The script below reduces the manual work needed to migrate the client DNS configuration from the Identity Provider (IdP) into a DNS Policy. It takes every search domain configured in the IdP and creates a match domain entry for it in the DNS Policy, including the basic configuration needed for the search domain to work correctly.
The DNS server IPs configured in the IdP are added to each match domain entry in the DNS Policy.
Requirements
A production AppGate SDP Collective with client DNS configuration in the Identity Provider.
An Entitlement that allows DNS query access to the DNS servers currently listed in the Identity Provider DNS configuration.
Access to the Script console URI /ui/console/index.html (https://controllerFQDN:AdminPORT/ui/console/index.html)
How to use the script
Substitute the values of the two variables at the top of the script for your environment:
idpName: the name of the Identity Provider.
dnsName: the name of the Entitlement that provides DNS query permission to the DNS server IPs.
Essential access Script
// Migrate IdP DNS to DNS Policy
/*
MIT License
Copyright (c) 2023 AppGate Cybersecurity, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
//--------------------------------------
const idpName = ""; // Add the name of the IdP
const dnsName = ""; // Add the name of the Entitlement that allows UDP-UP access to DNS servers configured in the IdP
//-------------------------------------
const fetchOptions = { headers: getHeaders() }; // getHeaders() is provided by the Script console
const IdP = await fetch("/admin/identity-providers?name=" + encodeURIComponent(idpName), fetchOptions)
  .then(response => response.json()).then(json => json.data);
const entitlement = await fetch("/admin/entitlements?name=" + encodeURIComponent(dnsName), fetchOptions)
  .then(response => response.json()).then(json => json.data);
if (!IdP || IdP.length === 0) {
  throw new Error("Identity Provider not found: " + idpName);
}
if (!entitlement || entitlement.length === 0) {
  throw new Error("Entitlement not found: " + dnsName);
}
const dnsIP = IdP[0].dnsServers;          // DNS servers configured in the IdP
const entitlementId = entitlement[0].id;
const dnsMatch = [];                      // becomes the dnsSettings of the new policy
// Search domains of the form dns.server.<IPv4>.<domain> pin the domain to that one server;
// plain search domains use all DNS servers of the IdP.
const dnsString = /^dns\.server\.(\d+\.\d+\.\d+\.\d+)\.(.*)/;
IdP[0].dnsSearchDomains.forEach(domain => {
  const ismatch = domain.match(dnsString);
  if (ismatch) {
    // dns.server.<ip>.nxdomain entries are not migrated
    if (ismatch[2] !== "nxdomain") {
      dnsMatch.push({ "domain": ismatch[2], "servers": [ismatch[1]] });
      dnsMatch.push({ "domain": ismatch[2] + ".searchdomain", "servers": ["1.2.3.4"] });
    }
  } else {
    dnsMatch.push({ "domain": domain, "servers": dnsIP });
    dnsMatch.push({ "domain": domain + ".searchdomain", "servers": ["1.2.3.4"] });
  }
});
// Policy assignment expression: the policy applies only to the "admin" user; adjust it before a wider rollout.
const entity = {
  'name': 'IdP DNS migration',
  'tags': ["scripted"],
  'expression': 'var result = false; if (claims.user.username === "admin") { result = true; } else { return false; } return result;',
  'entitlements': [entitlementId],
  'type': 'Dns',
  'dnsSettings': dnsMatch
};
const response = await fetch("/admin/policies", { method: "POST", headers: getHeaders(), body: JSON.stringify(entity) });
if (response.ok) {
  console.log("created Policy DNS successfully");
} else {
  console.log("failed Policy DNS: HTTP " + response.status);
}
You should see this result after running the script from the JavaScript console.

The script will check for the Identity Provider DNS configuration.

And your controller will have this new policy created.
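As an added dry-run example (not part of the original script), the following extracts the search-domain-to-match-domain mapping into a pure function and runs it over a constructed IdP object, so the resulting dnsSettings can be reviewed, and invalid or duplicate entries flagged, before a policy is created on the controller. The object shape (dnsServers, dnsSearchDomains) follows the script above; the sample addresses and domain names are constructed.

```javascript
// Added dry-run helper (not part of the original script): builds the dnsSettings
// entries the migration would create from an IdP object shaped like the
// /admin/identity-providers response, validating input instead of POSTing it.
const SEARCH_DOMAIN_RE = /^dns\.server\.(\d+\.\d+\.\d+\.\d+)\.(.+)$/;
const SEARCH_MARKER = ["1.2.3.4"]; // placeholder the original script uses for ".searchdomain" entries
function isIPv4(s) {
  const octets = s.split(".");
  return octets.length === 4 && octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
}
// Returns { entries, warnings }: entries is the dnsSettings array, warnings lists
// inputs that were skipped so they can be reviewed before the policy is created.
function buildDnsSettings(idp) {
  const entries = [], warnings = [], seen = new Set();
  const defaultServers = idp.dnsServers || [];
  for (const raw of idp.dnsSearchDomains || []) {
    const m = raw.match(SEARCH_DOMAIN_RE);
    let domain = raw, servers = defaultServers;
    if (m) {
      if (m[2] === "nxdomain") continue; // nxdomain override creates no match domain
      domain = m[2];
      servers = [m[1]];
    }
    if (servers.length === 0 || !servers.every(isIPv4)) {
      warnings.push(`skipped ${raw}: no valid IPv4 DNS server`);
      continue;
    }
    if (seen.has(domain)) {
      warnings.push(`skipped duplicate domain ${domain}`);
      continue;
    }
    seen.add(domain);
    entries.push({ domain, servers: [...servers] });
    entries.push({ domain: domain + ".searchdomain", servers: [...SEARCH_MARKER] });
  }
  return { entries, warnings };
}
// Constructed sample IdP; addresses and domain names are illustrative only.
const sampleIdp = {
  dnsServers: ["10.0.0.53", "10.0.1.53"],
  dnsSearchDomains: ["corp.example", "dns.server.10.9.9.9.lab.example",
    "dns.server.10.9.9.9.nxdomain", "corp.example", "dns.server.999.1.1.1.bad.example"],
};
const preview = buildDnsSettings(sampleIdp);
console.log(JSON.stringify(preview, null, 2));
```

Review the printed warnings and entries against the IdP configuration before running the migration script itself.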