What is the communication flow with Umbrella's Active Directory implementation?
When the AD Connector script is run on a DC:
The Windows script makes a one-time connection from the domain controller (DC) to the cloud on port TCP/443 using HTTPS to register the DC with the dashboard so the connector knows about it. It makes a call to https://api.opendns.com with some specific parameters.
Once the script successfully registers the DC, you should see it on the dashboard.
At times we see issues related to the "Root Certificate Updates" on Windows. A quick way to check for this is to open Internet Explorer and point the browser to https://api.opendns.com/v2/OnPrem.Asset, which should print a message like "1005 Missing API key". If you see any certificate errors or warnings on that page, make sure you have the latest "Root Certificates Update" from Microsoft installed.
How the AD Connector communicates with the Umbrella Cloud service or a Virtual Appliance:
Connector > Cloud
It uploads all Active Directory (AD) data every two minutes if there are changes, using an HTTPS connection on port TCP/443. Only information on Groups/Users/Computers is uploaded; no passwords are uploaded, and all user information is hashed locally so the data is unique to us.
Connector > Virtual Appliances
The connector constantly sends AD events to the virtual appliances using port TCP/443 (unencrypted). This is also one-way communication; the appliances do not talk back to the connectors. Logs from the connector are sent to the virtual appliances on port TCP/8080.
Connector > Domain Controllers
The connector talks to all domain controllers located in the same site using ports TCP/389 and 3268 for LDAP sync. The connector also talks to the domain controllers using WMI/RPC.
This usually means TCP/135, the standard port for RPC, plus a randomly assigned port between TCP/1024 and 65535 for Windows 2003 and older, or between TCP/49152 and 65535 for Windows 2008.
The virtual appliances usually communicate frequently on port TCP/443 to api.opendns.com, as well as on TCP/UDP 53 for DNS queries/probes and TCP/2222 to establish the support tunnel.
If any communication issues are seen, we usually recommend checking for Layer-7 application proxies that might be blocking or dropping some data. A common case is the inspect feature on Cisco devices that acts on protocols such as DNS/HTTP/HTTPS.
Virtual Appliances (VA) > Cloud
The virtual appliances talk to the cloud using ports 53 UDP/TCP, 443 TCP, 80 TCP and 2222 TCP. They receive data from the connectors on port 443 but do not require communication back to them. Port 53 (UDP/TCP) is used for DNS resolution and port 2222 TCP enables the support tunnel.
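The flows listed above, collected into a baseline that captured connection records can be checked against, so that anything the connector or a virtual appliance does outside the documented pattern stands out. This is an added example, not Cisco code or part of the article: the address-to-role mapping and the log records are constructed, 203.0.113.10 stands in for api.opendns.com, and treating Windows releases newer than 2008 the same as 2008 for the dynamic RPC range is an assumption.

```python
"""Baseline of the AD Connector / Virtual Appliance traffic described above, used to
flag connection records that fall outside it. Added example, not Cisco code; the
role mapping and log lines are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str       # role of the host that opens the connection
    dst: str       # role of the destination host
    proto: str     # "tcp" or "udp"
    ports: range   # permitted destination ports
    purpose: str   # what the article says the flow carries


def rpc_dynamic_range(dc_windows_version: int) -> range:
    """Dynamic RPC port range the connector may use towards the DCs, per the article:
    TCP/1024-65535 for Windows 2003 and older, TCP/49152-65535 for Windows 2008.
    Assumption: releases newer than 2008 are treated like 2008."""
    if dc_windows_version <= 2003:
        return range(1024, 65536)
    return range(49152, 65536)


def documented_flows(dc_windows_version: int = 2008) -> list:
    """The flows enumerated in the article, as an allow-list."""
    rpc = rpc_dynamic_range(dc_windows_version)
    return [
        Flow("connector", "cloud", "tcp", range(443, 444), "DC registration and AD data upload (HTTPS)"),
        Flow("connector", "va", "tcp", range(443, 444), "AD events to virtual appliances (one-way)"),
        Flow("connector", "va", "tcp", range(8080, 8081), "connector logs to virtual appliances"),
        Flow("connector", "dc", "tcp", range(389, 390), "LDAP sync"),
        Flow("connector", "dc", "tcp", range(3268, 3269), "LDAP sync"),
        Flow("connector", "dc", "tcp", range(135, 136), "RPC (standard port) for WMI/RPC"),
        Flow("connector", "dc", "tcp", rpc, f"WMI/RPC dynamic port ({rpc.start}-{rpc.stop - 1})"),
        Flow("va", "cloud", "udp", range(53, 54), "DNS queries/probes"),
        Flow("va", "cloud", "tcp", range(53, 54), "DNS queries/probes"),
        Flow("va", "cloud", "tcp", range(80, 81), "HTTP to the cloud"),
        Flow("va", "cloud", "tcp", range(443, 444), "HTTPS to api.opendns.com"),
        Flow("va", "cloud", "tcp", range(2222, 2223), "support tunnel"),
    ]


def classify(src_role: str, dst_role: str, proto: str, dport: int, flows) -> Optional[str]:
    """Return the documented purpose of a connection, or None if it matches no flow."""
    for f in flows:
        if (f.src, f.dst, f.proto) == (src_role, dst_role, proto) and dport in f.ports:
            return f.purpose
    return None


# Constructed sample network: which role each address plays. 203.0.113.10 (TEST-NET-3)
# stands in for the Umbrella cloud (api.opendns.com); none of these are real hosts.
ROLES = {
    "10.0.0.5": "connector",   # DC that runs the AD Connector
    "10.0.0.10": "dc",
    "10.0.0.11": "dc",
    "10.0.1.20": "va",
    "203.0.113.10": "cloud",
}

# Constructed connection records: "<timestamp> <src> <dst> <proto> <dport>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 203.0.113.10 tcp 443
2024-01-01T10:00:05Z 10.0.0.5 10.0.1.20 tcp 443
2024-01-01T10:00:06Z 10.0.0.5 10.0.1.20 tcp 8080
2024-01-01T10:00:10Z 10.0.0.5 10.0.0.10 tcp 389
2024-01-01T10:00:11Z 10.0.0.5 10.0.0.10 tcp 3268
2024-01-01T10:00:12Z 10.0.0.5 10.0.0.11 tcp 135
2024-01-01T10:00:13Z 10.0.0.5 10.0.0.11 tcp 49670
2024-01-01T10:00:14Z 10.0.0.5 10.0.0.11 tcp 2000
2024-01-01T10:00:20Z 10.0.1.20 203.0.113.10 udp 53
2024-01-01T10:00:21Z 10.0.1.20 203.0.113.10 tcp 2222
2024-01-01T10:00:30Z 10.0.1.20 10.0.0.5 tcp 443
2024-01-01T10:00:31Z 10.0.0.5 10.0.0.10 tcp 445
"""


def audit(log_text: str, roles: dict, dc_windows_version: int = 2008) -> list:
    """Return (record, reason) for every connection that is not a documented flow."""
    flows = documented_flows(dc_windows_version)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        src_role = roles.get(src, "unknown")
        dst_role = roles.get(dst, "unknown")
        if classify(src_role, dst_role, proto.lower(), int(dport), flows) is None:
            findings.append((line, f"{src_role} -> {dst_role} {proto}/{dport} is not a documented flow"))
    return findings


if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG, ROLES, dc_windows_version=2008):
        print(f"{reason}: {record}")
```

Against the sample records the audit flags three things with a Windows 2008 baseline: a connector-to-DC connection on TCP/2000 (below the 2008 dynamic range, but legitimate if the DCs were Windows 2003), a virtual appliance opening TCP/443 back to the connector (the article says the appliances never talk back), and a connector-to-DC connection on TCP/445, which the article does not list at all. The first case shows why the DC Windows version has to be part of the baseline rather than guessed.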