Table of Contents

• Active Directory Syncing
• When the Connector Script is Run on a Domain Controller
• AD Connector Communication with the Umbrella Cloud Service or a Virtual Appliance
• Virtual Appliances to the Cloud, Other Internet Destinations, and Internal DNS Servers
• AD Connector Service
• AD Servers (Domain Controllers)
• The Umbrella Windows Connector Script
• SSH Support Tunnel – Allowing and Blocking the Tunnel

As our integration spans several areas of your Active Directory (AD) configuration, it can be helpful to understand the flow of communication between each of the operational components. This can assist in troubleshooting and in ensuring that your environment is properly configured pre-deployment.

Active Directory Syncing

Only the AD users, groups, and computer details are synced. These are posted securely to the Umbrella API and are required to perform mapping of DNS requests to their users for logging and filtering purposes. No other AD information or AD attributes are synced with us.

To find out exactly what is being synced, you can look at the .ldif files contained within C:\Program Files\OpenDNS\OpenDNS Connector\ADSync.

When the Connector Script is Run on a Domain Controller

The Windows Connector script will make a one-time connection from the domain controller to the Umbrella cloud on port TCP/443 using HTTPS. This is to register the domain controller (DC) to the dashboard so that the connector knows about it. Umbrella makes a call to https://api.opendns.com with some specific parameters.

Once the script successfully registers the DC, you should see it listed at Deployments > Configuration > Sites and Active Directory.

We have previously seen issues that can be related to the "Root Certificate Updates" on Windows. A quick way to determine if you are seeing this behavior is to open a Microsoft browser and point it to https://api.opendns.com/v2/OnPrem.Asset.

The page should provide a message similar to "1005 Missing API key".

If there are any certificate errors or warnings seen on that page, make sure that you have the latest "Root Certificates Update" from Microsoft installed.

AD Connector Communication with the Umbrella Cloud Service or a Virtual Appliance

Connector > Cloud

The connector uploads all AD data every two minutes if there are changes, using an HTTPS connection on port 443 TCP. We only upload information on Groups/Users/Computers; no passwords are uploaded and all user information is hashed locally so that the data is unique to us. Although data is submitted to the Umbrella cloud service every two minutes, changes can take several hours to appear in the dashboard.

Connector > Virtual Appliances

The connector constantly sends AD events to the virtual appliances (VAs) using port 443 TCP. This is a one-way communication; the appliances will not talk back to the connectors.

By default, the connector sends information, including IP to username mappings, to the VA in unencrypted form. A pre-requisite for AD integration with the VA is that the connector and VA should communicate over a trusted network. If encryption of communication between the Connector and VA is required for compliance or other reasons, see Umbrella Virtual Appliance: Receiving user-IP mappings over a secure channel.

Connector > Domain Controllers

The connector will talk to all domain controllers that are located in the same site using ports 389 TCP and 3268 TCP/UDP for LDAP sync. The connector also communicates with the domain controllers using RPC/WMI. In general, port 135 TCP is the standard port for RPC and WMI.

Based on your AD version, WMI also uses a randomly assigned ephemeral port: either between 1024 TCP and 65535 TCP for Windows 2003 and older or between 49152 TCP and 65535 TCP for Windows 2008 and above.

Starting with version 1.1.24, the connector can also communicate to the domain controller using LDAPS (LDAP over SSL) over ports 636 TCP and 3269 TCP. The connector will first attempt to communicate to the domain controller over LDAPS and if unsuccessful, it will fall back to communicating over LDAP using Kerberos or NTLM in that order.

If any issues are seen around communication, we recommend checking for any Layer-7 application proxies that might be blocking/dropping some data. A common case is the inspect feature on Cisco devices that act on protocols such as DNS/HTTP/HTTPS:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html

If any changes are made to the domain controllers’ audit policy to change the user login/logout events reporting, it is recommended that you restart the connector to eliminate any issues around communication channels.

Virtual Appliances to the Cloud, Other Internet Destinations, and Internal DNS Servers

The VAs will frequently communicate with the Umbrella APIs on port 443 TCP to api.opendns.com. They will also receive updates from disthost.opendns.com and disthost.umbrella.com on port 443. The VAs receive data from the connectors on port 443 TCP but do not require communication back to the connector.

Additionally, the VAs need to communicate on port 22, 25, 53, 80, 443 or 4766 TCP to s.tunnels.ironport.com to establish a support tunnel under the new model. The VA will also forward internal DNS requests to your internal DNS servers. Ensure that port 53 UDP is open between the VA and your internal DNS server.

The following table lists ports, with source/destination of the request and the function of the request:

Note: The Digicert domains resolve to various IP addresses based on a CDN and are subject to change. Currently, these domains resolve to 72.21.91.29, 117.18.237.29, 93.184.220.29, and 205.234.175.175.

If you are utilizing AD components (as opposed to just using the VAs for internal IP address granularity), the following extra inbound network traffic will also occur from the AD connector service.

AD Connector Service

Note: The Digicert domains resolve to various IP addresses based on a CDN and are these subject to change. Currently, these domains resolve to 72.21.91.29, 117.18.237.29, 93.184.220.29, and 205.234.175.175.

AD Servers (Domain Controllers)

Note: The Digicert domains resolve to various IP addresses based on a CDN and are these subject to change. Currently, these domains resolve to the following IPs: 72.21.91.29, 117.18.237.29, 93.184.220.29, 205.234.175.175.

The Umbrella Windows Connector Script

The Windows Connector script sets specific user permissions for the Connector user. When the user is deleted, the script's impact is deleted. If you are running the script in a strictly controlled AD environment, some administrators may not be permitted to run VB scripts. If this is the case, contact Support.

SSH Support Tunnel – Allowing and Blocking the Tunnel

As of version 2.1.0 of the VA (September 2017), there is a new SSH Support tunnel. The new tunnel must be established by the customer to the Cisco support team and otherwise is not available. For more information, see On-Demand Tech Support SSH Tunnel for Virtual Appliances.

4. Route DNS Traffic < Appendix A – Communication Flow and Troubleshooting > Appendix B – Multiple Active Directory and Umbrella Site