NIOS-X Servers

Supported Platforms for Hosts

The default DNS server for NIOS-X servers is the Infoblox Threat Defense public anycast, which can resolve all *.infoblox.com domains publicly (52.119.41.100 or, formerly, 52.119.40.100).

Datasheet for On-Prem Hosts is here. Note: B1-105 is EOS/EOL. Dell is no longer selling the VEP line of appliances.

NIOS-X Virtual Server

Recommended for | Micro-Sites                  | Small Branches            | Medium Branches             | Large Branches
QPS             | 4.4K                         | 4.4K                      | 18K                         | 21K
LPS             | 560                          | 560                       | 560                         | 960
CPU             | 2-core Intel Atom @ 1.92 GHz | 4-core Intel Atom @ 2 GHz | 4-core Intel Atom @ 2.2 GHz | 8-core Intel Xeon @ 2 GHz
RAM             | 4 GB                         | 8 GB                      | 8 GB                        | 32 GB
Storage         | 64 GB                        | 64 GB                     | 120 GB                      | 1 TB
Ports           | 1 x 1G                       | 2 x 1G                    | 2 x 1G, 2 x 10G             | 2 x 1G, 2 x 10G
  • Dell VEP-1425 6,800 QPS @85% CHR | 320 LPS
  • Dell VEP-1485 6,800 QPS @85% CHR | 400 LPS
  • B1-105 - 2,000 QPS @85% CHR | 80 LPS

Each NIOS-X server will be the IP address of ns.b1ddilocal.infoblox.com.

  • NOA = NextGen OnPrem Agent = Next Generation On Premise Agent
  • CSP = Cloud Services Portal = csp.infoblox.com / csp.eu.infoblox.com = single point of administration for all cloud-based Infoblox products. Now called “Infoblox Portal”.
  • OPH = On-Prem Hosts. Now called NIOS-X servers.
  • Docker = 17.09 and below (except 17.05 and 17.06), or 18.09 and above. Kubernetes is not supported. Always check the latest documentation. Sizing: 4-core CPU, 8 GB RAM, 64 GB disk.
  • VMware OVA = ESXi 5.5, 6.0 and 6.5. The VM can be 1 core with 0.5 GB RAM but defaults to 4 cores and 8 GB RAM. I run my home lab pair of B1DDI/B1TD on 1 core and 0.5 GB of RAM.
  • BloxOne B1-105 Appliance. Compact. Fanless. Zero-Touch Provisioning. Connects back to CSP automatically. Infoblox adds them to the appropriate portal as part of the sales process.

NIOS-X Server Objects

The following count as server objects when sizing the number of objects on a NIOS-X server:

  • DNS Views
  • DNS Zones
    • DNS Authoritative Zones
    • DNS Delegation Zones
    • DNS Forward Zones
    • DNS Secondary Zones
  • DNS Records
    • A Records
    • AAAA Records
    • CAA Records
    • CNAME Records
    • DHCID Records
    • DNAME Records
    • HTTPS Records
    • MX Records
    • NAPTR Records
    • NS Records
    • PTR Records
    • SOA Records
    • SRV Records
    • SVCB Records
    • TXT Records
    • UNKNOWN Records
    • RPZ Record (Policy Rule)
  • Subnets
  • DHCP Ranges
  • Leases
  • Fixed Addresses
  • Reservations
  • Fingerprints

Dig Testing

The following should always work:

dig @52.119.41.100 +short A www.infoblox.com
dig @threatdefense.bloxone.infoblox.com +short A www.infoblox.com
nslookup www.infoblox.com threatdefense.bloxone.infoblox.com

The following will only work when querying from a public IP that is in an External Network definition in your Infoblox Threat Defense tenant:

dig @52.119.41.100 +short A www.google.com

NIOS-X API Monitor

You can monitor NIOS-X servers via the API. SNMP is not supported. Docs here.

NIOS-X Server Deployment

Best Practice

Configure DNS server profiles to “Minimize responses”.

NIOS-X Server Not Connecting to Cloud

If the appliance is not connecting to the cloud, check the local UI and confirm that NTP is synchronized. If it is not, change the NTP server from ntp.ubuntu.com to ntp.ubuntu.org (or something else) and see if that helps.

Remember that the appliance needs to work out whether it should connect to the US POP or the EU POP. It must therefore be able to resolve the TXT record for eu-com-1.realm-discovery.csp.infoblox.com.

dig TXT eu-com-1.realm-discovery.csp.infoblox.com
eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "activation=grpc.csp.eu.infoblox.com:443"
eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "csp=csp.eu.infoblox.com"
eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "ngp-cp=cp.noa.eu.infoblox.com:443"
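As an added example (not from the page or from Infoblox), the script below turns those TXT answers into the endpoints the host has to reach and tests TCP connectivity to each one, which is a quick way to rule out an egress-filtering problem before blaming NTP. It assumes dig, awk and nc are installed; the sample answers embedded in it are the three lines quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check of realm-discovery endpoints for a NIOS-X host.

# The three TXT answers quoted on the page, embedded so the parser runs offline.
SAMPLE_ANSWERS='eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "activation=grpc.csp.eu.infoblox.com:443"
eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "csp=csp.eu.infoblox.com"
eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "ngp-cp=cp.noa.eu.infoblox.com:443"'

# Read dig TXT output on stdin and print one "label host port" line per answer.
parse_realm_endpoints() {
  awk '
    / IN TXT / && match($0, /"[^"]*"/) {
      kv = substr($0, RSTART + 1, RLENGTH - 2)      # e.g. activation=grpc.csp.eu.infoblox.com:443
      eq = index(kv, "=")
      label = substr(kv, 1, eq - 1)
      rest = substr(kv, eq + 1)
      colon = index(rest, ":")
      if (colon) { host = substr(rest, 1, colon - 1); port = substr(rest, colon + 1) }
      else { host = rest; port = 443 }               # csp= carries no port; the portal is HTTPS
      print label, host, port
    }'
}

# Resolve the realm record live and try a TCP connect to every endpoint.
# Needs network access and nc (assumed); returns 1 if any endpoint is unreachable.
check_realm_endpoints() {
  realm=${1:-eu-com-1.realm-discovery.csp.infoblox.com}
  tmp=$(mktemp) || return 1
  dig +noall +answer TXT "$realm" | parse_realm_endpoints > "$tmp"
  rc=0
  while read -r label host port; do
    if nc -z -w 5 "$host" "$port" 2>/dev/null; then
      echo "ok:   $label $host:$port"
    else
      echo "FAIL: $label $host:$port not reachable"
      rc=1
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}
```

Run `check_realm_endpoints` on the host itself (or `check_realm_endpoints <other-realm-name>` for a different realm record); a FAIL line names the exact host:port that the firewall or proxy has to allow.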

FYI:

  • Platform Management - Handles communication between NIOS-X and Infoblox Portal
  • Application Management - Handles various services running on NIOS-X itself

Dell VEP

You do not use the join token with the Dell VEPs. You first create a host in CSP, and the Dell VEP then uses ZTP to connect (with its service tag).

NIOS-X in Public Cloud

Note that due to the custom OS, certain VM sizes do not support deployment. These include “Standard_F4als_v6”, “als_v6” series, “Standard_D2ads_v5”, “ads_v6” series, “Ebsv5”, “Ebdsv6”, “Lsv2”, “Lsv3”, “Lasv3”, among others.

Azure: 1x Standard F8s v2 (8 vCPUs, 16 GB memory) ($142 per month in Sep 2022)

As per the docs, AWS Xen-based instances are not supported for NIOS-X deployments (because they create interface names with capital letters). Supported instance types include:

  • General purpose: M1, M2, M3, M4, T1, T2
  • Compute optimized: C1, C3, C4
  • Memory optimized: R3, R4, X1, X1e
  • Storage optimized: D2, H1, I2, I3
  • Accelerated computing: F1, G3, P2, P3

Deploying new Host

When deploying BloxOne Hosts, allow 30 minutes for the device to register properly.

Join tokens are secrets used to connect the Docker/OVA image to the Infoblox Portal. Used once. You can create multiple tokens for different users, and they can be revoked. A single token can join multiple hosts. Hardware devices from Infoblox have their own way of authenticating.

If you are deploying a Data Connector host (VMware), increase the disk size of the BloxOne host to 750 GB before booting it for the first time.

Multiple Interfaces

Setting up Interface

WAN interface means the interface can be used to phone home to the Infoblox Portal. LAN interface means that the interface will not be used for Infoblox Portal connectivity.

If a physical or virtual server has multiple interfaces configured, syslog traffic will always be sent through the MGMT/WAN interface on the host. You cannot modify this interface, as per the docs.

Enabling Services

When you enable services on a NIOS-X host, the Docker image is downloaded from the cloud to the NIOS-X host. This is why it can take a while to deploy (especially on slow networks). Disabling a service causes the container to be removed. It may be able to use the cached image if you restart the service quickly; if it has been a while, the downloaded image will have been purged.

Performance

The following is not official guidance, just observations.

  • Minimum BloxOne Host specs: 3 cores and 4GB of memory
  • Tested to a maximum of 80% CPU
  • DHCP standalone performance is 150 LPS
  • Add one core and you get another 50 LPS
  • No appreciable benefit beyond 4 cores
  • Peak performance is around 500 LPS
  • DNS QPS is 15k
  • For each core, add 5k
  • Tested to 75k QPS (to compare to a 1425)

Admin Interface of Appliance

To access the HTTPS interface of an On-Prem Host, the username is admin and the password is the last 8 characters of the Product serial number. If the device is a Dell VEP, the serial is the service tag on the back of the Dell Device and is possibly only 7 characters long.

If you boot a B1-105 box and it gets a DHCP lease, and you then reboot it where there is no DHCP, it gets 192.168.1.2/24. However, the WEB GUI WILL NOT BE AVAILABLE. This means we can stage all appliances on DHCP, ship them to the partner and get them to install. Remember to give the 105 appliances lots of time after booting before the Web GUI appears (20 minutes).

Docker Installation

systemctl enable docker.service
systemctl start docker.service
curl -O https://s3.amazonaws.com/ib-noa-prod.csp.infoblox.com/BloxOne_OnPrem_Docker_3.3.5.tar.gz
docker load -i BloxOne_OnPrem_Docker_3.3.5.tar.gz
docker image ls
# note the space before each trailing backslash: without it the continuation
# joins "--restart=always" and "-v" into one bogus argument
docker run -d --name blox.noa --network=host --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/infoblox/certs:/var/lib/infoblox/certs \
  -v /etc/onprem.d/:/etc/onprem.d/ \
  infobloxcto/onprem.agent:3.3.5 --jointoken <join_token>
docker ps

You must use “blox.noa” as the container name. DO NOT change this.

To be fully compatible with the NIOS-X services, you must update the Docker daemon settings and set the log driver to “json-file.” For more information, refer to the Docker documentation.
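The constraints above (Docker 17.09 and below except 17.05/17.06, or 18.09 and above; json-file log driver; the mandatory blox.noa container name) are easy to get wrong on a hand-built Docker host. As an added example that is not from the page or from Infoblox, the following script encodes them as a pre-flight check; it uses only the standard docker CLI format options.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Docker-based NIOS-X host.

# Return 0 if a Docker version string (e.g. 18.09.1) falls in a supported range:
# 17.09 and below (except 17.05 and 17.06), or 18.09 and above.
docker_version_supported() {
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  minor=${minor#0}                 # "09" -> "9"; "0" -> "" (restored on the next line)
  [ -n "$minor" ] || minor=0
  if [ "$major" -lt 17 ]; then return 0; fi
  if [ "$major" -eq 17 ]; then
    if [ "$minor" -gt 9 ]; then return 1; fi                   # 17.10 - 17.12 unsupported
    if [ "$minor" -eq 5 ] || [ "$minor" -eq 6 ]; then return 1; fi   # 17.05, 17.06 excluded
    return 0
  fi
  if [ "$major" -eq 18 ]; then
    if [ "$minor" -ge 9 ]; then return 0; fi
    return 1
  fi
  return 0                         # 19.x and later
}

# Query the local daemon and report each requirement (needs a running Docker;
# not exercised by the offline test). Returns 1 if a hard requirement fails.
nios_x_docker_preflight() {
  ver=$(docker version --format '{{.Server.Version}}') || return 1
  drv=$(docker info --format '{{.LoggingDriver}}') || return 1
  rc=0
  if docker_version_supported "$ver"; then echo "ok:   docker $ver"
  else echo "FAIL: docker $ver is outside the supported ranges"; rc=1; fi
  if [ "$drv" = "json-file" ]; then echo "ok:   log driver json-file"
  else echo "FAIL: log driver is $drv, expected json-file"; rc=1; fi
  # the agent container must be named blox.noa; warn if it is absent or misnamed
  if docker ps -a --format '{{.Names}}' | grep -qx 'blox.noa'; then echo "ok:   container blox.noa present"
  else echo "WARN: no container named blox.noa"; fi
  return $rc
}
```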

Azure

Official documentation on deploying BloxOne in Azure is here.

The first thing is to get azure-vhd-utils working on Linux.

sudo apt install make gcc golang-go golint git
git clone https://github.com/microsoft/azure-vhd-utils
cd azure-vhd-utils
make
sudo cp azure-vhd-utils /usr/bin/

Notes:

  • You can use the marketplace to deploy BloxOne, but you can't specify Availability Zones with it.
  • Download the BloxOne image from the Infoblox CSP portal (Administration > Downloads).
  • In Azure, create a Resource Group.
  • In Azure, create a Storage account in that resource group (e.g. called NameOfYourStorageAccount). Select the appropriate region and the resource group you just created. Set redundancy to Standard and Locally-redundant storage (LRS). Then review and create.
  • In Azure, create a container in that storage account (e.g. called mycontainer1).
  • Upload from Linux with the azure-vhd-utils tool using the instructions here.
  • azure-vhd-utils upload --localvhdpath <local_path> --stgaccountname <storage_account> --stgaccountkey <account_key> --containername <container_name> --blobname bloxone.vhd
  • Once uploaded, follow the guide here to use the uploaded “blob” to create an image, use the image to create a VM and then deploy the VM.

For uploading the BloxOne image, it needs to be uncompressed from ~3 GB to ~60 GB first.

Run PowerShell as administrator and convert the downloaded VHD file from dynamic-size to fixed-size with:

Convert-VHD -Path C:\Users\name\Downloads\b1dynamic.vhd -DestinationPath C:\Users\name\Downloads\b1fixed.vhd -VHDType Fixed

Repairing NIOS-X Server

The B1-105 appliance can be rebuilt using the ISO image that is available for the Dell VEP servers.

Prepare USB Boot Drive

  • Download the ISO image from the CSP portal (CSP > Administration > Downloads > On-Prem Hosts). You want the Dell VEP 1425/1485 image.
  • Use that ISO image and create a bootable USB stick with it. The commands below use the 7-Zip command-line utility tool to do this.
    • On Linux: (Assuming /dev/sdb1 is the USB drive)
      • apt install p7zip-full
      • mkdir -p /mnt/usb && mount /dev/sdb1 /mnt/usb
      • 7z x ~/Downloads/bloxone-appliance-vX.Y.iso -o/mnt/usb
    • On Mac OS: (Assuming /dev/disk2 is the USB drive)
      • brew install p7zip
      • diskutil list
      • diskutil eraseDisk FAT32 BLOXONE MBRFormat /dev/disk2
      • diskutil mountDisk /dev/disk2
      • 7z x ~/Downloads/bloxone-appliance-vX.Y.iso -o/Volumes/BLOXONE
    • On Microsoft Windows (Assuming F:\ is the USB drive)
      • "C:\Program Files\7-Zip\7z.exe" x C:\Downloads\bloxone-appliance-vX.Y.iso -oF:\

Check that the host serial is still in the CSP and that its state is one of the following: “Pending/Awaiting Approval/Review Details”.

Resetting the BIOS

Now we reset the BIOS.

  • Connect a USB keyboard and also a monitor with a VGA cable to the B1-105 appliance.
  • Connect the power brick that comes with the appliance to the appliance (but don't plug it into the mains yet).
  • Connect an ethernet cable using the LAN2 port on the front of the appliance. (You must use the LAN2 port to connect the appliance in the initial setup. Once the appliance is up and running, you can use both the LAN1 and LAN2 ports in your configuration.)
  • To power up the appliance, connect the power cable to a power source. Power up the appliance by pressing the power button and releasing it quickly. The monitor screen will display the copyright screen. Press <DEL> or <ESC> to enter setup.
  • On the BIOS screen, choose Restore Defaults.
  • Press F4 to save the selection and exit the screen.
  • When prompted with Save & Exit?, select Yes and press Enter.

Installing the ISO Image

Now we install the ISO image.

  • Insert the bootable USB drive that you created earlier, and then restart the appliance by pressing the power button.
  • Press <DEL> or <ESC> to enter setup in the BIOS screen.
  • Select the Boot Option #1 as your USB drive.
  • If the USB drive is not detected in Boot Options, select Hard Drive BBS Priorities and change the order so that Boot Option #1 is the detected USB drive.
  • Press F4 to save the selection and exit the screen.
  • When prompted with Save & Exit?, select Yes and press Enter.
  • Before installing the image on the box, it displays stdin: not a typewriter; checking integrity, this may take some time.
  • The first option Install BloxOne Appliance on To be filled by O.E.M. serial xxxxxxx is selected by default and the installation starts automatically if you do not already have the same ISO image pre-installed on the appliance.
  • If you have the same ISO image pre-installed on the appliance, the second option Boot from next volume is selected and you must manually select the first option if you want to reinstall the same ISO image.
  • The installation starts automatically once you select an option and may take up to 30 minutes to complete.
  • The appliance restarts by itself.
  • If your network does not have DHCP servers available, the appliance will fall back to the default IP address 192.168.1.2. Configure the B1-105 appliance through an internet browser.

Approving the Appliance

After you have successfully installed the ISO image and connected the physical appliance to the Cloud Services Portal, the appliance automatically enters the Awaiting Approval state. You can then log in to the Cloud Services Portal and approve it. After approval it takes 30 minutes or so to reach ONLINE status.

It is important to give the appliance ample time to complete each of its milestones as described above, or we may not get the desired results.

infoblox_uddi/nios_x_servers.1771446840.txt.gz · Last modified: by bstafford