topic Re: Umbrella setup with VA without AD integration in Cloud Security

Umbrella setup with VA without AD integration

1netconsulting — Tue, 20 Oct 2020 00:39:30 GMT

Hello,

I am looking for option to deploy Umbrella in AD environment (but without AD integration and roaming clients) and have ability to track end system IP addresses.

Will this scenario work:

Deploy Umbrella VA and point end systems (including servers) DNS to VA. For domain controllers specify forwarders pointing to Umbrella for external DNS queries.

Re: Umbrella setup with VA without AD integration

Rob Ingram — Tue, 20 Oct 2020 06:47:39 GMT

Hi @1netconsulting

If your clients continue to point to the internal DNS server, which then sends the external DNS queries to Umbrella VA, the VA will see only the internal DNS server(s) as the source IP address, not the clients. The Umbrella VA needs to be the primary DNS server, forwarding internal DNS queries to the internal DNS servers.

The only exception to that (that I am aware of) is Infoblox, which can preserve the original IP address before forwarding to the Umbrella VA.

HTH

Re: Umbrella setup with VA without AD integration

1netconsulting — Tue, 20 Oct 2020 15:45:37 GMT

This is not the scenario I am asking about:
Internal devises will be pointing to VA for DNS resolution.
VA is configured to point to internal DNS servers (which are in my case AD controllers) Only for internal domain resolution. All external dns requests from VA are going to Umbrella servers.
The difference in this Suggested scenario compared to “standard” is that there is no AD connectors/sync script configured

Re: Umbrella setup with VA without AD integration

Rob Ingram — Tue, 20 Oct 2020 16:22:22 GMT

Ok I miss understood this:- "For domain controllers specify forwarders pointing to Umbrella for external DNS queries." - the Domain Controllers should never receive external DNS queries if the VA is the primary DNS server. Umbrella doesn't recommend pointing the DC's DNS to the VAs as that can create a loop in DNS.

No you don't need to run the script or configure AD connectors, you can just use the VA which will encrypt and forward the DNS request including the learnt client IP address to the cloud or if local forward to the internal DNS server.

Re: Umbrella setup with VA without AD integration

1netconsulting — Sun, 25 Oct 2020 03:31:04 GMT

OK, I configured it as planned:

1. AD controllers, which are running DNS, are pointing to VAs via forwarders.

2. All DHCP clients and other servers are pointing to VAs.

VAs are set to point to AD controllers for local DNS zones resolution.

As a result, I have ability to identify sources (IP addresses) of the DNS requests for Internet destinations.