As our integration spans several areas of your Active Directory (AD) configuration, it can be helpful to understand the flow of communication between each of the operational components. This can assist in troubleshooting and in ensuring that your environment is properly configured pre-deployment.
Communication Flow with Umbrella's Active Directory Implementation
When the AD Connector script is run on a DC:
The Windows script makes a one-time HTTPS connection from the domain controller (DC) to the cloud on port TCP/443 to register the DC with the dashboard so that the connector knows about it. The call is made to https://api.opendns.com with some specific parameters.
Once the script successfully registers the DC you should see it on the dashboard.
At times, we see issues that can be related to the "Root Certificate Updates" on Windows. A quick way to check is to open Internet Explorer and point the browser to https://api.opendns.com/v2/OnPrem.Asset. That should print a message like "1005 Missing API key". If you see any certificate errors or warnings on that page, make sure you have the latest "Root Certificates Update" from Microsoft installed.
How the AD Connector communicates with the Umbrella Cloud service or a Virtual Appliance:
Connector > Cloud
The connector uploads all Active Directory (AD) data every two minutes if there are changes, using an HTTPS connection on port 443 TCP. Only information on Groups/Users/Computers is uploaded. No passwords are uploaded, and all user information is hashed locally so the data is unique to us.
Connector > Virtual Appliances
The connector is constantly sending AD events to the virtual appliances using port 443 TCP (unencrypted). This is also one-way communication; the appliances do not talk back to the connectors. A mandatory prerequisite is that the connector and VA communicate over a trusted network.
Connector > Domain Controllers
The connector will talk to all domain controllers that are located in the same site using ports 389 TCP and 3268 TCP/UDP for LDAP sync. The connector also talks to the domain controllers using WMI/RPC. Port 135 TCP is the standard port for RPC and WMI.
WMI also uses a randomly assigned port between 1024 TCP and 65535 TCP for Windows 2003 and older or between 49152 TCP and 65535 TCP for Windows 2008 and above.
As of version 1.1.24, the connector also communicates with the domain controller using LDAPS (LDAP over SSL) over ports 636 TCP and 3269 TCP.
If any issues are seen around communication, we usually recommend checking for any Layer-7 application proxies that might be blocking or dropping some data. A common case is the inspect feature on Cisco devices, which acts on protocols such as DNS/HTTP/HTTPS.
Virtual Appliances (VA) > Cloud
The virtual appliances communicate frequently on port 443 TCP to api.opendns.com, as well as on 53 TCP/UDP for DNS queries/probes and on 22, 25, 53, 80, 443, or 4766 TCP to establish the support tunnel.
The virtual appliances will talk to the cloud using ports 53 UDP/TCP, 443 TCP, 123 TCP, and 80 TCP. They receive data from the connectors on port 443 TCP (not an HTTPS connection) but do not require communication back to them.
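The flows above can be checked from the connector host before deployment. The following PowerShell script is an added example, not part of Umbrella's own tooling: it probes TCP reachability for each Connector > Cloud, Connector > DC and Connector > VA flow listed in this article and then repeats the root-certificate sanity check against https://api.opendns.com/v2/OnPrem.Asset. The DC and VA addresses are placeholders, and it assumes Windows PowerShell 5.1 (Test-NetConnection, System.Net.WebException) on a Windows 2012 or newer host.

```powershell
# Added example (not Umbrella's code): pre-deployment connectivity check for the AD Connector flows.
# Replace these placeholder names with your own domain controllers and virtual appliances.
$DomainControllers = @('dc01.example.local', 'dc02.example.local')   # placeholder DC names
$VirtualAppliances = @('10.0.0.50')                                   # placeholder VA address

# One entry per flow described in the article: destination, TCP port, purpose.
$Flows = @()
$Flows += [pscustomobject]@{ Target = 'api.opendns.com'; Port = 443; Purpose = 'Connector > Cloud (HTTPS registration/upload)' }
foreach ($dc in $DomainControllers) {
    foreach ($p in @(389, 3268, 636, 3269, 135)) {
        $Flows += [pscustomobject]@{ Target = $dc; Port = $p; Purpose = 'Connector > DC (LDAP/LDAPS/RPC)' }
    }
}
foreach ($va in $VirtualAppliances) {
    $Flows += [pscustomobject]@{ Target = $va; Port = 443; Purpose = 'Connector > VA (event push, one-way)' }
}

# TCP reachability per flow. A successful handshake proves only that the port answers;
# the dynamic WMI/RPC range (49152-65535 TCP on Windows 2008 and above) cannot be probed this way.
$Results = foreach ($f in $Flows) {
    $tnc = Test-NetConnection -ComputerName $f.Target -Port $f.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $f.Target; Port = $f.Port; Open = $tnc.TcpTestSucceeded; Purpose = $f.Purpose }
}
$Results | Format-Table -AutoSize

# Root-certificate check from the article. With a clean TLS handshake the API answers with an
# HTTP error whose body contains "1005 Missing API key" - that is the expected, healthy result.
# A TrustFailure or SecureChannelFailure instead points at a missing Microsoft Root Certificates Update.
try {
    Invoke-WebRequest -Uri 'https://api.opendns.com/v2/OnPrem.Asset' -UseBasicParsing | Out-Null
    Write-Host 'TLS OK (unexpected 2xx response from the API)'
} catch {
    $err = $_   # capture before entering switch, where $_ becomes the switch value
    if ($err.Exception -is [System.Net.WebException]) {
        switch ($err.Exception.Status) {
            'ProtocolError' {
                $code = [int]$err.Exception.Response.StatusCode
                Write-Host "TLS OK - API replied HTTP $code; body should contain '1005 Missing API key'"
            }
            { $_ -in 'TrustFailure', 'SecureChannelFailure' } {
                Write-Warning "TLS failure ($_): install the latest Microsoft Root Certificates Update on this host"
            }
            default { Write-Warning "Request failed ($_): $($err.Exception.Message)" }
        }
    } else {
        Write-Warning "Request failed: $($err.Exception.Message)"
    }
}
```

Any flow reported with Open = False, and any TLS warning, should be resolved (firewall rules, Layer-7 inspection, root certificates) before the AD Connector is installed.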