Cisco Umbrella: Sites and Active Directory Setup

The goal of this document is to provide a guided walk-through of the steps needed to set up Cisco Umbrella in a Microsoft Windows Active Directory environment. You must have an Administrator account in the UWSA Umbrella Console. A server environment running VMware or Microsoft Hyper-V is recommended for setting up the target Umbrella Virtual Appliances.

Initial Access

The first step in configuration is to log into our UW-Madison console. From here you'll be brought to the overview dashboard for our instance.

  • Admin Portal Setup Steps
    • Sites

      You will find the first setting needed under Deployments on the left panel, under the section "Configuration/Sites and Active Directory".

      From here, click Setup in the upper right corner of the page to reveal the page for creating a site specific to the Active Directory domain. Click Add site and enter a clear identifier for the department/domain (example: DoIT).

      Internal Domains

      Next, add the internal domain name for the AD domain by clicking Add under "Configuration/Sites and Active Directory".

      When adding the internal domain, enter the full domain name (example.local, etc.) and a description of the internal domain, then select the site set up above and the devices it will apply to.

      Repeat this step until all internal domains are added.

  • Virtual Appliance Setup
      • Environment Setup Pre-requisites
        • VA Resource Specifications - At a minimum, each VA requires the following allocated resources:

          • One virtual CPU
          • Minimum 512MB of RAM (1GB RAM recommended)
          • 7GB of disk space.
        • Two virtual appliances (VAs) per Umbrella site

          VAs must be deployed in pairs to ensure redundancy at the DNS level and to allow for updates without downtime, ideally with one VA on each redundant virtual host. It is critical that these VAs are not cloned or copied in any way. Each VA must be set up and configured manually.

      • Configuration Steps:
        • (Follow along in Cisco Umbrella Documentation here:

          Open the VA in your preferred hypervisor's console, and you'll see a configuration menu. As you'll see in the lower right corner, the system time is set to UTC by default. This will not affect your DNS, network, or hypervisor.

          If you have deployed the VA in a network that supports DHCP, the VA is automatically assigned a DHCP IP address and registers to Umbrella using this IP. This IP address appears on the configuration as well as the Umbrella dashboard.

          1. Press Ctrl+B and when prompted, provide a password for configuration changes. You must change the password when you enter Configuration Mode.
            Your password must be at least eight characters long, include at least one lowercase character, one uppercase character, one digit, and one special character. Your password cannot be the same as your last password.

            Note: Umbrella<OrgID> should be set as the default password for the VA. Our UW-Madison Org ID is 3243228.
          2. (Optional) To enable remote configuration of this VA over SSH, enter command "config va ssh enable"
          3. If you have enabled SSH, you can now remotely connect to the VA over SSH and enter Configuration Mode after authentication. Enter command "ssh vmadmin@<VA's IP address>"
            Note: Configuration mode does not support concurrent access by more than two users.
        • Configuring the VA involves configuring the name, IP details, and local DNS servers. It is mandatory to configure the name and IP, Netmask, and Gateway (unless already configured). Failing to do this results in the VA not being able to register to Umbrella.

          In addition to an IPv4 address, you can also configure the VA with an IPv6 address. Endpoints with an IPv6 address can use the VA for DNS resolution, and the internal IPv6 address of the endpoint will be reported in Umbrella. Active Directory integration is currently not supported for IPv6 endpoints.

          Configurable parameters:
          • Name:
            • The name associated with the VA in your Umbrella dashboard. This is a friendly name, similar to a hostname for a computer or server. If you have multiple hypervisor hosts, appending or prepending numbers or letters to indicate the local hypervisor host is advised.
            • To configure enter command "config va name <name>"
          • IP, Netmask, and Gateway (Required params for functionality):
            • Give the VA a local, static IP address on the same network as your endpoints which will utilize the VAs for DNS resolution.
            • To configure the IP, Netmask, and Gateway for the VA, enter command "config va interface <ipaddress> <netmask> <gateway>"

            • (Optional) To configure an IPv6 address on your VA, enter command "config va interface6 <ipv6 address>/<prefix> <ipv6-gateway>"

          • Local DNS - 1 through 6:
            • Enter the local IPs of your existing local DNS servers. Often these are your Windows Servers with the DNS Server role installed. These are the servers that will receive the local DNS queries. You can enter IPv4 and/or IPv6 addresses here.
            • To configure up to six local DNS servers, enter command "config va localdns <localdns1> <localdns2> … <localdns6>"
            • Note: Each configuration overrides any previous configuration.
          If you have entered the Configuration Mode over SSH, to validate status, enter command "config va status"
          If tests complete without error, the next step is to verify that the VA syncs within the Umbrella dashboard.
          In Umbrella, navigate to Deployments > Configuration > Sites and Active Directory. Your VAs are listed with the names you gave them earlier in the VA Console configuration.

Configure Second VA

Repeat the steps above, used to configure the first VA, for the second VA.
NOTE: Umbrella VAs cannot be cloned. Ensure that your second VA is set up manually. Umbrella will not recognize a cloned VA.
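
The following pre-flight check is an added example, not part of the original document or Cisco's tooling. It validates the planned settings for a site's VA pair (gateway on the same subnet, one to six local DNS servers, no shared name or IP between the two VAs) and prints the "config va" commands from the steps above for each VA. The site names and addresses are constructed sample values.

```python
import ipaddress

def va_commands(name, ip, netmask, gateway, local_dns):
    """Validate one VA's settings and return the 'config va' commands for it."""
    # Assumption (not stated on this page): the name is a single token without spaces.
    if not name or any(c.isspace() for c in name):
        raise ValueError("VA name must be a single non-empty token")
    # strict=False derives the network from a host address plus netmask;
    # a malformed netmask raises ValueError here.
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    addr, gw = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gateway)
    if gw not in net:
        raise ValueError(f"{name}: gateway {gw} is outside {net}")
    if addr == gw or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{name}: {addr} is not a usable host address in {net}")
    if not 1 <= len(local_dns) <= 6:
        raise ValueError(f"{name}: expected 1 to 6 local DNS servers")
    dns = [str(ipaddress.ip_address(d)) for d in local_dns]  # IPv4 and/or IPv6
    return [
        f"config va name {name}",
        f"config va interface {addr} {net.netmask} {gw}",
        "config va localdns " + " ".join(dns),
        "config va status",
    ]

def site_plan(vas):
    """Apply this page's two-VAs-per-site rule, then build commands per VA."""
    if len(vas) != 2:
        raise ValueError("deploy two VAs per Umbrella site")
    for key in ("name", "ip"):
        if vas[0][key] == vas[1][key]:
            raise ValueError(f"both VAs share the same {key}; configure each VA individually")
    return {va["name"]: va_commands(**va) for va in vas}

# Constructed sample values (RFC 1918 addresses, hypothetical VA names).
SAMPLE_SITE = [
    {"name": "doit-va-1", "ip": "10.20.30.11", "netmask": "255.255.255.0",
     "gateway": "10.20.30.1", "local_dns": ["10.20.30.5", "10.20.30.6"]},
    {"name": "doit-va-2", "ip": "10.20.30.12", "netmask": "255.255.255.0",
     "gateway": "10.20.30.1", "local_dns": ["10.20.30.5", "10.20.30.6"]},
]

if __name__ == "__main__":
    for va_name, cmds in site_plan(SAMPLE_SITE).items():
        print(f"# {va_name}")
        print("\n".join(cmds))
```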

Keywords: AD security cybersecurity DNS
Doc ID: 110560
Owner: Vincent A.
Group: IT Security Vulnerability Management
Created: 2021-04-28 08:00 CST
Updated: 2021-10-11 07:53 CST
Sites: IT Security Vulnerability Management