Articles in this section

See more

Active Directory Integration – Multiple AD Sites and Sites for Umbrella

Avatar
Matt Prytuluk
  • Updated
Follow

Back to Table of Contents | Previous section: Step 5: Route DNS Traffic through the Virtual Appliances

 

 

Umbrella Sites

 

The Sites feature in Umbrella allows administrators to segregate their Umbrella deployments. Each Umbrella Site is an isolated deployment in which the components will only communicate with other components in the same Umbrella Site. Umbrella sites are a container to isolate sections of a large multi-site network into groups which only sync to the other components in the container. For example, Umbrella sites may be North America, Asia, and Europe or Northeast, California, Atlanta office, South Region, and London (and each Umbrella site may be one or a combination ofActive Directory (AD) Sites.)

This is primarily useful in AD environments containing locations with high-latency connections, or in environments with locations whose internal IP space overlaps.

 

Active Directory Sites and Umbrella Sites

 

A Site represents a set of computers that are connected by a high-speed network, such as a local area network (LAN). Typically, all computers in the same physical site reside in the same building or perhaps the same campus network. Active Directory and Umbrella both use the term "Sites", and while related, have slightly different meanings:

 

Active Directory Sites and Services

 
  • In AD, a Site object represents the actual directory data that is replicated between domain controllers.
  • AD Sites are used to manage the objects that represent the Site, and the servers that reside in the Site.

 

Umbrella Sites

 
  • In Umbrella, a Site refers to a set of components (VAs, Connectors, and DCs) which communicate only with each other.
  • An Umbrella site is more than a label and is more like a container; however, is not the same as an AD Site. Multiple AD sites can be part of an Umbrella Site, but one AD site should not be split into multiple Umbrella sites.
  • A Site must have a minimum of two VAs, and one Connector and DC each for AD integration.

Because Umbrella Sites do act as isolated deployments, each Umbrella Site must have a minimum of two Virtual Appliances (VA's). If AD integration is also being used, then each Site must additionally contain a minimum of one AD Connector, and ALL domain controllers against which a user in that location would authenticate.

When you want to use Umbrella Sites

  • You need to limit WAN traffic between locations that are using Active Directory Sites to limit authentication to local servers (http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx)
  • Your locations communicate between a NAT device, which causes the internal IP address of an end machine to be lost when communicating between locations.
  • Your locations use overlapping internal IP ranges.
  • You have locations which have high-latency connections between them (for example, branches in different continents.) High latency connections, especially between the Connector and the VAs, can result in delays to updates for user mappings.

 

Caveats

  

The isolation of the components in a given Umbrella Site means that a specific VA will only be aware of users who have authenticated against Domain Controllers assigned to the same Umbrella Site. As a result, we do not recommend using multiple Umbrella Sites in a single AD Site, even if that AD Site spans multiple geographical locations. In such a scenario, users in location may still authenticate against a DC in a different location, and thus the Umbrella components may miss user mappings.

 

Using Umbrella Sites

 

Individual Umbrella Sites should be configured as if they were complete deployments. So, for each Umbrella Site:

  • Follow the previous steps of this guide again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a Site by clicking on its name and selecting an existing Site or creating a new Site. 
  • You may also rename the default or any existing Sites.
    Note: Ensure that there are at least two VAs, one AD Server, and one AD Connector assigned to each Site. Please verify a complete, functioning deployment at each Site before moving on to the next Site.

To assign a Site to a component, navigate to Settings > Sites and Active Directory, click an Insights identity. When the identity expands, you can to add a new Site, or change the site of the component.

Active Directory Only: If you change the location of an Insights component after you've already installed the Connector service, you will have to Stop/Start the connector service on each Connector in both the new and old Umbrella Sites through the Services management tool in Windows.

 

Next section: Appendix A: Prepare a Separate non-AD Server to Install the Connector

Related articles

Comments

0 comments

Article is closed for comments.