
Roaming Client: Deployment Guide for Umbrella


Overview

The Roaming Client serves to protect laptops regardless of where they are in the world or how they connect to the Internet. The client works by securely redirecting DNS queries bound for the Internet via one of the OpenDNS Global Network data centers distributed worldwide so that your policies are enforced as you choose and security is applied, preventing your computers from becoming compromised.

Several scenarios include computers accessing the Internet through 3G/4G wireless carrier networks, untrusted networks via Wi-Fi hotspots (e.g. airport, café, hotel, home), and within office environments behind trusted network gateways or Umbrella-protected networks via Virtual Appliances.

This guide explains how to install the client on your organization’s Windows and Mac laptops (and desktop systems, if desired) and verify that it is working properly.


Prerequisites

To use the roaming client, you must have:

Supported Operating Systems

• Windows 8, 7, XP or Vista with .NET 3.5 or newer.
• Mac OSX 10.7 or newer.

!IMPORTANT! Some anti-virus or other software programs may cause conflicts or prevent the Roaming Client from functioning properly. Please test representative systems before deploying to a large number of machines.

Network Access

• Open these outbound ports to allow encrypted DNS requests to be routed through the OpenDNS Global Network:

o TCP/UDP 53 to opendns.com, api.opendns.com, 208.67.222.222, 208.67.220.220
o TCP/UDP 443 to opendns.com, api.opendns.com, 208.67.222.222, 208.67.220.220

!NOTE: The IP addresses for “opendns.com” and “api.opendns.com” are currently the same, “67.215.92.210”, but this is subject to change. As such, we advise allowing access to the domain if possible.

!NOTE: Within some Wi-Fi networks these ports may not be accessible. At such times the Roaming Client will follow a back off protocol as described in Appendix B.

Software

If you have the OpenDNS DNSCrypt client on the machine(s) you plan to install the Roaming Client on, it must be uninstalled prior to installing the Roaming Client. Otherwise, the Roaming Client will not function properly.


Whitelisting your Internal Domains first

When using the roaming client, all of your DNS lookups are sent directly from your computer to the OpenDNS resolvers. This is generally a good thing, but will cause issues for users who want to access internal network resources such as printers, or internally hosted websites that rely on internal DNS resolvers.

To ensure uninterrupted access to these resources, administrators should add the appropriate domains to the Internal Domains section of the dashboard, found under System Settings > Internal Domains. This will create an internal domain whitelist that will be synced to your roaming users. Once the whitelist has been synced (it usually takes between 5-10 minutes), the client should automatically forward any requests for those internal resources to the proper internal DNS server.

Which Domains Should I Whitelist?

Domain whitelists can be an entire domain or a specific subdomain as well as reverse lookup zones.

Entry                  Whitelists                                Does Not Whitelist
zombo.com              zombo.com, anything.possible.zombo.com    notzombo.com
everything.zombo.com   everything.zombo.com                      zombo.com
192.in-addr.arpa       networks within the 192 range             other RFC 1918 subnets

This means that you can choose to direct an entire domain, or only specific subdomains, to be resolved using the default DNS servers. This is particularly useful in cases where some subdomains are publicly accessible, but others are only accessible when connected to your internal network (or VPN). Simply add the internal subdomains to your whitelist, and those lookups will never be sent to Umbrella. If the clients are part of an Active Directory domain, we also recommend adding the reverse lookup zone for your internal network to make sure dynamic DNS updates and other Active Directory related tasks are not affected.
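The matching rule implied by the table, as an added example that is not part of the original guide or the Roaming Client's own code. It assumes an entry matches itself and any subdomain, compared label by label; the function names and the sample IP addresses are constructed for illustration.

```python
import ipaddress

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing root dot."""
    return name.strip().lower().rstrip(".").split(".")

def is_internal(qname, entries):
    """True if qname equals a whitelist entry or is a subdomain of one.

    Comparison is label by label, so 'notzombo.com' does not match
    'zombo.com' even though the two strings share a suffix.
    """
    q = labels(qname)
    for entry in entries:
        e = labels(entry)
        if e != [""] and len(q) >= len(e) and q[-len(e):] == e:
            return True
    return False

def reverse_name(ip):
    """PTR query name for an IP address, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def resolver_for(qname, entries):
    """Where the lookup goes: the local resolvers or Umbrella."""
    return "internal DNS" if is_internal(qname, entries) else "Umbrella"

if __name__ == "__main__":
    whitelist = ["zombo.com", "192.in-addr.arpa"]   # entries from the table above
    queries = [
        "anything.possible.zombo.com",
        "notzombo.com",
        reverse_name("192.168.1.10"),   # constructed sample addresses
        reverse_name("10.0.0.5"),
        reverse_name("192.0.2.1"),      # public 192.x address, also covered
    ]
    for q in queries:
        print(f"{q:32} -> {resolver_for(q, whitelist)}")
```

The last query shows that 192.in-addr.arpa covers reverse lookups for all of 192.0.0.0/8, not only the RFC 1918 block 192.168.0.0/16; an entry of 168.192.in-addr.arpa limits the reverse zone to the private range.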


Step 1: Download & Install

!IMPORTANT! Downloaded installers are unique to your organization. Do not distribute them outside of your organization.

Manual Installation to Single Machine (Windows or Mac)

1. On the machine where you would like to install the Roaming Client, ensure it has Internet access, log into the Umbrella dashboard, and navigate to Configuration > Identities > Roaming Computers.

2. Click the Provision Roaming Computers button and then the Download for Windows or Download for Mac button (depending on what type of system you are installing to), and save it to the location of your choice.

3. Navigate to the downloaded installer (.ZIP file).

4. Optional: Hide the End-User UI (Tray Icon).

The .ZIP file contains a README (Windows) or PLIST file (Mac). Reference them for details if you do NOT want your users to see a tray icon with status information about the Roaming Client. By default it is visible.

5. Optional: Hide the Roaming Client from Add/Remove Programs (Control Panel).

The .ZIP file contains a README (Windows). Reference this for details if you do NOT want your users to see information about the Enterprise Roaming Client in the Add/Remove Programs applet. By default it is visible.

6. If you skipped step 4 or 5, simply double-click the file to begin the installation.

7. Click through the steps in the setup wizard, answering any questions appropriately.

8. Click the Finish button to complete the installation of the Roaming Client.

Distributed Installation for Multiple Machines (via Windows Group Policy Object)

1. On the machine from which you would like to distribute the Roaming Client to target machines, log into the Web Admin Dashboard and navigate to Configuration > Identities > Roaming Computers.

2. Click the Provision Roaming Computers button and then the Download for Windows button, and save it to the location of your choice.

3. Navigate to the downloaded installer (.ZIP file) and extract the MSI & README files.

4. Open the README file. Inside you should see the command you can use to deploy the Roaming Client to multiple computers via GPO or SCCM/SMS. You may also optionally hide the end-user UI (tray icon) if you prefer users to NOT see status information about the Roaming Client. By default it is visible. You can optionally hide the Windows client from Add/Remove Programs.


Step 2: Verify Operation

To check that the Roaming Client successfully installed and connected to Umbrella:

1. Skip to the next step if you chose to make the tray icon invisible. By default, the tray icon is visible. Verify this on the machine where you installed the Roaming Client. Clicking on the icon will expand it as follows:

[Screenshots of the expanded tray icon on Windows and on Mac]

Note: If the tray icon is not visible and you did not disable it when you performed the installation, please contact OpenDNS Technical Support at support@opendns.com.

2. Log into the Umbrella dashboard and navigate to Configuration > Identities > Roaming Computers.

3. The hostname of each machine you installed the Roaming Client on, as well as its status and policy information, should be listed. If so, you may skip to step 3 on the following page. If not, follow the next tasks.

!NOTE: For details on the meanings of different status indicators and information on the Identities->Roaming Computers, see Appendix A.

4. Double-check that the machine has Internet access with the appropriate network permissions. If after a few minutes the hostname still does not appear, follow the troubleshooting tips provided in Appendix C.


Step 3: Policy Configuration

After verifying that the Roaming Clients are operating successfully, define and apply security and content usage policies to them.

1. Navigate to Configuration>Policies, and click ‘add a new policy’ or click the name of an existing policy.

2. Check the ‘Roaming Computers’ box if you want to apply a single policy for all installed roaming clients, or check the box next to one or more roaming computers (by hostname) via the identity picker. To remove a selected computer, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click ‘next’.

3. Select the 'Policy Settings', then 'Block Page Settings' you would like enforced for this policy. Then click ‘next’.

!NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so.

4. Set a meaningful description for the policy, then click ‘save’.

!NOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into Umbrella from the selected computers.

5. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.

!NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, default [Organization Name] Policy always ordered last, which is a catchall for any identity.

!IMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire.
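The top-down, first-match rule described in the note above, as an added example that is not part of the original guide. The policy names, hostnames and data layout are constructed; the check goes one step beyond the text by listing policies that can never take effect because an earlier policy already matches every identity they cover.

```python
# Constructed model of the ordered policy list; names and hosts are sample values.
ALL_ROAMING = "Roaming Computers"        # the box that selects every roaming client
DEFAULT = "[Organization Name] Policy"   # catch-all, always ordered last

def effective_policy(hostname, policies):
    """Walk the list top-down and return the first policy assigned to hostname."""
    for name, identities in policies:
        if ALL_ROAMING in identities or hostname in identities:
            return name
    return DEFAULT

def never_enforced(policies, hostnames):
    """Policies that are not the first match for any host, so they have no effect."""
    winners = {effective_policy(h, policies) for h in hostnames}
    return [name for name, _ in policies if name not in winners]

HOSTS = ["ceo-laptop", "sales-01", "sales-02"]

BROAD_FIRST = [
    ("All roaming: security + content", {ALL_ROAMING}),
    ("Executives: security only", {"ceo-laptop"}),
]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))

if __name__ == "__main__":
    for label, order in (("broad first", BROAD_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        print(label)
        for host in HOSTS:
            print(f"  {host:12} -> {effective_policy(host, order)}")
        print("  never enforced:", never_enforced(order, HOSTS))
```

With the broad policy on top, the executive policy is never enforced; dragging the more specific policy above it makes both take effect.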


Appendix A: Status

From the Umbrella dashboard, click the Configuration tab. In the left sidebar section, click the Identities menu and choose Roaming Computers.

COLUMN            DESCRIPTION

Name              Hostname of the machine.

Primary Policy    Policy that the machine is governed by, and a colored protection status icon as follows:
                  Green (Okay): Machine is protected by the enforced policy.
                  Yellow (Warning): Machine is unprotected since the policy is not currently being enforced (e.g. machine is unable to connect to Umbrella).
                  Grey (Offline): Protection is unknown since the machine has been powered down, off the Internet, or Roaming Client uninstalled for a period of time.

Last Sync         Lapsed time since the roaming computer last contacted Umbrella.

Encryption        Shows a locked or unlocked icon indicating whether the DNS queries between Umbrella and the machine are encrypted or not.
                  Note: Roaming computers behind a Virtual Appliance do not need to be in an encrypted state.

Version           Currently installed software version of the Roaming Client.
                  Note: If no version is reported, that machine has never successfully synchronized with Umbrella.

A red “x” icon is present to allow you to remove that machine from the list of machines managed by your organization’s policy.

How Roaming Computers Change States

• When the Roaming Client first detects a new network connection, it attempts to contact the Umbrella Service via a special encrypted DNS query. If this succeeds, the Roaming Client will operate under Protected/Encrypted mode. If it fails, the Roaming Client will back off by attempting to connect to Umbrella via an unencrypted version of the same special DNS query.

• If the unencrypted DNS query succeeds, the Roaming Client will operate under Protected/Unencrypted mode. If it fails, the Roaming Client will attempt to use whatever DNS settings were provided by the DHCP or static network settings the machine was initially configured with, effectively entering Unprotected/Unencrypted mode.


Appendix B: Roaming Clients Behind Virtual Appliances

• Your Organization may use Virtual Appliances for additional reporting and granularity on internal networks and Active Directory. Virtual Appliances (VA) forward all on-network machines’ DNS queries to Umbrella via the OpenDNS Global Network.

• If a machine running the Roaming Client enters that network, the Roaming Client will detect the VA presence and allow the machine to be governed by the policies for that site instead of sending the queries directly to the OpenDNS Global Network.

• Thus, policies specific to Roaming Computers will only be applied when outside of your internal networks that use a VA.

• This state is reflected in the Configuration->Identities->Roaming Computers policy status. When hovering over the GREEN policy status icon for a particular machine, a message will read “Determined by VA.”


Appendix C: Troubleshooting

Below are the locations of logs, commands, or other tools that can help troubleshoot the Roaming Client.

!IMPORTANT! You will most likely need administrator access to perform the following functions.

Verify It is Running

Windows Roaming Client:

• Check that the "OpenDNS Enterprise Roaming Client" service is "Started" via the Services control panel.

Mac Roaming Client:

• Open up a command prompt by pressing CMD + space bar and typing terminal, then click the Enter key.

• Run the command: ps -ef | grep dns-updater | grep -v grep

• You should see something like this:

0 11487 1 0 8:40AM ?? 1:07.79 /Library/Application Support/OpenDNS Roaming Client/dns-updater

View the Log File

Windows Roaming Client:

• Open "C:\ProgramData\OpenDNS\ERC\OpenDNS _ERC_Service.log".

• You should see a few log entries like this:

o The Roaming Client Service has started successfully.
o The config file was loaded successfully.
o That a Device ID was acquired from the OpenDNS cloud service.
o The Roaming Client is successfully syncing to the cloud.

Mac Roaming Client:

• Run the command: cat /var/log/system.log | grep -E "(dns-updater|DNSCrypt)"

• The system.log will include information such as state changes and errors, and should indicate the state of the Roaming Client on the machine.

• You should see a log entry like this:

Aug 30 13:45:30 machinename dns-updater[553]: <INFO>: --- current proxy state: transparent

Restart It

Windows Roaming Client:

• Open the Services control panel and re-start the “OpenDNS Enterprise Roaming Client” service.

Mac Roaming Client:

• Run the command: sudo killall dns-updater


Umbrella is brought to you by OpenDNS.

Trusted by millions around the world.

The easiest way to prevent malware and phishing attacks, contain botnets, and make your Internet faster and more reliable.

OpenDNS, Inc.

www.umbrella.com

1.877.811.2367

Copyright © 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use.
