Ran into an interesting issue today related to a Meraki MX deployment for a large multi site customer.

Normally in a Microsoft built network, you want all your clients and servers to use the Microsoft DNS infrastructure.    Let us be clear, it does make things a little easier when Microsoft machines just know about each other.

I ran into a problem where the Meraki MX block page was not showing when users attempted to use regular HTTP web sites.   On HTTPS sites, no block page is shown, that is by design, however non SSL sites should see a block screen.

A little background..  When you try to visit a page that is blocked by Content Filtering with Meraki – you will be greeted with a screen like this..

How do we get this page to display?    The Meraki MX intercepts the session and sends a HTTP 302 Moved Temporarily message to the browser and redirects the browser to a URL like this.

http://wired.meraki.com:8090/blocked.cgi?&blocked_server=&blocked_url=http%3A%2F%2Fwww.beretta.com%2F&blocked_categories=bc_036

If you resolve wired.meraki.com on the internet it resolves to an IP of 54.241.7.184

Locally the DNS for wired.meraki.com will resolve to your Meraki MX — that is if you were using your Meraki MX as your DNS.   In large Microsoft deployments that DNS server might use root hints or forward lookups somewhere else on the network,  so the response would be 54.241.7.184.

Why is this a problem?  If you look at the URL, you will notice that it opens port 8090,  a quick check of the internet IP 54.241.7.184 will show that port 8090 is not open on that IP, so if the client resolves wired.meraki.com and does not get an IP of an MX SOMEWHERE on the network — your client is greeted with

So how do we fix this?   You have two options

1) Make all your clients use a Meraki MX, or a DNS server that always sends forward lookups through a Meraki MX device  (Good luck, the Microsoft Server team is probably not going to want you to change your client DNS settings)

2) Add a host file entry to the workstation (No!)

3)  Add wired.meraki.com to your Microsoft DNS.

So going with option 3,  if your Microsoft DNS add a forward looking zone called “wired.meraki.com”  and then create an entry pointing towards your MX, like this.

1) Create a forward lookup zone called “wired.meraki.com”   — NOT MERAKI.COM  if you do this you will prevent your devices from contacting the Meraki Cloud Controller.

2) Create a Host (A) record like this – nothing under the name, as we want the wired.meraki.com domain to respond,  replace the IP address with the IP of your MX.

If you have multiple Meraki MX devices create multiple entries in your DNS,  the machines will always choose the device within their local subnet first, if for some reason they do not – it does not matter as the other devices will technically respond, but we do not want those responses from over the WAN.

Hopefully someone else runs into this problem and this can be of assistance.