The Umbrella integration spans several areas of your Active Directory (AD) configuration. We recommend that you understand the flow of communication between each of the operational components. This can assist in troubleshooting and in ensuring that your environment is properly configured before you deploy.
The connector first attempts to communicate to the domain controller over LDAPS and if unsuccessful, it falls back to communicating over LDAP using Kerberos or NTLM, in that order.
The connector retrieves the AD users, groups, and computer details only. The necessary attributes are stored from each object, including the
primaryGroupId (for users, groups and computers), and
primaryGroupToken (for groups). Passwords or password hashes are not retrieved. This data is then uploaded to Umbrella for use in policy configuration and reporting. This data is also required for per-user or per-computer filtering. Note that the
objectGUID is sent in hashed form.
The connector sends the AD data every 5-7 minutes if there are changes, using an HTTPS connection on port 443 TCP. It can take an hour or longer for changes to reflect on the Umbrella dashboard though.
The connector stores this data locally as well in
.ldif files contained within C:\Program Files\OpenDNS\OpenDNS Connector\ADSync. To find out exactly what is being synchronized to Umbrella, you can look at these files. At install time, you have the option to turn off the local storage of
The connector constantly sends AD events to the virtual appliances (VAs) using port 443 TCP. This is a one-way communication; the appliances will not talk back to the connectors. By default, the connector sends information, including IP to username mappings, to the VA in unencrypted form. A pre-requisite for AD integration with the VA is that the connector and VA should communicate over a trusted network. If encryption of communication between the Connector and VA is required for compliance or other reasons, see Umbrella Virtual Appliance: Receiving user-IP mappings over a secure channel.
The connector communicates with the domain controllers/event log collector using RPC. In general, port 135 TCP is the standard port for RPC communication with domain controllers. The RPC communication also uses a randomly assigned ephemeral port between 49152 TCP and 65535 TCP.
The following firewall/ACL requirements ensure that AD Connectors can communicate with the Umbrella cloud services and on-premise components:
|Port and Protocol||Source||Destination||Note|
|443/TCP||AD Connector||api.opendns.com (for syncing)|
| Initial registration with the Umbrella API and the Umbrella dashboard.|
* Health status reporting in Umbrella dashboard.
|Check for certificate revocations through the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs).|
|AD Connector||Domain controller/ domain||LDAP syncing|
|443/TCP||AD Connector||Virtual Appliances||Send information relating to login events and IP addressing. It's very important to note that this traffic occurs over 443/TCP but is not an SSL connection by default. Many IDS and IPS systems will flag this traffic as suspicious. If you're running an IDS or IPS that is listening on the local network, check the enforcement logs to ensure this traffic is not getting flagged.|
|AD Connector||Domain Controllers/ Event Log Collector||RPC communication to fetch login events|
|135/TCP||Domain controllers/ Event Log Collector||AD Connector||RCP response|
Note: The Digicert domains resolve to various IP addresses based on a CDN and are subject to change.
If you encounter any issues communicating with Umbrella, we recommend checking for any Layer-7 application proxies that might be blocking/dropping some data. A common case is the inspect feature on Cisco devices that act on protocols such as DNS, HTTP, and HTTPS:
You can restart the connector by restarting the OpenDNS Connector service on the connector system. Restarting the connector triggers a full synchronization of AD objects (and not just the changes from the previous sync) to Umbrella.
If your connector is not in the Okay state and you need to raise a support ticket with Umbrella, see Providing Support with AD Connector Logs.
Change the Connector Account Password < Communication Flow and Troubleshooting
Updated 7 months ago