows XP open a command prompt and run ipconfig /all and then mash "Host Name" and "Primary Dns Suffix" together.
I have some machines with no default domain so the CN of their machine certificate is "computername." and that works fine.- Mike_HoBut now I see it's more than I suggested in my previous post. I too would like to know how exactly the machine certificate checker identifies the client FQDN.
- Mike_HoFYI I opened a support case and learned the following:
If the computer is joined to a domain then the FQDN is computer name . domain. It will match exactly what you see in the "Full computer name" field of the "Computer Name" tab of the system properties control panel. It is case sensitive, too.
If the computer is not joined to a domain then the certificate CN only needs to contain the computer name (case sensitive). If the computer has any connection-specific DNS suffixes one of those can be present in the cert but it is not required.