Implementing Cisco Umbrella

Submitted by dash on Tue, 01/30/2018 - 23:00

First project of 2018... implementing a new web proxy company-wide using Cisco Umbrella.  I have to admit, I had already stood up most of the configuration and one site during a trial.  Jiyon Ruffin with Cisco Umbrella was kind enough to wait for our executive process and extend our trial until we could fulfill a purchase order.  Thanks Jiyon!!

This has got to be by far the easiest implementation of a web proxy that I've ever deployed.  Cisco couldn't have made this any easier.  I was amazed at how easy this was to implement.  The biggest caveat is understanding how the topology works at the big-picture level so you can set your DNS accordingly: on servers, in DHCP scopes for clients, etc.  There is also an integration with Cisco ISR(s) that allows you to point their DNS queries to Umbrella and associate them with the appropriate site in the dashboard.  I'll post another blog about that later.

Install VA(s)

The first step was to have Cisco Umbrella create our dashboard (account).  Next was to log in and download the Umbrella VA (virtual appliance).  You can download the VA by navigating to Settings, Virtual Appliance, Sites and AD.  Click Download Components, then click download next to the appropriate hypervisor type.  Deploying two VAs for HA is recommended.  They are very light:

  • 1 vCPU
  • 512 MB vRAM
  • 10 GB of vDISK

The specs only call for 7 GB of vDISK, but we provisioned 10 GB to leave headroom on disk for VM protection.  Going through the VA setup is easy: simply enter a name, IP address, mask, DNS1, DNS2, AD server 1 and AD server 2.

Firewall requirements

The following firewall destination ports need to be opened for the VA(s):

  • tcp/udp 53 to 208.67.220.220/32 and 208.67.222.222/32
  • tcp/udp 443 to 67.215.92.0/24, 67.215.71.201/32, ocsp.digicert.com, crl4.digicert.com, 208.67.220.220/32 and 208.67.222.222/32
  • tcp/80 to 67.215.92.0/24, ocsp.digicert.com, crl4.digicert.com
  • udp/123 to 91.189.94.4/32 and 91.189.89.199/32
  • tcp/443 to disthost.opendns.com and disthost.umbrella.com
  • tcp/22, 25, 53, 80, 443, 4766 to s.tunnels.ironport.com
  • udp/5353 to 208.67.220.220/32 and 208.67.222.222/32
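
To check an egress policy against that list before cutover, here is an added example (not from the original post and not Cisco tooling): it transcribes the required flows above into a table and reports which of them a proposed set of allow rules does not permit.  The rule format (protocol, port list, destination), the proposed rules themselves and the mistakes baked into them (only one resolver address allowed, NTP forgotten) are constructed for illustration.  FQDN destinations are matched by name only, since the checker runs offline and never resolves anything.

```python
"""Offline check that a proposed egress policy permits every flow the Umbrella VA needs."""
import ipaddress

# Required outbound flows for the VA, transcribed from the list above as
# (protocols, destination ports, destinations).  Destinations are CIDR blocks or FQDNs.
REQUIRED = [
    ("tcp udp", "53", "208.67.220.220/32 208.67.222.222/32"),
    ("tcp udp", "443", "67.215.92.0/24 67.215.71.201/32 ocsp.digicert.com "
                       "crl4.digicert.com 208.67.220.220/32 208.67.222.222/32"),
    ("tcp", "80", "67.215.92.0/24 ocsp.digicert.com crl4.digicert.com"),
    ("udp", "123", "91.189.94.4/32 91.189.89.199/32"),
    ("tcp", "443", "disthost.opendns.com disthost.umbrella.com"),
    ("tcp", "22 25 53 80 443 4766", "s.tunnels.ironport.com"),
    ("udp", "5353", "208.67.220.220/32 208.67.222.222/32"),
]


def expand(required=REQUIRED):
    """Flatten the table into individual (proto, port, destination) flows."""
    flows = set()
    for protos, ports, dests in required:
        for proto in protos.split():
            for port in ports.split():
                for dest in dests.split():
                    flows.add((proto, int(port), dest))
    return flows


def parse_dest(dest):
    """Return an ip_network for CIDR text, or the lowercased FQDN otherwise."""
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return dest.lower()


def rule_permits(rule, flow):
    """True if one allow rule (proto|'any', 'p1 p2 ...'|'any', dest|'any') permits the flow."""
    proto, port, dest = flow
    r_proto, r_ports, r_dest = rule
    if r_proto not in ("any", proto):
        return False
    if r_ports != "any" and port not in {int(p) for p in r_ports.split()}:
        return False
    if r_dest == "any":
        return True
    want, have = parse_dest(dest), parse_dest(r_dest)
    if isinstance(want, str) or isinstance(have, str):
        return want == have                     # FQDN rules match the same name only
    return want.version == have.version and want.subnet_of(have)


def missing_flows(rules, required=REQUIRED):
    """Flows from the requirement table that no rule in `rules` permits."""
    return sorted(f for f in expand(required)
                  if not any(rule_permits(r, f) for r in rules))


# Constructed example policy (hypothetical, not the author's rules).  It only allows
# the 208.67.220.0/24 side of the resolver pair and leaves out NTP entirely; the
# checker should report both gaps.
PROPOSED_RULES = [
    ("any", "53 443 5353", "208.67.220.0/24"),
    ("tcp", "80 443", "67.215.92.0/24"),
    ("udp", "443", "67.215.92.0/24"),
    ("tcp", "443", "67.215.71.201/32"),
    ("udp", "443", "67.215.71.201/32"),
    ("tcp", "80 443", "ocsp.digicert.com"),
    ("udp", "443", "ocsp.digicert.com"),
    ("tcp", "80 443", "crl4.digicert.com"),
    ("udp", "443", "crl4.digicert.com"),
    ("tcp", "443", "disthost.opendns.com"),
    ("tcp", "443", "disthost.umbrella.com"),
    ("tcp", "22 25 53 80 443 4766", "s.tunnels.ironport.com"),
]

if __name__ == "__main__":
    for proto, port, dest in missing_flows(PROPOSED_RULES):
        print(f"NOT PERMITTED: {proto}/{port} -> {dest}")
```

Run against the constructed policy it lists seven gaps: every flow to 208.67.222.222 and both NTP servers.  A rule whose destination is a supernet of a required block counts as covering it, so the check stays valid if you aggregate rules, but a rule for one FQDN never covers another.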

After provisioning, all configuration sections in the VA will turn green.  If there is a problem, the affected section will be red.

The next step is to run the Windows Configuration script on all AD domain controllers.  This is what allows the VA and the connector service to communicate.  The script can be downloaded from Settings, Virtual Appliance, Sites and AD: click Download Components, then click download next to Windows Configuration.  The Umbrella site has instructions for running the script on your DC(s).

The next step was to download the Windows Service (the AD agent) from the umbrella.com dashboard and install it on a domain-joined AD server.  This was straightforward; nothing really to discuss.  You can download it by navigating to Settings, Virtual Appliance, Sites and AD.  Click Download Components, then click download next to Windows Service.

All provisioning in the dashboard was very straightforward.  The only thing to note is not to over-provision.  For example, under Settings, Virtual Appliance, Sites and AD, provision only the AD DNS server(s), AD Agent server(s) and the VA(s), and assign them to the appropriate site.  These populate as they report in to the dashboard.  Internal domains: you must enter each forward lookup domain you have on your DNS servers.  Do NOT add your internal subnets here; there is already an entry for RFC 1918, and there is already a .local entry in case you have split DNS.
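
As an added example (not part of the original post, and not Cisco's tooling), the script below screens a candidate Internal Domains list against that advice before anything is typed into the dashboard: it flags RFC 1918 subnets and their in-addr.arpa reverse zones as already covered, treats anything under .local as covered by the built-in entry (an assumption about how that entry matches), marks entries that are redundant under a parent domain already on the list, and holds back anything that is not a valid forward lookup name.  The candidate list is constructed for illustration; IPv6 reverse zones (ip6.arpa) are not special-cased.

```python
"""Screen a candidate Internal Domains list for entries the dashboard already covers."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the dashboard's built-in .local entry matches every name under .local.
BUILT_IN_DOMAINS = ("local",)
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def normalize(entry):
    """Trim whitespace and a trailing dot, and lowercase, so comparisons are stable."""
    return entry.strip().rstrip(".").lower()


def is_domain(name):
    """Syntactic check for a DNS name: valid labels and a non-numeric last label."""
    labels = name.split(".")
    return all(LABEL.fullmatch(l) for l in labels) and not labels[-1].isdigit()


def in_rfc1918(net):
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def reverse_zone(name):
    """Map a zone such as '1.168.192.in-addr.arpa' to 192.168.1.0/24, else None."""
    m = re.fullmatch(r"((?:\d{1,3}\.){1,4})in-addr\.arpa", name)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")[::-1]   # zone labels are reversed
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    try:
        return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}")
    except ValueError:
        return None


def under(name, parent):
    return name == parent or name.endswith("." + parent)


def classify(name):
    """Return (verdict, reason) for one normalized entry: add, skip or review."""
    try:
        net = ipaddress.ip_network(name, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if in_rfc1918(net):
            return ("skip", "RFC 1918 subnet, already covered by the built-in entry")
        return ("review", "a subnet, not a forward lookup domain")
    rev = reverse_zone(name)
    if rev is not None:
        if in_rfc1918(rev):
            return ("skip", "reverse zone for RFC 1918 space, already covered")
        return ("add", "reverse zone outside RFC 1918")
    if not is_domain(name):
        return ("review", "not a valid DNS name")
    if any(under(name, b) for b in BUILT_IN_DOMAINS):
        return ("skip", "covered by the built-in .local entry")
    return ("add", "forward lookup domain")


def plan(entries):
    """Classify every candidate, then drop names already covered by a parent on the list."""
    result, adds = {}, {}
    for raw in entries:
        name = normalize(raw)
        result[raw] = classify(name)
        if result[raw][0] == "add":
            adds[raw] = name
    for raw, name in adds.items():
        parents = [p for p in adds.values() if p != name and under(name, p)]
        if parents:
            result[raw] = ("skip", f"covered by {min(parents, key=len)}")
    return result


# Constructed candidate list (hypothetical names, not the author's domains).
CANDIDATES = ["example.com", "corp.example.com", "lab.corp.example.com", "corp.local",
              "10.0.0.0/8", "172.20.0.0/16", "1.168.192.in-addr.arpa",
              "203.0.113.0/24", "113.0.203.in-addr.arpa", "bad_name!"]

if __name__ == "__main__":
    for entry, (verdict, reason) in plan(CANDIDATES).items():
        print(f"{verdict:6} {entry:28} {reason}")
```

On the constructed list only example.com and the non-RFC 1918 reverse zone come out as "add"; the two sub-domains are redundant under example.com, the RFC 1918 entries and corp.local are already covered, and the public subnet and the malformed name are held for review rather than silently dropped.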