Overview
This article is intended to set out the process for rolling back or removing an Umbrella Insights deployment.
Due to the nature of the product, the deployment can be split into 'sites' which operate independently from each other, so for larger deployments the removal process can be broken down into smaller 'per-site' tasks.
Solution
1 - Switching DNS away from Umbrella
If Insights has been correctly deployed, your network clients will be exclusively using virtual appliances (VAs) as their DNS servers. If you remove your virtual appliances before changing your DHCP settings to point DNS back to your local DNS servers, DNS resolution will fail both internally and externally. Therefore, this is a particularly important step.
The second point about switching DNS settings is that your local DNS servers should be using the Umbrella anycast IP addresses as their forwarders. If this is the case, policy will still be applied to DNS queries leaving the network until you either change the forwarders to point to another public or ISP DNS service, or delete all "networks" (i.e. the public egress IPs of your DNS servers) from your Umbrella dashboard. If Umbrella resolvers receive DNS queries from a network that is registered to a customer organisation, they will enforce the policy which applies to that 'network' identity.
Note that the default policy cannot be deleted from the Dashboard and has default security settings applied, so it will always block some destinations.
NOTE:
Once you're no longer using the Umbrella service then it doesn't really matter which order the removal is done in. We'll go through each of the components.
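A pre-removal check for step 1, added here as an example and not part of the original article: it lists DHCP scopes whose DNS server option still hands out a VA address. It assumes a Windows DHCP server with the DhcpServer PowerShell module; the VA addresses, the server name 'dhcp01' and the sample scope data are constructed placeholders.

```powershell
# Added example: VA addresses and the sample scope data are constructed placeholders.
$VaAddresses = @('192.0.2.10', '192.0.2.11')

function Get-ScopeDnsServers {
    # Read DHCP option 6 (DNS servers) for every IPv4 scope on a Windows DHCP server.
    # A scope with no option 6 of its own inherits the server-level value.
    param([string] $DhcpServer = $env:COMPUTERNAME)
    $serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 `
        -ErrorAction SilentlyContinue
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
        $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer `
            -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if (-not $opt) { $opt = $serverOpt }
        [pscustomobject]@{
            ScopeId    = $scope.ScopeId.ToString()
            State      = $scope.State
            DnsServers = @($opt.Value)
        }
    }
}

function Find-ScopeUsingVA {
    # Return every scope whose DNS server list still contains a VA address.
    param(
        [Parameter(Mandatory)] [string[]] $VaAddress,
        [Parameter(Mandatory)] [object[]] $Scope
    )
    foreach ($s in $Scope) {
        $hits = @($s.DnsServers | Where-Object { $VaAddress -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                ScopeId       = $s.ScopeId
                State         = $s.State
                VaStillListed = $hits -join ', '
            }
        }
    }
}

# Constructed sample: one scope already switched back, one still pointing at a VA.
$sample = @(
    [pscustomobject]@{ ScopeId = '10.1.0.0'; State = 'Active'; DnsServers = @('10.1.0.5', '10.1.0.6') }
    [pscustomobject]@{ ScopeId = '10.2.0.0'; State = 'Active'; DnsServers = @('192.0.2.10', '10.2.0.5') }
)
Find-ScopeUsingVA -VaAddress $VaAddresses -Scope $sample

# Against a live DHCP server (requires the DhcpServer module):
# Find-ScopeUsingVA -VaAddress $VaAddresses -Scope (Get-ScopeDnsServers -DhcpServer 'dhcp01')
```

Clients keep the DNS servers from their existing lease until it is renewed, and statically configured hosts are not covered by this check.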
2 - Uninstall the AD Connector
The connector is normally only installed on a couple of servers on the network and can just be uninstalled through Add/Remove programs. This is a quick and painless process and often all that is required.
If your organisation has a large number of connectors to remove, you may wish to consider using Group Policy or a small PowerShell script like the one below to automate the task. No reboot is required.
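    # Replace 'Software Name' with the connector's name as listed in Add/Remove Programs
    # Note: querying Win32_Product is slow because it validates every installed MSI package
    $app = Get-WmiObject -Class Win32_Product `
        -Filter "Name = 'Software Name'"
    # Only call Uninstall() if the product was found on this server
    if ($app) { $app.Uninstall() }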
3 - OpenDNS_Connector user and Domain Controllers
The only service that should be using this account is the OpenDNS Connector service, so deleting the account after the service has been uninstalled should have no adverse effect at all. The Domain Controller configuration script performed two tasks:
- Set permissions for the OpenDNS_Connector user account to allow the connector to read logon events from other DCs' security event logs
- Ran an API call to register the domain controller to the Umbrella dashboard, which in turn allowed the connector to learn which DCs to connect to in order to capture logon events.
You can undo the effects of the script by simply deleting this user in AD.
4 - Delete the Virtual Appliances
Each instance of the VA can simply be deleted. If the first step has been followed, they should be serving no DNS requests, so deleting them should have zero impact on the network. It would be advisable to first shut down the VAs and ensure all services remain operational before deleting the virtual machines.
5 - Delete AD components from Umbrella Dashboard
When a VA or Connector is installed, it registers a corresponding object to the dashboard under:
--> Deployments --> Sites and Active Directory
The Domain Controller configuration script also registers each DC it is run on to the dashboard.
All of these objects can be deleted from the "Sites and Active Directory" page. It is worth noting that this page is also where Umbrella "sites" can be created, and where the AD components are assigned to these sites. If you are removing on a site-by-site basis, ensure you only delete the components that are assigned to that site.