Umbrella virtual appliances (VAs) are lightweight virtual machines that are compatible with VMWare ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and Amazon Web Services cloud platforms. When utilized as conditional DNS forwarders on your network, Umbrella VAs record the internal IP address information of DNS requests for usage in reports, security enforcement, and category filtering policies. Additionally, VAs encrypt and authenticate DNS data for enhanced security.

VAs also enable Active Directory (AD) integration, which expands on the VAs’ functionality to include AD identify information in addition to the internal IP address visibility and DNS encryption.


DNS Only

The Umbrella Virtual Appliances only support DNS.

Table of Contents

How Umbrella Virtual Appliances Work

VAs act as conditional DNS forwarders in your network, intelligently forwarding public DNS queries to Cisco Umbrella's global network, and local DNS queries to your existing local DNS servers and forwarders. Every public DNS query sent to Umbrella is encrypted, authenticated, and includes the client's internal IP address.


Umbrella VAs do not cache DNS records. Caching occurs on the Umbrella resolvers. When an Umbrella VA responds with records to an endpoint's DNS query, any Time-to-Live (TTL) values in the response are equal to the TTLs as set by the authoritative DNS nameserver minus any time a record set has been in the Umbrella resolver cache.

Benefits of Virtual Appliances

Granular Identity Information
If you’re already pointing DNS to Umbrella, or plan to, all the DNS traffic visible in your Umbrella reports come from a single Network identity. The VAs provide internal IP visibility, allowing you to track down malicious or inappropriate traffic within your network to a specific IP address.

Without Virtual Appliances
Security and DNS traffic-related investigations cannot be traced back to an individual computer or IP address.


With Virtual Appliances
VAs record the internal IP address of every DNS request. Security and DNS traffic-related investigations allow you to associate traffic to an individual, internal IP address.


With AD Integration (added as a supplementary feature)
The VAs also record the AD user, group, or computer, depending on Umbrella's policies.


Granular Policy Management
Set different policies for "bring your own device" (BYOD) corporate networks, guest Wi-Fi, server-only networks, and more, by specifying the internal IP or IP range. Granular policy control makes it easy to filter unwanted content and malicious traffic on a per-network basis.


No Endpoint Software
No client-side software required. No OS image to reconfigure.

Lightweight Footprint
A VA only requires a minimum of one virtual CPU core and 512MB to process millions of DNS queries per day.

Active Directory Integration
VAs enable AD integration, which provides user, group, or computer name granularity in both reports and policies. For more information, see the Active Directory Integration with the Virtual Appliances.

Introduction > Prerequisites