Due to how certificates work, the powerschool servers must reside in the remc1.net domain. We use a redirect on webservices.remc1.net to move users into the correct place.
Example
I will use the CCISD as an example. On the CCISD website there is a link to PowerSchool which points to http://powerschool.copperisd.org. This is a CNAME to webservices.remc1.net. Inside webservices there is a virtual host that does a redirect to pscopperisd.remc1.net. pscopperisd will differ from the inside and the outside. On the inside DNS this is CNAMEed to the current PowerSchool server (at time of writing that is ps2copperisd.remc1.net). On the outside that is an A record to the one public IP that is held by the PowerSchool server for the CopperISD. I have also inserted CNAMES for all the ps1, ps2, ect. on the outside to point towards it's A record.
| Outside | Inside | Virtual Host config |
|---|---|---|
pscopperisd.remc1.net. IN A 208.68.25.46 ps1copperisd.remc1.net. IN CNAME pscopperisd.remc1.net. ps2copperisd.remc1.net. IN CNAME pscopperisd.remc1.net. | pscopperisd IN CNAME ps2copperisd ps2copperisd IN A 172.16.30.4 ps1copperisd.remc1.net. IN A 172.16.20.144 | <VirtualHost powerschool.copperisd.org> |
As you can see, the way the virtual host is setup will cause the same name to be resolved on the outside as well as the inside. On the outside the VIP will never change, so that's the A record. Where as on the inside the host may so that's the CNAME.
So, in short, the 2 things you need to change to drop a new PowerSchool server in will be:
- The inside IP for the virtual IP on the fortigate
- The inside DNS CNAME