
Where to place Umbrella VAs?

chang0986
Level 1

For the folks who have deployed Umbrella VAs in their enterprise,

Should we put it in the same VLAN as the current DNS/AD servers?

I know this is an obvious question, but is there any benefit to putting it near the current AD servers as opposed to placing it separated via a FW (context) in another subnet?

2 Replies

@chang0986 there is no specific recommendation on where to deploy the VA, whether on a separate network or behind the firewall, other than that it should be deployed in the internal network and deployed in pairs on separate physical hypervisor hosts. As long as the VAs can route to the internal DNS servers and the Umbrella cloud, the VA could be on a different VLAN/subnet.

https://docs.umbrella.com/deployment-umbrella/docs/3-deployment-guidelines

Konstantinos9
Cisco Employee

Hello chang0986,

It doesn't really matter if the VAs will be close to the AD or not. You just need to ensure DNS connectivity from the VAs to the internal DNS server (in most cases it's the AD) and the connectivity requirements from the VA to the Umbrella cloud.

The only thing you need to keep in mind is whether there's any NAT between your clients generating DNS queries and the VAs. If the clients' IP addresses are behind a NAT gateway, the VA won't have visibility of the exact client that generated the DNS query, and this might affect policy enforcement (depending on the identities selected), reporting and user authentication.

https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1

Hope that helps.