Communication Flow and Troubleshooting
The Umbrella integration spans several areas of your Cisco Active Directory (AD) Connector configuration. We recommend that you understand the flow of communication between each of the operational components. This can assist in troubleshooting and in ensuring that your environment is properly configured before you deploy.
Table of Contents
Communication Flow
The connector first attempts to communicate to the domain controller over LDAPS. If unsuccessful, it falls back to communicating over LDAP using Kerberos or NTLM, in that order.
The connector retrieves the AD users, groups, and computer details only. The necessary attributes are stored from each object, including the sAMAccountName
, dn
, userPrincipalName
, memberOf
, objectGUID
, primaryGroupId
(for users, groups and computers), and primaryGroupToken
(for groups). Passwords or password hashes are not retrieved. This data is then uploaded to Umbrella for use in policy configuration and reporting. This data is also required for per-user or per-computer filtering. Note that the objectGUID
is sent in hashed form.
If there are changes, the connector sends the AD data every five minutes, using an HTTPS connection over TCP on port 443. However, it can take an hour or longer for changes to reflect in Umbrella.
The connector stores this data locally as well in .ldif
files contained within C:\Program Files (x86)\Cisco\CiscoADConnector\ADSync. To find out exactly what is being synchronized to Umbrella, you can look at these files. At install time, you have the option to turn off the local storage of .ldif
files.
Troubleshooting
The following firewall/ACL requirements ensure that the Cisco AD Connector can communicate with the Umbrella cloud services and domain controllers:
Port and Protocol | Source | Destination | Note |
---|---|---|---|
443/TCP | AD Connector | api.umbrella.com (for syncing) |
|
80/TCP | AD Connector | ocsp.digicert.com crl3.digicert.com crl4.digicert.com | Check for certificate revocations through the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). |
389/TCP 636/TCP | AD Connector | Domain controller/domain | LDAP syncing |
Note: The Digicert domains resolve to various IP addresses based on a CDN and are subject to change.
If you experience any issues communicating to Umbrella, we recommend that you check for any Layer-7 application proxies which might be blocking or dropping data. A common case is the inspect feature on Cisco devices that act on protocols such as DNS, HTTP, and HTTPS.
For more information, see http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html.
You can restart the connector by restarting the Cisco AD Connector service on the connector system. Restarting the connector triggers a full synchronization of AD objects (and not just the changes from the previous sync) to Umbrella.
If your connector is not in the Okay state and you need to raise a support ticket with Umbrella, see Providing Support with AD Connector Logs.
Change the Connector Account Password < Communication Flow and Troubleshooting > Provision Identities Through Manual Import
Updated about 2 months ago