Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1

Virtual Appliances Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V Virtual Appliance Setup Guide for Umbrella Page 1

Table of Contents Overview... 3 Prerequisites... 4 Virtualized Server Environment on VMware or Hyper-V... 4 Network Environment... 4 Create the Virtual Appliance (VA) in VMWare... 5 Create the Virtual Appliance (VA) in Hyper-V... 7 Create the Virtual Appliance (VA) in Windows 2008 R2 Server with the Hyper-V Role, or Hyper-V Server 2008.... 7 Create the Virtual Appliance (VA) in Hyper-V for 2012 R2... 10 Configure the Virtual Appliance... 18 Verify the Virtual Appliance Syncs with the Dashboard... 19 Configure the Redundant Virtual Appliance... 19 Route Local DNS Queries... 20 Configure your Settings for Active Directory or Internal Networks... 22 Route DNS Traffic through the Virtual Appliances... 22 Virtual Appliance Setup Guide for Umbrella Page 2

Overview When configuring either the Umbrella for Internal Networks or Umbrella for Active Directory, the first step is to configure a Virtual Appliance (a "VA" for short). The purpose of Virtual Appliances is to map internal source IP addresses to internals AD users and computers then forward external DNS queries from your network to one of the OpenDNS Global Network data centers. The Virtual Appliance performs the following functions: Runs in a virtualized server environment and forwards local DNS queries to your existing DNS servers and remote DNS queries to OpenDNS. If Internal Networks integration is enabled, captures the local IP of the computer making the external DNS request and reports it to the OpenDNS Global Network. If Active Directory Integration is enabled, the VA forwards external DNS queries with non-sensitive metadata to the OpenDNS Global Network to identify the AD user or computer.!note: The recommended requirements for installation include a second VA for redundancy (not shown in the diagram) to ensure uptime during upgrade and high availability. We require a second VA for high availability during downtime associated with upgrading.!important! In order for the Virtual Appliance to properly route local DNS queries and external DNS queries, all clients that are to be managed by Umbrella need to have their DNS addresses be the addresses of your VAs. This guide explains how to install the VAs on the supported virtualization platforms and verify that they are working properly before pointing DNS traffic to them. Virtual Appliance Setup Guide for Umbrella Page 3

Prerequisites To support virtual appliances, you must have either VMWare ESX or Microsoft Hyper-V, or a combination of both. Virtualized Server Environment on VMware or Hyper-V Requirements for VMware: VMWare ESXi 4.1 update 2 or newer to create the Virtual Appliances. Your ESXi server host is set to the correct date and time for predictable VA behavior. Your ESXi server host has at least one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance. We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. Requirements for Hyper-V: Windows 2008 R2 Server with the Hyper-V Role, or Hyper-V Server 2008. Windows Server 2012 (Standard or Data Center), Window Server 2012 SP1 (Standard or Data Center) or Windows Server 2012 R2 (Standard or Data Center) with the Hyper-V role installed, or Hyper-V Server 2012, or Hyper-V Server 2012 R2. Your Windows server is set to the correct date and time for predictable VA behavior. In addition to the minimum required hardware to run your Windows Server, we recommend: o An additional 512Mb of RAM for each Virtual Appliance o Allocation of 7GB of disk space for each Virtual Appliance o An additional CPU core for each Virtual Appliance. (Note: This may not be necessary if the server provisioned for Hyper-V is highly spec'd). We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network. Network Environment The following requirements are for your Network Environment to ensure you can communicate with OpenDNS. These requirements apply to both VMware and Hyper-V. Set the following outbound ports to be open from the VAs to the 67.215.92.0/24 subnet and the OpenDNS DNS resolvers: 53 TCP & UDP (208.67.220.220 and 208.67.222.222) 443 TCP & UDP (67.215.92.0/24) 80 TCP (67.215.92.0/24) 2222 TCP (67.215.92.0/24) Virtual Appliance Setup Guide for Umbrella Page 4

Do not place devices with network address translation (NAT), or that in any manner obfuscates the internal IP address(es) between the computers and the Virtual Appliance at each site. Make sure you do not have transparent proxies on your network to avoid issues. Create the Virtual Appliance (VA) in VMWare 1. On any network PC with the ability to log into your ESXi server using the VMware vsphere client, point your browser to https://dashboard2.opendns.com and log in with your Umbrella credentials. 2. From the Dashboard, navigate to Configuration > System Settings > Sites & Active Directory. 3. Click the download components button in the upper-right corner and select the download button for the VA for VMware ESXi 4.1 Update 2.!NOTE: If you already downloaded this file a few days ago, please re-download it in case of a newer version. System prompts will update you on the status of the download of the OpenDNS.ova file. 4. Log onto your VMware vsphere client. 5. Select the File tab, and click Deploy the OVF Template. 6. Follow the deployment wizard prompts; taking note of: a. For the source, browse to the.ova file you just downloaded. b. Verify that your VMware server host is running version 4.1 or newer. c. Specify a unique name and location of your Virtual Appliance. d. Select the disks appropriate to your environment. e. Make sure you select the Thin Provision radio button. f. Specify the network.!note: If using Active Directory Integration, this is the same network that includes your Domain Controller Virtual Appliance Setup Guide for Umbrella Page 5

(DC) and VA instances. These two components must be able to communicate with each other. 7. Click Finish after completing the deployment configuration. System prompts will update you on the status. 8. Select the device just created and right-click. Select Power > Power on. 9. Right-click the device just created, and select Open Console. Virtual Appliance Setup Guide for Umbrella Page 6

Create the Virtual Appliance (VA) in Hyper-V Hyper-V Configuration depends on the version of Hyper-V server you re running: 2008R2 or 2012 and 2012 R2. Please jump to the appropriate virtual server environment. Create the Virtual Appliance (VA) in Windows 2008 R2 Server with the Hyper-V Role, or Hyper-V Server 2008. The following instructions are for the Virtual Appliance on Microsoft Server 2008 R2 with the Hyper-V Role installed, or Hyper-V Server 2008 R2. These steps also assume a working knowledge of Microsoft Hyper-V server. First, download the Hyper-V installer from within your Dashboard, under Configuration > System Settings > Sites and Active Directory. Click on the download components button in the upper right: This will expand to show the selection of Virtual Appliance downloads for Sites & Active Directory. Select the download button for VA for Hyper-V for Windows Server 2008 R2, 2012, and 2012 R2: 1. Once you've downloaded the file, extract the contents to a folder. There are two folders - virtual hard disks and virtual machines. There is also one configuration file. You should have something an extraction path similar to this: 2. Next go to the Hyper-V Manager. Select your Hyper-V server, then select Import Virtual Machine.. from the Actions menu on the right-hand side: Virtual Appliance Setup Guide for Umbrella Page 7

3. Browse to the location that you extracted the download to and select the top-level folder, normally called \OpenDNS-Virtualmachine-<date>\. Do not select either of the two subfolders: Ensure the import settings are as above: Select the radio button "Copy the virtual machine (create a new unique ID)" Select the checkbox for "Duplicate all files so the same virtual machine can be imported again." If you selected the wrong folder, when you click Import you will see an error message regarding there being no virtual machine present: If you selected the correct folder and options, you should see the Import proceed: Once the import is complete, do not start the Virtual Machine. 4. Ensure you change the network adapter. In Settings for the Virtual Appliance select the Network Adapter and then assign a virtual switch that has Internet access: Virtual Appliance Setup Guide for Umbrella Page 8

4. The next steps are critical to being able to install more than one VA, which is the properly supported configuration. Without changing the name, you will be unable to import a second VA easily. First, navigate to the folder where the virtual hard disks are stored by default. If you're uncertain, click on your Hyper-V Settings: Navigate to the folder, and then rename the two files on disk that have been imported. Simply adding a number to the filename is sufficient, but it can be whatever you'd like. Rename dynamic.vhd to dynamic-2.vhd Rename forwarder-va.vhd to forwarder-va-2.vhd Once that's been done, the next step is to change the Settings for the Virtual Machine. Select the newly created Virtual Machine "forwarder-va", then select Settings on the right-hand side. Navigate to your IDE Controller for the hard disks (IDE Controller 0 by default), and change the Media path to the VHD file to be forwarder-va-2.vhd and the second hard drive to be dynamic-2.vhd: Virtual Appliance Setup Guide for Umbrella Page 9

Note: Be careful that the filenames match and you don't accidentally add additional file extensions. 5. Change the name of the Virtual Machine itself to reflect the changes in the filenames, and to help better organize your VAs for future reference. Select the "Rename.." option the right-hand menu pane, then append -2 to the name: 6. Then power-on on the virtual machine, which will bring you to the command line to configure your VA. If all is well, you'll start by seeing the boot screen for the Hyper-V resolver. 7. To build your second VA, you will not have to rename the files on disk. Simply import the VA following steps 1 through 4 above. However, if you're interested in building more than 2 VAs, you should follow all of the steps above. The next stage of the process is to configure the VAs to match your network, or you can build a second VA following these steps before proceeding. Skip to page 18 to configure. Create the Virtual Appliance (VA) in Hyper-V for 2012 R2 1. On the computer running Hyper-V, point your browser to https://dashboard2.opendns.com and log in with your Umbrella credentials. 2. Download the Hyper-V installer from within your Dashboard, under Configuration > System Settings > Sites and Active Directory. Click the download components button in the upper-right corner and select the download button for the VA for Hyper-V for Windows Server 2012 and Windows 2012 Server R2.!NOTE: The download may take some time to begin as the file is generated on a per-customer basis. If you already downloaded this file a few days ago, please re-download it in case of a newer version. 3. Once you've downloaded the file, extract the contents to a folder. There are two folders - virtual hard disks and virtual machines. There is also one configuration file. You should have an extraction path similar to this: Virtual Appliance Setup Guide for Umbrella Page 10

4. If you are using Windows 2012 R2 with Hyper-V, please note: Microsoft has changed the VM format on Hyper-V Windows 2012 R2. As a result the "import" steps below will fail on import. Instead, we recommend that you create a new virtual machine under Generation 1 and attach the hard drives (step 7 in the steps below). 5. Next go to the Hyper-V Manager. Select your Hyper-V server, then right-click on it's name and select Import Virtual Machine from the menu: 6. Navigate to extraction folder from your download and select that folder to import: Virtual Appliance Setup Guide for Umbrella Page 11

7. Click Next to move to the next part of the wizard At this point, you should see "forwarder-va" as the name of the virtual machine to import. Select this name and click next: 8. You'll be asked to choose the type of import to perform. Select the radio button to "Copy the virtual machine (create a new unique ID)" as below, and click Next: Virtual Appliance Setup Guide for Umbrella Page 12

9. Next, choose Destination folders to install to. These will be the Hyper-V Configuration folders by default but you can pick another folder if you'd like:!note: If selecting a different folder, pick a drive with sufficient space and create a folder with a specific name for the virtual machine, such as \opendnsfowarder-1\. This can be helpful to ensure you're able to distinguish between the two virtual appliances in your file structure. Click Finish to end the wizard. 10. The next steps are very important. Virtual Appliance Setup Guide for Umbrella Page 13

First, navigate in Windows Explorer to the \Virtual Hard Disks\ subfolder within the extracted download folder created earlier (step 1). Copy the two files from that location to the Virtual Machine Configuration Folder you specified in the "Choose destination" step of the wizard (step 6) There will be two files, dynamic and forwarder-va. You should rename these files in accordance with the VA that is being installed. For instance, re-name the file "dynamic" to "Dynamic-VA-1" and rename "forwarder-va" to "Forwarder-VA-1. If configuring your second VA, change the number accordingly. This can help ease management of multiple virtual appliances and avoids conflicts between filenames when configuring your second VA. Next, go back to your Hyper-V Manager. Select the virtual machine you've created right-click and choose "Settings " In Settings for Hardware, select the Network Adapter and then assign a virtual switch that has Internet access, as below: Virtual Appliance Setup Guide for Umbrella Page 14

11. Next, in Settings for Hardware select the hard-drives. Ideally, they should be under the same IDE controller. For hard-drive settings, browse to the Virtual Machine Configuration Folder and the first hard drive should be set to the forwarder file (Forwarder-va) and the second hard drive should be set to the dynamic (Dynamic) file, as shown in this example: Virtual Appliance Setup Guide for Umbrella Page 15

Virtual Appliance Setup Guide for Umbrella Page 16

12. At this point, apply the configuration in the wizard. Then power-on on the virtual machine, which will bring you to the command line to configure your VA. If all is well, you'll start by seeing the boot screen for the Hyper-V resolver. The next stage of the process is to configure the VAs to match your network, or you can build a second VA following these steps before proceeding. Virtual Appliance Setup Guide for Umbrella Page 17

Configure the Virtual Appliance The configuration of the Virtual Appliance is the same for both VMWare and Hyper-V. However the troubleshooting may vary, especially in regard to networking setup on the virtual server side. 1. From the VMware console after a brief boot up process, you are prompted to configure the DNS forwarder by tabbing between fields. 2. For the Name: field, this is the Name that will appear next to the managed VA in your Umbrella Dashboard. It may help you to include the IP address in the Name for ease of reference. 3. For the IP, Netmask and Gateway fields, give the VA a static IP on the same network / site as you d like to manage with the VAs along with the appropriate netmask and gateway for that network. The IP should match that provisioned already in VMWare or Hyper-V. 4. For the Local DNS 1 and 2 fields, enter your local DNS servers, which are often the IP addresses of your Windows Servers with both the Active Directory Domain Services and DNS Server roles installed. 5. Press Return. 6. Tab to Save and press Return.!NOTE: You should see a sync message indicating that the VA and Umbrella are communicating as below: Virtual Appliance Setup Guide for Umbrella Page 18

If you receive any error messages, or would like to know more about what each of these tests are, you can tab to the test and hit Return: The information here can help you understand what possible network issue could exist between the VA and the OpenDNS Secure Cloud Gateway. In this example, the SSL test to the host 'disthost.opendns.com' on port 443 timed out. If you were unable to complete the tests, please check the ESX or Hyper-V network configuration to ensure you've matched it properly. Once you've identified and resolved the issue, the tests continue to run in the background and the test will subsequently succeed without intervention. If you'd like to ensure the tests are run successfully, you can reboot the VA by going to the System Menu (CTRL+S) Verify the Virtual Appliance Syncs with the Dashboard When you return to the Umbrella dashboard, System Settings > Sites & Active Directory, you should see your VAs listed with the name you gave it earlier in the VA Console configuration. It may show as an Inactive state in your Dashboard. This should eventually change to a Sync state within a few minutes. Configure the Redundant Virtual Appliance Repeat the above steps to configure a secondary Virtual Appliance, which is required for continuous operation. Set up the Redundant VA as the secondary DNS server for your network in the IP settings for the DHCP scope being given to clients (or static IP if your configuration requires that) Virtual Appliance Setup Guide for Umbrella Page 19

!NOTE: Having a secondary VA ensures 100% uptime in the event of any critical issues, as well as, enabling auto-upgrades to stagger any necessary reboots. Depending on your setup, you can place each VA on a separate VMware or Hyper-V host. Please make sure you deploy the secondary virtual appliance by following the steps, do not clone the already deployed virtual appliance onto a new one.. Route Local DNS Queries To ensure correct DNS responses to local hosts inside your internal network, you will want to add local DNS domains in your Umbrella Dashboard. Once added, these domains will automatically sync to both VAs (or more than two, if you have 2 VAs per physical site.) You only need to do this step once in the dashboard and the change should sync to both your primary and secondary virtual appliance. It's important to note that certain zones and domain prefixes have already been added, both for the Virtual Appliance and the OpenDNS Roaming client. The following have already been added for you: RFC1918 local Non-publicly routable address spaces used only for reverse DNS on internal networks All *.local domains For All Appliances and Devices For All Appliances and Devices The RFC-1918 reverse DNS zones that are already added are: 10.in-addr.arpa, 16.172.in-addr.arpa through to 31.172.in-addr.arpa inclusive and 168.292.in-addr.arpa, which will cover all internal IP address range. However, if your internal domain name doesn't end in *.local, you should add it here. To add internal DNS zones and domains 1. Open your Umbrella Dashboard and navigate to System Settings > Internal Domains. 2. Enter any internal DNS zone or domains: Virtual Appliance Setup Guide for Umbrella Page 20

You have a choice whether to apply this internal domain to All Appliances and Devices, or only the Virtual Appliances. An example of where you may wish to specify only the Virtual Appliances is with a mail server. If Roaming Devices off the network are expected to resolve "Mail.YourCompany.Com" to an external IP, but then when they are on the network, to resolve it to an internal IP, it's best to ensure that "Mail.YourCompany.com" is applied to Virtual Appliances only. If you're not sure what your domains for forward zone lookups or reverse lookups are, you can find out by going to the Domain Controller(s) that is the primary internal DNS resolver for your network. Login with a privileged account and open Control Panel > Administrative Tools > DNS Manager or go to Start > Run > and type "dnsmgmt.msc" Expand the Server name to show the Forward and Reverse Zones for your Domain, then drill through to see the inaddr.arpa domain address for your network. In this example, the network "10.122.6.44" would be covered by the 10.in-addr.arpa and the domain "butter.local" would be covered by the *.local domain, so there's actually no need for these to be added. Once you've confirmed things are working as expected, you can begin to point your DNS traffic from your endpoints toward the VA. Start with a single workstation to test to ensure local internal resolution is working Expand the testing to a subset of users, such as local I.T. or trustworthy Deploy the change to all of the workstations at the site / subnet associated with the VA. Virtual Appliance Setup Guide for Umbrella Page 21

Configure your Settings for Active Directory or Internal Networks At this point, you may wish to configure your settings for Active Directory or Internal Networks, depending on which configuration you are planning to use the Virtual Appliances for. By integrating with your Active Directory environment and securely forwarding DNS queries to the OpenDNS Global Network, you can enforce and report on users, computers and groups. To learn more, please read the Active Directory Setup Guide for Umbrella, or click here: https://support.opendns.com/entries/22214871 Integration with the Internal Networks configuration allows you to manage Umbrella policy for subnets of computers based on the internal IP addresses of your network. To learn more, please read the Sites and Internal Networks Setup Guide for Umbrella, or click here: https://support.opendns.com/entries/21850935 Route DNS Traffic through the Virtual Appliances In order for you to begin enforcing your settings, all DNS traffic should be routed through your Virtual Appliances. 1. First, start by testing on a few devices by manually configuring their DNS settings to use the Virtual Appliances. Try different operating systems or hardware types to ensure compatibility with all your devices.!important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire. 2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization. 3. Once you ve verified correct enforcement of policies with your pilot group of computers, you can either stage the cut over to using the Virtual Appliances for DNS or cut over the entire organization. The best time to affect the cut over is typically after users log out for the day. 4. When users log in after the installation is complete, they should begin sending all DNS queries to the one of the VAs forwarding DNS traffic.!note: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs. secondary DNS server relationship. Stub DNS resolvers behavior on many operating systems are undocumented in regards to which DNS server they will use at any time. Virtual Appliance Setup Guide for Umbrella Page 22