DNS umbrella deployment with multi-ad domain

techno.it
Level 3

Hello everyone,

We are working on the deployment design for Cisco Umbrella in an AD environment. We have a multi-site parent and child domain structure, with the parent domain at HQ. Each site has 2 domain controllers.

We have decided to deploy an Umbrella VA in each site and install an AD connector on the domain controller of each domain. The internal DNS is configured with the Umbrella VA as the forwarder for external DNS queries.

Will this design work? Any recommendations?

Can we create separate policies for each site?

Do we need to install an AD connector on both the primary and the additional DC in each site?

Any help or insights would be highly appreciated.

1 Accepted Solution

@techno.it 

That won't work.

The VAs must be set as the primary DNS server in order to determine the client IP address, which is then used in conjunction with the AD Connector, which determines the IP-to-user mappings and forwards them to the Umbrella cloud.

https://docs.umbrella.com/deployment-umbrella/docs/1-ad-integration-setup-overview

If you specify the internal DNS server as the primary DNS server for the clients, the subsequent DNS request is forwarded to Umbrella from the internal DNS server's IP address, so you lose visibility of the initial client IP address. Therefore you cannot create policies based on users/groups.

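To make the traffic-flow difference above concrete, here is an added example (my own, not Cisco's code or anything the posters wrote) that models which source IP the VA observes under each client DNS configuration and whether the AD connector's IP-to-user mapping can then be applied. The addresses, resolver names and user mappings are constructed placeholders, and the forwarding behaviour is a simplified model in which each forwarding resolver re-originates the query from its own IP.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed IP-to-user mappings, as an AD connector would report them to
# Umbrella. Placeholder addresses and accounts, not from any real deployment.
AD_CONNECTOR_MAPPINGS = {
    "10.1.1.20": "CORP\\alice",
    "10.1.1.21": "CORP\\bob",
}

@dataclass
class Resolver:
    """A DNS hop. A forwarding resolver re-originates queries from its own IP."""
    name: str
    ip: str
    is_va: bool = False
    next_hop: Optional["Resolver"] = None  # where external queries go next

def source_ip_at_va(client_ip: str, first_hop: Optional[Resolver]) -> Optional[str]:
    """Follow the forwarding chain for an external query and return the source
    IP the Umbrella VA observes, or None if no VA is in the path."""
    src_ip, hop = client_ip, first_hop
    while hop is not None:
        if hop.is_va:
            return src_ip
        src_ip = hop.ip  # the internal DNS server forwards from its own address
        hop = hop.next_hop
    return None

def attributed_user(client_ip: str, first_hop: Optional[Resolver]) -> Optional[str]:
    """Identity Umbrella can attach to the query: the VA-observed IP looked up in
    the AD connector mappings. None means only network-level policy can apply."""
    seen = source_ip_at_va(client_ip, first_hop)
    return AD_CONNECTOR_MAPPINGS.get(seen) if seen else None

# Topologies from the thread (constructed addresses).
VA = Resolver("umbrella-va", "10.1.1.10", is_va=True)
# Recommended: clients -> VA. The VA is the first hop, so it sees the real
# client IP before anything is forwarded onward.
CLIENTS_TO_VA = VA
# Asked about: clients -> internal DNS -> VA as forwarder.
CLIENTS_TO_INTERNAL_DNS = Resolver("dc01-dns", "10.1.1.5", next_hop=VA)

if __name__ == "__main__":
    for design, first_hop in [("clients -> VA", CLIENTS_TO_VA),
                              ("clients -> internal DNS -> VA", CLIENTS_TO_INTERNAL_DNS)]:
        for client in AD_CONNECTOR_MAPPINGS:
            print(f"{design:32} client {client} seen as {source_ip_at_va(client, first_hop)}"
                  f" -> user {attributed_user(client, first_hop)}")
```

In the second design every workstation behind dc01-dns collapses to the same observed address, which is why a user- or group-based policy cannot distinguish them.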

3 Replies

@techno.it 

One AD connector is required for each AD domain in an Umbrella site, with an optional second connector for redundancy if required.

Umbrella policies do not apply to AD groups with cross-domain members. To create a policy that applies to users from multiple domains, you must add the relevant groups/users from each domain to the policy.

You can create separate policies for each site or just combine them.

Here is the Umbrella documentation regarding Multi Domain support.

https://support.umbrella.com/hc/en-us/articles/360022588891-Multi-AD-domain-support-in-Umbrella

techno.it
Level 3

@Rob Ingram Thanks for the response.

Our workstations have a static IP configuration, so it is not possible to reconfigure the clients with the VA's IP as the DNS server. In such a case, can the clients still point to the internal DNS server? What will the DNS traffic flow be when using the AD connector design?

Thanks
