05-23-2023 08:53 AM
For the folks who have deployed Umbrella VAs in their enterprise,
Should we put it in the same VLAN as current DNS/AD servers?
I know this is an obvious question, but is there any benefit to putting it near the current AD servers as opposed to placing it separated via a FW (context) in another subnet?
05-23-2023 09:14 AM
@chang0986 there is no specific recommendation on where to deploy the VA, whether on a separate network or behind the firewall, other than it should be deployed in the internal network and deployed in pairs on separate physical hypervisor hosts. As long as the VAs can route to the internal DNS servers and the Umbrella cloud, the VA could be on a different VLAN/subnet.
https://docs.umbrella.com/deployment-umbrella/docs/3-deployment-guidelines
05-23-2023 10:21 AM - edited 05-23-2023 10:22 AM
Hello chang0986,
It doesn't really matter if the VAs will be close to the AD or not. You just need to ensure DNS connectivity from the VAs to the internal DNS server, in most cases it's the AD, and the connectivity requirements from the VA to the Umbrella cloud.
The only thing you need to keep in mind is if there's any NAT between your clients generating DNS queries and the VAs. If the clients' IP addresses are behind a NAT gateway, the VA won't have visibility of the exact client that generated the DNS query, and this might affect policy enforcement (depending on the identities selected), reporting and user authentication.
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1
Hope that helps.