3399 Views, 0 Helpful, 0 Replies

Cisco Umbrella Active Directory Integration

mrrlg
Level 1

We are faced with the prospect of migrating from Cloud Web Security (CWS) to Cisco Umbrella. We have purchased the apex licenses for the enterprise and have our basic policies built in the cloud. We have been assured by Cisco (more than once), that our existing active directory groups that create exceptions for users in CWS can be migrated to Umbrella.

To that end we have started down the sites and active directory path in Umbrella. We have multiple egress points, so we stood up a virtual appliance in each egress point. Once the second device was able to reach Umbrella, the device status changed to OK. (Now, as a point of clarification, half of the documentation talks about reaching out to OpenDNS and the other half uses Umbrella. We will be using Umbrella to reference either external resource.)

We then stood up two connectors; these are Windows 2012 R2 servers running the OpenDNS-windows-service-20180927.

We found some documentation indicating this is to be run through the command prompt; that failed, so we double-clicked on the MSI instead. The installer does not allow you to select a service account. It is hard-coded to use OpenDNS_Connector, which does not match our internal naming convention, access ACLs or identity services application.

The two connectors do appear in the Umbrella cloud, they do appear to recognize the virtual appliances, and they do generate an error that there are no domain controllers present.

Next we chose two domain controllers, one in the same subnet as each of the connectors. We ran the OpenDNS-windowsconfigurationscript-20180927.wsf script from the command line as the documentation indicated; the script stopped with an error message for Windows 2003 domain controllers (none of which exist in our environment), and we had to force the script to complete. This was on Windows 2008 R2 domain controllers.

The domain controllers did not appear in the Umbrella cloud. Digging around, we discovered that the DCs need to be able to reach the Umbrella cloud to register. We're not sure if this is a one-time requirement or permanent. We removed this access as soon as the domain controllers registered in the Umbrella cloud.

Our current state of affairs is that there are six devices in the cloud. Both VAs have a status of OK. The domain controllers are grayed out with a status of "run 2 days ago". The connectors show an error status, with the error being "The Connector was once connected, but is not currently connected to any of the DCs available."

There does not appear to be any support through Cisco TAC for Umbrella. We did not purchase phone support, so we are at the mercy of email support. We have done the troubleshooting steps that we could find, including stopping and starting the service, and posting the logs in an email to support.

Their reply to date is to check the permissions applied to the service account and reboot the domain controllers. Since this is a production environment, we have to wait for the regularly scheduled maintenance window to perform that task. We have no confidence that this will address the issue.

We apologize for the length of this post, but are curious if there are others facing these same integration issues?

0 Replies
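The post ends without a resolution, so here is an added read-only diagnostic for the three things it points at: whether the connector service is running and under which account, whether a domain controller can resolve and reach the Umbrella cloud, and what the Service Control Manager has logged about the service. This is example code written for this page; it is not from the original poster and not from Cisco. It assumes the connector runs as a Windows service whose logon account is OpenDNS_Connector (the account name the post gives; the post does not give the service name, so the script finds the service by account), and the Umbrella endpoint hostnames and ports are placeholders to be replaced with the values in Cisco's Umbrella prerequisites documentation. It deliberately uses Get-WmiObject and .NET socket classes instead of Get-CimInstance and Test-NetConnection so that it also runs on the Windows 2008 R2 domain controllers mentioned in the post.

```powershell
<#
  Added example (not from the original post or from Cisco). Read-only checks:
    1. connector service found by logon account (default OpenDNS_Connector)
    2. DNS resolution + TCP reachability to the Umbrella cloud
       ($UmbrellaHosts / $UmbrellaPorts are PLACEHOLDERS, replace them)
    3. recent Service Control Manager events mentioning the service
  Written for PowerShell 2.0 so it runs on Windows 2008 R2 as well as 2012 R2.
#>
param(
    [string[]]$UmbrellaHosts = @('PLACEHOLDER-umbrella-endpoint.example'),
    [int[]]$UmbrellaPorts    = @(443),
    [string]$ServiceAccount  = 'OpenDNS_Connector'
)

function Get-ConnectorService {
    param([string]$Account)
    # Win32_Service exposes StartName (the logon account); Get-Service does not.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -like "*$Account*" } |
        Select-Object Name, DisplayName, State, StartMode, StartName
}

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Resolved = $false; Reachable = $false; Detail = ''
    }
    # Step 1: can this host resolve the name at all? (DCs that cannot reach
    # Umbrella were the registration blocker described in the post.)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Resolved = ($addrs.Count -gt 0)
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return $result
    }
    # Step 2: open a TCP connection with a timeout; no data is sent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)
            $result.Reachable = $client.Connected
        } else {
            $result.Detail = "TCP: timed out after $TimeoutMs ms"
        }
    } catch {
        $result.Detail = "TCP: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return $result
}

function Get-RecentServiceEvents {
    param([string]$ServiceName, [int]$Newest = 200)
    # SCM writes start/stop and failure events to the System log; filter by name.
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest $Newest |
        Where-Object { $_.Message -like "*$ServiceName*" } |
        Select-Object TimeGenerated, EventID, EntryType, Message
}

Write-Host "== Service(s) running as an account matching '$ServiceAccount' =="
$svc = Get-ConnectorService -Account $ServiceAccount
if ($svc) {
    $svc | Format-Table -AutoSize
    $svc | ForEach-Object {
        Write-Host "== Recent SCM events for $($_.Name) =="
        Get-RecentServiceEvents -ServiceName $_.Name | Format-Table -AutoSize -Wrap
    }
} else {
    Write-Host "No service uses that account on this host (expected when run on a DC)."
}

Write-Host "== Outbound reachability to Umbrella cloud (placeholder endpoints) =="
$UmbrellaHosts | ForEach-Object {
    $h = $_
    $UmbrellaPorts | ForEach-Object { Test-OutboundTcp -HostName $h -Port $_ }
} | Format-Table Host, Port, Resolved, Reachable, Detail -AutoSize
```

Run it once on each connector server and once on each domain controller, before and after any firewall change, so that the "DCs must reach Umbrella" question in the post can be answered with evidence rather than by toggling access. Running it as a normal administrator is enough; it changes nothing.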