Articles in this section

See more

Using the AD Connector with an HTTP Proxy

Avatar
Ashley Williams
  • Updated
Follow

Overview

When first implementing Active Directory integration for Umbrella, you might find that the AD Connector is not showing up in the Umbrella Dashboard under Sites & Active Directory. You may also have an HTTP proxy in your environment, or you have used an HTTP proxy in the past. 

Symptoms

The AD Connector has never registered with the Cisco Umbrella API and therefore does not appear in the Dashboard. Additionally, viewing your Connector logs may reveal the following:

 

2/02/2017 12:55:32 AM: DoFirstRun()

2/02/2017 12:55:32 AM: URL: https://api.opendns.com/v2/OnPremAsset.register

2/02/2017 12:55:32 AM: POST DATA: api_key=𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽&org_token=𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽&type=connector&org_id=𑂽𑂽𑂽𑂽𑂽𑂽&ipaddress_internal=10.1.1.50&label=𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽𑂽

2/02/2017 12:55:33 AM: Register() fail: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>

<title>The page cannot be displayed</title>

<meta http-equiv="content-type" content="text/html; charset=utf-8" />

<style>

body {

   background:#e5eaf5 url(/Wbo-F0B0168B-74FA-4B2F-A27F-224925E0A1EC/bg.gif) top left repeat-x ;

   margin:0px 0px 0px 0px;

   font-family:Arial, Helvetica, sans-serif;

   min-width:1000px;

   font-size:12px;

   color:#000000;

   direction:ltr;

   }

img {border:none}

   .main {

       width:100%;

       background:url(/Wbo-F0B0168B-74FA-4B2F-A27F-224925E0A1EC/topright.gif) top right no-repeat;

       min-width:1000px;

       min-height:400px;

       margin-left:auto;

       margin-right:auto;

       text-align:left;

   }

    .logo {float:left;  height:103px; }

   .sidetext {float:right; width:182px; height:52px; background:url(/Wbo-F0B0168B-74FA-4B2F-A27F-224925E0A1EC/sidetext.png) top left; border:1px solid #2a2e31; margin-right:20px; margin-top:20px; padding:4px; }

   .sidetextNone {visibility:hidden; }

 

   .whiteline {float:left; clear:both; font-size:20px; margin-left:47px; margin-top:17px; color:#ffffff; white-space:nowrap; }

   .bold {font-weight:bold;}

 

   .maintext {float:left; margin-top:20px; clear:both; color:#000; margin-left:47px;}

 

   .color1 {color:#677183;}

 

   ul {margin-top:0; padding-left:15px; padding-top:5px; padding-bottom:5px;}

 

   ul li {list-style-image:url(/Wbo-F0B0168B-74FA-4B2F-A27F-224925E0A1EC/bullet.gif)}

   A {

   FONT-WEIGHT: bold; COLOR: #005a80;

}

A:hover {

   FONT-WEIGHT: bold;COLOR: #0d3372;

}

</style>

 </head>

<body>

   <div class="main">

       <div class="logo"><img src="/Wbo-F0B0168B-74FA-4B2F-A27F-224925E0A1EC/logo.png" alt="ForeFront" /></div>

       <div class="whiteline"><td id=L_dt_1><span class="bold">Network Access Message:</span> The page cannot be displayed </td></div>

   <div class="maintext">

<br />

 <td id=L_dt_2><span class="bold color1">Technical Information (for support personnel)</span></td><br />

<ul>

<li><td id=L_dt_3><span class="bold">Error Code:</span></td> 407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209).</li>

<li><td id=L_dt_4><span class="bold">IP Address:</span></td> 10.1.1.103</li>

<li><td id=L_dt_5><span class="bold">Date:</span></td> 2/02/2017 12:55:33 AM [GMT]</li>

<li><td id=L_dt_6><span class="bold">Server:</span></td> PROXY.example.com </li>

<li><td id=L_dt_7><span class="bold">Source:</span></td> proxy  </li>

</ul>

   </div>

</div>

</body>

</html>

2/02/2017 12:55:33 AM: Skipping SYNC due to failed register...

The above response reveals that the Register() function has failed due to an HTTP proxy in the environment intercepting requests to the Cisco Umbrella API. 

How to Resolve

Please note the following about the AD Connector software:

  • It runs as the SYSTEM user by default
  • It does not hold or set proxy settings on the machine on which it is running. It uses .NET's WebRequest class for all HTTP/S connections. By default, WebRequest uses the Internet settings for the user the application is running as, and in the case of the Connector, it would be the SYSTEM user. The details around the WebRequest class are detailed here: https://msdn.microsoft.com/en-us/library/system.net.webrequest(v=vs.110).aspx

There are a few ways to find the proxy settings for the SYSTEM user on a machine:

  1. Run netsh winhttp show proxy, which will show any proxy settings in use by the SYSTEM user
  2. Run Internet Explorer as the SYSTEM user using either PSExec or the "Run As System" tool here: https://www.apreltech.com/Free/How_to_run_as_system_user
  3. Use Digicert's certificate utility as the SYSTEM user, which has a tool for displaying the proxy settings: https://www.digicert.com/util/about-ssl-certificate-utility.htm
  4. Check the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry key for proxy settings. 

If you have checked all of these settings, then it’s possible that the proxy is transparent or inline. In this case, you would want to ensure that the machine running the Connector is able to bypass the proxy altogether, or that the proxy allows the server to browse unauthenticated.

Please see this article for more information on configuring an HTTP proxy for use with Cisco Umbrella.

If you continue to have problems with this, please collect a packet capture while attempting to register the Connector, which is best done by restarting the Connector service. After that, send in the packet capture to Umbrella Support at umbrella-support@cisco.com.

Related articles

Comments

0 comments

Article is closed for comments.