Active Directory (AD) integration supplements Umbrella Virtual Appliances by attaching AD user, group or computer name information to each applicable DNS request.
This guide explains how to install and configure the Active Directory components that are provisioned and maintained from the Umbrella dashboard. By integrating with your Active Directory environment and forwarding DNS queries to the Cisco global network, you can enforce policy and report on a per-user, per-computer and per-group basis.
The Active Directory integration consists of two components that must reside in your network at each independent AD site.
An Active Directory "site" in the context of this document means an independent location with its own Domain Controller(s), DNS server(s), and connection to the Internet.
The two components are:
1. The Virtual Appliance (VA), which
- Runs in a virtualized server environment,
- Forwards local DNS queries to your existing DNS servers, and
- Forwards external DNS queries, with non-sensitive metadata, to the Cisco global network.
For the VA to route local and external DNS queries correctly, every client that Umbrella is to manage must be configured to use the VAs (and only the VAs) as its DNS servers. A client that still points at a Domain Controller or a public resolver bypasses Umbrella policy and reporting entirely.
2. The Connector, which
- Runs in your Active Directory environment,
- Securely communicates non-sensitive user and computer login information to the Virtual Appliances, and
- Securely communicates non-sensitive user and computer group information to the Cisco global network.
If your security policy requires it, the Connector can be installed on a server that is not a Domain Controller. For more information, see Appendix C – Prepare a Non-AD Server to install the Connector. You also do not need to install the Connector on every Domain Controller: as long as the server hosting the Connector has network connectivity to the required Domain Controllers, one or two Connectors are sufficient for the whole environment.
For an overview of the expected network topology and traffic flow, see Appendix A – Communication Flow And Troubleshooting. Wherever you are in your planning or deployment, that appendix can help you plan the rollout.
The client computers at each Active Directory site must be configured to use the VA at their own site as their DNS resolver. The VA then routes each DNS query to the appropriate destination, whether the name is an internal or an external resource.
The Virtual Appliance also communicates with the AD environment to retrieve user information and match it to clients.
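The two requirements above (clients must use the VAs as their only DNS servers, and the VA must be able to resolve both internal and external names) are easy to get wrong during rollout. The following PowerShell script is an added example, not part of the Umbrella guide, that a practitioner can run on a domain-joined Windows client to audit both. The VA addresses, the internal host name and the external host name are placeholders and must be replaced with your own values.

```powershell
# Added example (not from the Umbrella guide): audit a Windows client's DNS
# configuration against the site's Virtual Appliances, then confirm that an
# internal and an external name both resolve through each VA.
# The VA addresses and test names below are assumed placeholders; substitute your own.
$VirtualAppliances = @('10.0.0.10', '10.0.0.11')   # assumed VA IPs for this site
$InternalName      = 'dc01.corp.example'           # assumed internal AD host name
$ExternalName      = 'www.cisco.com'

# 1. Every IPv4 interface with DNS servers configured should list only the VAs.
#    A client that still points at a Domain Controller or a public resolver
#    bypasses Umbrella policy and reporting.
$offenders = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $extra = $_.ServerAddresses | Where-Object { $_ -notin $VirtualAppliances }
        if ($extra) {
            [pscustomobject]@{
                Interface    = $_.InterfaceAlias
                NonVAServers = ($extra -join ', ')
            }
        }
    }

if ($offenders) {
    Write-Warning 'Interfaces using DNS servers other than the VAs (policy bypass risk):'
    $offenders | Format-Table -AutoSize
} else {
    Write-Host 'OK: all interfaces use only the Virtual Appliances for DNS.'
}

# 2. Query each VA directly. The internal name must be answered via your own
#    DNS servers, the external name via the Cisco global network. A failure on
#    one but not the other points at the corresponding forwarding path.
foreach ($va in $VirtualAppliances) {
    foreach ($name in @($InternalName, $ExternalName)) {
        try {
            $answer = Resolve-DnsName -Name $name -Type A -Server $va -DnsOnly -ErrorAction Stop
            $ips = ($answer | Where-Object { $_.Type -eq 'A' } |
                    Select-Object -ExpandProperty IPAddress) -join ', '
            Write-Host ("{0,-14} {1,-24} -> {2}" -f $va, $name, $ips)
        } catch {
            Write-Warning ("{0,-14} {1,-24} -> FAILED: {2}" -f $va, $name, $_.Exception.Message)
        }
    }
}
```

Run the script from an elevated or standard PowerShell session on a client at the site being deployed. The first section flags any interface whose DNS server list contains an address other than a VA; the second section bypasses the local client cache (`-DnsOnly`) so that a failed lookup reflects the VA's forwarding behaviour rather than a stale local answer.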
This diagram outlines each component of the integration.