Communication Flow and Troubleshooting

Communication Flow

The connector first attempts to communicate to the domain controller over LDAPS. If unsuccessful, it falls back to communicating over LDAP using Kerberos or NTLM, in that order.

The Cisco AD Connector retrieves the AD Users, Groups, and Endpoint Devices details only. Secure Access stores these required attributes from each object:

  • cn—The common name.
  • dn—The distinguished name.
  • dNSHostName—The device name as it is registered in DNS.
  • mail—Email addresses associated with the user.
  • memberOf—The groups that include the user.
  • objectGUID—The group ID of the object. This property is sent to Secure Access as a hash.
  • primaryGroupId—The primary group ID that is available for Users and Groups.
  • primaryGroupToken—The primary group token that is available only for Groups. Passwords or password hashes are not retrieved. Secure Access uses the primaryGroupToken data in the access policy and configuration and reporting. This data is also required for each user or per-computer filtering.
  • sAMAccountName—The username that you use to sign into the Cisco AD Connector.
  • userPrincipalName—The user's principal name.
    Note: If there are updates, the Cisco AD Connector sends the AD data every five minutes using an HTTPS connection on TCP port 443. However, it can take an hour or longer for changes to reflect in Secure Access.

The connector stores this data locally as well in .ldif files contained within C:\Program Files\OpenDNS\OpenDNS Connector\ADSync. To find out exactly what is being synchronized to Umbrella, you can look at these files. At install time, you have the option to turn off the local storage of .ldif files.

Troubleshooting

The following firewall/ACL requirements ensure that AD Connectors can communicate with the Umbrella cloud services and domain controllers:

Port and Protocol

Source

Destination

Note

443/TCP

AD Connector

api.umbrellagov.com (for syncing)
disthost.umbrellagov.com

  • Initial registration with the Umbrella API and the Umbrella dashboard.
  • Automatic updates
  • Health status reporting in Umbrella dashboard.
80/TCPAD Connectorocsp.digicert.com
crl3.digicert.com crl4.digicert.com
Check for certificate revocations through the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs).
389/TCP
636/TCP
AD ConnectorDomain controller/domainLDAP syncing

Note: The Digicert domains resolve to various IP addresses based on a CDN and are subject to change.

If you experience any issues communicating to Umbrella, we recommend that you check for any Layer-7 application proxies which might be blocking or dropping data. A common case is the inspect feature on Cisco devices that act on protocols such as DNS/HTTP/HTTPS:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html

You can restart the connector by restarting the OpenDNS Connector service on the connector system. Restarting the connector triggers a full synchronization of AD objects (and not just the changes from the previous sync) to Umbrella.

If your connector is not in the Okay state and you need to raise a support ticket with Umbrella, see Providing Support with AD Connector Logs.


Change the Connector Account Password < Communication Flow and Troubleshooting > Provision Identities Through Manual Import