Introduction
This article explains how to exclude a server from being identified as an AD User in Umbrella. The server can then receive a dedicated policy and will be identified by either its IP Address (Option 1) or AD Computer name (Option 2).
Background
Umbrella AD integration works by monitoring Active Directory Login events to determine which user is logged on to each IP address on the network. The Virtual Appliance caches this information and then uses the source IP address (in the DNS packet) and translates this to an Active Directory user.
This process works well for normal domain workstations and servers where each user has a unique source IP address. However, this may not be suitable for servers in the following scenarios:
Dedicated application servers
Servers running dedicated applications need to receive a consistent policy regardless of which user is logged on. These servers typically do not have a real user logged on interactively and might not be identified as a user by Umbrella, or may be identified as a service account user.
Servers with multiple users
Some servers allow multiple users to log in remotely using AD credentials. Often these are not real interactive logins but simply users authenticating to access an application. This can include Intranet servers, Email portals, VPN systems, Wireless Access Points, RDS Terminal Servers, etc.
When multiple users are sharing the same IP address we cannot accurately determine the user.
Internal Network Policy
Part 1 - Internal Network Policy
Create a policy using an "Internal Network" identity to uniquely identify an individual server based on its source IP address.
Benefits:
- The server can be given a consistent policy regardless of which user is logged on.
- The primary identity in reports (Identity used by policy) will be consistent.
How:
- Create an Internal Network identity for the /32 internal IP address of your server.
- Use the Umbrella 'Policies' wizard to apply the Internal Network identity to a new policy. Follow the wizard as normal to configure policy settings for the server.
- Re-order the policies so this policy is at a higher precedence than any policies based on AD Users/Computers/Groups.
Warning:
The AD Username will still appear as a secondary 'Identity' in the Umbrella Activity Search. The user will also be included in some reports which count traffic against all matched identities, such as the 'Identities' report. To prevent this behavior also use the AD Exception below.
Part 2 - AD Exception (Optional)
Use the "AD User Exceptions" function in the Umbrella Dashboard to exclude this server IP from being monitored for AD login events. This is the best option when multiple users are sharing the same IP address.
Benefits:
- The Umbrella system completely ignores any AD logons on this server.
- The server is never identified as the AD User/Computer regardless of policy ordering.
- AD User/Computer information for this server is not tracked anywhere in Umbrella reports, even as a secondary identity.
How:
- Use the 'Active Directory User Exceptions' system. Instead of entering a username, add the server IP address.
Part 3 - Clear Appliance Cache
It is recommended to clear the Appliance cache after creating the exception in Part 2. This removes any knowledge of currently logged on users. This step requires v2.4.6+ of the Umbrella Virtual Appliance:
- Enter the restricted shell of the Virtual Appliance by pressing CTRL+B on its console.
- Run the following command to clear the IP mapping for the server IP address, and repeat it on each Virtual Appliance:
config admap clear <IP>
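To make the behaviour described above concrete, the following is an added model (not Umbrella's code, and not the appliance's actual algorithm) of an IP-to-user cache in which the most recent AD login for an IP wins, IPs on the AD User Exceptions list are never recorded, and an ordered policy list is walked top to bottom. The sample login events, IPs, usernames and policy names are constructed for this illustration. It shows why two users authenticating through one server IP produce the wrong identity, how policy ordering alone still leaves the user attached as a secondary identity, and how the exception removes it entirely.

```python
import ipaddress

# Constructed sample data: AD login events seen by the appliance,
# in arrival order, as (source_ip, username).
LOGIN_EVENTS = [
    ("10.0.0.5", "alice"),   # two users authenticate through the same Terminal Server IP
    ("10.0.0.5", "bob"),
    ("10.0.0.7", "carol"),   # ordinary workstation with a single user
]

# Ordered policy list, highest precedence first: (name, identity type, match value).
# Policy names are hypothetical.
POLICIES = [
    ("terminal-server", "internal_network", "10.0.0.5/32"),
    ("ad-user-bob", "ad_user", "bob"),
    ("default", "any", "*"),
]


def build_ip_user_map(events, ad_exceptions):
    """Model of the appliance cache: the most recent login for an IP wins,
    and IPs on the AD User Exceptions list are never recorded at all."""
    mapping = {}
    for ip, user in events:
        if ip in ad_exceptions:
            continue            # exception: the appliance ignores this logon
        mapping[ip] = user      # later logins overwrite earlier ones for the same IP
    return mapping


def resolve(src_ip, ip_user_map, policies):
    """Walk the ordered policies for a DNS request from src_ip.
    Returns (matched policy, primary identity, AD user kept as secondary identity)."""
    user = ip_user_map.get(src_ip)
    for name, kind, match in policies:
        if kind == "internal_network" and ipaddress.ip_address(src_ip) in ipaddress.ip_network(match):
            # Internal Network wins, but the cached AD user is still attached as a secondary identity
            return name, f"network:{match}", user
        if kind == "ad_user" and user == match:
            return name, f"user:{user}", None
        if kind == "any":
            return name, "default", user
    return None, None, user


if __name__ == "__main__":
    cache = build_ip_user_map(LOGIN_EVENTS, ad_exceptions=set())
    print(resolve("10.0.0.5", cache, POLICIES))          # alice's traffic now carries bob as secondary
    cache = build_ip_user_map(LOGIN_EVENTS, ad_exceptions={"10.0.0.5"})
    print(resolve("10.0.0.5", cache, POLICIES))          # exception: no AD user attached at all
```

Reordering POLICIES so the AD User policy sits above the Internal Network one reproduces the problem the ordering step guards against: every request from the shared IP is matched by whichever user logged on last.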
AD Computer Policy
Part 1 - AD Computer Policy
Instead of using the IP address to identify a server, you can use its AD Computer Identity.
Benefits:
- The server can be given a consistent policy regardless of which user is logged on.
- The primary identity in reports (Identity used by policy) will be consistent.
- This policy will continue to work if the server IP address changes.
How:
- Use the Umbrella 'Policies' wizard to apply the AD Computer identity to a new policy. Follow the wizard as normal to configure policy settings for the server.
- Re-order the policies so this policy is at a higher precedence than any policies based on AD Users/Groups.
Warning:
The AD Username will still appear as a secondary 'Identity' in the Umbrella Activity Search. The user will also be included in some reports which count traffic against all matched identities, such as the 'Identities' report.
Part 2 - Cache optimization for AD Computers
If multiple users are sharing the server (e.g. a Terminal Server) you must make a change to optimize the Virtual Appliance for caching AD Computer names. This prevents the Appliance from clearing its cache when new users log on and retains the AD Computer information for longer. These steps require version 2.4.6+ of the Virtual Appliance:
- Enter the restricted shell of the Virtual Appliance by pressing CTRL+B on its console.
- Run the following command to extend the cache timeout for the AD Computer mapping, and repeat it on each Virtual Appliance:
config admap set-host-timeout 600