Roaming Client: Deployment Guide for Umbrella Roaming Client
Overview

The Roaming Client protects laptops regardless of where they are in the world or how they connect to the Internet. The client works by securely redirecting DNS queries bound for the Internet through one of the OpenDNS Global Network data centers distributed worldwide, so that your policies are enforced as you choose and security is applied, preventing your computers from becoming compromised. Scenarios include computers accessing the Internet through 3G/4G wireless carrier networks, through untrusted Wi-Fi hotspots (e.g. airport, café, hotel, home), and within office environments behind trusted network gateways or on Umbrella-protected networks via Virtual Appliances.

This guide explains how to install the client on your organization's Windows and Mac laptops (and desktop systems, if desired) and verify that it is working properly.

Roaming Client Deployment Guide for Umbrella Page 2
Prerequisites

To use the roaming client, you must have:

Supported Operating Systems
  o Windows 8, 7, XP or Vista with .NET 3.5 or newer.
  o Mac OS X 10.7 or newer.

!IMPORTANT! Some anti-virus or other software programs may cause conflicts or prevent the Roaming Client from functioning properly. Please test representative systems before deploying to a large number of machines.

Network Access
Open these outbound ports to allow encrypted DNS requests to be routed through the OpenDNS Global Network:
  o TCP/UDP 53 to opendns.com, api.opendns.com, 208.67.222.222, 208.67.220.220
  o TCP/UDP 443 to opendns.com, api.opendns.com, 208.67.222.222, 208.67.220.220

!NOTE: The IP addresses for opendns.com and api.opendns.com are currently the same (67.215.92.210), but this is subject to change. As such, we advise allowing access to the domain names if possible.

!NOTE: Within some Wi-Fi networks these ports may not be accessible. At such times the Roaming Client will follow a back-off protocol as described in Appendix B.

Software
If you have the OpenDNS DNSCrypt client on the machine(s) you plan to install the Roaming Client on, it must be uninstalled prior to installing the Roaming Client. Otherwise, the Roaming Client will not function properly.
Whitelisting your Internal Domains First

When using the roaming client, all of your DNS lookups are sent directly from your computer to the OpenDNS resolvers. This is generally a good thing, but it will cause issues for users who want to access internal network resources, such as printers or internally hosted websites, that rely on internal DNS resolvers. To ensure uninterrupted access to these resources, administrators should add the appropriate domains to the Internal Domains section of the dashboard, found under System Settings > Internal Domains. This creates an internal domain whitelist that is synced to your roaming users. Once the whitelist has been synced (it usually takes between 5-10 minutes), the client should automatically forward any requests for those internal resources to the proper internal DNS server.

Which Domains Should I Whitelist?

Domain whitelist entries can be an entire domain or a specific subdomain, as well as reverse lookup zones.

  Entry                  Whitelists                                 Does Not Whitelist
  zombo.com              zombo.com, anything.possible.zombo.com     notzombo.com
  everything.zombo.com   everything.zombo.com                       zombo.com
  192.in-addr.arpa       networks within the 192 range              other RFC 1918 subnets

This means that you can choose to direct an entire domain, or only specific subdomains, to be resolved using the default DNS servers. This is particularly useful in cases where some subdomains are publicly accessible, but others are only accessible when connected to your internal network (or VPN). Simply add the internal subdomains to your whitelist, and those lookups will never be sent to Umbrella.

If the clients are part of an Active Directory domain, we also recommend adding the reverse lookup zone for your internal network to make sure dynamic DNS updates and other Active Directory related tasks are not affected.
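The matching rule in the table above, as an added example (not OpenDNS or Umbrella code, and not the client's own implementation): a small Python model of the Internal Domains whitelist that routes a query name to the internal DNS servers when it equals an entry or sits below it as a subdomain, and to Umbrella otherwise. The whitelist, query names and IP addresses are constructed for the example; reverse-lookup names are derived with Python's ipaddress module to show why 192.in-addr.arpa covers 192.x.x.x reverse zones but not the other RFC 1918 ranges. The exact-or-subdomain suffix matching is an assumption drawn from the table, not a documented specification.

```python
"""Added example, not OpenDNS/Umbrella code: models the Internal Domains
whitelist so an administrator can check which lookups would stay internal."""
import ipaddress


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def matches_entry(query: str, entry: str) -> bool:
    """True when the query equals the whitelist entry or is a subdomain of it.
    Assumption: exact-or-subdomain suffix matching, as the guide's table implies.
    The '.' prefix is what keeps notzombo.com from matching the zombo.com entry."""
    q, e = normalize(query), normalize(entry)
    return q == e or q.endswith("." + e)


def route_query(query: str, whitelist) -> str:
    """Return 'internal' if any whitelist entry covers the query, else 'umbrella'."""
    for entry in whitelist:
        if matches_entry(query, entry):
            return "internal"
    return "umbrella"


def reverse_name(ip: str) -> str:
    """PTR query name for an IP, e.g. 192.168.1.5 -> 5.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def route_reverse_lookup(ip: str, whitelist) -> str:
    """Route a reverse lookup for an IP the same way its PTR name would be routed."""
    return route_query(reverse_name(ip), whitelist)


# Constructed whitelist mirroring the three entries in the guide's table.
EXAMPLE_WHITELIST = ["zombo.com", "everything.zombo.com", "192.in-addr.arpa"]

if __name__ == "__main__":
    for name in ["zombo.com", "anything.possible.zombo.com",
                 "notzombo.com", "everything.zombo.com"]:
        print(f"{name:32} -> {route_query(name, EXAMPLE_WHITELIST)}")
    for ip in ["192.168.1.5", "10.0.0.1"]:
        print(f"PTR for {ip:12} ({reverse_name(ip):28}) -> "
              f"{route_reverse_lookup(ip, EXAMPLE_WHITELIST)}")
```

Run it before adding entries to the dashboard to confirm that a planned entry covers exactly the names you expect; a too-broad entry (for example a bare top-level zone) would silently pull public lookups away from Umbrella and out of its policy enforcement.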
Step 1: Download & Install

!IMPORTANT! Downloaded installers are unique to your organization. Do not distribute them outside of your organization.

Manual Installation to Single Machine (Windows or Mac)
1. Using the machine you would like to install the Roaming Client on, ensure it has Internet access, then log into the Umbrella dashboard and navigate to Configuration > Identities > Roaming Computers.
2. Click the Provision Roaming Computers button and then the Download for Windows or Download for Mac button (depending on what type of system you are installing to), and save it to the location of your choice.
3. Navigate to the downloaded installer (.ZIP file).
4. Optional: Hide the End-User UI (Tray Icon). The .ZIP file contains a README (Windows) or PLIST file (Mac). Reference them for details if you do NOT want your users to see a tray icon with status information about the Roaming Client. By default it is visible.
5. Optional: Hide the Roaming Client from Add/Remove Programs (Control Panel). The .ZIP file contains a README (Windows). Reference this for details if you do NOT want your users to see information about the Enterprise Roaming Client in the Add/Remove Programs applet. By default it is visible.
6. If you skipped step 4 or 5, simply double-click the file to begin the installation.
7. Click through the steps in the setup wizard, answering any questions appropriately.
8. Click the Finish button to complete the installation of the Roaming Client.

Distributed Installation for Multiple Machines (via Windows Group Policy Object)
1. Using the machine you would like to distribute the Roaming Client to target machines from, log into the Web Admin Dashboard and navigate to Configuration > Identities > Roaming Computers.
2. Click the Provision Roaming Computers button and then the Download for Windows button, and save it to the location of your choice.
3. Navigate to the downloaded installer (.ZIP file) and extract the MSI & README files.
4. Open the README file.
   Inside you should see the command you can use to deploy the Roaming Client to multiple computers via GPO or SCCM/SMS. You may also optionally hide the end-user UI (tray icon) if you prefer users NOT to see status information about the Roaming Client. By default it is visible. You can optionally hide the Windows client from Add/Remove Programs.
Step 2: Verify Operation

To check that the Roaming Client successfully installed and connected to Umbrella:

1. Skip to the next step if you chose to make the tray icon invisible. By default, the tray icon is visible. Verify this on the machine you installed the Roaming Client on. Clicking on the icon will expand it as follows:

   [Screenshots: expanded tray icon on Windows and on Mac]

   Note: If the tray icon is not visible and you did not disable it when you performed the installation, please contact OpenDNS Technical Support at support@opendns.com.
2. Log into the Umbrella dashboard and navigate to Configuration > Identities > Roaming Computers.
3. The hostname of each machine you installed the Roaming Client on, as well as its status and policy information, should be listed. If so, you may skip to Step 3 on the following page. If not, follow the next tasks.

   !NOTE: For details on the meanings of the different status indicators and the information on the Identities > Roaming Computers page, see Appendix A.
4. Double-check that the machine has Internet access with the appropriate network permissions. If after a few minutes the hostname still does not appear, follow the troubleshooting tips provided in Appendix C.
5. If the tasks in the Appendix fail to resolve the issue, please contact technical support at support@opendns.com.
Step 3: Policy Configuration

Once you have verified that the Roaming Clients are operating successfully, define and apply security and content usage policies to them.

1. Navigate to Configuration > Policies, and click Add a New Policy or click the name of an existing policy.
2. Check the Roaming Computers box if you want to apply a single policy to all installed roaming clients, or check the box next to one or more roaming computers (by hostname) via the identity picker. To remove a selected computer, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click Next.
3. Select the 'Policy Settings', then the 'Block Page Settings' you would like enforced for this policy. Then click Next.

   !NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so.
4. Set a meaningful description for the policy, then click Save.

   !NOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into Umbrella from the selected computers.
5. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.

   !NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, default [Organization Name] Policy always ordered last, which is a catch-all for any identity.

   !IMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache in both the browser and the OS to avoid waiting for the cached responses to expire.
Appendix A: Status

From the Umbrella dashboard, click the Configuration tab. In the left sidebar section, click the Identities menu and choose Roaming Computers.

  COLUMN           DESCRIPTION
  Name             Hostname of the machine.
  Primary Policy   Policy that the machine is governed by, and a colored protection status icon as follows:
                     Green (Okay): Machine is protected by the enforced policy.
                     Yellow (Warning): Machine is unprotected since the policy is not currently being enforced (e.g. machine is unable to connect to Umbrella).
                     Grey (Offline): Protection is unknown since the machine has been powered down, off the Internet, or had the Roaming Client uninstalled for a period of time.
  Last Sync        Elapsed time since the roaming computer last contacted Umbrella.
  Encryption       Shows a locked or unlocked icon indicating whether the DNS queries between Umbrella and the machine are encrypted or not.
                   Note: Roaming computers behind a Virtual Appliance do not need to be in an encrypted state.
  Version          Currently installed software version of the Roaming Client.
                   Note: If no version is reported, that machine has never successfully synchronized with Umbrella.

A red X icon is present to allow you to remove that machine from the list of machines managed by your organization's policy.

How Roaming Computers Change States

When the Roaming Client first detects a new network connection, it attempts to contact the Umbrella service via a special encrypted DNS query. If this succeeds, the Roaming Client operates in Protected/Encrypted mode. If it fails, the Roaming Client backs off by attempting to connect to Umbrella via an unencrypted version of the same special DNS query. If the unencrypted DNS query succeeds, the Roaming Client operates in Protected/Unencrypted mode. If it fails, the Roaming Client attempts to use whatever DNS settings were provided by the DHCP or static network settings the machine was initially configured with, effectively entering Unprotected/Unencrypted mode.
When in Unprotected/Unencrypted mode, the Roaming Client continues to periodically test whether it can connect to Umbrella via either encrypted or unencrypted DNS queries. If it can, it returns to Protected/Encrypted mode. This covers, for example, situations where a user must join a public Wi-Fi network and click through an acceptable use agreement or pay a fee for network access. Once Internet access has been obtained, the Roaming Client returns to Protected/Encrypted mode, if possible.
Appendix B: Roaming Clients Behind Virtual Appliances

Your organization may use Virtual Appliances for additional reporting and granularity on internal networks and Active Directory. Virtual Appliances (VA) forward all on-network machines' DNS queries to Umbrella via the OpenDNS Global Network. If a machine running the Roaming Client enters that network, the Roaming Client detects the VA's presence and allows the machine to be governed by the policies for that site instead of sending the queries directly to the OpenDNS Global Network. Thus, policies specific to Roaming Computers are only applied when the machine is outside of your internal networks that use a VA.

This state is reflected in the Configuration > Identities > Roaming Computers policy status. When hovering over the GREEN policy status icon for a particular machine, a message will read "Determined by VA".
Appendix C: Troubleshooting

Below are the locations of logs, commands, or other tools that can help troubleshoot the Roaming Client.

!IMPORTANT! You will most likely need administrator access to perform the following functions.

FUNCTION: Verify It is Running
  Windows Roaming Client:
    Check that the "OpenDNS Enterprise Roaming Client" service is "Started" via the Services control panel.
  Mac Roaming Client:
    Open a Terminal by pressing CMD + space bar, typing terminal, then pressing the Enter key. Run the command:
      ps -ef | grep dns-updater | grep -v grep
    You should see something like this:
      0 11487 1 0 8:40AM ?? 1:07.79 /Library/Application Support/OpenDNS Roaming Client/dns-updater

FUNCTION: View the Log File
  Windows Roaming Client:
    Open "C:\ProgramData\OpenDNS\ERC\OpenDNS_ERC_Service.log". You should see a few log entries indicating that:
      o The Roaming Client Service has started successfully.
      o The config file was loaded successfully.
      o A Device ID was acquired from the OpenDNS cloud service.
      o The Roaming Client is successfully syncing to the cloud.
  Mac Roaming Client:
    Run the command:
      cat /var/log/system.log | grep -E "(dns-updater|DNSCrypt)"
    The system.log will include information such as state changes and errors, and should indicate the state of the Roaming Client on the machine. You should see a log entry like this:
      Aug 30 13:45:30 machinename dns-updater[553]: <INFO>: --- current proxy state: transparent

FUNCTION: Restart It
  Windows Roaming Client:
    Open the Services control panel and restart the OpenDNS Enterprise Roaming Client service.
  Mac Roaming Client:
    Run the command:
      sudo killall dns-updater
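As an added example (not OpenDNS or Umbrella code), the two Mac checks above turned into a small Python health report that an administrator could run over collected output from many machines: it picks the real dns-updater process out of `ps -ef` output (dropping the grep line, which is what the `grep -v grep` step does) and reads the most recent "current proxy state" line that dns-updater wrote to system.log. The ps and log excerpts are constructed to mirror the lines shown in the table; the earlier "starting" state value is invented for the sample so there is a state change to pick the latest from, and the only state name taken from the guide is "transparent".

```python
"""Added example, not OpenDNS/Umbrella code: summarise the Mac troubleshooting
checks (process present? latest proxy state?) from captured command output."""
import re

# Constructed ps -ef excerpt modelled on the guide's sample line; the grep
# line is included deliberately so the filter has something to drop.
SAMPLE_PS = """\
  UID   PID  PPID   C STIME   TTY           TIME CMD
    0 11487     1   0  8:40AM ??         1:07.79 /Library/Application Support/OpenDNS Roaming Client/dns-updater
  501   900     1   0  8:39AM ??         0:00.10 /usr/bin/grep dns-updater
"""

# Constructed system.log excerpt. The "starting" state is invented for the
# sample; "transparent" is the state shown in the guide.
SAMPLE_SYSLOG = """\
Aug 30 13:45:10 machinename dns-updater[553]: <INFO>: --- current proxy state: starting
Aug 30 13:45:12 machinename kernel[0]: en0: link up
Aug 30 13:45:30 machinename dns-updater[553]: <INFO>: --- current proxy state: transparent
"""

# Matches the state line format shown in the guide:
#   dns-updater[PID]: <LEVEL>: --- current proxy state: STATE
STATE_RE = re.compile(
    r"dns-updater\[(?P<pid>\d+)\]: <(?P<level>\w+)>: --- current proxy state: (?P<state>\S+)"
)


def dns_updater_processes(ps_output: str) -> list:
    """Return PIDs of dns-updater processes, ignoring the grep that looked for them."""
    pids = []
    for line in ps_output.splitlines():
        if "dns-updater" not in line or "grep" in line:
            continue
        fields = line.split()
        # ps -ef columns: UID PID PPID ...; the PID is the second field.
        if len(fields) > 1 and fields[1].isdigit():
            pids.append(int(fields[1]))
    return pids


def roaming_client_log_lines(syslog: str) -> list:
    """Same filter as grep -E "(dns-updater|DNSCrypt)" over system.log."""
    return [l for l in syslog.splitlines() if re.search(r"dns-updater|DNSCrypt", l)]


def last_proxy_state(syslog: str):
    """Most recent proxy state dns-updater reported, or None if none was logged."""
    state = None
    for line in roaming_client_log_lines(syslog):
        m = STATE_RE.search(line)
        if m:
            state = m.group("state")
    return state


def health_report(ps_output: str, syslog: str) -> dict:
    """Combine both checks into one record suitable for fleet-wide reporting."""
    pids = dns_updater_processes(ps_output)
    return {"running": bool(pids), "pids": pids, "proxy_state": last_proxy_state(syslog)}


if __name__ == "__main__":
    print(health_report(SAMPLE_PS, SAMPLE_SYSLOG))
```

A machine that reports running but with no proxy state logged, or one that stays in a non-transparent state after the network has settled, is the one to escalate with the Appendix A status page and the log file itself in hand.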
Umbrella is brought to you by OpenDNS. Trusted by millions around the world. The easiest way to prevent malware and phishing attacks, contain botnets, and make your Internet faster and more reliable. OpenDNS, Inc. www.umbrella.com 1.877.811.2367 Copyright 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use.