Safe networks are not typically required for our DNS Firewall's roaming functionality, but you may need to map a safe network, depending on your environment.

Note for Partners: safe networks are mapped at the individual client level. So, make sure that the organization selector is set to the correct client before continuing.

Once a safe network is mapped, and roaming is enabled, each time a device (with the endpoint agent installed), connects to a network, our endpoint agent will compare the current network against your safe network mappings. Networks that do not match the mappings of a safe network will be considered unsafe; roaming will become enabled.

To map a safe network, you need to define its parameters in the Field Effect MDR Portal, which are used determine a network as being safe or unsafe. If any parameter of the network the device is connecting to matches a parameter included in a safe network mapping, the connection will be considered safe.

The following parameters are available for safe network mappings:

• Connection-specific DNS suffix:
  • A connection-specific DNS suffix must be assigned to a network interface so our endpoint agent can recognize the safe network assigned to that interface.
  • It’s recommended that you configure the connection-specific suffix on a Windows client via DHCP.
    • An “ipconfig /all” command will confirm that the suffix is assigned as required.
  • Only one DNS suffix can be added to a safe network.
• Basic Service Set Identifiers (BSSID) for access points:
  • This is used to identify wireless connections, as it acts as unique identifier. This is only used for Wi-Fi networks.
  • Multiple BSSIDs can be added to a safe network.

Gathering Safe Network Parameters

The following sections provide instructions that can help you gather your organization’s safe network parameters.

Identifying DNS Suffixes

To find your organization’s DNS suffix from a Windows computer that’s connected to your corporate network, open the command prompt and use the following command:

ipconfig

After running the command, check the “Connection-specific DNS Suffix” field for your DNS suffix. 

Identifying BSSIDs 

Since the BSSID is unique to each physical network access point, the following procedure will only provide the BSSID for the access point the computer is connected to. You will need to connect to each access point separately and perform this procedure.

To find the BSSID for the access point your computer is wireless connected to, open the command prompt and type the following: 

netsh wlan show interfaces

Information about the interface, including the BSSID, will be listed on your screen.

Mapping Safe Networks in the Portal

After gathering your safe network mappings, navigate to the Administration section's DNS Firewall page and click Safe Networks within the blue banner.

The Safe Networks window will appear on your screen. The column on the left lists out any existing Safe Networks. Click “+ New Safe Network” in the left column to map a new Safe Network. Give your new Safe Network (Ex: Headquarters, Branch Office) a name.

After naming the Safe Network, you can begin adding the parameters outlined in the previous section. Use the drop-down menu to select a parameter and enter its details in the text field beside your selection. To confirm, click the “+” icon, and the parameter will be added to the central pane’s parameter list. Once the parameter(s) have been added, click Update.