Insights Deployment Guide

Transcription

1 Insights Deployment Guide Overview The Umbrella Insights is setup to be implemented in three major areas of configuration, depending on your network and on your needs. This guide serves to outline these three major areas of configuration, all of which are covered in this guide. To skip to the area that is of interest to you, go to the following page numbers: Active Directory Integration allows you to manage AD groups & users in your Umbrella policies and reports: Active Directory Integration Install and Setup Guide pg. 2 Internal Networks allows to you manage Umbrella policy for subnets of computers based on the internal IP address: Internal Networks Install and Setup Guide pg. 29 Umbrella Roaming Clients helps you install the client for Umbrella on Windows or Macintosh laptop computers that will leave the network: Umbrella Roaming Clients Install and Setup Guide pg. 36 1

2 Active Directory Active Directory Integration: Install and Setup Guide 2

3 This guide explains how to install and configure the Active Directory Components provisioned and maintained from the Dashboard with Umbrella Insights. By integrating with your Active Directory environment and securely forwarding DNS queries to the Umbrella Secure Cloud Gateway, you can enforce and report on users, computers and groups. Table of Contents Overview 4 Prerequisites 6 Virtualized Server Environment Active Directory Environment Network Environment Step 1: Setup DNS Forwarding via Virtual Appliance 7 Create the Virtual Appliance (VA) in VMware Create the Virtual Appliance (VA) in Hyper-V Configure the Virtual Appliance Verify the Virtual Appliance Syncs with the Dashboard Create the Redundant Virtual Appliance Route Local DNS Queries Step 2: Prepare your Active Directory Environment 19 Run the Configuration Script on the Domain Controller (DC) Verify the Domain Controller Reports to the Dashboard Repeat for Each Domain Controller Step 3: Connect Active Directory to Umbrella 21! Install the Connector Verify the Connector Syncs with the Dashboard Verify all Active Directory Components are Operational Step 4: Configure Settings in Dashboard 23! Step 5: Route DNS Traffic through the Virtual Appliances 24! Multiple AD Sites 25! Appendix A: Prepare a Separate non-domain Controller to Install the Connector 26! Appendix B: Configuring Domain Controllers on Windows Server 2003 R2 27! Setting the Manage auditing and security log Group Policy Setting DCOM permissions Setting WMI permissions! 3

4 Overview The Active Directory integration consists of two components that must reside in your network at each independent AD site:!note: An Active Directory site in the context of this document means an independent location with its own Domain Controller server(s), DNS server(s), and connection to the Internet. 1. The Virtual Appliance ( VA for short), which Runs in a virtualized server environment, Forwards local DNS queries to your existing DNS servers and Forwards external DNS queries with non-sensitive metadata to the Umbrella Service.!NOTE: The recommended requirements for installation include a second VA for redundancy (not shown in the diagram) to ensure uptime during upgrade and high availability.!important! In order for the Virtual Appliance to properly route local DNS queries and external DNS queries, all clients that are to be managed by Umbrella need to have their DNS addresses be the addresses of your VAs. 2. The Connector, which Runs in your Active Directory environment, Securely communicates non-sensitive user and computer login info to the Virtual Appliances. Securely communicates non-sensitive user and computer group info to the Umbrella Service.!NOTE: If your security policy requires it, the Connector can be installed on a different non-domain Controller (see Appendix A for details). 4

5 This guide explains how to install each of these components and verify that they are working properly before you deploy them. 5

6 Prerequisites To support the Umbrella Insights Active Directory integration, you must have: Virtualized Server Environment on VMware or Hyper-V Requirements for VMware: VMware ESXi 4.1 update 2 or newer to create the Virtual Appliances. Your ESXi server host is set to the correct date and time for predictable VA behavior. Your ESXi server host has at least one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance. We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. Requirements for Hyper-V: Windows Server 2012, Window Server 2012 SP1 or Windows Server 2012 R2 (Standard or Data Center) with Hyper-V. Your Windows 2012 server is set to the correct date and time for predictable VA behavior. In addition to the minimum required hardware to run Windows Server 2012, we recommend: o An additional 512Kb of RAM for each Virtual Appliance o Allocation of 7GB of disk space for each Virtual Appliance o An additional CPU core for each Virtual Appliance. (Note: This may not be necessary if the server provisioned for Hyper-V is highly spec'd). We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. Active Directory Environment Windows Server 2003, 2003 R2, 2008 or 2008 R2, 2012 or 2012 R2 with the latest service packs and 100Mb free hard disk drive space. Only a single domain environment.!important! When deploying Umbrella Insights Active Directory Components at more than one WANlinked (MPLS-type network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at current site before moving on to the next. A new user account with: o o o o The logon name (aka. samaccountname) set to OpenDNS_Connector. The box Password never expires checked. A password entered without backslash or quotation characters. Make sure the OpenDNS_Connector user is a member of the following groups and if not, please add the missing ones: " Event Log Readers 6

7 " Distributed COM users " Enterprise Read-only Domain Controllers!IMPORTANT! For environments on Windows Server 2003 and Windows Server 2003 R2, several manual steps are required (see Appendix B for instructions). Network Environment The following requirements are for your Network Environment to ensure you can communicate with OpenDNS. These requirements apply to both VMware and Hyper-V. Set the following outbound ports to be open from the VAs to the /24 subnet and the OpenDNS DNS resolvers: 53 TCP & UDP ( and ) 443 TCP & UDP ( /24) 80 TCP ( /24) 2222 TCP ( /24) Do not place devices with network address translation (NAT), or that in any manner obfuscates the internal IP address(es) between the computers and the Virtual Appliance at each site. Make sure you do not have transparent proxies on your network to avoid issues. Step 1: Setup DNS Forwarding via Virtual Appliances The purpose of Virtual Appliances is to map internal source IP addresses to AD users and computers then forward external DNS queries from your network to the Umbrella Secure Cloud Gateway via one of the OpenDNS Global Network data centers. Local DNS queries are forwarded to your internal DNS servers. Virtual Appliances can be created in VMware (below) or in Hyper-V (page 9 of this guide). Create the Virtual Appliance (VA) in VMware 1. On any network PC with the ability to log into your ESXi server using the VMware vsphere client, point your browser to and log in with your Umbrella credentials. 2. From the Dashboard, navigate to Configuration > System Settings > Sites & Active Directory. 3. Click the download components button in the upper-right corner and select the download button for the VA for VMware ESXi 4.1 Update 2.! NOTE: If you already downloaded this file a few days ago, please re-download it in case of a newer version. System prompts will update you on the status of the download of the OpenDNS.ova file. 4. Log onto your VMware vsphere client. 7

8 5. Select the File tab, and click Deploy the OVF Template. 6. Follow the deployment wizard prompts; taking note of: a. For the source, browse to the.ova file you just downloaded. b. Verify that your VMware server host is running version 4.1 or newer. c. Specify a unique name and location of your Virtual Appliance. d. Select the disks appropriate to your environment. e. Make sure you select the Thin Provision radio button. f. Specify the network.!note: This is the same network that includes your Domain Controller (DC) and VA instances. These two components must be able to communicate with each other. 7. Click Finish after completing the deployment configuration. System prompts will update you on the status. 8. Select the device just created and right-click. Select Power > Power on. 8

9 9. Right-click the device just created, and select Open Console. Create the Virtual Appliance (VA) in Hyper-V 1. On the computer running Hyper-V, point your browser to and log in with your Umbrella credentials. 2. Download the Hyper-V installer from within your Dashboard, under Configuration > System Settings > Sites and Active Directory. Click the download components button in the upper-right corner and select the download button for the VA for Hyper-V for Windows Server 2012 and Windows 2012 Server R2.!NOTE: The download may take some time to begin as the file is generated on a per-customer basis. If you already downloaded this file a few days ago, please re-download it in case of a newer version. 3. Once you've downloaded the file, extract the contents to a folder. There are two folders - virtual hard disks and virtual machines. There is also one configuration file. You should have an extraction path similar to this: 9

10 4. If you are using Windows 2012 R2 with Hyper-V, please note: Microsoft has changed the VM format on Hyper-V Windows 2012 R2. As a result the "import" steps below will fail on import. Instead, we recommend that you create a new virtual machine under Generation 1 and attach the hard drives (step 7 in the steps below). 5. Next go to the Hyper-V Manager. Select your Hyper-V server, then right-click on it's name and select Import Virtual Machine from the menu: 6. Navigate to extraction folder from your download and select that folder to import: 7. Click Next to move to the next part of the wizard At this point, you should see "forwarder-va" as the name of the virtual machine to import. Select this name and click next: 10

11 8. You'll be asked to choose the type of import to perform. Select the radio button to "Copy the virtual machine (create a new unique ID)" as below, and click Next: 11

12 9. Next, choose Destination folders to install to. These will be the Hyper-V Configuration folders by default but you can pick another folder if you'd like:!note: If selecting a different folder, pick a drive with sufficient space and create a folder with a specific name for the virtual machine, such as \opendnsfowarder-1\. This can be helpful to ensure you're able to distinguish between the two virtual appliances in your file structure. Click Finish to end the wizard. 10. The next steps are very important. First, navigate in Windows Explorer to the \Virtual Hard Disks\ subfolder within the extracted download folder created earlier (step 1). Copy the two files from that location to the Virtual Machine Configuration Folder you specified in the "Choose destination" step of the wizard (step 6) There will be two files, dynamic and forwarder-va. You should rename these files in accordance with the VA that is being installed. For instance, re-name the file "dynamic" to "Dynamic-VA-1" and rename "forwarder-va" to "Forwarder-VA-1. If configuring your second VA, change the number accordingly. This can help ease management of multiple virtual appliances and avoids conflicts between filenames when configuring your second VA. Next, go back to your Hyper-V Manager. Select the virtual machine you've created right-click and choose "Settings " 12

13 In Settings for Hardware, select the Network Adapter and then assign a virtual switch that has Internet access, as below: 13

14 11. Next, in Settings for Hardware select the hard-drives. Ideally, they should be under the same IDE controller. For hard-drive settings, browse to the Virtual Machine Configuration Folder and the first hard drive should be set to the forwarder file (Forwarder-va) and the second hard drive should be set to the dynamic (Dynamic) file, as shown in this example: 14

15 15

16 12. At this point, apply the configuration in the wizard. Then power-on on the virtual machine, which will bring you to the command line to configure your VA. If all is well, you'll start by seeing the boot screen for the Hyper-V resolver. The next stage of the process is to configure the VAs to match your network, or you can build a second VA following these steps before proceeding. 16

17 Configure the Virtual Appliance 1. From the VMware console after a brief boot up process, you are prompted to configure the DNS forwarder by tabbing between fields.!note: For Local DNS 1 and 2 enter your local DNS servers, which is often the IP addresses of your Windows Servers with both the Active Directory Domain Services and DNS Server roles installed. 2. At the Add Domain prompt enter the name of your domain (adding internal zones is described below). 3. Press Return. 4. Tab to Save and press Return.!NOTE: You should see a sync message indicating that the VA and the Umbrella Service are communicating. Verify the Virtual Appliance Syncs with the Dashboard When you return to the Umbrella Dashboard, you will see the VA you just created in the Inactive state on the Active Directory Configuration page. Create the Redundant Virtual Appliance Repeat the above steps to create a secondary Virtual Appliance, which is required for continuous operation.!note: It ensures 100% uptime in the event of any critical issues, as well as enabling auto-upgrades to stagger any necessary reboots. Depending on your setup, you can place each VA on a separate VMware host. Route Local DNS Queries To ensure correct DNS responses to local hosts inside your internal network, you will want to configure your VAs to route queries to your existing DNS servers. To add internal DNS zones: 1. From the VMware console, select Edit. 2. Use Tab until you have highlighted the Add domain option. 3. Add your internal zone(s) (e.g. example.com). 17

18 4. Add your reverse zone(s) (e.g. if your network is /24 you should add: in-addr.arpa). 5. Select Save and hit Enter. To add A & PTR records for your VAs 1. On your local DNS server, click Start, Run and type dnsmgmt.msc 2. Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com). 3. Select the local zone (e.g. corp.domain.com). 4. On the right hand side right-click, select New Host. 5. Enter a hostname for the VA, an IP and make sure the box Create associated pointer (PTR) record is checked. 6. Click Add Host. To verify if the records were created correctly, you can test with nslookup: 1. Enter: nslookup (IP ADDRESS of the VA). For example: # nslookup Server: Address: #53 Non-authoritative answer: in-addr.arpaname = va01.corp.domain.com. 2. Enter: nslookup (HOSTNAME of the VA). For example: # nslookup va01.corp.domain.com Server: Address: #53 Non-authoritative answer: Name: va01.corp.domain.com Address:

19 Step 2: Prepare your Active Directory Environment Running the script on each of the Domain Controllers (DCs) prepares them to communicate with the Connector.!IMPORTANT! For environments running on Windows Server 2003 or Windows Server 2003 R2, several manual steps are required before completing step 2 (see Appendix B for instructions). Run the Configuration Script on the Domain Controller 1. From the 'Active Directory Configuration' page, click download components and then 'Windows Configuration'. 2. Download the file and save it to a location on the machine you plan to run it on.!note: The configuration script is written in Visual Basic Script and is human readable. For reference, it automates the instructions you ll find in Appendix B, plus more. Contact support for more details. 3. As Admin, open an elevated command prompt. 4. Enter: cscript <filename> where <filename> is the name of the configuration script you downloaded in Step 2. The script will display your current configuration, then offer to auto-configure the Domain Controller for operation. If the auto-configure steps are successful, the script will register the Domain Controller with the Umbrella Dashboard.!NOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the prerequisites. There are also several Group Policies that affect system operation that may need manual configuration. The script will display the status of these settings and, if needed, provide instructions on changing them. 19

20 Verify the Domain Controller Reports to the Dashboard When you return to the Dashboard, you will see the hostname of the Domain Controller you just ran the script on in the Inactive state on the 'Active Directory Configuration' page.!note: The configuration script only runs once; it is not an application or service. If you change the IP address or hostname of the Domain Controllers, remove the previous instance of the Domain Controller by clicking the round X icon, and repeat tasks 1-4. Repeat for Each Domain Controller Server Repeat the above steps to prepare additional Domain Controller in your single domain environment to successfully communicate with the Connector. 20

21 Step 3: Connect Active Directory to Umbrella The purpose of the Connector is to monitor one or more Domain Controllers. It listens to user and computer logins via the security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the Virtual Appliances. It synchronizes user-to-group, computer-to-group and group-to-group memberships with the Umbrella Service, enabling you to create and enforce group-based settings and view user, computer and group-based reports.!note: You only need to install one Connector per site, but you may install more than one. If your security policy does not allow you to install software directly on your Domain Controller you can install it on a separate Windows machine (see Appendix A), otherwise it is recommended to install the Connector on one or more of your Domain Controllers. Install the Connector 1. From the Active Directory Configuration page, click download components and then 'Windows Service'.!IMPORTANT! You must download the zip file to the local machine where you plan to run it. Issues have been observed attempting to install the connector from networked drives. 2. As Admin, select the zip file and extract the setup.msi file. 3. Run setup.msi. 4. Enter the password you configured for the OpenDNS_Connector user you created. (see Prerequisites). 5. Follow the setup wizard prompts. 6. When finished, click Close. 7. Return to the Dashboard. Verify the Connector Syncs with the Dashboard 1. When you return to the Dashboard, you will see the hostname of the Domain Controller or other Windows machine that you installed the Connector on the 'System Settings > Sites & Active Directory' page. 2. The Umbrella Service automatically configures and connects the VAs to the Domain Controllers via the Connectors for each configured site, and the status of all of your VAs, Domain Controllers, and Connectors should change from Inactive to Active. If not, contact support. 3. Navigate to 'Configuration > Policies'. i. The Domain Controllers should automatically synchronize user and computer group memberships, and any subsequent changes, with the Umbrella Service via the Connector. You can verify that this has occurred successfully by clicking 'add a new policy' and confirming that your groups are present. ii. iii. As such, you should see all of your AD Groups, included those nested within other groups, within the identity picker of the policy wizard. If you don t see your groups, check the 'System Settings > Sites & Active Directory' page to see if the status of all components is Active. If not, contact [email protected].!note: It can take up to 10 minutes for large numbers of AD user, computer and group objects to synchronize for the first time. 21

22 Verify all Active Directory Components are Operational 1. Before you deploy your Umbrella configuration, confirm that you can resolve DNS traffic by entering the following command that sends a query to opendns.com through your VA: C:\>nslookup > server {{enter the IP of one of your VA's}} > opendns.com 2. You can further verify DNS traffic by entering the following command to send a TXT Record query to debug.opendns.com through the VA: > set type=txt > debug.opendns.com > exit This query returns a string of information if you are going through the VA. If you receive a non-existent domain result from that query, there is still something wrong with your configuration and you should contact support. 22

23 Step 4: Configure Settings in Dashboard Once verifying that all Active Directory components were integrated successfully, define and apply security and acceptable use policies to AD Groups. 1. Navigate to Configuration>Policies, and click add a new policy or click the name of an existing policy. 2. Check the AD Groups box if you want to apply a single policy for all AD users and/or computers, or check the box next to one or more specific groups via the identity picker. To remove a selected group, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click next.!important: Clicking on a group will show its members including nested groups, user accounts or computer accounts. Selecting the group will apply the policy to all its members. You can select only a nested group, but not an individual user or computer account. As a best practice, centrally manage your group memberships via your Domain Controllers. Any changes will be synced with the Umbrella Service within a few minutes. 3. Select the 'Policy Settings', including the Security Settings, Category Settings and Domain Lists for your identity. 4. Click Next then select 'Block Page Settings' you would like enforced for this policy. Then click next.!note: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so. 5. Set a meaningful description for the policy, then click save.!note: The policy you created will be applied within seconds to any new connections coming into the Umbrella Service from the selected computers. 6. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.!note: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, Default Policy always ordered last, which is a catchall for any identity. 23

24 Step 5: Route DNS Traffic through the Virtual Appliances In order for you to begin enforcing your settings, all DNS traffic should be routed through your Virtual Appliances. 1. First, start by testing on a few devices by manually configuring their DNS settings to use the Virtual Appliances. Try different operating systems or hardware types to ensure compatibility with all your devices.!important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire. 2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization. 3. Once you ve verified correct enforcement of policies with your pilot group of computers, you can either stage the cut over to using the Virtual Appliances for DNS or cut over the entire organization. The best time to affect the cut over is typically after users log out for the day. 4. When users log in after the installation is complete, they should begin sending all DNS queries to the one of the VAs forwarding DNS traffic.!note: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs. secondary DNS server relationship. Stub DNS resolvers behavior on many operating systems are undocumented in regards to which DNS server they will use at any time. 24

25 Multiple AD Sites Follow the previous steps 1-5 again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking on its name and selecting an existing site or creating a new site. You may also rename the default or any existing sites.!important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire. 25

26 Appendix A: Prepare a Separate non-domain Controller to Install the Connector If your security policy requires it, the Connector can be installed on a non-domain Controller machine, but it must be joined to the same domain as the Domain Controllers that the Connector will be monitoring. 1. Provision a virtual or physical machine using a static IP. 2. Install one of the three supported Windows OS and other components below. a) Windows Server 2008 R2 SP1 (Preferred) i. Install AD Domain Services Snap-ins and Command-line Tools feature via Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools ii. Install.NET v3.5 b) Windows Server 2008 SP2 i. Install Active Directory Lightweight Directory Services role ii. Install.NET v3.5 c) Windows 7 (non-home license) i. Install Remote Support Administration Tools - download available from ii. Install.NET v Join machine to the same domain as the Domain Controller (domain controller) being connected to 4. Open WMI ports via the following command run as Administrator: netsh advfirewall firewall set rule group="windows Management Instrumentation (WMI)" new enable=yes 5. (Optional) If there is no access to a network file share to retrieve the file locally, download and/or unrestrict Internet Explorer ( or install a different browser. 26

27 Appendix B: Configuring Domain Controllers on Windows Server 2003 and 2003 R2 Setting the Manage auditing and security log Group Policy!NOTE: Adding the OpenDNS_Connector user to this group policy for all Domain Controllers is also required in certain Windows Server 2008 configurations. 1. By default, Windows Server 2003 does not come with the Group Policy Management Console (GPMC) and it may be downloaded here: Alternatively, 2008 R2 servers should have GPMC installed and you can apply the following permissions from this server to be replicated to the 2003 or 2003 R2 server. 2. Open the GPMC (via Start > Administrative Tools), and select a Group Policy that applies to Domain Controllers.!NOTE: If you aren t sure what policy to change, open a command prompt and type the following command: "gpresult /scope computer /r". Look for the Applied Group Policy Objects line. Under it will be a list of policies applied to that Domain Controller. Make note of one that is likely to be applied to all Domain Controllers (e.g. Default Domain Controllers Policy ). 3. Right-click that policy and select Edit to bring up the Group Policy Management Editor. 4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder and select Manage audit and security log to view its properties. 27

28 5. Check "Define these policy settings", click "Add user or group", browse and select the OpenDNS_Connector user. 6. Run the "gpupdate" command on the Domain Controller to make sure the policy is applied. Setting DCOM permissions 1. From a command line run dcomcnfg. 2. Console Root > Component Services > Computers. 3. Right-click on My Computer and select Properties. 4. From My Computer Properties select COM Security tab. 5. In Launch and Activation Permissions area click Edit Limits. 6. Add OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions. 7. Click OK to confirm and close My Computer Properties. Setting WMI permissions 1. Run wmimgmt.msc (Windows Management Infrastructure Control console). 2. Right-click on WMI Control. Click Properties > Security tab. 3. Select Root > CIMV2 namespace and click the Security button. 4. Add the OpenDNS_Connector user and Allow the following permissions: Enable Account, Remote Enable and Read Security. 5. Click OK to exit each dialog window, then click Save to apply changes. 28

29 Internal Networks Internal Networks Integration: Install and Setup Guide 29

30 Overview The purpose of the Internal Networks identity is to define a subnet that's non-routable (or RFC1918 compliant) as an Identity you can apply policy to. For instance, if your Internal Network is defined as /24, any computer, tablet or device with an IP on that subnet would receive the filtering policy defined for it whenever it made a request to access the Internet. For an overview on the process of setting up an internal network check out the getting started video here. Prerequisites These steps assume you have set up at least one Virtual Appliance (VA). Please ensure: An Insights Virtual Appliance (VA) has been deployed. Please follow page 5 in this guide to deploy your VA. Local clients are have been configured and are successfully able to route DNS queries to the VA. Please follow page 24 in this guide.!note: The recommended requirements for installation include a second VA for redundancy to ensure uptime during upgrade and high availability. For additional guidance on step-by-step configuration of a virtual appliance, please see our article here: Virtualized Server Environment Requirements for VMware: VMware ESXi 4.1 update 2 or newer to create the Virtual Appliances. Your ESXi server host is set to the correct date and time for predictable VA behavior. Your ESXi server host has at least one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance. We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. Requirements for Hyper-V: Windows Server 2012, Window Server 2012 SP1 or Windows Server 2012 R2 (Standard or Data Center) with Hyper-V. Your Windows 2012 server is set to the correct date and time for predictable VA behavior. In addition to the minimum required hardware to run Windows Server 2012, we recommend: o An additional 512Kb of RAM for each Virtual Appliance o Allocation of 7GB of disk space for each Virtual Appliance o An additional CPU core for each Virtual Appliance. (Note: This may not be necessary if the server provisioned for Hyper-V is highly spec'd). We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. 30

31 !IMPORTANT! In order for the VA to properly route local DNS queries and external DNS queries, all clients that are to be managed by Umbrella need to have their DNS addresses be the addresses of your VAs. o Your VA should already have DNS traffic flowing to it and be successfully installed in your Umbrella Dashboard before configuring the identities for the Internal Network Step 1: Provisioning a Subnet for Your VA The next step is to define a Site for your VA. Navigate to System Settings > Sites & Active Directory in your Umbrella Dashboard. By default, the first VA will be assigned to the Default Site. If you would like to change the Site for the VA, or if you would like to add a second Site for a second VA, you can change the Site for the VA by adding a new site. Just expand the VA, add a new Site or pick the Default Site: Step 2: Add an Internal Network for your Site Once you've set your first site up, in the Umbrella Dashboard go to Configuration > Identities > Internal Networks 31

32 To configure your first Internal Network, click 'add a new network'. You'll be asked to name your network and provide a valid subnet. In this case, we've picked a /24 subnet, so the final octet of the IP will be.0!important! If you re unfamiliar with traditional subnet masks, there are subnet calculating tools online to help. The final octet of your IP range should match the mask for that range. The Internal Networks setup will not allow an invalid range to be configured. Some examples of valid subnets, either very small or very large are: This control can be quite granular: you can assign an individual Internal Network policy to a single IP or to a DHCP scope that's already been configured for your network. Step 3: Policy Configuration for your Site By default the Internal Network you've configured will be assigned to the Default Site, which is given the Default Policy in your Umbrella. You can change this by assigning the Identity for your Site to a new Policy, which can take precedence if ordered first. 32

33 Alternately, you can create a unique Policy for the Identity for your site by drilling down through the Sites under the Policy section: Once you've selected the site that contains your Internal Networks, you can begin to select the parts of the policy to apply to these computers with the policy builder. 33

34 1. Navigate to Configuration >Policies, and click add a new policy or click the name of an existing policy. 2. Check the Sites box if you want to apply a single policy for all installed Sites, or check the box next to one or more sites by drilling down on the identity picker. To remove a selected Site, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click next. 3. Select the 'Policy Settings' for Security Settings, Content Settings and Domain Lists, then 'Block Page Settings' you would like enforced for this policy. Then click next.!note: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so. 4. Set a meaningful description for the policy, then click save.!note: The policy you created will be applied within seconds to any new connections coming into the Umbrella Service from the computers at this selected site. 5. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.!note: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, Default Policy always ordered last, which is a catchall for any identity.!important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire. You can confirm that your policy is being applied to the network in question by selecting Identities > Internal Networks, and ensuring that your network has the appropriate policy applied. 34

35 Step 4: Testing Traffic for your Internal Network A quick test to ensure your internal network is provisioned correctly for the network you ve set up is to check the reporting for that identity. First, ensure you ve used a computer or other device within the Internal Network s IP range to access the Internet to generate reporting data. Next, Go to Reports > Activity Report and then set the filter for the report to the Internal Network you created: Once you ve run the report, you should see the identity name listed along with Internet traffic coming from the IP addresses associated with your Internal Network. 35

36 Roaming Clients Windows and Mac Umbrella Roaming Clients: Install and Setup Guide 36

37 Overview The Umbrella Roaming Client serves to protect laptops regardless of where they are in the world or how they connect to the Internet. The client works by securely redirecting DNS queries bound for the Internet to the Umbrella Secure Cloud Gateway via one of the OpenDNS Global Network data centers distributed worldwide so that your policies are enforced as you choose and security is applied, preventing your computers from becoming compromised. Several scenarios include computers accessing the Internet through 3g/4g wireless carrier networks, untrusted networks via Wi-Fi hotspots (e.g. airport, café, hotel, home), and within office environments behind trusted network gateways or Umbrella-protected networks via Umbrella Insights Virtual Appliances. This guide explains how to install the client on your organization s Windows and Mac laptops (and desktop systems, if desired) and verify that it is working properly. Prerequisites To use the roaming client, you must have: Supported Operating Systems Windows 8, 7, XP or Vista with.net 3.5 or newer. Mac OSX 10.6 or newer.!important! Some anti-virus or other software programs may cause conflicts or prevent the Roaming Client from functioning properly. Please test representative systems before deploying to a large number of machines. Network Access Open these outbound ports to allow encrypted DNS requests to be routed through the OpenDNS Global Network: o TCP/UDP 53 to opendns.com, api.opendns.com, , o TCP/UDP 443 to opendns.com. api.opendns.com, , !NOTE: Within some Wi-Fi networks these ports may not be accessible. At such times the Roaming Client will follow a back off protocol as described in Appendix B. Software If you have the OpenDNS DNSCrypt client on the machine(s) you plan to install the Roaming Client on, it must be uninstalled prior to installing the Roaming Client. Otherwise, the Roaming Client will not function properly. 37

38 Whitelisting your Internal Domains first When using the roaming client, all of your DNS lookups are sent directly from your computer to the Umbrella resolvers. This is generally a good thing, but will cause issues for users who want to access internal network resources such as printers, or internally hosted websites that rely on internal DNS resolvers. To ensure uninterrupted access these resources, administrators should add the appropriate domains to the Internal Domains section of the dashboard, found under System Settings > Internal Domains. This will create an internal domain whitelist that will be synced to your roaming users. Once the whitelist has been synced (it usually takes between 5-10 minutes), the client should automatically forward any requests for those internal resources to the proper internal DNS server. Which Domains Should I Whitelist? Domain whitelists can be an entire domain or a specific subdomain as well as reverse lookup zones. Entry Whitelists Does Not Whitelist zombo.com zombo.com, anything.possible.zombo.com notzombo.com everything.zombo.com everything.zombo.com zombo.com 192.in-addr.arpa networks within the 192 range other RFC 1918 subnets This means that you can choose to direct an entire domain, or only specific subdomains, to be resolved using the default DNS servers. This is particularly useful in cases where some subdomains are publicly accessible, but others only accessible when connected to your Internal network (or VPN). Simply add the internal subdomains to your whitelist, and those lookups will never be sent to Umbrella. If the clients are part of an active directory domain we also recommend adding the reverse lookup zone for your internal network to make sure dynamic DNS updates and other active directory related tasks are not affected. 38

39 Step 1: Download & Install!IMPORTANT! Downloaded installers are unique to your organization. Do not distribute them outside of your organization. Manual Installation to Single Machine (Windows or Mac) 1. Using the machine you would like to install the Roaming Client on, ensure it has Internet access, and log into the Umbrella Dashboard and navigate to Configuration > Identities > Roaming Computers 2. Click the Provision Roaming Computers button and then the Download for Windows or Download for Mac button (depending on what type of system you are installing to), and save it to the location of your choice. 3. Navigate to the downloaded installer (.ZIP file). 4. Optional: Hide the End-User UI (Tray Icon). The.ZIP file contains a README (Windows) or PLIST file (Mac). Reference them for details if you do NOT want your users to see a tray icon with status information about the Roaming Client. By default it is visible. 5. Optional: Hide the Roaming Client from Add/Remove Programs (Control Panel). The.ZIP file contains a README (Windows). Reference this for details if you do NOT want your users to see information about the Enterprise Roaming Client in the Add/Remove Programs applet. By default it is visible. 6. If you skipped step 4 or 5, simply double-click the file to begin the installation. 7. Click through the steps in the setup wizard, answering any questions appropriately. 8. Click the Finish button to complete the installation of the Roaming Client. Distributed Installation for Multiple Machines (via Windows Group Policy Object) 1. Using the machine you would like to distribute the Roaming Client to target machines from, log into the Web Admin Dashboard and navigate to Configuration > Identities > Roaming Computers,. 2. Click the Provision Roaming Computers button and then the Download for Windows button, and save it to the location of your choice. 3. Navigate to the downloaded installer (.ZIP file) and extract the MSI & README files. 4. Open the README file. Inside you should see the command you can use to deploy the Roaming Client to multiple computers via GPO or SCCM/SMS. You may also optionally hide the end-user UI (tray icon) if you prefer users to NOT see status information about the Roaming Client. By default it is visible. You can optionally hide the Windows client from Add/Remove Programs. 39

40 Step 2: Verify Operation To check that the Roaming Client successfully installed and connected to the Umbrella Service: 1. Skip to the next step if you chose to make the tray icon invisible. By default, the tray icon is visible. Verify this on the machine you installed the Roaming Client. Clicking on the icon will expand it as follows: Windows Mac Note: If the tray icon is not visible and you did not disable it when you performed the installation, please contact OpenDNS Technical Support at 2. Log into the Umbrella Dashboard and navigate to Configuration > Identities > Roaming Computers 3. The hostname of each machine you installed the Roaming Client on, as well as its status and policy information, should be listed. If so, you may skip to step 3 on the following page. If not, follow the next tasks.!note: For details on the meanings of different status indicators and information on the Identities->Roaming Computers, see Appendix A. 4. Double-check that the machine has Internet access with the appropriate network permissions. If after a few minutes the hostname still does not appear following the troubleshooting tips provided in Appendix C. 5. If the tasks in the Appendix fail to resolve the issue, please contact technical support at [email protected]. 40

41 Step 3: Policy Configuration Once verifying that the Roaming Clients are operating successfully, define and apply security and content usage policies to them. 6. Navigate to Configuration>Policies, and click add a new policy or click the name of an existing policy. 7. Check the Roaming Computers box if you want to apply a single policy for all installed roaming clients, or check the box next to one or more roaming computers (by hostname) via the identity picker. To remove a selected computer, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click next. 8. Select the 'Policy Settings', then 'Block Page Settings' you would like enforced for this policy. Then click next.!note: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so. 9. Set a meaningful description for the policy, then click save.!note: The policy you created will be applied within seconds to any new connections coming into the Umbrella Service from the selected computers. 10. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.!note: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, default [Organization Name] Policy always ordered last, which is a catchall for any identity.!important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire. 41

42 Appendix A: Status From the Umbrella Dashboard, click the Configuration tab. In the left sidebar section, click the Identities menu and choose Roaming Computers. COLUMN Name Primary Policy Last Sync DESCRIPTION Hostname of the machine. Policy that the machine is governed by, and a colored protection status icon as follows: Green (Okay): Machine is protected by the enforced policy. Yellow (Warning): Machine is unprotected since the policy is not currently being enforced (e.g. machine is unable to connect to the Umbrella Service). Grey (Offline): Protection is unknown since the machine has been powered down, off the Internet, or Roaming Client uninstalled for a period of time. Lapsed time since the roaming computer last contacted the Umbrella Service. Encryption Shows a locked or unlocked icon indicating whether the DNS queries between the Umbrella Service and the machine are encrypted or not. Note: Roaming computers behind an Umbrella Insights Virtual Appliance do not need to be in an encrypted state. Version Currently installed software version of the Roaming Client. Note: If no version is reported, that machine has never successfully synchronized with the Umbrella Service. A red x icon is present to allow you to remove that machine from the list of machines managed by your organization s policy. How Roaming Computers Change States When the Roaming Client first detects a new network connection, it attempts to contact the Umbrella Service via a special encrypted DNS query. If this succeeds, the Roaming Client will operate under Protected/Encrypted mode. If it fails, the Roaming Client will back off by attempting to connect to the Umbrella Service via an unencrypted version of the same special DNS query. If the unencrypted DNS query succeeds, the Roaming Client will operate under Protected/Unencrypted mode. If it fails, the Roaming Client will attempt to use whatever DNS settings were provided by the DHCP or static network settings the machine was initially configured with, effectively entering Unprotected/Unencrypted mode. When in the Unprotected/Unencrypted mode the Roaming Client will continue to periodically test whether it can connect to the Umbrella Service via either encrypted or unencrypted DNS queries. If it can, it will return to the Protected/Encrypted mode. For example, in situations where a user must join a public Wi-Fi network and click through an acceptable use agreement or pay a fee for network access. Following the completion of getting access to the Internet, the Roaming Client will return to the Protected/Encrypted mode, if possible. 42

43 Appendix B: Roaming Clients Behind Virtual Appliances via Umbrella Insights Your Organization may use Umbrella Insights for their internal networks. Virtual Appliances (VA) forward all on-network machines DNS queries to the Umbrella Service via the OpenDNS Global Network. If a machine running the Roaming Client enters that network, the Roaming Client will detect the VA presence and allow the machine to be governed by the policies for that site instead of sending the queries directly to the Umbrella Service. Thus, policies specific to Roaming Computers will only be applied when outside of your internal networks that use a VA. This state is reflected in the Configuration->Identities->Roaming Computers policy status. When hovering over the GREEN policy status icon for a particular machine, a message will read Determined by VA. 43

44 Appendix C: Troubleshooting Below are the locations of logs, commands, or other tools that can help troubleshoot the Roaming Client.!IMPORTANT! You will most likely need administrator access to perform the following functions. FUNCTION WINDOWS ROAMING CLIENT MAC ROAMING CLIENT Verify It is Running View the Log File Check that the "OpenDNS Enterprise Roaming Client" service is "Started" via the Services control panel. Open "C:\ProgramData\OpenDNS\ERC\OpenDNS _ERC_Service.log". You should see a few log entries like this: The Roaming Client Service has started successfully. The config file was loaded successfully. That a Device ID was acquired from the OpenDNS cloud service. The Roaming Client is successfully syncing to the cloud. Open up a command prompt by pressing CMD + space bar and typing terminal, then click the Enter key. Run the command: ps -ef grep dns-updater grep -v grep You should see something like this: :40AM?? 1:07.79 /Library/Application Support/OpenDNS Roaming Client/dns-updater Run the command: cat /var/log/system.log grep -E "(dns-updater DNSCrypt)" The system.log will include information such as state changes and errors, and should indicate the state of the Roaming Client on the machine. You should see a log entry like this: Aug 30 13:45:30 machinename dns-updater[553]: <INFO>: --- current proxy state: transparent Restart It Open the Services control panel and restart the OpenDNS Enterprise Roaming Client service. Run the command: sudo killall dnsupdater 44

45 Add Predictive Intelligence, Threat Protection, and Security Enforcement Everywhere and non-malicious Internet events. This global intelligence and situational awareness reflecting over 2% of the world s Internet connections is used to predict, prevent, contain and obtain visibility into emerging threats before they happen. 80 million security events every day. It takes less than 30 minutes to deploy and less than 1 minute to view all the Internet activity occurring across your entire organization. Visit OpenDNS.com to Instantly Start a Free 2-Week Trial OpenDNS, Inc may be reproduced by any means nor translated to any electronic medium without the Prevention is no match for persistence: Rethinking Cyber-Security in the Age of Relentless Attacks