The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    


Active Directory (AD) integration supplements Umbrella virtual appliances (VAs) and roaming clients by providing AD user, group, or computer name information for each applicable DNS request.

This Active Directory Setup Guide explains how to install and configure the AD components provisioned and maintained from the Umbrella dashboard. By integrating with your AD environment and forwarding DNS queries to the Cisco global network, you can enforce and report on users, computers and groups.

Note: An AD "site” in the context of this document means an independent location with its own domain controllers, DNS server(s), and connection to the internet.

AD integration requires deployment of the following components in your network at each independent AD site.

  • The Connector, which:
    • Runs in your AD environment
    • Securely communicates non-sensitive user and computer login information to the VAs
    • Securely communicates non-sensitive user and computer group info to the Cisco global network.


If your security policy requires it, the connector can be installed on a different non-domain controller server. Depending on your network architecture you may not need to install the connector on all domain controllers. As long as the server with the connector has network connectivity to the required domain controllers, you may only require one or two connectors for the whole environment.

  • The VA (an optional component for AD integration), which:
    • Runs in a virtualized server environment
    • Forwards local DNS queries to your existing DNS servers
    • Forwards external DNS queries with non-sensitive metadata to the Cisco global network.


In order for the VA to properly route local DNS queries and external DNS queries, all clients that are to be managed by Umbrella must have their DNS addresses be the addresses of your VAs.

For an overview of how the network topology is expected to work, as well as the flow of traffic with the VA, see Appendix A – Communication Flow And Troubleshooting.

Depending on where you are in your planning or deployment, Appendix A can help plan your deployment.


If you do not want to deploy VAs, you can use the Umbrella roaming client or AnyConnect Cisco Umbrella Roaming Security Module with the AD Connector for AD integration.

Network Diagram for VA Deployments

The client computers at each AD site must be set to use the VA at their respective site as their DNS resolvers. The VA can then route DNS queries to their appropriate IP address for both internal and external resources.

The VA also communicates with the AD environment to query for a list of user information to match to clients.

Introduction > Prerequisites

Updated about a year ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.