
Prerequisites for AD Connectors

To support the integration of Active Directory (AD) with Umbrella, review and meet the requirements in this guide.


Connector Server

Configure a server that is a member of the AD domain with the following environment:

  • Windows Server 2012, 2012 R2, 2016, 2019, or 2022 with the latest service packs and 100MB free hard disk drive space. Service packs prior to SP2 are not supported.
  • .NET Framework 4.5 or above
  • If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes to run on the system.

The Cisco AD Connector may be deployed directly on the domain controller. In this case, the domain controller must meet all prerequisites listed above. Only one connector is required to provision identities from an AD domain, with an optional second connector for redundancy if required.

Outbound Network Access to Cisco Umbrella

The Cisco AD Connector server requires outbound access as specified below:

  • For syncing, allow traffic on 443 (TCP) to api.umbrella.com.
  • Access to additional URLs on port 80/443 (TCP) may be required for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see Communication Flow and Troubleshooting.
  • For downloading upgrades, allow traffic on 443 (TCP) to disthost.umbrella.com.

If you are using a transparent HTTP web proxy, ensure that the above URLs on port 80/443 are excluded from the proxy, and not subject to authentication.
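The checks in the two sections above are easy to run before installing anything. The following is an added example, not Cisco's code or a script shipped with the connector: a preflight script that verifies domain membership, the OS version, free disk space, the .NET Framework release and outbound TCP 443 to the two Umbrella hosts named above, run in an elevated PowerShell session on the candidate server. It assumes the Microsoft-documented `Release` registry value for .NET 4.5 (378389) and Windows version 6.2 as the Server 2012 floor; the anti-virus check only covers Microsoft Defender, so other products need their own equivalent.

```powershell
# Added preflight check for an AD Connector host (example code, not Cisco's).
# Thresholds and host names are taken from the prerequisites above.
$requiredFreeMB     = 100
$requiredNetRelease = 378389          # .NET Framework 4.5 "Release" value (Microsoft-documented)
$umbrellaHosts      = @('api.umbrella.com', 'disthost.umbrella.com')

$results = [ordered]@{}

# 1. The connector host must be a member of the AD domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainMember'] = $cs.PartOfDomain

# 2. Windows Server 2012 (NT 6.2) or later.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OSVersion']   = $os.Caption
$results['OSSupported'] = ([version]$os.Version -ge [version]'6.2')

# 3. At least 100 MB free on the system drive.
$sysDrive = $env:SystemDrive.TrimEnd(':')
$freeMB   = [math]::Round((Get-PSDrive -Name $sysDrive).Free / 1MB)
$results['FreeMB'] = $freeMB
$results['DiskOK'] = ($freeMB -ge $requiredFreeMB)

# 4. .NET Framework 4.5 or above, read from the documented NDP\v4\Full registry key.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                        -ErrorAction SilentlyContinue
$results['DotNetRelease'] = $ndp.Release
$results['DotNetOK']      = [bool]($ndp -and $ndp.Release -ge $requiredNetRelease)

# 5. Outbound TCP 443 to the sync and upgrade endpoints. A failure here with a
#    transparent proxy in the path usually means the host is not excluded from it.
foreach ($h in $umbrellaHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["TCP443_$h"] = $t.TcpTestSucceeded
}

# 6. Defender only: are the two connector processes on the process exclusion list?
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    $excl = @($mp.ExclusionProcess)
    $results['DefenderProcessExclusions'] =
        ($excl -contains 'CiscoAuditClient.exe') -and ($excl -contains 'CiscoAuditService.exe')
}

[pscustomobject]$results | Format-List
```

Every value should read `True` (or a number above the threshold) before the connector is installed; a `False` on `DomainMember` or either `TCP443_` entry blocks the install outright, while a missing Defender exclusion only matters once the connector processes are actually on disk.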

Connector Account

For the AD Connector deployment, create a new user account in the AD domain. This account should have:

  • The logon name (sAMAccountName) set to Cisco_Connector. A custom username can also be used but must be configured with the required permissions as listed below.
  • Select Password never expires.
    Note: Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
  • Assign Read and Replicating Directory Changes permissions. Alternatively, you can make the connector account a member of the built-in Enterprise Read-only Domain Controllers group, which automatically assigns these permissions.
    Note: The Cisco AD Connector does an initial synchronization of the AD structure to Umbrella. After this, it detects changes to the AD structure and communicates these changes only. The detection of changes requires the Replicating Directory Changes permission, so the Connector cannot function without this permission. The Replicating Directory Changes permission is different from the Replicating Directory Changes All permission which enables the retrieval of password hashes. The Connector does not read password hashes and hence does not require the Replicating Directory Changes All permission.
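The distinction in the note above (Replicating Directory Changes is required, Replicating Directory Changes All is not) is worth verifying on the domain's ACL rather than trusting the group membership alone. The following added example, not Cisco's code, creates the connector account with "Password never expires", adds it to the Enterprise Read-only Domain Controllers group as the guide allows, and then inspects the domain naming context ACL for the two extended-right GUIDs. It assumes the ActiveDirectory PowerShell module, Domain Admin rights, and that it runs in the forest root domain where that group lives; the GUIDs are the well-known DS-Replication-Get-Changes (`1131f6aa-…`) and DS-Replication-Get-Changes-All (`1131f6ad-…`) control access rights. The membership lookup covers direct group membership only, not nested groups.

```powershell
# Added example (not Cisco's code): create the connector account and confirm it holds
# Replicating Directory Changes but NOT Replicating Directory Changes All.
Import-Module ActiveDirectory

$samName  = 'Cisco_Connector'
# Placeholder prompt; the password must avoid \ ' " < > : as the note above requires.
$password = Read-Host -AsSecureString -Prompt "Password for $samName"

# Create the account once, with "Password never expires" set.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$samName'")) {
    New-ADUser -Name $samName -SamAccountName $samName `
               -AccountPassword $password -PasswordNeverExpires $true -Enabled $true
}

# Grant the replication right via the built-in group, as the guide allows.
Add-ADGroupMember -Identity 'Enterprise Read-only Domain Controllers' -Members $samName

# Well-known control access right GUIDs (schema-defined, not page-specific).
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

# SIDs that ACEs could be granted to: the account itself plus its direct groups.
$user          = Get-ADUser -Identity $samName
$principalSids = @($user.SID.Value) +
                 @(Get-ADPrincipalGroupMembership -Identity $samName | ForEach-Object { $_.SID.Value })

# Read the DACL of the domain naming context through the AD: drive.
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$relevant = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
    if ($ace.ObjectType -ne $getChanges -and $ace.ObjectType -ne $getChangesAll) { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }                      # unresolvable trustee, not ours
    if ($principalSids -contains $sid) { $ace }
}

$hasGetChanges    = [bool]($relevant | Where-Object { $_.ObjectType -eq $getChanges })
$hasGetChangesAll = [bool]($relevant | Where-Object { $_.ObjectType -eq $getChangesAll })

"Replicating Directory Changes     : $hasGetChanges  (must be True)"
"Replicating Directory Changes All : $hasGetChangesAll (should be False; it allows password-hash retrieval)"
```

The expected outcome is `True` for the first line and `False` for the second. If the second line reports `True`, the account has been granted more than the connector needs and the extra ACE should be removed, since that right is the one that exposes password hashes to whoever holds the account.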
