Update Virtual Appliances

New virtual appliance (VAs) software versions become available automatically and are usually applied without any intervention required. To ensure the high availability of DNS services, you must have two VAs running for automatic updates to take place.

Both the connector and the VA are capable of automatic updates. As an Umbrella administrator, you can configure the schedule during which updates take place. We recommend this be done during non-business hours.    

🚧

Important

In order for new versions to be automatically installed on the VAs, we require that a minimum of two VAs be installed.

Performing an "in-place" manual update of a VA results in up to 15 minutes of downtime, during which you will not be able to perform DNS queries on the network and effectively will not have internet service.

Before you begin, you must have two VAs in place so that there is no downtime or interruption in service during the update process.

Table of Contents

• Update Your Virtual Appliance
• Configure Automatic Update of Virtual Appliances
• Manual Update of a Virtual Appliance
• Configure Automatic Update Postponement
• API Authentication Credentials - CLI Commands
• API Authentication Credentials - AD Connector

Update Your Virtual Appliance

To ensure that VAs are updated in an orderly manner, the update for the VA is controlled by commands from the Umbrella API that the VA is connected to. This means you cannot decide which VA is updated automatically. If you wish to update a particular VA first, do this manually. See Manual Update of a Virtual Appliance.

Logic is built-in to our API to prevent two VAs at a single site from upgrading at once or upgrading when one of the VAs is in an error state. The following checks are performed:

1. The API checks if there is only a single VA for the site. If there is only one VA, the API does not offer a command to auto-update.
2. If there is a secondary VA for the site but it is in an ERROR state, then the first VA will not auto-update. 
3. The API checks to see if a second VA for that site is already updating and if it is in a mid-update state it will not auto-update during that window of time. If we have ordered a VA to update and have not heard back that it has completed, this qualifies as a mid-update state.
4. If all the prerequisite checks have been met, the VA is updated.

Configure Automatic Update of Virtual Appliances

Your VA's version can be seen in your Umbrella dashboard.

1. Navigate to Deployments > Configuration > Sites and Active Directory.
2. Under Version, note the versions of the VA and AD Connectors.

3. Click Settings and then the Auto-Upgrade tab.
4. Under Virtual Appliance Auto-Upgrade, choose a Day and a Time Range within which your auto-upgrades will occur.
5. Click Set to save the date and time range. Auto-upgrade is enabled.
   Note: The Set button is unavailable until you choose a day and time range.

Manual Update of a Virtual Appliance

The update of a VA results in the loss of DNS service for the duration of the update. We highly recommend that you perform updates during non-business hours. Preferably, a second VA for this site is deployed to automate the process of updates without introducing VA downtime.

1. Navigate to Deployments > Configuration > Sites and Active Directory.
2. Under Version, note the versions of the VA. If a VA is out of date, Umbrella displays a red triangle alert.
3. Click the alert to start the update process.
4. Click Upgrade.

Configure Automatic Update Postponement

You can enable postponement of an update for all your VAs for a period of 90 days since the update was made available. You can defer all VA updates while you manually update one or more VAs and test them in your environment. VAs for which postponement has been configured will automatically update after a period of 90 days. This auto-update will occur during the update window you configure.
Note: The postponement only applies to major releases and not for patch releases, for example, 3.4.2 to 3.4.3.

API Authentication Credentials - CLI Commands

You can use these commands to change the Client ID and Client Secret in the VA generated from Master API Credentials if you feel the credentials are compromised. Also when the VA assets are down for a long time, this procedure can be used to update the latest Client Credentials so that VA can establish secure connection.

CLI Commands

$ config authcred help

Usage : config authcred

     commands has to be one of the following -

     set <client_id>:<client_secret> : updates the opendns-config with the new client_id, client_secret values.

     show: Show current client_id:cliet_secret stored in VA

     args -

     client_id           : Generated using the master api key, taken from sites-and-ad page

     client_secret    : Generated using the master api key, taken from sites-and-ad page

$ config authcred set <client-id>:<client-secret>

Client credentials : are added successfully

$ config authcred show

Configured client credentials are:

client_id:

API Authentication Credentials - AD Connector

You can use this procedure to change the Client ID and Client Secret in the AD Connector generated from Master API Credentials in case you feel the credentials are compromised. Also when the assets are down for a long time, this procedure can be used to update the latest Client Credentials so that ADC can establish secure connection

Procedure

AD Connector

There are two methods to update the credentials on an AD Connector

Reinstall AD Connector to ensure the new/current credentials are used.

1. Download the AD Connector from the Dashboard: Deployments → Sites and Active Directory → Download
2. Uninstall the AD Connector

3. Reinstall AD Connector.

When you unzip the download, a Setup.msi and a Config.dat file are downloaded. Reinstall by executing the new Setup.msi file. Ensure that the new Config.dat is also in the same folder.

Update Credentials and Service restart

Update the running Config.dat file with the new client credentials and restart the AD Connector service for the AD Connector to start using the updated credentials.

1. Edit the running Config.dat file in C:\Program Files (x86)\OpenDNS\OpenDNS Connector folder, and update the values against the "ClientApiKey" and "ClientApiKey" keys (under "Credentials" key) and save.

2. [Optional] For consistency and to avoid confusion, it is good to update the Config-init.dat file in the same folder with the same values (against the same fields)

3. Restart the AD Connector service, by opening Services window, finding OpenDNS Connector service and Restart.

---

Reroute DNS < Update Virtual Appliances > Virtual Appliance Sizing Guide