Active Directory Integration:
Install and Setup Guide
This guide explains how to install and configure the Active Directory Components provisioned and
maintained from the Umbrella Dashboard with Umbrella Insights. By integrating with your Active
Directory environment and securely forwarding DNS queries to the Umbrella Security Cloud, you can
enforce and report on users, computers and groups.
For many customers, only instructions on pages 4-13 are required.
Table of Contents
Overview ... 3
Prerequisites ... 4
Virtualized Server Environment Active Directory Environment Network Environment
Step 1: Setup DNS Forwarding via Virtual Appliances ... 5
Create the Virtual Appliance (VA) Configure the Virtual Appliance Verify the Virtual Appliance Syncs with the Dashboard Create the Redundant Virtual Appliance Route Local DNS Queries
Step 2: Prepare your Active Directory Environment ... 8
Run the Configuration Script on the AD Server Verify the AD Server Reports to the Dashboard Repeat for Each AD Server
Step 3: Connect Active Directory to Umbrella ... 10
Install the Connector Verify the Connector Syncs with the Dashboard Verify all Active Directory Components are Operational
Step 4: Configure Settings in Dashboard ... 12
Step 5: Route DNS Traffic through the Virtual Appliances ... 13
Multiple AD Sites ... 14
Appendix A: Prepare a Separate non-AD Server to Install the Connector ... 15
Appendix B: Configuring AD Servers on Windows Server 2003 R2 ... 16
Setting the ‘Manage auditing and security log’ Group PolicyOverview
The Active Directory integration consists of two components that must reside in your network at each independent AD site:
INOTE: An “Active Directory site” in the context of this document means an independent location with its own AD
server(s), DNS server(s), and connection to the Internet.
1. The Virtual Appliance (“VA” for short), which • Runs in a virtualized server environment,
• Forwards local DNS queries to your existing DNS servers and
• Forwards external DNS queries with non-sensitive metadata to the Umbrella Security Cloud.
INOTE: The recommended installation includes a redundant VA (not shown in the diagram).
2. The Connector, which
• Runs in your Active Directory environment,
• Securely communicates non-sensitive user and computer login info to the Virtual Appliances.
• Securely communicates non-sensitive user and computer group info to the Umbrella Security Cloud service.
INOTE: If your security policy requires it, the Connector can be installed on a different non-AD server (see
Appendix A for details).
Prerequisites
To support the Umbrella Insights Active Directory integration, you must have:
Virtualized Server Environment
• VMware ESXi 4.1 or newer to create the Virtual Appliances.
• Your ESXi server host is set to the correct date and time for predictable VA behavior.
• Your ESXi server host has one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance.
Active Directory Environment
• Windows Server 2003 R2, 2008 or 2008 R2 with the latest service packs and 100Mb free hard disk drive space.
• Only a single domain environment.
IIMPORTANT! When deploying Umbrella Insights Active Directory Components at more than one WAN-linked (MPLS-type network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at current site before moving on to the next.
• A new user account with:
o The logon name (aka. sAMAccountName) set to OpenDNS_Connector. o The box ‘Password never expires’ checked.
o A password entered without backslash or quotation characters.
o Make sure the OpenDNS_Connector user is a member of the following groups and if not, please add the missing ones:
§ Event Log Readers § Distributed COM users
§ Enterprise Read-only Domain Controllers
IIMPORTANT! For environments on Windows Server 2003 R2, several manual steps are required (see Appendix B for instructions).
Network Environment
• Set the following ports to be open from the Active Directory server to the Virtual Appliances: o 443 TCP
• Set the following outbound ports to be open from the VAs and connectors to opendns.com: o 53 TCP & UDP
o 443 TCP o 2222 TCP
Step 1: Setup DNS Forwarding via Virtual Appliances
The purpose of Virtual Appliances is to map internal source IP addresses to AD users and computers then forward external DNS queries from your network to the Umbrella Security Cloud via one of the OpenDNS Global Network data centers. Local DNS queries are forwarded to your internal DNS servers.
Create the Virtual Appliance (VA)
1. On any network PC with the ability to log into your ESXi server using the VMware vSphere client, point your browser to https://dashboard2.opendns.com and log in with your Umbrella credentials.
2. From the Dashboard, navigate to Configuration > System Settings > Active Directory Configuration. 3. Click the ‘download components’ button in the upper-right corner and select the 'Virtual Appliance'.
INOTE: If you already downloaded this file a few days ago, please re-download it in case of a newer version. System prompts will update you on the status of the download the OpenDNS .ova file.
4. Log onto your VMware vSphere client.
5. Select the File tab, and click ‘Deploy the OVF Template’. 6. Follow the deployment wizard prompts; taking note of:
a. For the source, browse to the .ova file you just downloaded.
b. Verify that your VMware server host is running version 4.1 or newer. c. Specify a unique name and location of your Virtual Appliance. d. Select the disks appropriate to your environment.
e. Make sure you select the Thin Provision radio button.
f. Specify the network.
7. Click Finish after completing the deployment configuration. System prompts will update you on the status.
8. Select the device just created and right-click. Select Power > Power on.
9. Right-click the device just created, and select Open Console.
Configure the Virtual Appliance
1. From the VMware console after a brief boot up process, you are prompted to configure the DNS forwarder by tabbing between fields.
INOTE: For Local DNS 1 and 2 enter your local DNS servers, which is often the IP addresses of your
Windows Servers with both the Active Directory Domain Services and DNS Server roles installed.
2. At the ‘Add Domain’ prompt enter the name of your domain (adding internal zones is described below). 3. Press Return.
4. Tab to ‘Save’ and press Return.
Verify the Virtual Appliance Syncs with the Dashboard
• When you return to the Umbrella Dashboard, you will see the VA you just created in the ‘Inactive’ state on the Active Directory Configuration page.
Create the Redundant Virtual Appliance
• Repeat the above steps to create a secondary Virtual Appliance, which is required for continuous operation.
INOTE: It ensures 100% uptime in the event of any critical issues, as well as, enabling auto-upgrades to stagger
any necessary reboots. Depending on your setup, you can place each VA on a separate VMware host.
Route Local DNS Queries
To ensure correct DNS responses to local hosts inside your internal network, you will want to configure your VAs to route queries to your existing DNS servers.
To add internal DNS zones:
1. From the VMWare console, select Edit.
2. Use Tab until you have highlighted the “Add domain” option. 3. Add your internal zone(s) (e.g. example.com).
4. Add your reverse zone(s) (e.g. if your network is 192.168.1.0/24 you should add: 1.168.192.in-addr.arpa). 5. Select Save and hit Enter.
To add A & PTR records for your VAs
1. On your local DNS server, click Start, Run and type dnsmgmt.msc
2. Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com). 3. Select the local zone (e.g. corp.domain.com).
4. On the right hand side right-click, select New Host.
5. Enter a hostname for the VA, an IP and make sure the box ‘Create associated pointer (PTR) record’ is checked. 6. Click Add Host.
To verify if the records were created correctly, you can test with nslookup:
1. Enter: nslookup (IP ADDRESS of the VA). For example: Ø nslookup 192.168.1.2
Server:192.168.1.1 Address:192.168.1.1#53 Non-authoritative answer:
1.168.192.in-addr.arpaname = va01.corp.domain.com. 2. Enter: nslookup (HOSTNAME of the VA). For example:
Step 2: Prepare your Active Directory Environment
Running the script on each of the AD servers (also referred to as the Domain Controller, or DC) prepares them to communicate with the Connector.
IIMPORTANT! For environments running on Windows Server 2003 R2, several manual steps are required before completing step 2 (see Appendix B for instructions).
Run the Configuration Script on the AD Server
1. From the 'Active Directory Configuration' page, click ‘download components’ and then 'Windows Configuration'. 2. Download the file and save it to a location on the machine you plan to run it on.
INOTE: The configuration script is written in Visual Basic Script and is human readable. For reference, it
automates the instructions you’ll find in Appendix B, plus more. Contact support for more details.
3. As Admin, open an elevated command prompt.
4. Enter: cscript <filename> where <filename> is the name of the configuration script you downloaded in Step 2. The script will display your current configuration, then offer to auto-configure the AD Server for operation. If the auto-configure steps are successful, the script will register the AD Server with the Umbrella Dashboard. INOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the
Verify the AD Server Reports to the Dashboard
• When you return to the Dashboard, you will see the hostname of the AD Server you just ran the script on in the ‘Inactive’ state on the 'Active Directory Configuration' page.
INOTE: The configuration script only runs once; it is not an application or service. If you change the IP address
or hostname of the AD Server, remove the previous instance of the AD Server by clicking the round X icon, and repeat tasks 1-4.
Repeat for Each AD Server
Step 3: Connect Active Directory to Umbrella
The purpose of the Connector is to monitor one or more AD servers. It listens to user and computer logins via the security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the Virtual Appliances. It synchronizes user-to-group, computer-to-group and group-to-group memberships with the Umbrella service, enabling you to create and enforce group-based settings and view user, computer and group-based reports.
INOTE: You only need to install one Connector per site, but you may install more than one. If your security policy does
not allow you to install software directly on your AD Server, you can install it on a separate Windows machine (see Appendix A), otherwise it is recommended to install the Connector on one or more of your AD Servers.
Install the Connector
1. From the Active Directory Configuration page, click ‘download components’ and then 'Windows Service'. IIMPORTANT! You must download the zip file to the local machine where you plan to run it. Issues have
been observed attempting to install the connector from networked drives.
2. As Admin, select the zip file and extract the setup.msi file. 3. Run setup.msi.
4. Enter the password you configured for the OpenDNS_Connector user you created. (see Prerequisites).
5. Follow the setup wizard prompts. 6. When finished, click Close. 7. Return to the Dashboard.
Verify the Connector Syncs with the Dashboard
1. When you return to the Dashboard, you will see the hostname of the AD Server or other Windows machine that you installed the Connector on the 'Active Directory Configuration' page.
2. The Umbrella Security Cloud automatically configures and connects the VAs to the AD Servers via the Connectors for each configured site, and the status of all of your VAs, AD Servers, and Connectors should change from “Inactive” to “Active” . If not, contact support.
3. Navigate to 'Configuration > Policies'.
i. The AD Servers should automatically synchronize user and computer group memberships, and any subsequent changes, with the Umbrella Security Cloud via the Connector. You can verify that this has occurred successfully by clicking 'add a new policy' and confirming that your groups are present. ii. As such, you should see all of your AD Groups, included those nested within other groups, within the
identity picker of the policy wizard.
iii. If you don’t see your groups, check the 'Active Directory Configuration' page to see if the status of all components is ‘Active’ . If not, [email protected].
INOTE: It can take up to 10 minutes for large numbers of AD user, computer and group objects to
Verify all Active Directory Components are Operational
1. Before you deploy your Umbrella configuration, confirm that you can resolve DNS traffic by entering the following command that sends a query to opendns.com through your VA:
C:\>nslookup
> server {{enter the IP of one of your VA's}} > opendns.com
2. You can further verify DNS traffic by entering the following command to send a TXT Record query to debug.opendns.com through the VA:
> set type=TXT > debug.opendns.com > exit
Step 4: Configure Settings in Dashboard
Once verifying that all Active Directory components were integrated successfully, define and apply security and acceptable use policies to AD Groups.
1. Navigate to Configuration>Policies, and click ‘add a new policy’ or click the name of an existing policy.
2. Check the ‘AD Groups’ box if you want to apply a single policy for all AD users and/or computers, or check the box next to one or more specific groups via the identity picker. To remove a selected group, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click ‘next’.
IIMPORTANT: Clicking on a group will show its members including nested groups, user accounts or computer
accounts. Selecting the group will apply the policy to all its members. You can select only a nested group, but not an individual user or computer account. As a best practice, centrally manage your group memberships via your AD servers. Any changes will be synced with the Umbrella Security Cloud within a few minutes.
3. Select the 'Policy Settings', then 'Block Page Settings' you would like enforced for this policy. Then click ‘next’.
INOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so.
4. Set a meaningful description for the policy, then click ‘save’.
INOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into the Umbrella Security Cloud from the selected computers.
5. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.
Step 5: Route DNS Traffic through the Virtual Appliances
In order for you to begin enforcing your settings, all DNS traffic should be routed through your Virtual Appliances. 1. It is suggested that you test on a few devices by manually configuring their DNS settings to use the Virtual
Appliances.
IIMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several
minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire.
2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization.
3. Once you’ve verified correct enforcement of policies with your pilot group of computers, you can either stage the cut over to using the Virtual Appliances for DNS or cut over the entire organization. The best time to affect the cut over is typically after users log out for the day.
4. When users log in after the installation is complete, they should begin sending all DNS queries to the one of the VAs forwarding DNS traffic.
Multiple AD Sites
•
Follow the previous steps 1-5 again, and after each sub-step to verify that the component has synced or
reported to the dashboard, assign the component to a site by clicking on its name and selecting an
existing site or creating a new site.
•
You may also rename the default or any existing sites.
IIMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several minutes to
Appendix A: Prepare a Separate non-AD Server to Install the Connector
If your security policy requires it, the Connector can be installed on a non-AD Server machine, but it must be joined to the same domain as the AD Servers that the Connector will be monitoring.
1. Provision a virtual or physical machine using a static IP.
2. Install one of the three supported Windows OS and other components below. a) Windows Server 2008 R2 SP1 (Preferred)
i. Install AD Domain Services Snap-ins and Command-line Tools feature via Remote Server Administration Tools >
Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools
ii. Install .NET v3.5 b) Windows Server 2008 SP2
i. Install Active Directory Lightweight Directory Services role ii. Install .NET v3.5
c) Windows 7 (non-home license)
i. Install Remote Support Administration Tools -
download available from http://go.microsoft.com/fwlink/?LinkID=137379 ii. Install .NET v3.5
3. Join machine to the same domain as the AD Server (domain controller) being connected to 4. Open WMI ports via the following command run as Administrator:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes 5. (Optional) If there is no access to a network file share to retrieve the file locally, download and/or unrestrict
Appendix B: Configuring AD Servers on Windows Server 2003 R2
Setting the ‘Manage auditing and security log’ Group Policy
INOTE: Adding the OpenDNS_Connector user to this group policy for all AD Servers (DCs) is also required in certain Windows Server 2008 configurations.
1. By default, Windows Server 2003 does not come with the Group Policy Management Console (GPMC) and it may be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=21895.
INOTE: Alternatively, 2008 R2 servers should have GPMC installed and you can apply the following permissions from this server to be replicated to the 2003 R2 server.
2. Open the GPMC (via Start > Administrative Tools), and select a Group Policy that applies to Domain Controllers.
INOTE: If you aren’t sure what policy to change, open a command prompt and type the following command: "gpresult /scope computer /r". Look for the ‘Applied Group Policy Objects’ line. Under it will be a list of policies applied to that Domain Controller. Make note of one that is likely to be applied to all Domain Controllers (e.g. ‘Default Domain Controllers Policy’).
3. Right-click that policy and select ‘Edit’ to bring up the Group Policy Management Editor.
user.
6. Run the "gpupdate" command on the Domain Controller to make sure the policy is applied.
Setting DCOM permissions
1. From a command line run dcomcnfg.
2. Console Root > Component Services > Computers. 3. Right-click on ‘My Computer’ and select ‘Properties’. 4. From ‘My Computer Properties’ select ‘COM Security’ tab. 5. In ‘Launch and Activation Permissions’ area click ‘Edit Limits’.
6. Add OpenDNS_Connector user and allow ‘Remote Launch’ and ‘Remote Activation’ permissions.
7.
Click OK to confirm and close My Computer Properties.Setting WMI permissions
1. Run wmimgmt.msc (Windows Management Infrastructure Control console). 2. Right-click on ‘WMI Control’. Click ‘Properties’ > ‘Security’ tab.
3. Select Root > CIMV2 namespace and click the Security button.
4. Add the OpenDNS_Connector user and Allow the following permissions: ‘Enable Account’, ‘Remote Enable’ and ‘Read Security’.
