Umbrella's sites let administrators segregate their Umbrella deployments. Each Umbrella site is an isolated deployment in which components only communicate with other components in the same Umbrella site. Umbrella sites are a container to isolate sections of a large multi-site network into groups which only sync to the other components in the container. For example, Umbrella sites may be North America, Asia, and Europe or Northeast, California, Atlanta office, South Region, and London and each Umbrella site may be one or a combination of Active Directory (AD) sites.
This is primarily useful in AD environments containing locations with high-latency connections, or in environments with locations whose internal IP space overlaps.
A site represents a set of computers connected by a high-speed network, such as a local area network (LAN). Typically, all computers in the same physical site reside in the same building or perhaps the same campus network. AD and Umbrella both use the term "sites", and while related, have slightly different meanings.
- For AD, a site object represents the actual directory data that is replicated between domain controllers
- AD sites are used to manage the objects that represent the site, and the servers that reside in the site
- For Umbrella, a site refers to a set of components—virtual appliances (VAs), connectors, and domain controllers—that communicate only with each other
- An Umbrella site is more than a label and is more like a container; however, is not the same as an AD site. Multiple AD sites can be part of an Umbrella site, but one AD site should not be split into multiple Umbrella sites
- A site must have a minimum of two VAs, and one connector and DC each for AD integration
Because Umbrella sites act as isolated deployments, each Umbrella site must have a minimum of two VAs. If AD integration is also being used, each site must additionally contain a minimum of one AD connector and ALL domain controllers against which a user in that location authenticates.
- You need to limit WAN traffic between locations and are using AD sites to limit authentication to local servers
- Your locations communicate between a NAT device, which causes the internal IP address of an end machine to be lost when communicating between locations.
- Your locations use overlapping internal IP ranges
- You have locations which have high-latency connections between them. For example, branches in different continents. High latency connections, especially between the connector and the VAs, can result in delays to updates for user mappings.
The isolation of the components in a given Umbrella site means that a specific VA will only be aware of users who have authenticated against domain controllers assigned to the same Umbrella site. As a result, we do not recommend using multiple Umbrella sites in a single AD site, even if that AD site spans multiple geographical locations. In such a scenario, users in a location may still authenticate against a DC in a different location, and thus the Umbrella components may miss user mappings.
Individual Umbrella sites should be configured as if they are complete deployments. For each Umbrella site:
- Follow the previous steps of this guide again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking its name and selecting an existing site or creating a new site.
- You may also rename the default or any existing sites.
Ensure that there are at least two VAs, one AD server and one AD connector assigned to each site. Verify a complete, functioning deployment at each site before moving on to the next site.
To assign a site to a component, click an existing Insights identity (Deployments > Configuration > Sites and Active Directory), and the dropdown will contain a menu to add a new site, or change the site of the component.
Active Directory Only
If you change the location of an Insights component after you've installed the connector service, you must Stop/Start the connector service on each connector at both the new and old Umbrella sites through the Services management tool in Windows.
Appendix A – Communication Flow and Troubleshooting < Appendix B – Multiple Active Directory and Umbrella Sites > Appendix C – Change the Connector Account Password
Updated 2 months ago