Before You Begin
If you intend to implement Active Directory integration, in addition to Umbrella virtual appliances (VAs), see Appendix B – Multiple Active Directory and Umbrella Site. Use cases and guidelines differ slightly.
Sites/VAs are only required for DNS-based deployments. When using an Umbrella Cloud-Delivered Firewall (CDFW) deployment alone, sites/VAs are not required.
In the context of virtual appliances (VAs), Umbrella sites represent the physical location of your network, and specifically the internet egress point—the DNS egress point.
Each egress requires separate VAs. For more information, see Deploy Virtual Appliances.
Having separate Umbrella sites is important for identifying the physical location of the VAs, the association of network traffic, and logical automatic updating of the VAs.
If you are deploying VAs at multiple locations and if the internal IP space of each site location overlaps or is shared, you must set up multiple Umbrella sites. For each office with VAs, a separate Umbrella site can be added to group VAs together with a label. Note that you must do this when the IP space overlaps.
- Navigate to Deployments > Configuration > Sites and Active Directory**.
- Hover over a Site and then click the Edit icon. The Site modal appears.
- From the Site pulldown menu, choose a site, and click Save.
The IP address is utilized in Umbrella reports and analytics, and is used when creating policies for security and category filtering. For more information about policies, see Manage DNS Policies and Manage the Web Policy.
Each Internal Network must be associated with either a Site, Network, or Network Tunnel depending on your Umbrella deployment method.
For use with Umbrella Virtual Appliances to identify DNS traffic based on the internal source IP.
For use with Umbrella Secure Web Gateway to identify web requests based on the internal source IP. Requires a proxy chaining configuration with X-Forwarded-For headers enabled. See the Manage Proxy Chaining documentation for more information.
For use with Umbrella Secure Web Gateway features to identify web traffic based on the internal source IP. Requires a Network Tunnel (IPSec) connection to Umbrella. See the Network Tunnel Configuration documentation for more information.
Adding an IP address or range of IP addresses to Umbrella creates a new "Identity" from which traffic can be identified and filtered.
- Navigate to Deployments > Configuration > Internal Networks and click Add.
- Enter a name for the internal network and an IPv4 address or address range.
- Select Site, Network, or Network Tunnel for Internal Network Association.
- From the dropdown menu, choose a site, network, or network tunnel to associate with this internal network.
Note: If you are associating an internal network with a network tunnel, you can choose a specific network tunnel or associate it with all of your tunnels.
Updated 2 months ago