Umbrella Virtual Appliances running version 2.6 or earlier accept user-IP mappings from the Umbrella Active Directory Connector and the Umbrella Chromebook Clients only in unencrypted form on port 443. As a result, a mandatory prerequisite for deployment has been that the AD Connector and VA, or the Chromebook Clients and VA, communicate over a trusted network only.
Starting with version 2.7, Umbrella Virtual Appliances can receive AD user-IP mappings from the AD Connector over HTTPS, and similarly GSuite user-IP mappings from each Umbrella Chromebook Client over HTTPS.
This article details the configuration steps on each component to enable HTTPS communication. By default, HTTPS communication is disabled and the AD Connector and Chromebook Clients communicate with the VA over HTTP only.
Important Note: Turning on this feature will increase the CPU and memory utilization on the VA and the Umbrella AD Connector and may result in reduced DNS throughput for the VA. As a result, it is recommended to turn on this feature only if mandated by any compliance requirements for your organization.
Private key creation, certificate creation, certificate signing and certificate management are out of scope for the Umbrella components; they must be done externally to these components.
You will need to create one certificate with a unique Common Name per Virtual Appliance. If you wish to use the same certificate for multiple Virtual Appliances, use multiple Subject Alternative Names in the certificate, one for each Virtual Appliance.
If you are using a unique Common Name per Virtual Appliance, you will need to add an A record in your internal DNS server pointing this Common Name to the IP address of the Virtual Appliance.
If you are using a single Common Name but a unique Subject Alternative Name per Virtual Appliance, you will need to add an A record in your internal DNS server pointing each Subject Alternative Name to the IP address of its corresponding Virtual Appliance.
If the IP address of a Virtual Appliance needs to be changed, this A record should also be correspondingly changed.
The FQDN corresponding to the certificate should be configured as a local domain on the Umbrella dashboard, so that the VA recognizes this as a local domain.
The private key and certificate need to be created in .key and .cer format respectively.
You can use either self-signed certificates or CA-signed certificates for this purpose.
For this functionality to work correctly, your Virtual Appliance must be running version 2.7 or later, the Umbrella AD Connector version 1.5 or later, and the Umbrella Chromebook Clients version 1.3.3 or later. If your VA or AD Connector is running an earlier version, you may open a support ticket with Umbrella to get it upgraded to the supported version.
Add the private key to the VA using the command config va ssl key "<contents of the .key file>"
Be sure to copy the entire private key, from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----.
Add the certificate to the VA using the command config va ssl cert "<contents of the .crt file>"
Be sure to copy the entire certificate, from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
Enable HTTPS on the VA using the command config va ssl enable
Verify that HTTPS is enabled using the command config va show
The output of this command should include the HTTPS status as well as the SSL certificate details.
It can take up to 20 minutes for the VA to start receiving events over HTTPS. You can check after around 20 minutes using the config va status command. The AD Connector status will show yellow (stalled) during this intermediate period and will move to green once the VA starts receiving events over HTTPS.
If you wish to disable HTTPS and revert to HTTP, use the command config va ssl disable
If you want to re-enable HTTPS, you will need to add the private key and certificate again and then use the config va ssl enable command.
If you are using a CA-signed certificate for each VA, make sure the root certificate and issuing CA certificates for each VA certificate are installed on each system running the AD Connector in the same site as the VA.
If you are using a self-signed certificate for each VA, make sure each VA certificate is installed on each system running the AD Connector in the same Umbrella site as the VA. (Note: only certificates for VAs in the same Umbrella site as the AD Connector need to be installed on the AD Connector.)
It may take up to 20 minutes for the VA to sync the HTTPS status to Umbrella, which is then synced to the AD Connector. As a result, it may take up to 20 minutes for the Connector to start sending data to the VA over HTTPS. Any user-IP mappings sent during this period will be discarded by the VA. It is therefore recommended to make the configuration change on the VA only during downtime hours, when no user logins are expected.
Umbrella Chromebook Client
If you are using CA-signed certificates for VAs, make sure the root certificate and issuing CA certificates for each VA certificate are pushed to and installed on each Chromebook.
If you are using self-signed certificates for VAs, make sure each VA certificate is pushed to and installed on each Chromebook.
Once the certificate is available, the Umbrella Chromebook Client will start using this certificate to set up an HTTPS channel with the VA.
Configuration sequence: Once HTTPS is enabled on the VA, the VA will not accept user-IP mappings sent in plaintext over HTTP. As a result, any user logins sent over HTTP will be discarded and user attribution for DNS requests from these users will not be available. It is therefore recommended to configure these components in the following order:
- Create the certificate and private key for each VA, based on a CA-signed or self-signed certificate.
- Add the certificate and private key to each VA respectively.
- Make sure the root certificate and intermediate parent certificates for each VA certificate (or VA self-signed certificate) are installed on each system running the AD Connector in the same site as the VA, and on each Chromebook.
- During downtime hours, enable HTTPS on the VA.
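The certificate requirements above (one Common Name per VA, or one certificate with a Subject Alternative Name per VA, delivered as a .key and a certificate file with the full BEGIN/END markers) can be met with OpenSSL. The script below is an added example, not part of the Umbrella article or product: it builds a self-signed certificate covering two hypothetical VA hostnames, converts the key to the "BEGIN RSA PRIVATE KEY" form the article shows, and checks the PEM markers and SAN names before anything is pasted into config va ssl key / config va ssl cert. The hostnames, file names and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the Umbrella article): create one self-signed
# certificate whose SANs cover several VAs, emit the key in the
# "BEGIN RSA PRIVATE KEY" form the article shows, and check the PEM
# markers and SAN names before pasting into "config va ssl key/cert".
set -eu
WORK=$(mktemp -d)
# Hypothetical VA hostnames; each also needs an internal A record.
VA_SANS="va1.corp.example va2.corp.example"

make_va_cert() {   # $1 = Common Name, $2 = space-separated SAN DNS names
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n' "$1"
        i=1; for h in $2; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i+1)); done
    } > "$WORK/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/san.cnf" \
        -keyout "$WORK/tmp.key" -out "$WORK/va.crt" >/dev/null 2>&1
    # req writes PKCS#8 ("BEGIN PRIVATE KEY"); convert to PKCS#1. OpenSSL 3
    # needs -traditional; 1.1.x rejects the flag but emits PKCS#1 by default.
    openssl rsa -in "$WORK/tmp.key" -out "$WORK/va.key" -traditional >/dev/null 2>&1 \
        || openssl rsa -in "$WORK/tmp.key" -out "$WORK/va.key" >/dev/null 2>&1
    rm -f "$WORK/tmp.key"
}

# 0 if the file starts with "-----BEGIN <label>-----" and ends with the END line,
# i.e. the whole block the article says must be pasted into the VA.
pem_markers_ok() {   # $1 = file, $2 = label ("RSA PRIVATE KEY" or "CERTIFICATE")
    [ "$(head -n 1 "$1")" = "-----BEGIN $2-----" ] &&
        [ "$(tail -n 1 "$1")" = "-----END $2-----" ]
}

# Prints the certificate's DNS SAN entries, one per line: the names that
# must each have an A record pointing at the corresponding VA.
cert_san_dns() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

if command -v openssl >/dev/null 2>&1; then
    make_va_cert "va1.corp.example" "$VA_SANS"
    pem_markers_ok "$WORK/va.key" "RSA PRIVATE KEY" && echo "va.key: markers OK"
    pem_markers_ok "$WORK/va.crt" "CERTIFICATE" && echo "va.crt: markers OK"
    echo "Add an internal A record for each SAN below, pointing at its VA:"
    cert_san_dns "$WORK/va.crt"
fi
```

For a CA-signed deployment, drop -x509 to produce a CSR from the same san.cnf, have your CA sign it, and run the same two checks on the returned certificate.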
Note: The certificate on the VA will need to be replaced before it expires, and the intermediate parent and root certificates will need to be installed on the AD Connector and Umbrella Chromebook Clients. If this is not done, the AD Connector and Umbrella Chromebook Clients will not be able to communicate with the VA.