Guides
ProductDeveloperPartnerPersonal
ProductDeveloperPartnerPersonal

Multiple Active Directory and Umbrella Sites

Suggest Edits

Umbrella's sites let administrators segregate their Umbrella deployments. Each Umbrella site is an isolated deployment in which components only communicate with other components in the same Umbrella site. Umbrella sites are a container to isolate sections of a large multi-site network into groups which only sync to the other components in the container. For example, Umbrella sites may be North America, Asia, and Europe or Northeast, California, Atlanta office, South Region, and London, and each Umbrella site may be one or a combination of Active Directory (AD) sites. 

This is primarily useful in AD environments containing locations with high-latency connections, or in environments with locations whose internal IP space overlaps.

Table of Contents

Active Directory Sites and Umbrella Sites

A site represents a set of computers connected by a high-speed network, such as a local area network (LAN). Typically, all computers in the same physical site reside in the same building or perhaps the same campus network. AD and Umbrella both use the term "sites", and while related, have slightly different meanings.

Active Directory Sites and Services

  • For AD, a site object represents the actual directory data that is replicated between domain controllers.
  • AD sites are used to manage the objects that represent the site, and the servers that reside in the site.

Umbrella Sites

  • For Umbrella, a site refers to a set of components—virtual appliances (VAs), connectors, and domain controllers—that communicate only with each other.
  • An Umbrella site is more than a label and is more like a container; however, is not the same as an AD site. Multiple AD sites can be part of an Umbrella site, but one AD site should not be split into multiple Umbrella sites.
  • A site must have a minimum of two VAs, and one connector and DC each for AD integration.

Because Umbrella sites act as isolated deployments, each Umbrella site must have a minimum of two VAs. If AD integration is also being used, each site must additionally contain a minimum of one AD connector and ALL domain controllers against which a user in that location authenticates.

When You Want to Use Umbrella Sites

  • You need to limit WAN traffic between locations and are using AD sites to limit authentication to local servers
    http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx.
  • Your locations communicate between a NAT device, which causes the internal IP address of an end machine to be lost when communicating between locations.
  • Your locations use overlapping internal IP ranges.
  • You have locations which have high-latency connections between them—for example, branches in different continents. High latency connections, especially between the connector and the VAs, can result in delays to updates for user mappings.

Caveats

The isolation of the components in a given Umbrella site means that a specific VA will only be aware of users who have authenticated against domain controllers assigned to the same Umbrella site. As a result, we do not recommend using multiple Umbrella sites in a single AD site, even if that AD site spans multiple geographical locations. In such a scenario, users in a location may still authenticate against a DC in a different location, and thus the Umbrella components may miss user mappings.

Use Umbrella Sites

Individual Umbrella sites should be configured as if they are complete deployments. For each Umbrella site:

  • Follow the previous steps of this guide again, and after each sub-step, to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking its name and selecting an existing site or creating a new site. 
  • You may also rename the default or any existing sites.

🚧

Important

Ensure that there are at least two VAs, one AD server and one AD connector assigned to each site. Verify a complete, functioning deployment at each site before moving on to the next site.

Assign a Site to a Component

  1. Navigate to Deployments > Configuration > Sites and Active Directory.
1324
  1. Roll over a site entry and click the Change Site icon.
1020
  1. From the Site drop-down list, select a site and click Save.
374

👍

Active Directory Only

If you change the location of a virtual appliance, Cisco AD connector, or domain controller after you've installed the connector service, you must Stop/Start the connector service on each connector at both the new and old Umbrella sites through the Services management tool in Windows.

Connect Active Directory to Umbrella VAs < Multiple Active Directory and Umbrella Sites > Change the Connector Account Password

Updated 6 days ago