When first implementing Active Directory integration for Umbrella, you might find that the AD Connector does not show up in the Umbrella Dashboard under Sites & Active Directory. You may also have an HTTP proxy in your environment, or have used one in the past.
The AD Connector has never registered with the Cisco Umbrella API and therefore does not appear in the Dashboard. Additionally, viewing your Connector logs may reveal the following:
2/02/2017 12:55:32 AM: DoFirstRun()
2/02/2017 12:55:32 AM: URL: https://api.opendns.com/v2/OnPremAsset.register
2/02/2017 12:55:32 AM: POST DATA: api_key=XXXXXXXXXXXXXXXX&org_token=XXXXXXXXXXXXXXXX&type=connector&org_id=XXXXXX&ipaddress_internal=10.1.1.50&label=XXXXXXXXXXXXXXXX
2/02/2017 12:55:33 AM: Register() fail:
Technical Information (for support personnel)
- Error Code:407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209).
- IP Address:10.1.1.103
- Date:2/02/2017 12:55:33 AM [GMT]
2/02/2017 12:55:33 AM: Skipping SYNC due to failed register...
The above response reveals that the Register() function has failed due to an HTTP proxy in the environment intercepting requests to the Cisco Umbrella API.
How to Resolve
Please note the following about the AD Connector software:
- It runs as the SYSTEM user by default
- It does not hold or set proxy settings on the machine on which it is running. It uses .NET's WebRequest class for all HTTP/S connections. By default, WebRequest uses the Internet settings of the user the application runs as, which for the Connector is the SYSTEM user. The WebRequest class is documented here: https://msdn.microsoft.com/en-us/library/system.net.webrequest(v=vs.110).aspx
There are a few ways to find the proxy settings for the SYSTEM user on a machine:
- Run netsh winhttp show proxy, which will show any proxy settings in use by the SYSTEM user
- Run Internet Explorer as the SYSTEM user using either PSExec or the "Run As System" tool here: https://www.apreltech.com/Free/How_to_run_as_system_user
- Use Digicert's certificate utility as the SYSTEM user, which has a tool for displaying the proxy settings: https://www.digicert.com/util/about-ssl-certificate-utility.htm
- Check the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry key for proxy settings.
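The netsh and registry checks above can be collected in one pass. The following PowerShell script is an added example, not part of the original article or of Cisco's tooling. It assumes an elevated prompt on the Connector machine; the value names it reads (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) are the standard Internet Settings values and are not listed in the article, and the "Direct access" match assumes English-language netsh output.

```powershell
# Added example: report the proxy settings that apply to the SYSTEM account (SID S-1-5-18).
# Run from an elevated PowerShell prompt on the machine hosting the AD Connector.

$key   = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

# Read each value if it exists; leave it $null when the key or value is absent.
$settings = [ordered]@{}
$props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
foreach ($n in $names) {
    $settings[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
}

# WinHTTP proxy as reported by netsh (the first check in the list above).
$winhttp = (& netsh.exe winhttp show proxy | Out-String).Trim()

Write-Output '--- Internet Settings for S-1-5-18 ---'
foreach ($n in $names) {
    $shown = if ($null -eq $settings[$n]) { '(not set)' } else { $settings[$n] }
    Write-Output ('{0,-14}: {1}' -f $n, $shown)
}
Write-Output '--- netsh winhttp show proxy ---'
Write-Output $winhttp

# Summarise: is any explicit proxy configured for SYSTEM?
$explicitInet    = ($settings.ProxyEnable -eq 1) -or [bool]$settings.AutoConfigURL
$explicitWinHttp = -not ($winhttp -match 'Direct access')   # English output assumed

Write-Output '--- Summary ---'
if ($explicitInet -or $explicitWinHttp) {
    Write-Output 'An explicit proxy is configured for the SYSTEM user.'
} else {
    Write-Output 'No explicit proxy found for SYSTEM. If registration still returns 407, the proxy may be transparent or inline.'
}
```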
If you have checked all of these settings, then it’s possible that the proxy is transparent or inline. In this case, you would want to ensure that the machine running the Connector is able to bypass the proxy altogether, or that the proxy allows the server to browse unauthenticated.
Please see this article for more information on configuring an HTTP proxy for use with Cisco Umbrella.
If you continue to have problems with this, please collect a packet capture while attempting to register the Connector, which is best done by restarting the Connector service. After that, send in the packet capture to Umbrella Support at firstname.lastname@example.org.