Connect Active Directory to Umbrella
The Cisco Active Directory (AD) Connector integrates Cisco Umbrella with your instance of Microsoft AD. Before you can provision users and groups from Active Directory, connect your instance of AD to Umbrella by deploying an AD Connector.
This guide describes the steps to install the Cisco AD Connector for LDAP or LDAPS, and provision users and groups from your instance of Microsoft AD to Umbrella.
How to Configure the Setup of the AD Connector
The deployment of the AD Connector has various components. You can configure the Cisco AD Connector to provision users and groups from Microsoft AD using LDAP or LDAPS (domain controller or domain), or LDAP Interchange Format (LDIF) source files.
- (Optional) Configure authentication for the AD Connectors in your environment. For more information, see Configure Authentication for AD Connectors and VAs.
- Add a domain controller or domain in Umbrella for LDAP or LDAPS deployments.
- Download the software package for the AD Connector and install it on your server.
- (Optional) Configure the provisioning of users and groups with LDIF source files. For more information, see Deploy LDIF Files for Cisco AD Connector.
- Verify that the AD Connector begins to provision users and groups in Umbrella.
Table of Contents
- Prerequisites
- Add a Domain Controller or Domain in the Umbrella Dashboard
- (Optional) Specify AD Groups of Interest
- Download the Cisco AD Connector
- Install the Cisco AD Connector
- Verify That the Connector Syncs with Umbrella
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- For information about the requirements for deploying the AD Connector, see Prerequisites for AD Connector.
- (Optional) Configure Authentication for the AD Connectors and VAs.
Add a Domain Controller or Domain in Umbrella
Active Directory integration requires you to register an AD domain controller or AD domain in Umbrella. The Cisco AD Connector performs an LDAP sync against this domain controller or domain to retrieve the users and groups. The Connector Server must be able to reach the domain controller on TCP port 389 (LDAP) or TCP port 636 (LDAP over SSL) for the sync to succeed.
The Cisco AD Connector can only retrieve users and groups from a single domain controller. If you register multiple domain controllers on the Umbrella dashboard, the Connector will only attempt to perform an LDAP sync against the first domain controller in the list. Ensure that the domain controller you are registering is not subject to any AD replication delays. Read-only Domain Controller (RODC) registrations are supported for the retrieval of users and groups.
If you need to periodically bring down your domain controller for maintenance or updates or your domain controllers are behind a load balancer that does not support LDAP queries, it is recommended to register the domain instead.
Note: If you have deployed any Virtual Appliances, you need to register all of your domain controllers that are handling Active Directory authentication. Otherwise, not all users and groups in the Active Directory will be identified.
We recommend that you review the requirements before adding a domain controller or domain in Umbrella. For more information, see Prerequisites for AD Connectors.
Add a Domain Controller
- Navigate to Deployments > Configuration > Sites and Active Directory and click Add.
- Select Domain Controller and then click Next.
- Confirm that you have provided permissions for the AD Connector account as specified in Prerequisites and click Next.
  Note: See Run the Configuration Script on the Domain Controllers to download the configuration script.
- Enter the hostname, internal IP address, and the domain of the DC. Choose the appropriate Umbrella site for the domain controller and click Save.
The Active Directory connector within the chosen Umbrella site will attempt to connect to your newly added domain controller. If all the required permissions have been configured, you should not experience any issues.
Add a Domain
- Navigate to Deployments > Configuration > Sites and Active Directory and click Add.
- Select Domain and then click Next.
- Add the Domain, choose an appropriate Umbrella site from the Site drop-down list, and then click Save.
(Optional) Specify AD Groups of Interest
You can specify AD Groups of interest for the purpose of policy creation in Umbrella.
Rename Selective Sync File After Upgrading to AD Connector v1.14.4
If you use selective sync and upgrade the Cisco AD Connectors to v1.14.4 or later, you must rename the current selective sync file C:\CiscoUmbrellaADGroups.dat to C:\CiscoADGroups.dat.
Note: The selective sync file under its previous name, CiscoUmbrellaADGroups.dat, is not recognized by Cisco AD Connector v1.14.4 or later.
After you rename the selective sync file, Umbrella automatically reads the selective sync file (C:\CiscoADGroups.dat) and syncs the Users in the specific Groups from AD to Umbrella. You are not required to restart the AD Connector service.
Create AD Groups in a Selective Sync File
- Identify the AD groups of interest. Users and computers belonging to these groups will be synchronized to Umbrella.
  For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group will automatically be included.
  Note: If Selective Sync is enabled, AD Users and Computers that are not members of Groups specified in CiscoADGroups.dat or their sub-groups will not be synchronized to Umbrella and will be completely exempt from Umbrella Policies and Reporting.
- Create a CiscoADGroups.dat file in the C:\ drive of each machine where the connector will be installed.
  The connector will only read the C:\CiscoADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups will be imported to Umbrella.
- List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
  Supported OUs
  Not Supported: OU=My OU,OU=Organizational Unit,DC=sample,DC=local
  Supported: CN=My Group,OU=Organizational Unit,DC=sample,DC=local
  Sample file entries:
    CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com
    CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com
    CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com
- Ensure that there are no blank lines anywhere in the file.
Note: If you are running multiple connectors, the file C:\CiscoADGroups.dat should be present on each system running the connector and should be identical on each system.
Total Number of Groups Selected for Synchronization
The total number of groups selected for synchronization—groups specified in the selective sync file and all their sub-groups—should not exceed 15,000. Also, these groups should not be nested within more than five OU levels. Selective synchronization fails in both cases. If either of these requirements cannot be met, the selective sync file should not be used so that a full AD tree synchronization can be done instead.
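A malformed selective sync file silently falls back to a full sync or fails outright, so it is worth checking the entries before the connector reads them. The following PowerShell script is an added example, not Cisco's code; it applies the rules above (no blank lines, each entry a full DN that starts with CN= rather than OU=) and, as an assumption, measures OU nesting as the number of OU= components in each DN. The sample input is constructed from the page's example entries plus two deliberately bad lines.

```powershell
# Added example (not Cisco's code): validate selective sync entries against the
# rules for C:\CiscoADGroups.dat before the AD Connector reads the file.
# Assumption: OU nesting depth is taken as the number of OU= components in a DN.
function Test-CiscoADGroupsEntries {
    param(
        [string[]]$Lines,
        [int]$MaxOuDepth = 5
    )
    $problems = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $n = $i + 1
        $line = $Lines[$i]
        if ($line.Trim() -eq '') {
            $problems += "line ${n}: blank line (the file must contain no blank lines)"
            continue
        }
        # Split the DN into RDNs on commas that are not escaped as "\,".
        $rdns = $line -split '(?<!\\),'
        if ($rdns[0] -notmatch '^\s*CN=') {
            $problems += "line ${n}: entry must start with CN= (OU= entries are not supported): $line"
        }
        if (@($rdns | Where-Object { $_ -match '^\s*DC=' }).Count -eq 0) {
            $problems += "line ${n}: not a full distinguished name (no DC= component): $line"
        }
        $ouDepth = @($rdns | Where-Object { $_ -match '^\s*OU=' }).Count
        if ($ouDepth -gt $MaxOuDepth) {
            $problems += "line ${n}: nested in $ouDepth OU levels (limit $MaxOuDepth): $line"
        }
    }
    # The 15,000 limit also counts sub-groups, which only AD itself can report;
    # the entry count here is therefore a lower bound, not the full total.
    [pscustomobject]@{
        Entries  = @($Lines | Where-Object { $_.Trim() -ne '' }).Count
        Problems = $problems
    }
}

# Constructed sample: the page's entries plus a blank line and an unsupported OU entry.
$sample = @(
    'CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com',
    'CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com',
    '',
    'OU=My OU,OU=Organizational Unit,DC=sample,DC=local',
    'CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com'
)
$result = Test-CiscoADGroupsEntries -Lines $sample
$result.Problems | ForEach-Object { Write-Warning $_ }
"Entries: $($result.Entries); problems found: $($result.Problems.Count)"
```

To check the real file, call `Test-CiscoADGroupsEntries -Lines (Get-Content C:\CiscoADGroups.dat)` on each connector host; comparing `(Get-FileHash C:\CiscoADGroups.dat).Hash` across hosts is a quick way to confirm the copies are identical.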
Download the Cisco AD Connector
Download the Cisco AD Connector to your server.
When you download the Cisco AD Connector software package and if you did not configure API key credentials for your AD Connectors and VAs, Umbrella displays a warning message. We recommend that you configure API keys for your AD Connectors and Umbrella VAs. For more information, see Configure Authentication for AD Connectors and VAs.
- On the server that you have configured to deploy the connector, sign in to Umbrella, navigate to Deployments > Configuration > Sites and Active Directory and click Download.
- For Windows Service (Active Directory Connector), click Download.
  Note: You must download the ZIP file to the local machine where you plan to run it or copy it locally from another machine. We do not recommend that you install the connector from a network drive or run the setup.msi directly from the compressed file.
Install the Cisco AD Connector
- As an administrator, extract the contents of the CiscoConnector ZIP file that you downloaded from Umbrella to a folder on the server, and then navigate to that folder.
  Note: If you run the AD Connector installer files from the root directory of your server, you may encounter installation errors.
- Run setup.msi, and then in the Cisco AD Connector Setup wizard, click Next.
- Choose the directory on the server to install the Cisco AD Connector.
- Confirm that you permit your AD Users and Groups to sync to Umbrella from the Cisco AD Connector.
- Add your Active Directory credentials. Enter the Username of the Cisco AD Connector user (Cisco_Connector or custom username) and the Password. For more information, see Prerequisites.
- Follow the remaining prompts in the setup, and then click Finish.
Verify That the Connector Syncs with Umbrella
- For more information, see View AD Components in Umbrella.