The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Communication Flow and Troubleshooting

Communication Flow

The connector will first attempt to communicate to the domain controller over LDAPS. If unsuccessful, it will fall back to communicating over LDAP using Kerberos or NTLM, in that order.

The connector retrieves the AD users, groups, and computer details only. The necessary attributes are stored from each object, including the sAMAccountName, dn, userPrincipalName, memberOf, objectGUID, primaryGroupId (for users, groups and computers), and primaryGroupToken (for groups). Passwords or password hashes are not retrieved. This data is then uploaded to Umbrella for use in policy configuration and reporting. This data is also required for per-user or per-computer filtering. Note that the objectGUID is sent in hashed form.

The connector sends the AD data every 5-7 minutes if there are changes, using an HTTPS connection on port 443 TCP. It can take an hour or longer for changes to reflect on the Umbrella dashboard though.

The connector stores this data locally as well in .ldif files contained within C:\Program Files\OpenDNS\OpenDNS Connector\ADSync. To find out exactly what is being synchronized to Umbrella, you can look at these files. At install time, you have the option to turn off the local storage of .ldif files.

Troubleshooting

The following firewall/ACL requirements ensure that AD Connectors can communicate with the Umbrella cloud services and domain controllers:

Port and Protocol
Source
Destination
Note

443/TCP

AD Connector

api.opendns.com (for syncing)
disthost.umbrella.com

  • Initial registration with the Umbrella API and the Umbrella dashboard.
    • Automatic updates
    • Health status reporting in Umbrella dashboard.

80/TCP
80/UDP

AD Connector

crl.comodoca.com
ocsp.comodoca.com
crl.usertrust.com
ocsp.usertrust.com

Required to maintain the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRL) portion of the SSL Revocation.

80/TCP

AD Connector

ocsp.digicert.com
crl3.digicert.com *crl4.digicert.com

Required for SSL Revocation list verification as part of the HTTPS handshake.

389/TCP
636/TCP

AD Connector

Domain controller/domain

LDAP syncing

Note: The Digicert domains resolve to various IP addresses based on a CDN and are subject to change. Currently, these domains resolve to 72.21.91.29, 117.18.237.29, 93.184.220.29, and 205.234.175.175.

If any issues are seen around communication to Umbrella, we recommend checking for any Layer-7 application proxies that might be blocking/dropping some data. A common case is the inspect feature on Cisco devices that act on protocols such as DNS/HTTP/HTTPS:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html

You can restart the connector by restarting the OpenDNS Connector service on the connector system. Restarting the connector will trigger a full synchronization of AD objects (and not just the changes from the previous sync) to Umbrella.

If your connector is not in Okay state and you need to raise a support ticket with Umbrella, see Providing Support with AD Connector Logs.


Change the Connector Account Password < Communication Flow and Troubleshooting > Provision Identities from Azure AD

Updated about 12 hours ago

Communication Flow and Troubleshooting


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.