Hey there, I am Marcel, working as a security manager with extensive experience in deploying Cisco Security solutions. My journey has involved numerous deployments and integrations of Cisco technologies, ensuring secure and resilient network environments for various organisations.
Cisco Umbrella Virtual Appliances (VAs) play a crucial role in integrating Cisco's cloud-based DNS security into your on-premises network, providing seamless protection against external threats while ensuring that internal resources are securely and properly resolved. Deploying Umbrella VAs not only simplifies DNS management but also ensures that your organization benefits from split DNS resolution, where internal and external DNS queries are efficiently managed based on security policies.
This article will walk you through the key steps involved in deploying Cisco Umbrella VAs, including the configuration of internal domains, integration with AD/DNS servers, and ensuring DNS queries are appropriately handled to maximize both security and performance. Whether you're integrating Umbrella into a single corporate network or dealing with the complexities of a merged or acquired network, these deployment strategies will help maintain secure and reliable DNS resolution across your organization.
Illustration:
Key Steps in the Deployment:
- Get a List of Local Domains from AD/DNS Server(s):
- The first step is to extract the list of local (internal) DNS zones from your Active Directory (AD)/DNS servers, for example with Get-DnsServerZone on a Windows DNS server. These zones cover Active Directory itself (including _msdcs), internal applications, and other private network services that are not publicly resolvable. Include any conditional-forwarder zones the servers hold for partner or acquired networks, since only the internal servers know where those queries must go; auto-created zones and the RFC 1918 reverse lookup zones can be left out, the latter because they are already on the dashboard's default list.
- Import the List into the Umbrella Dashboard:
- Once collected, the list is entered in the Umbrella dashboard under Deployments > Configuration > Internal Domains (one entry covers the domain and all of its subdomains). The VAs use this list to route queries for internal names back to the AD/DNS servers instead of sending them to Umbrella's cloud resolvers. This is what makes split DNS work: external queries are handled by Umbrella, internal ones are resolved locally, and internal hostnames never leave the network.
- Umbrella VAs Forward DNS to AD/DNS Server(s):
- The Umbrella VAs are deployed as part of the network’s DNS architecture. When a DNS query is made:
- If the query is for an internal domain (e.g., internal.company.local), the Umbrella VA forwards this query back to the AD/DNS servers for resolution.
- If the query is for an external domain (e.g., example.com), the Umbrella VA forwards the request to the Cisco Umbrella cloud, where it is filtered and resolved based on the security policies you have defined.
Detailed Breakdown of the Deployment:
- AD/DNS Servers (Primary DNS for Internal Domains):
- Role: These servers handle all internal domain name resolution (e.g., Active Directory lookups, internal network resources).
- Default DNS: In this design the AD/DNS servers stay the default resolvers for all clients, and they forward everything they are not authoritative for to the Umbrella VAs.
- Forwarding External Queries: When a client requests an external domain, the AD/DNS server forwards the request to the Umbrella VA, which then handles it securely. Be aware of the trade-off: the VA only sees the DNS server's IP address, not the client's, so Umbrella reports and policies can be applied per site or per DNS server but not per client or per AD user. Cisco's recommended design is to hand the VAs out to clients as their DNS servers (e.g., via DHCP) and let the VAs forward internal domains back to AD/DNS; use the DNS-server-forwarding design only where that is not possible.
- Umbrella Virtual Appliance (VA):
- Role: The VA is the point of integration between the internal network and Cisco Umbrella's cloud security platform. It acts as a DNS forwarder, applies the Internal Domains list, and attaches the requesting client's internal IP address to each query it sends upstream, so that reports and policies in the dashboard can be tied to individual hosts rather than to the site's public IP.
- Forwarding Internal Queries: The VA forwards queries for the domains on the Internal Domains list (e.g., requests for internal domains) back to the AD/DNS servers, ensuring that internal network resources are properly resolved.
- External DNS Handling: All other queries are forwarded from the VA to Umbrella's cloud resolvers over an encrypted channel (DNSCrypt), where they are checked against your policies (malware, phishing, command-and-control, content categories, etc.) and resolved.
- Split DNS:
- The picture demonstrates a split DNS setup:
- Internal DNS requests (e.g., internal.company.local) are resolved by AD/DNS servers.
- External DNS requests (e.g., example.com) are forwarded through the Umbrella VA and resolved securely by the Umbrella cloud.
- Optional Network (e.g., Merged or Acquired Network):
- There is an optional network (e.g., merge-acquisition.net) represented on the left side of the diagram, which can also forward its DNS requests to the central AD/DNS servers for internal domains. This might be useful in a scenario where a merged or acquired company is being integrated into the corporate network but still maintains its own local DNS servers.
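To make the split concrete, here is an added Python example covering the three key steps above and the split DNS breakdown. It is my own illustration, not Cisco tooling and not code from the original article: it parses a constructed zone export in the shape `Get-DnsServerZone` produces on a Windows DNS server, derives the Internal Domains list to paste into the dashboard, and reproduces the forwarding decision a VA makes for each query name. The sample zones, the hostnames and the assumption that the dashboard's default list consists of the RFC 1918 reverse zones are mine; compare the output against your own dashboard before trusting it.

```python
"""Added example: turn an AD/DNS zone export into an Umbrella Internal Domains
list and check how a VA would route each query (local vs Umbrella)."""
import ipaddress
from typing import Iterable

# Constructed sample export (made-up data, not taken from a real server). On a
# Windows DNS server the equivalent would come from:
#   Get-DnsServerZone | Select-Object ZoneName,ZoneType,IsAutoCreated,IsReverseLookupZone
ZONE_EXPORT = """\
ZoneName                ZoneType   IsAutoCreated IsReverseLookupZone
_msdcs.company.local    Primary    False         False
company.local           Primary    False         False
corp.company.local      Secondary  False         False
TrustAnchors            Primary    True          False
0.in-addr.arpa          Primary    True          True
10.in-addr.arpa         Primary    False         True
merge-acquisition.net   Forwarder  False         False
"""


def parse_zone_export(text: str) -> list[dict]:
    """Parse the whitespace-separated table into one dict per zone."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split()))
        row["IsAutoCreated"] = row["IsAutoCreated"] == "True"
        row["IsReverseLookupZone"] = row["IsReverseLookupZone"] == "True"
        rows.append(row)
    return rows


def internal_domains_from_zones(rows: Iterable[dict]) -> list[str]:
    """Forward zones the AD/DNS servers host or conditionally forward for.

    Auto-created zones (TrustAnchors, 0.in-addr.arpa, ...) and reverse zones are
    skipped; the RFC 1918 reverse zones are added separately below and any other
    internal reverse zone has to be added by hand. A zone whose parent is already
    in the list is dropped, because Internal Domains matching includes subdomains.
    """
    names = {r["ZoneName"].lower().rstrip(".")
             for r in rows
             if not (r["IsAutoCreated"] or r["IsReverseLookupZone"])}
    kept: list[str] = []
    for name in sorted(names, key=len):          # parents are shorter than children
        if not any(name == p or name.endswith("." + p) for p in kept):
            kept.append(name)
    return sorted(kept)


def rfc1918_reverse_zones() -> list[str]:
    """Reverse zones for 10/8, 172.16/12 and 192.168/16 (assumed dashboard defaults)."""
    return (["10.in-addr.arpa", "168.192.in-addr.arpa"]
            + [f"{i}.172.in-addr.arpa" for i in range(16, 32)])


def build_internal_domains(export: str = ZONE_EXPORT) -> list[str]:
    """Full list to import: zones from the export plus the default reverse zones."""
    return internal_domains_from_zones(parse_zone_export(export)) + rfc1918_reverse_zones()


def route_query(qname: str, internal_domains: Iterable[str]) -> str:
    """Reproduce the VA's forwarding decision for one query name.

    'local'    -> forwarded to the AD/DNS servers
    'umbrella' -> forwarded to the Umbrella cloud resolvers
    The match is exact or at a label boundary, so notcompany.local does not
    match company.local even though it ends with the same characters.
    """
    name = qname.lower().rstrip(".")
    for dom in internal_domains:
        dom = dom.lower().rstrip(".")
        if name == dom or name.endswith("." + dom):
            return "local"
    return "umbrella"


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    domains = build_internal_domains()
    print("Internal Domains to import into the dashboard:")
    for d in domains:
        print("  " + d)
    for q in ["dc01.company.local", "fileserver.merge-acquisition.net",
              "notcompany.local", "www.example.com",
              ptr_name("10.1.2.3"), ptr_name("8.8.8.8")]:
        print(f"{q:35} -> {route_query(q, domains)}")
```

Run it as is to print the list and the routing table, or replace ZONE_EXPORT with a real export. The label-boundary check is the part worth keeping: a naive substring match would send notcompany.local to the AD/DNS servers, where the lookup fails and the query never reaches Umbrella's filtering, while a missing zone in the list sends an internal name to the cloud, where it leaks and fails.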
Best Practices
- AD Integration: Integrate Umbrella with Active Directory by deploying the AD Connector alongside the VAs. The connector imports users and groups and reports logon events from the domain controllers, and the VAs combine that with the internal IP they see on each query to attribute DNS activity to an AD user or group. This allows policies per user or group and user-level visibility in the Umbrella dashboard, and it only works for clients whose queries reach a VA directly.
- Redundancy: Cisco's deployment guidance calls for at least two VAs per site so that DNS keeps working while one is patched or fails; clients should receive both as DNS servers. Where a site spans several segments or data centres, spread the VAs across them for fault tolerance, and make sure the AD/DNS servers (the other half of the split) are equally redundant, since the VAs depend on them for every internal lookup.
- Internal Domain Protection: Keeping the Internal Domains list complete ensures that local queries are resolved internally and never sent to the cloud, which avoids both leaking internal hostnames and the latency and failed lookups that follow when an internal name reaches a public resolver. Revisit the list whenever zones are added (new AD domains, acquisitions, new conditional forwarders).
- Umbrella Roaming Clients for Off-Network Protection: Deploy the Umbrella Roaming Client (or the Umbrella module of Cisco Secure Client) to protect users who are outside of the corporate network (e.g., remote workers on laptops), so that devices are still covered by DNS security when they are not behind a VA. When such a device is back on a network served by VAs, the client detects this and steps aside so that the VA handles its DNS and the identity mapping stays consistent.