Enterprise Insights Active Directory Integration: Installation and Setup Guide v1.0.5




This guide explains how to install and configure the Active Directory Components provisioned and maintained from the Dashboard with OpenDNS Enterprise Insights. By integrating with your Active Directory environment and forwarding DNS queries to OpenDNS, you can enforce and report on users, computers and groups. For many customers, only the instructions on pages 4-19 (Prerequisites through Step 5) are required.

Table of Contents

Overview
Prerequisites
    Virtualized Server Environment
    Active Directory Environment
    Network Environment
Step 1: Setup DNS Forwarding via Virtual Appliances
    Create the Virtual Appliance (VA)
    Configure the Virtual Appliance
    Verify the Virtual Appliance Syncs with the Dashboard
    Create the Redundant Virtual Appliance
    Route Local DNS Queries
Step 2: Prepare your Active Directory Environment
    Run the Configuration Script on the AD Server
    Verify the AD Server Reports to the Dashboard
    Repeat for Each AD Server
Step 3: Connect Active Directory to OpenDNS
    Install the Connector
    Verify the Connector Syncs with the Dashboard
    Verify all Active Directory Components are Operational
Step 4: Configure Settings in Dashboard
    Define Internet Access Settings
    Assign Settings to AD Groups
Step 5: Route DNS Traffic through the Virtual Appliances
Multiple AD Sites
    Create a New Site
    After Each Installation, Assign Component to the New Site
Appendix A: Prepare a Separate non-AD Server to Install the Connector
Appendix B: Configuring AD Servers on Windows Server 2003 R2
    Setting the Manage auditing and security log Group Policy
    Setting DCOM permissions
    Setting WMI permissions

Overview

The Active Directory integration consists of two components that must reside in your network at each independent AD site:

NOTE: An Active Directory site in the context of this document means an independent location with its own AD server(s), DNS server(s), and connection to the Internet.

1. The Virtual Appliance ("VA" for short), which:
   - Runs in a virtualized server environment,
   - Forwards local DNS queries to your existing DNS servers, and
   - Forwards external DNS queries with non-sensitive metadata to the OpenDNS service.

   NOTE: The recommended installation includes a redundant VA (not shown in the diagram).

2. The Connector, which:
   - Runs in your Active Directory environment,
   - Securely communicates non-sensitive user and computer login info to the Virtual Appliances.
   - Securely communicates non-sensitive user and computer group info to the OpenDNS service.

   NOTE: If your security policy requires it, the Connector can be installed on a different non-AD server (see Appendix A for details).

This guide explains how to install each of these components and verify that they are working properly before you deploy them.

Prerequisites

To support the OpenDNS Active Directory integration, you must have:

Virtualized Server Environment

- VMware ESXi 4.1 or newer to create the Virtual Appliances.
- Your ESXi server host is set to the correct date and time for predictable VA behavior.
- Your ESXi server host has one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance.

Active Directory Environment

- Windows Server 2003 R2, 2008 or 2008 R2 with the latest service packs and 100Mb free hard disk drive space.
- Only a single domain environment.

  IMPORTANT! When deploying OpenDNS Active Directory Components at more than one WAN-linked (MPLS-type network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at the current site before moving on to the next.

- A new user account with:
    o The logon name (aka. sAMAccountName) set to OpenDNS_Connector.
    o The box Password never expires checked.
    o A password entered without backslash or quotation characters.
    o Make sure the OpenDNS_Connector user is a member of the following groups and if not, please add the missing ones:
        Event Log Readers
        Distributed COM users
        Enterprise Read-only Domain Controllers

IMPORTANT! For environments on Windows Server 2003 R2, several manual steps are required (see Appendix B for instructions).

Network Environment

- Set the following ports to be open from the Active Directory server to the Virtual Appliances:
    o 443
- Set the following outbound ports to be open from the VAs and connectors to OpenDNS.com:
    o 53
    o 443
    o 2222
- Do not place devices with network address translation (NAT), or that in any manner obfuscate the internal IP address, between hosts and the Virtual Appliance per site.
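The account requirements above can be checked before the Connector is installed. The following is an added example, not part of the OpenDNS guide or its configuration script: a read-only PowerShell audit of the OpenDNS_Connector account. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or RSAT); the function names and the PASS/FAIL/REVIEW labels are illustrative.

```powershell
# Added example (not OpenDNS code): read-only audit of the Connector service
# account against the prerequisites listed above.
# Assumption: the ActiveDirectory module is installed (Windows Server 2008 R2 or RSAT).
Import-Module ActiveDirectory

# Group names as listed in the guide's prerequisites.
$RequiredGroups = @(
    'Event Log Readers',
    'Distributed COM Users',
    'Enterprise Read-only Domain Controllers'
)

function New-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Status = $Status; Detail = $Detail } |
        Select-Object Check, Status, Detail
}

function Test-ConnectorAccount {
    param(
        [string]$SamAccountName = 'OpenDNS_Connector',
        [string[]]$Required = $RequiredGroups
    )

    # 1. The account must exist under the exact logon name the guide specifies.
    try {
        $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires -ErrorAction Stop
    } catch {
        return New-Finding 'Account exists' 'FAIL' $_.Exception.Message
    }
    New-Finding 'Account exists' 'PASS' $user.DistinguishedName

    # A disabled account cannot log on, so the Connector could not use it.
    if ($user.Enabled) { New-Finding 'Account enabled' 'PASS' 'Enabled' }
    else               { New-Finding 'Account enabled' 'FAIL' 'Account is disabled' }

    # 2. "Password never expires" must be checked.
    if ($user.PasswordNeverExpires) {
        New-Finding 'Password never expires' 'PASS' 'Flag is set'
    } else {
        New-Finding 'Password never expires' 'FAIL' 'Check "Password never expires" on the account'
    }

    # 3. Membership in each group the guide lists.
    $memberOf = @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.Name })
    foreach ($group in $Required) {
        if ($memberOf -contains $group) {
            New-Finding "Member of '$group'" 'PASS' 'Present'
        } else {
            New-Finding "Member of '$group'" 'FAIL' 'Add the account to this group'
        }
    }

    # Informational only: memberships beyond the guide's list and the default
    # primary group. The account keeps a non-expiring password, so anything
    # listed here is worth a manual review.
    $expected = $Required + 'Domain Users'
    $extra = @($memberOf | Where-Object { $expected -notcontains $_ })
    if ($extra.Count -gt 0) {
        New-Finding 'Additional group memberships' 'REVIEW' ($extra -join ', ')
    }

    # Not checkable here: the password itself (no backslash or quotation
    # characters) cannot be read back from the directory.
}

Test-ConnectorAccount | Format-Table -AutoSize -Wrap
```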

Step 1: Setup DNS Forwarding via Virtual Appliances

The purpose of Virtual Appliances is to map internal source IP addresses to AD users and computers, then forward external DNS queries from your network to one of the OpenDNS datacenters. Local DNS queries are forwarded to your internal DNS servers.

Create the Virtual Appliance (VA)

1. On any network PC with the ability to log into your ESXi server using the VMware vSphere client, point your browser to https://dashboard2.opendns.com and log in with your OpenDNS credentials.
2. From the OpenDNS Dashboard, click the Active Directory Components tab.
3. Click the download the Virtual Machine button.

   NOTE: If you already downloaded this file a few days ago, please re-download it in case of a newer version. System prompts will update you on the status of the download of the OpenDNS.ova file.

4. Log onto your VMware vSphere client.

5. Select the File tab, and click Deploy the OVF Template.
6. Follow the deployment wizard prompts, taking note of:
   a. For the source, browse to the .ova file you just downloaded.
   b. Verify that your VMware server host is running version 4.1 or newer.
   c. Specify a unique name and location of your Virtual Appliance.
   d. Select the disks appropriate to your environment.
   e. Make sure you select the Thin Provision radio button.
   f. Specify the network.

      NOTE: This is the same network that includes your AD servers (also referred to as the Domain Controller, or DC) and VA instances. These two components must be able to communicate with each other.

7. Click Finish after completing the deployment configuration. System prompts will update you on the status.

8. Select the device just created and right-click. Select Power > Power on.
9. Right-click the device just created, and select Open Console.

Configure the Virtual Appliance

1. From the VMware console after a brief boot up process, you are prompted to configure the DNS forwarder by tabbing between fields.

   NOTE: For Local DNS 1 and 2 enter your local DNS servers, which are often the IP addresses of your Windows Servers with both the Active Directory Domain Services and DNS Server roles installed.

2. At the Add Domain prompt enter the name of your domain (adding internal zones is described below).
3. Press Return.
4. Tab to Save and press Return.

   NOTE: You should see a sync message indicating that the VA and the OpenDNS service are communicating.

Verify the Virtual Appliance Syncs with the Dashboard

When you return to the OpenDNS Dashboard, you will see the VA you just created in the Info state on the Active Directory Components page.

Create the Redundant Virtual Appliance

Repeat the above steps to create a secondary Virtual Appliance, which is required for continuous operation.

NOTE: The redundant VA ensures 100% uptime in the event of any critical issues, and enables auto-upgrades to stagger any necessary reboots. Depending on your setup, you can place each VA on a separate VMware host.

Route Local DNS Queries

To ensure correct DNS responses to local hosts inside your internal network, you will want to configure your VAs to route queries to your existing DNS servers.

To add internal DNS zones:

1. From the VMware console, select Edit.
2. Use Tab until you have highlighted the Add domain option.
3. Add your internal zone(s) (e.g. example.com).
4. Add your reverse zone(s) (e.g. if your network is 192.168.1.0/24 you should add: 1.168.192.in-addr.arpa).
5. Select Save and hit Enter.

To add A & PTR records for your VAs:

1. On your local DNS server, click Start, Run and type dnsmgmt.msc
2. Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com).
3. Select the local zone (e.g. corp.domain.com).
4. On the right hand side right-click, select New Host.
5. Enter a hostname for the OpenDNS forwarder, an IP and make sure the box Create associated pointer (PTR) record is checked.
6. Click Add Host.

To verify that the records were created correctly, you can test with nslookup:

1. Enter: nslookup (IP ADDRESS of the VA). For example:

    > nslookup 192.168.1.2
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    1.168.192.in-addr.arpa name = opendns01.corp.domain.com.

2. Enter: nslookup (HOSTNAME of the VA). For example:

    > nslookup forwarder01.sjc.opendns.com
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    Name: forwarder01.sjc.opendns.com
    Address: 67.215.92.152

Step 2: Prepare your Active Directory Environment

Running the script on each of the AD servers (also referred to as the Domain Controller, or DC) prepares them to communicate with the Connector.

IMPORTANT! For environments running on Windows Server 2003 R2, several manual steps are required before completing step 2 (see Appendix B for instructions).

Run the Configuration Script on the AD Server

1. From the Active Directory Components page, click the download the Windows configuration script button.
2. Download the file and save it to a location on the machine you plan to run it on.

   NOTE: The configuration script is written in Visual Basic Script and is human readable. For reference, it automates the instructions you'll find in Appendix B, plus more. Contact support for more details.

3. As Admin, open an elevated command prompt.
4. Enter: cscript <filename> where <filename> is the name of the configuration script you downloaded in Step 2.

The script will display your current configuration, then offer to auto-configure the AD Server for operation. If the auto-configure steps are successful, the script will register the AD Server with the OpenDNS Dashboard.

NOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the prerequisites. There are also several Group Policies that affect system operation that may need manual configuration. The script will display the status of these settings and, if needed, provide instructions on changing them.

Verify the AD Server Reports to the Dashboard

When you return to the Dashboard, you will see the hostname of the AD Server you just ran the script on in the Info state on the Active Directory Components page.

NOTE: The configuration script only runs once; it is not an application or service. If you change the IP address or hostname of the AD Server, remove the previous instance of the AD Server by clicking the round X icon, and repeat tasks 1-4.

Repeat for Each AD Server

Repeat the above steps to prepare additional AD Servers (or DCs) in your single domain environment to successfully communicate with the Connector.

Step 3: Connect Active Directory to OpenDNS

The purpose of the Connector is to monitor one or more AD servers. It listens to user and computer logins via the security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the Virtual Appliances. It synchronizes user-to-group, computer-to-group and group-to-group memberships with the OpenDNS service, enabling you to create and enforce group-based settings and view user, computer and group-based reports.

NOTE: You only need to install one Connector per site, but you may install more than one. If your security policy does not allow you to install software directly on your AD Server, you can install it on a separate Windows machine (see Appendix A); otherwise it is recommended to install the Connector on one or more of your AD Servers.

Install the Connector

1. From the Active Directory Components page, click the download the Windows service button.

   IMPORTANT! You must download the zip file to the local machine where you plan to run it. Issues have been observed attempting to install the connector from networked drives.

2. As Admin, select the zip file and extract the setup.msi file.
3. Run setup.msi.
4. Enter the password you configured for the OpenDNS_Connector user you created (see Prerequisites).
5. Follow the setup wizard prompts.
6. When finished, click Close.
7. Return to the Dashboard.

Verify the Connector Syncs with the Dashboard

1. When you return to the Dashboard, you will see the hostname of the AD Server or other machine that you installed the Connector on in the Active Directory Components page.
2. The OpenDNS service automatically configures and connects the VAs to the AD Servers via the Connectors for each configured site, and the status of all of your VAs, AD Servers, and Connectors should change from Info to Okay. If not, contact support.

3. Click the Configuration tab. The AD Servers should automatically synchronize user and computer group memberships, and any subsequent changes, with the OpenDNS service via the Connector. You can verify that this has occurred successfully by clicking the add a new policy button and confirming that your groups are present. As such, you should see all of your AD Groups within the identity picker of the policy wizard. If you don't see your groups, check the Active Directory Components tab to see if the status of all components is OK. If not, contact support.

   NOTE: It can take up to 10 minutes for large numbers of AD user, computer and group objects to synchronize for the first time.

Verify all Active Directory Components are Operational

1. Before you deploy your OpenDNS configuration, confirm that you can resolve DNS traffic by entering the following command that sends a query to opendns.com through your VA:

    C:\>nslookup
    > server {{enter the IP of one of your VA's}}
    > opendns.com

2. You can further verify DNS traffic by entering the following command to send a TXT Record query to debug.opendns.com through the VA:

    > set type=txt
    > debug.opendns.com
    > exit

   This query returns a string of information if you are going through the VA. If you receive a non-existent domain result from that query, there is still something wrong with your configuration and you should contact support.
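The two nslookup checks above, run non-interactively against every Virtual Appliance including the redundant one. This is an added example, not code from the OpenDNS guide; the VA addresses are placeholders to replace with your own, and the function names and status labels are illustrative.

```powershell
# Added example (not OpenDNS code): repeat the guide's two nslookup checks
# against each Virtual Appliance and classify the results.
# Assumption: these addresses are placeholders; replace them with your VA IPs.
$VirtualAppliances = @('192.168.1.2', '192.168.1.3')

function Invoke-NsLookup {
    param([string]$Name, [string]$Server, [string]$Type = 'A')
    # nslookup writes part of its output to stderr; "$_" flattens both
    # streams to plain text so they can be matched together.
    $lines = & nslookup.exe "-type=$Type" $Name $Server 2>&1 | ForEach-Object { "$_" }
    return ($lines -join "`n")
}

function Get-LookupStatus {
    param([string]$Output, [string]$Name, [string]$SuccessPattern)
    # Match NXDOMAIN only for the queried name. A missing PTR record for the
    # VA itself can also print "Non-existent domain" in the header, which is
    # a different problem (see the A & PTR records section of Step 1).
    $nx = "can't find\s+" + [regex]::Escape($Name) + ':\s*Non-existent domain'
    if     ($Output -match $nx)                                    { 'NXDOMAIN' }
    elseif ($Output -match $SuccessPattern)                        { 'OK' }
    elseif ($Output -match 'timed[ -]out|No response from server') { 'NO RESPONSE' }
    else                                                           { 'UNKNOWN' }
}

function Test-VaResolution {
    param([string]$Server)

    # Check 1: an ordinary query for opendns.com through the VA.
    $aOut = Invoke-NsLookup -Name 'opendns.com' -Server $Server
    $aStatus = Get-LookupStatus -Output $aOut -Name 'opendns.com' `
                                -SuccessPattern 'Name:\s+opendns\.com'

    # Check 2: the TXT query for debug.opendns.com. The guide treats a
    # non-existent domain result here as a configuration problem.
    $txtOut = Invoke-NsLookup -Name 'debug.opendns.com' -Server $Server -Type 'TXT'
    $txtStatus = Get-LookupStatus -Output $txtOut -Name 'debug.opendns.com' `
                                  -SuccessPattern 'text\s*='

    # Keep the returned TXT strings so they can be attached to a support case.
    $txtData = ([regex]::Matches($txtOut, '"([^"]*)"') |
                    ForEach-Object { $_.Groups[1].Value }) -join ' | '

    New-Object PSObject -Property @{
        VirtualAppliance = $Server
        ARecord          = $aStatus
        DebugTxt         = $txtStatus
        TxtData          = $txtData
    } | Select-Object VirtualAppliance, ARecord, DebugTxt, TxtData
}

$results = $VirtualAppliances | ForEach-Object { Test-VaResolution -Server $_ }
$results | Format-Table -AutoSize -Wrap

# Any VA that is not OK on both checks should be fixed before Step 5.
$results | Where-Object { $_.ARecord -ne 'OK' -or $_.DebugTxt -ne 'OK' } |
    ForEach-Object { Write-Warning "VA $($_.VirtualAppliance) failed verification" }
```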

Step 4: Configure Settings in Dashboard

Once you have installed all of the OpenDNS components, you can now create Internet Access Settings, such as policies, within the OpenDNS Dashboard based on user and computer groups within your organization.

Define Internet Access Settings

1. From the OpenDNS Dashboard, click the Configuration tab and then the Policy Settings tab.
2. From the Domain Lists panel, click add a domain list.
3. Overwrite the New Domain List placeholder title, and type a name for this domain list (e.g. "Bad Video Sites").
4. Select Allow or Block.
5. Enter one or more domains, one at a time, clicking Add after each (see Policy Settings for category-based access controls).

   NOTE: To add numerous domains, contact OpenDNS.

6. Click Save.
7. From the Policy Settings panel, click add a setting.
8. Overwrite the New Policy Setting placeholder title, and type a name for your policy.

9. Select the policy level.
   - Low, Moderate, or High block predefined categories of content.
   - None allows all content.
   - Custom allows you to select from the 56 categories of content to block.
10. Click Save.
11. When finished, click Save.
12. From the Security Settings panel, click add a setting.
13. Overwrite the New Security Setting placeholder title, and type a name for your security settings.
14. Select the options appropriate for your environment.
15. Click Save.
16. From the Blocked Page Settings panel, click add a setting.
17. Overwrite the New Block Page Setting placeholder title, and type a name for your blocked pages setting.

18. Specify how you want blocked pages to be treated.
    - Selecting Treat all blocked requests the same applies the action you specify to all pages.
    - Treat all blocked requests differently allows you to apply the action you specify by Policy (aka. AUP) Setting, by Domain List (aka. Setting), or by Phishing Protection (aka. Setting).
19. Specify the action to be taken. When a user attempts to navigate to a blocked page, you can display a default message, create a custom message, or redirect the user to a specified URL.
20. Click Preview in a new window to view what the user sees when your blocked page setting is applied. For example, selecting Show a block page with the default and clicking Preview in a new window displays:

Create Policies for your AD Groups

1. From the dashboard, click the Configuration tab.
2. Click the add a new policy button. At this point all of the AD Groups in your domain should be visible.

   If not, you may have to wait a few minutes while the user, computer, and group information is synchronized from your environment to the OpenDNS service.
3. Select the AD Group(s) to which to apply your Internet Access Settings and click the next button.
4. Select the settings you defined above and click the next button.

5. Provide a description of the policy that's meaningful to you and click the save button.
6. The policy for the AD Group(s) you selected is now active.

Step 5: Route DNS Traffic through the Virtual Appliances

In order for you to begin enforcing your settings, all DNS traffic should be routed through your Virtual Appliances.

1. It is suggested that you test on a few devices by manually configuring their DNS settings to use the Virtual Appliances.
2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization.
3. Once you've verified correct enforcement of policies with your pilot group of computers, you can either stage the cut over to using the Virtual Appliances for DNS or cut over the entire organization. The best time to effect the cut over is typically after users log out for the day.
4. When users log in after the installation is complete, they should begin sending all DNS queries to one of the VAs forwarding DNS traffic.

NOTE: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs. secondary DNS server relationship. Stub DNS resolver behavior on many operating systems is undocumented in regard to which DNS server they will use at any time.

Multiple AD Sites

NOTE: Please verify a complete, functioning deployment at each site before moving on to the next site.

Create a New Site

From the OpenDNS Dashboard, click the Active Directory Components tab. In the left-hand Sites section, click add a site and replace the New Site placeholder title with your own site name.

NOTE: You may optionally change the default or new site names at any time by hovering the mouse over the name, which should make an edit icon appear, and clicking to enter a new name.

After Each Installation, Assign Component to the New Site

Follow steps 1-5 again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking on its name and selecting a site from the drop-down.

Appendix A: Prepare a Separate non-AD Server to Install the Connector

If your security policy requires it, the Connector can be installed on a non-AD Server machine, but it must be joined to the same domain as the AD Servers that the Connector will be monitoring.

1. Provision a virtual or physical machine using a static IP.
2. Install one of the three supported Windows operating systems and the other components below.
   a) Windows Server 2008 R2 SP1 (Preferred)
      i. Install AD Domain Services Snap-ins and Command-line Tools feature via Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools
      ii. Install .NET v3.5 SP1*
   b) Windows Server 2008 SP2
      i. Install Active Directory Lightweight Directory Services role
      ii. Install .NET v3.5 SP1*
   c) Windows 7 (non-home license)
      i. Install Remote Support Administration Tools - download available from http://go.microsoft.com/fwlink/?linkid=137379
      ii. Install .NET v3.5 SP1*
3. Join the machine to the same domain as the AD Server (domain controller) being connected to.
4. Open WMI ports via the following command run as Administrator:

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

5. (Optional) If there is no access to a network file share to retrieve the file locally, download and/or unrestrict Internet Explorer (http://www.microsoft.com/download/en/details.aspx?id=25150) or install a different browser.

Appendix B: Configuring AD Servers on Windows Server 2003 R2

Setting the Manage auditing and security log Group Policy

NOTE: Adding the OpenDNS_Connector user to this group policy for all AD Servers (DCs) is also required in certain Windows Server 2008 configurations.

1. By default, Windows Server 2003 does not come with the Group Policy Management Console (GPMC) and it may be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=21895.

   NOTE: Alternatively, 2008 R2 servers should have GPMC installed and you can apply the following permissions from this server to be replicated to the 2003 R2 server.

2. Open the GPMC (via Start > Administrative Tools), and select a Group Policy that applies to Domain Controllers.

   NOTE: If you aren't sure what policy to change, open a command prompt and type the following command: "gpresult /scope computer /r". Look for the Applied Group Policy Objects line. Under it will be a list of policies applied to that Domain Controller. Make note of one that is likely to be applied to all Domain Controllers (e.g. "Default Domain Controllers Policy").

3. Right-click that policy and select Edit to bring up the Group Policy Management Editor.
4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder and select Manage audit and security log to view its properties.

5. Check "Define these policy settings", click "Add user or group", browse and select the OpenDNS_Connector user.
6. Run the "gpupdate" command on the Domain Controller to make sure the policy is applied.

Setting DCOM permissions

1. From a command line run dcomcnfg.
2. Console Root > Component Services > Computers.
3. Right-click on My Computer and select Properties.
4. From My Computer Properties select COM Security tab.
5. In Launch and Activation Permissions area click Edit Limits.
6. Add OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions.
7. Click OK to confirm and close My Computer Properties.

Setting WMI permissions

1. Run wmimgmt.msc (Windows Management Infrastructure Control console).
2. Right-click on WMI Control. Click Properties > Security tab.
3. Select Root > CIMV2 namespace and click the Security button.
4. Add the OpenDNS_Connector user and Allow the following permissions: Enable Account, Remote Enable and Read Security.
5. Click OK to exit each dialog window, then click Save to apply changes.
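One way to confirm the Manage auditing and security log setting from the first part of this appendix after gpupdate has run. This is an added example, not part of the OpenDNS guide or its configuration script; it assumes PowerShell is installed on the Domain Controller and is run from an elevated prompt, and the function name is illustrative. The user right corresponds to the SeSecurityPrivilege entry in a secedit export.

```powershell
# Added example (not OpenDNS code): confirm on a Domain Controller that the
# "Manage auditing and security log" user right (SeSecurityPrivilege) lists
# the Connector account after gpupdate. Run from an elevated prompt.
function Test-ManageAuditRight {
    param([string]$Account = 'OpenDNS_Connector')

    # Resolve the account to its SID; secedit lists most principals as *<SID>.
    # Translate() throws if the account does not exist.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the security policy to a temp file.
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE)"
        }

        # The line looks like: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
        $line = Get-Content -Path $cfg |
                    Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
                    Select-Object -First 1

        $holders = @()
        if ($line) {
            $value   = ($line -split '=', 2)[1]
            $holders = @($value -split ',' |
                           ForEach-Object { $_.Trim().TrimStart('*') } |
                           Where-Object { $_ })
        }

        # The account may appear as its SID, as a bare name, or as DOMAIN\name.
        $granted = $false
        foreach ($h in $holders) {
            if ($h -eq $sid -or $h -eq $Account -or $h -like "*\$Account") {
                $granted = $true
            }
        }

        # Return every holder as well: this right allows reading and clearing
        # the Security log, so the full list is worth reviewing.
        New-Object PSObject -Property @{
            Account = $Account
            Sid     = $sid
            Granted = $granted
            Holders = ($holders -join ', ')
        } | Select-Object Account, Sid, Granted, Holders
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Test-ManageAuditRight | Format-List
```

The check looks only for a direct entry for the account, which is what step 5 configures; a right held through group membership shows up in Holders as the group's SID.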

Cloud-based Internet Security

Trusted by millions around the world. The easiest way to prevent malware and phishing attacks, contain botnets, and make your Internet faster and more reliable.

OpenDNS, Inc.
www.opendns.com
1.877.811.2367

Copyright 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use.

AD-Integration-Guide-V1.0.4