9614 Views, 5 Helpful, 9 Replies

Umbrella VA query

sv7 (Level 3)

Hi All,

I'm new to Umbrella and want some guidance to help me with the implementation of my project.

My client has 12 locations, and every location has its own ISP gateway to reach the internet. As per their requirement they will deploy 1 VA at their DC and 1 VA at their DR. The purpose of deploying the VA is to collect the internal IP addresses of users sitting on-prem.

So my question is: would deploying 1 VA at the DC and 1 VA at the DR be sufficient for Umbrella to track internal IP addresses for all locations? Also, is it possible to track/record the internal IP address of a user machine without using a VA?

Another question is whether I would need to add the Umbrella public IP addresses in the Domain Controller's DNS forwarders, or whether I can add the VA IP address so my users would reach both internal (intranet) and external (internet) domains.

 

 

Accepted Solution

Hi @sv7,

As per Cisco's guide, it is required to deploy VAs in pairs. Once deployed, your VA becomes the key point for your DNS traffic - you configure the VA address on your clients. Any failure or suboptimal path (like a bunch of queries from the primary to the DR location) could have severe consequences and negative visibility for you. Also, the existence of a pair of VAs makes upgrades hitless. VA resource requirements are quite minimalistic, and I would advise following the guidelines and deploying a pair of VAs per site.

BR,

Milos


9 Replies

@sv7 

This information is contained within the Umbrella documentation....

 

https://docs.umbrella.com/deployment-umbrella/docs/1-introduction

Without Virtual Appliances
Security and DNS traffic-related investigations cannot be traced back to an individual computer or IP address.

 

If not using a VA you could....

 

https://docs.umbrella.com/deployment-umbrella/docs/anyconnect-umbrella-roaming-security-client-administrator-guide

 

The Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time—both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname (and optionally AD username) both on and off your network or VPN

 

https://docs.umbrella.com/deployment-umbrella/docs/7-reroute-dns

When deploying the virtual appliance component of Umbrella, we recommend the following for DNS configuration on any internal DNS servers:

  1. On the DNS server adapter settings, use the loopback address (127.0.0.1) so that the server will use itself for DNS resolution. The second entry should be another internal DNS server.
  2. On the forwarder settings of the DNS server, we recommend using the Umbrella Anycast IPs (208.67.222.222/208.67.220.220) rather than the virtual appliance IPs. This limits the ability to see the source IP when viewing reports but avoids any problems with DNS loops if there is a misconfiguration on either the VA or internal DNS server.
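The forwarder choice in the quoted recommendation is the security-relevant decision: forwarding to the Umbrella Anycast IPs, as the documentation advises, gives up some source-IP visibility in reports but cannot loop, whereas forwarding to the VA IPs can loop if a VA's internal-domain list sends a query back to the same DNS server. The following PowerShell is an added example, not code from this thread or from Cisco's documentation. It applies the two recommended settings on a Windows DNS server/Domain Controller and verifies them. The adapter name, the second internal DNS server address and the VA addresses are assumptions; disabling root hints is a hardening choice of this example, not part of the quoted guidance.

```powershell
# Added example (not from the thread or Cisco's docs): apply the recommended
# DNS configuration on a Windows DNS server / Domain Controller that sits
# behind Umbrella Virtual Appliances, then verify it.
# Run in an elevated PowerShell session on the DNS server (DnsServer and
# DnsClient modules, Windows Server 2012 R2 or later).

# Assumptions for this example (replace with your own values):
$Adapter           = 'Ethernet'                   # name of the server's LAN adapter
$OtherInternalDns  = '10.0.0.11'                  # a second internal DNS server
$VirtualAppliances = @('10.0.0.21', '10.0.0.22')  # the VA pair (checked, not used as forwarders)

# Umbrella Anycast resolvers, as quoted in the recommendation above.
$UmbrellaAnycast = @('208.67.222.222', '208.67.220.220')

# 1. Adapter DNS settings: the server resolves via itself first, then via
#    another internal DNS server.
Set-DnsClientServerAddress -InterfaceAlias $Adapter `
    -ServerAddresses (@('127.0.0.1') + $OtherInternalDns)

# 2. Forwarders: the Umbrella Anycast IPs, not the VA IPs. Disabling root
#    hints (this example's choice) keeps unresolved queries on the forwarder
#    path instead of letting the server bypass Umbrella via the root servers.
Set-DnsServerForwarder -IPAddress $UmbrellaAnycast -UseRootHint $false

# Alternative the quoted guidance argues against: forwarding to the VAs keeps
# the internal source IP in reports but can loop if a VA's internal-domain
# list hands a query back to this server. Shown for contrast only.
# Set-DnsServerForwarder -IPAddress $VirtualAppliances -UseRootHint $false

# 3. Verify the resulting configuration.
$forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.ToString() }
$adapterDns = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses

if (Compare-Object $forwarders $UmbrellaAnycast) {
    Write-Warning "Forwarders are $($forwarders -join ', '), expected the Umbrella Anycast IPs"
}
if ($adapterDns[0] -ne '127.0.0.1') {
    Write-Warning "Adapter DNS should list 127.0.0.1 first, found $($adapterDns -join ', ')"
}
foreach ($va in $VirtualAppliances) {
    if ($forwarders -contains $va) {
        Write-Warning "VA $va is configured as a forwarder (DNS loop risk)"
    }
}

# 4. Confirm the server really resolves through Umbrella. debug.opendns.com
#    is Umbrella's diagnostic TXT record; the answer reports which resolver
#    and source Umbrella saw the query from.
Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -Server 127.0.0.1 |
    Select-Object -ExpandProperty Strings
```

Run it once per internal DNS server; the loop check in step 3 is the one to keep in your build verification, since it catches the misconfiguration the documentation warns about before a client ever points at the server.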

Hi Rob,

Thanks for your reply.

One more question I have, if you can help me, would be a great help.

As I said, I have 12 locations and every location has its own DNS server/Domain Controller, but all these DNS servers sync with each other across all the other locations.

I'm deploying VAs at my DC and DR locations only. So would I need to add the AD Connector and run the script on every location's Domain Controller, or would doing it on the DC and DR Domain Controllers work?

Milos_Jovanovic (VIP Alumni)

Hi @sv7,

And just to answer your question and to add to @Rob Ingram's post, two VA appliances are required per site. You can find reference here.

BR,

Milos


@sv7,

As explained in the Umbrella AD Integration Guide, it is not required to install connector on all DCs (it doesn't even have to be DC):

If your security policy requires it, the connector can be installed on a different non-domain controller server. Depending on your network architecture you may not need to install the connector on all domain controllers. As long as the server with the connector has network connectivity to the required domain controllers, you may only require one or two connectors for the whole environment.

BR,

Milos

 

Milos,

Thanks for your suggestion. So from this point of view, adding the local DNS server of the DC location in the VA setup for the DC location, and the local DNS server of the DR location in the VA setup for the DR location, would work, and I don't need to add all the other locations' local DNS servers in the VA setup at DC and DR, as they are in sync with each other.

Please correct me if I'm wrong.

Hi @sv7,

Yes, I would say it should be enough. You'll get information from 2 sources, so you'll have redundancy. They will share same information, as they are all part of the same system.

BR,

Milos

Hi Milos,

As per Cisco's recommendations, two VAs per site are required for redundancy and so that no downtime is required when one VA needs upgrading. But the client is saying they will deploy 1 VA at the DC and 1 at the DR, and in case the DC VA fails all traffic diverts to the DR VA, so why would I need 2 VAs per site?

I think this also makes sense. What is your suggestion on this, and the drawbacks of having such a deployment type?
