The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Configure Virtual Appliances

Prerequisites

Virtual appliances (VAs) are deployed.

For information about configuring Umbrella virtual appliances (VAs) version 2.3.x and earlier, see Configure Virtual Appliances Version 2.3 and Earlier.

Enter Configuration Mode on a VA Deployed on VMware, Hyper-V, or KVM

Open the VA in your preferred hypervisor's console, and you'll see a configuration menu. As seen in the lower right corner, the system time is set to UTC, and cannot be changed. This will not affect your DNS, network, or hypervisor.

If you have deployed the VA in a network that supports DHCP, the VA is automatically assigned a DHCP IP address and registers to Umbrella using this IP. This IP address appears on the configuration as well as the Umbrella dashboard.

  1. Press Ctrl+B and when prompted, provide a password for configuration changes. You must change the password when you enter Configuration Mode.
    Your password must be at least eight characters long, include at least one lowercase character, one uppercase character, one digit, and one special character. Your password cannot be the same as your last password.

Note

Umbrella<OrgID> should be set as the default password for the VA. Your Org ID can be retrieved from the dashboard URL in your address bar. For example, if your Org ID is 2406960, the default password for the VA would be Umbrella2406960. To learn more about the Umbrella Org ID, see Find Your Organization ID.

  1. Optionally, enable remote configuration of this VA over SSH, enter config va ssh enable
  2. If you have enabled SSH, you can now remotely connect to the VA over SSH and enter Configuration Mode after authentication. Enter ssh [email protected]<VA’s IP address>
    Note: Configuration mode does not support concurrent access by more than two users.

Enter Configuration Mode on a VA Deployed in Azure, AWS, or Google Cloud Platform

A VA can be deployed in Azure with either a static IP address or a DHCP IP address. If you do not specify a static IP address at the time of deployment, the VA is automatically assigned a DHCP IP address and registers to Umbrella using this IP address. Umbrella lists this IP address as the name of the VA on the dashboard.

In the case of AWS and Google Cloud Platform, the VA is automatically assigned a DHCP IP address and registers to Umbrella using this IPO address. Umbrella lists this IP address as the name of the VA on the dashboard.

  1. Connect to the VA’s static or DHCP IP address over SSH. Enter ssh [email protected]<VA’s IP address>

SSH access to the VA requires authentication:

  • If you specified a password at the time of VA creation in Azure, enter this password for authentication.
  • If you did not specify a password at the time of VA creation, enter the default password:
    To retrieve the default password, navigate to Deployments > Configuration > Sites and Active Directory and click Download Components.
    Umbrella prompts you to change the password the first time you log into Configuration Mode.

Your password must be at least eight characters long, include at least one lowercase character, one uppercase character, one digit, and one special character. Your password cannot be the same as your last password.

Note: Configuration mode does not support concurrent access by more than two users.

Configure the VA Through Configuration Mode

Configuring the VA involves configuring the name, IP details, and local DNS servers. It is mandatory to configure the name and IP, netmask and gateway (unless already configured), failing to do this results in the VA not being able to register to Umbrella.

Field
Description

Name*

The name associated with the VA in your Umbrella dashboard. This is a friendly name, similar to a hostname for a computer or server. If you have multiple hypervisor hosts, appending or prepending numbers or letters to indicate the local hypervisor host is advised.

  1. To configure the name, enter config va name <name>

IP, Netmask, and Gateway*

Give the VA a local, static IP address on the same network as your endpoints which will utilize the VAs for DNS resolution.

  1. To configure the IP, Netmask, and Gateway for the VA, enter config va interface <ipaddress> <netmask> <gateway>

Local DNS 1 through 6

Enter the local IPs of your existing local DNS servers. Often these are your Windows Servers with the DNS Server role installed. These are the servers which will receive the local DNS queries. For more information, see Local DNS Forwarding.

  1. To configure up to six local DNS servers, enter config va localdns <localdns1> <localdns2> … <localdns6>

Note: Each configuration overrides any previous configuration.

*Mandatory parameters for the VA.

If you have entered the Configuration Mode over SSH, to validate status, enter config va status

If tests complete without error, the next step is to verify that the VA syncs within the Umbrella dashboard.

In Umbrella, navigate to Deployments > Configuration > Sites and Active Directory. You should see your VAs listed with the name you gave it earlier in the VA Console configuration.

Troubleshooting

Did the VA register correctly and shows no errors? Skip this section.

For a VA deployed on VMware or Hyper-V, if you receive any error messages, press Tab to navigate to the test and then press Enter/Return to pop up the error for more information. In the following example, the VA is unable to reach Umbrella through 443/TCP to register with the Umbrella dashboard.

If you can identify and resolve the issue—almost always a firewall issue—tests will continue to run in the background and the test will subsequently succeed without intervention. If you'd like to ensure the tests are run successfully, reboot the VA. Navigate to the System Menu by pressing CTRL+S.

If you're unable to determine the reason for the VA errors, double check that your firewall rules meet Prerequisites, or contact Support.

Repeat Steps for the second VA

Repeat the above steps to configure a second VA. A second VA is required for continuous operation, high availability, and automatic upgrades. As mentioned previously, do not clone the first VA. Umbrella will not recognize a cloned VA.

Warning

Umbrella VAs cannot be cloned. Ensure that your second VA is set up manually. Umbrella will not recognize a cloned VA.

Note: Azure AD Domain Services is currently not supported. For identity integration with the VA, the AD Connector and Domain Controllers should be deployed as VMs in Azure. Alternately, these components can be deployed on-premise provided there is an ExpressRoute or MPLS connection over which the AD Connector can communicate with the VA in Azure.


Deploy VAs in KVM <Configure Virtual Appliances > Local DNS Forwarding

Updated 3 months ago


Configure Virtual Appliances


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.