
LABSEC-2006 Introduction to Cisco Umbrella Solutions

(openCisco(Umbrella(OpenDNS

Introduction to Cisco Umbrella Solutions


LABSEC-2006
Speakers:

Hamid Mirza & Moumita Nath


Tech Support Engineer – Cloud Web Security

Learning Objectives

Upon completion of this lab, you will be able to:

• Understand and integrate Active Directory with the Cisco Umbrella Virtual Appliance (VA) to achieve user granularity for reporting purposes for on-premise users.
• Learn to protect “Roaming Users” by deploying the AnyConnect Umbrella Roaming Client, which is always on even when the VPN is disconnected.
• Deploy the AnyConnect Umbrella Roaming Client and demonstrate that it still protects users and applies the configured Umbrella policies while off the corporate network.
• Learn about the URC (Umbrella Roaming Client) for those not using Cisco AnyConnect products.

Disclaimer

This lab document is intended to familiarize you with Cisco Umbrella deployment options. Although the lab design and configuration examples could be used as a reference, it’s not a real design, thus not all recommended features are used, or enabled optimally. For design-related questions please contact your representative at Cisco, or a Cisco partner.


Learning Objectives
Disclaimer
On-Premise Solutions
Network Protect - Umbrella Deployment
Umbrella Virtual Appliance(VA)
Umbrella Virtual Appliance with AD integration
Cisco Umbrella Branch
Accessing the Lab
Connecting to Lab network using AnyConnect
Connecting to Lab VMs(RDP)
Scenario 1 - On Premise Solution
Lab Exercise - Deploy Umbrella Virtual Appliance with AD integration
Network Diagram
Prerequisites
Step 1 – Deploy Umbrella Virtual Appliance (VA) using OVF Template
Step 2 – Prepare your Active Directory environment
Step 3 – Integrate Active Directory with Umbrella
Step 4 – Verify the Connector Syncs with the Dashboard
Step 5 – Configure Umbrella Policies for AD users
Task 1 – Create your policy
Task 2 – Verify the policies post AD integration
Scenario 2 Off-Premise Solutions
Anyconnect Umbrella Roaming Client
Umbrella Roaming Client(URC)
Network Diagram
Lab Exercise 1 - Deploy and configure AnyConnect Umbrella Roaming Client
Prerequisites
Step 1 – Configure AnyConnect Umbrella Roaming profile (Pre-Configured)
Step 2 – Invoke Anyconnect Umbrella Roaming Client
Step 3 – Verification - Anyconnect Umbrella Roaming Client
Step 4 – Verification – by creating Policies and verify access
Lab Exercise 2 - Deploy and configure Umbrella Roaming Clients(URC)
Network Diagram
Prerequisites
Step 1 – Downloading the Umbrella Roaming Client
Step 2 – Installing the Umbrella Roaming Client(URC)
Step 3 – Verification
Related Sessions at Ciscolive
Summary:
References:

On-Premise Solutions
Cisco Umbrella on-prem solutions include the following deployments; however, this lab will only cover the Umbrella Virtual Appliance with AD integration, AnyConnect Roaming Client and Umbrella Roaming Client deployments.

Network Protect - Umbrella Deployment

This is the simplest way of deploying Umbrella for protecting your network with baseline Umbrella policies. In this deployment you just need to add your organization's egress IP to the Umbrella Dashboard and point your DNS forwarders to the Umbrella resolvers 208.67.222.222 and 208.67.220.220.

Umbrella Virtual Appliance(VA)

With Virtual Appliances, the VAs record the internal IP address of every DNS request. Security and DNS traffic-related investigations allow you to associate traffic to an individual, internal IP address. End users point to the VA, where internal queries are sent to the local DNS and external queries are encrypted and sent to the Umbrella resolvers.

Umbrella Virtual Appliance with AD integration

With Active Directory integration added as a supplementary feature, the Virtual Appliances will also
record the Active Directory user, group, or computer, depending on the Policies set in the Umbrella
dashboard.

Cisco Umbrella Branch

The Cisco Umbrella Branch feature enables cloud-based security service by inspecting the Domain
Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series
Integrated Services Routers (ISR). The security administrator configures policies on the Cisco Umbrella
Branch cloud to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco
4000 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic and
forwards the DNS queries to the Cisco Umbrella Branch cloud. This feature is available on Cisco IOS
XE Denali 16.3 and later releases.

Accessing the Lab


Connecting to Lab network using AnyConnect


Connect to the lab from the participant laptop provided, using the information below:

1. Open Cisco Anyconnect VPN Client


2. Enter the server IP address “72.163.218.175”

3. Go to settings, uncheck the “Block connections to untrusted servers”

4. Click on “Connect”
5. When it prompts for a security warning, click “Connect Anyway”
6. Login with the following credentials:
Username: ciscolive1
Password: ciscolive1


Connecting to Lab VMs(RDP)

After connecting to the Lab VPN above, use the RDP icons placed on your desktop to connect to the mentioned VMs with their credentials.

1. Check your Lab Access Guide for RDP details and connect to PODX-PC (Windows 10 Client) and PODX-DC (Domain Controller (AD+DNS) Server) from the attendee PC
2. Use your credentials as per your assigned POD; for example, if you have been assigned POD1, you can use the username “umbrella1\pod1-user” and the password Cisco123!

4. Click on “Yes” if above window appears

Scenario 1 - On Premise Solution


Lab Exercise - Deploy Umbrella Virtual Appliance with AD integration

In this lab activity, you will learn about the Umbrella Virtual Appliance used with an existing Active Directory environment to enforce Umbrella policies on AD users, computers and groups and to generate reports based on the same. The purpose of Virtual Appliances when used with Active Directory is to map internal source IP addresses to AD users and computers, then forward external DNS queries from your network to the Umbrella servers.

Umbrella Virtual Appliances, or “VAs”, are very lightweight virtual machines, which are compatible with
VMWare ESX/ESXi and Windows Hyper-V hypervisors. When utilized as conditional DNS forwarders on your
network, Virtual Appliances record the internal IP address information of DNS requests for usage in Reports,
Security Enforcement, and Category Filtering policies in the Umbrella dashboard. Additionally, Virtual Appliances
encrypt and authenticate DNS data for enhanced security.

Network Diagram

Prerequisites

Virtual Appliance Requirements

• 2 VAs per Umbrella Site - VAs must be deployed in pairs for automatic updates to occur without downtime, and to ensure redundancy at the DNS level.
• 1 Virtual CPU, 512MB of RAM, 7GB of disk space
• VMware ESX or ESXi 4.1 update 2 (or newer)
• Host A and PTR record for the Virtual Appliance in the internal DNS server
• Correct Date/Time - An incorrect date or time can cause update or sync issues with the VAs.
• The following firewall/ACL requirements ensure VAs can communicate with the Cisco Umbrella cloud services and local DNS forwarders/servers. These requirements apply to both VMware and Hyper-V deployments.

| Port | Source / Destination | Note |
|---|---|---|
| 53, TCP + UDP | 208.67.220.220/32, 208.67.222.222/32, 208.67.222.220/32, 208.67.220.222/32, Your DNS Forwarder IPs | Standard and Encrypted DNS—If utilizing a default deny firewall ruleset for local traffic, add the internal IP addresses of any local DNS forwarders/servers to the firewall ruleset, so the VAs forward local queries accordingly. |
| 443, TCP + UDP | 67.215.92.0/24, 67.215.71.201/32, ocsp.digicert.com, crl4.digicert.com | HTTPS—Used for registration, health checks, and updates from Umbrella. ocsp.digicert.com and crl4.digicert.com use a CDN and are not assigned static IP addresses, thus are subject to change. Currently, these domains resolve to the following IPs: 72.21.91.29, 117.18.237.29, 93.184.220.29, 205.234.175.175 |
| 80 TCP | 67.215.92.0/24, ocsp.digicert.com, crl4.digicert.com | HTTP—Used for fetching the SSL revocation list to initiate the HTTPS connection |
| 123 UDP | 91.189.94.4/32, 91.189.89.199/32 | NTP—Protocol to synchronize time. |
| 2222 TCP | 67.215.92.28/32 | SSH Support Tunnel—Optional. Provides Umbrella Support with remote access for troubleshooting purposes. See next section for important information |

Note: The above requirements have already been taken care of for this lab exercise.
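
Outside the lab, the firewall/ACL requirements in the table above can be checked against a default-deny ruleset before the VAs are deployed. The following Python example is added here and is not part of the original lab guide or any Cisco tooling; the `AllowRule` export format, the sample ruleset and the forwarder address 10.0.0.10 are constructed assumptions, and only the IP destinations from the table are checked (the two digicert hostnames need FQDN-based rules).

```python
import ipaddress
from typing import NamedTuple


class AllowRule(NamedTuple):
    """One outbound allow rule in a default-deny ruleset (hypothetical export format)."""
    proto: str    # "tcp", "udp" or "any"
    dest: str     # destination in CIDR notation
    port_lo: int  # first destination port allowed
    port_hi: int  # last destination port allowed


# (port, protocols, IP destinations, required?) transcribed from the table above.
# ocsp.digicert.com and crl4.digicert.com are CDN-hosted, so they are not checked
# here. The SSH support tunnel on port 2222 is optional per the table.
VA_REQUIREMENTS = [
    (53, ("tcp", "udp"), ("208.67.220.220/32", "208.67.222.222/32",
                          "208.67.222.220/32", "208.67.220.222/32"), True),
    (443, ("tcp", "udp"), ("67.215.92.0/24", "67.215.71.201/32"), True),
    (80, ("tcp",), ("67.215.92.0/24",), True),
    (123, ("udp",), ("91.189.94.4/32", "91.189.89.199/32"), True),
    (2222, ("tcp",), ("67.215.92.28/32",), False),
]


def covered(rules, proto, dest_cidr, port):
    """True if the allow rules together permit proto/port to all of dest_cidr."""
    need = ipaddress.ip_network(dest_cidr, strict=False)
    nets = []
    for r in rules:
        if r.proto in (proto, "any") and r.port_lo <= port <= r.port_hi:
            net = ipaddress.ip_network(r.dest, strict=False)
            if net.version == need.version:
                nets.append(net)
    # Merge adjacent and overlapping rules, so that two /25 rules
    # are recognised as satisfying a /24 requirement.
    return any(need.subnet_of(n) for n in ipaddress.collapse_addresses(nets))


def audit(rules, dns_forwarders):
    """Return the unmet requirements as (port, proto, destination, level) tuples."""
    reqs = list(VA_REQUIREMENTS)
    # "Your DNS Forwarder IPs" from the table: site-specific, passed in by the caller.
    forwarders = tuple(str(ipaddress.ip_network(ip)) for ip in dns_forwarders)
    reqs.append((53, ("tcp", "udp"), forwarders, True))
    gaps = []
    for port, protos, dests, required in reqs:
        for dest in dests:
            for proto in protos:
                if not covered(rules, proto, dest, port):
                    gaps.append((port, proto, dest,
                                 "required" if required else "optional"))
    return gaps


# Constructed sample ruleset with three deliberate gaps.
SAMPLE_RULES = [
    AllowRule("any", "208.67.220.0/24", 53, 53),
    AllowRule("any", "208.67.222.0/24", 53, 53),
    AllowRule("any", "10.0.0.10/32", 53, 53),        # local DNS forwarder (assumed)
    AllowRule("tcp", "67.215.92.0/25", 80, 443),     # two halves of the /24
    AllowRule("tcp", "67.215.92.128/25", 80, 443),
    AllowRule("udp", "67.215.92.0/24", 443, 443),
    AllowRule("tcp", "67.215.71.201/32", 443, 443),  # UDP 443 is missing here
    AllowRule("udp", "91.189.94.4/32", 123, 123),    # second NTP server is missing
]

if __name__ == "__main__":
    for port, proto, dest, level in audit(SAMPLE_RULES, ["10.0.0.10"]):
        print(f"missing ({level}): {proto}/{port} -> {dest}")
```
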

Step 1 – Deploy Umbrella Virtual Appliance (VA) using OVF Template

• The Virtual Appliance VM on the VMware ESX host is already deployed in this lab and powered on.
• It takes less than 5 minutes to deploy a Virtual Appliance using the OVF template.
• All the IPs are assigned as per your POD IP assignment details given in the separate Lab Access Guide provided.
• The following screenshot shows the time taken to deploy the Virtual Appliance OVF using VMware ESXi


• If you would like to see how the Virtual Appliances were set up on the ESXi host, you may connect using the VMware vSphere Client icon on your PODX-PC, with IP address 10.0.0.222, and click Login as shown below.
• Click “Ignore” for any Security Warnings.

• Click on the Inventory icon as below and expand the entry highlighted in blue to view your respective POD's Umbrella VAs.

• To open the Virtual Appliance (VA) console, identify your respective VA; for example, attendees using POD3 will right-click on “POD3-VA1” and choose Open Console as shown below.

• The following screenshot shows the console of the Virtual Appliance. No other configuration is needed on the VA other than the hostname and IP assignments, which are pre-configured for this lab exercise.


• Log in to the “Umbrella Dashboard” at http://dashboard.umbrella.com (to find your login credentials for the Umbrella Dashboard, refer to the “Accounts & IP Configuration Info” section of the Lab Access Guide and choose your respective POD's Umbrella login credentials).
• The Virtual Appliance status will be similar to the screenshot below; you can review this in your respective Umbrella Dashboard by clicking on the blue highlighted box.

• Navigate to Settings > Sites and Active Directory

Note: Above status will only show green when 2 Virtual Appliances are deployed.

Bonus Lab Exercise:
You can set your respective VA IP address as the preferred DNS server on your client machine (PODX-PC), browse a few websites, and then check Reporting > Activity Search for your source IP 10.0.0.X in the Umbrella Dashboard.

Learning:
Umbrella Virtual Appliances can also be deployed without AD integration, which will give you the IP addresses of the end-user machines. With this you can create internal networks as identities and apply policies to the respective subnets in your organization. With Virtual Appliances, the VAs record the internal IP address of every DNS request. Security and DNS traffic-related investigations allow you to associate traffic to an individual, internal IP address.

Step 2 – Prepare your Active Directory environment


2.1 Route Local DNS Queries, by navigating to Umbrella Dashboard > Settings > Internal Domains and
add umbrellaX.lab as internal domain as shown in below image, replace X with your POD#.

2.2 Click on the RDP icon from Attendee Laptop(located on Desktop), or you can RDP to PODX-DC IP
address following the “Lab VMs Management(RDP) IP address Cheat sheet”

2.3 Download the script from Umbrella Dashboard > Settings > Sites and Active Directory > DOWNLOAD
COMPONENTS > click on DOWNLOAD at Windows Configuration – Domain Controller as shown below
and save it to C: drive or move it to C drive once downloaded.

2.4 Open a Command Prompt on PODX-DC, type cd\ and press Enter; this takes you to the C:\> drive where your Windows script is downloaded.

2.5 Type “cscript OpenDNS-WindowsConfigurationScript…” as shown below (this will be the full file name)

Identify your DC IP(10.0.0.x) and select it when prompted.

2.6 Wait until you get “Update success!” in the command prompt as above.
2.7 Verify that the AD Server was added at Umbrella Dashboard > Settings > Sites and Active Directory; it should show the hostname of your AD Server (PODX-DC) registered as shown below. When you return to the Dashboard, you will see the hostname of the Domain Controller on which you just ran the script in the [Inactive] state on the [Sites & Active Directory] page, with type “AD Server”.

Note: For information on what changes are made by the script, please read this article

Step 3 – Integrate Active Directory with Umbrella

The purpose of the Connector is to monitor one or more Domain Controllers. It listens to user and computer
logins via the security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the
Virtual Appliances (VAs). It synchronizes user-to-group, computer-to-group and group-to-group memberships
with the Umbrella Security Cloud, enabling you to create and enforce group-based settings and view user,
computer and group-based reports.

3.1 On PODX-DC, download the “Windows Service” (Connector) installer from Umbrella
Dashboard > Settings > Sites and Active Directory > DOWNLOAD COMPONENTS as highlighted below.

3.2 Click on DOWNLOAD and save the file on your desktop and extract the downloaded file to a location
3.3 Open the extracted folder and click on Setup.exe
3.4 Enter the password “Cisco123!” for user OpenDNS_Connector which is pre-configured in Active
Directory for this lab, click next then it will be verified as shown in below image.


3.5 Follow the setup wizard prompts to install, click Finish when completed.
3.6 Return to the Umbrella Dashboard.

Step 4 – Verify the Connector Syncs with the Dashboard

4.1 When you return to the Umbrella dashboard, you will see the hostname of the Domain Controller on which you installed the OpenDNS Connector (Windows Service) on the Settings > Site and Active Directory Configuration page, listed as “AD Connector”

4.2 Navigate to Configuration > Policies, verify the users, groups and computers are appearing by clicking
add a new policy as shown below and close the Policy page once done.

4.3 The Connector should automatically sync user and computer group memberships, and any subsequent
changes, with Umbrella Dashboard.
4.4 Move back to the PODX-PC RDP session and perform an nslookup: open the command prompt, type nslookup and hit Enter. It should show the name resolution for the noted websites, with the default server being your Umbrella Virtual Appliance podx-va1.umbrellax.lab


Step 5 – Configure Umbrella Policies for AD users

Policies control the level of protection and logging, including which types of sites should be filtered. The Policy
Wizard is the best way to start applying policies to the Identities you've created. By default, there's always a
single policy — the Cisco Umbrella Default policy. This policy applies to all identities when no other policy takes
precedence for that identity. In other words, the Cisco Umbrella Default policy is a catch all to ensure all
identities within your organization receive a baseline level of protection.

A policy can be applied to any combination of identities available in the Dashboard, and some categories (such
as AD Computers) can be expanded to more selectively choose which
identities will be affected by a policy.

Task 1 – Create your policy


1.1 Navigate to Policies > Policy List

1.2 Click the Plus “+” (Add) icon

1.3 At “1. Select Identities”, click on AD Users and select the user PODX-User.

1.4 At section “2. Select Policy Settings”, click on “add new setting” in the “Category setting to enforce” section as shown below

1.5 In the “Create New Category Setting” window, type the category name PODX-Lab Exercise-Block Gambling (or a name for any other category to block) in the given field at the top, as shown in the example below.
1.6 Select Gambling or any category you would like to block in the “Create New Category Settings” window and click “ADD”


1.7 At section “2. Select Policy Settings”, under “Security setting to enforce”, click on “Default Settings”, check the box for “Enable Intelligent Proxy”, click SAVE and then click NEXT.

What is Intelligent Proxy?


Traditionally, blocking web content at the URL level requires proxying all connections, which adds latency and complexity, negatively impacting your network performance. Umbrella does not send all connections through a proxy. With Umbrella, safe connections are allowed and malicious requests are blocked. Web connections to partially malicious or suspicious domains are transparently routed to Umbrella’s intelligent proxy for deeper inspection. So, users don’t experience any slow or broken internet access.

1.8 At section “3. Select Block Page Settings”, select “add new setting” at “Block Page Setting to enforce”
1.9 In the “Create New Block Page Setting” window, type your block page name as per your POD details, for example as per the image below
1.10 Add a custom message to identify the correct policy match as below, replacing X with your POD number; click SAVE when done.


Message: “This block page belongs to Cisco Umbrella PODX, requested URL is blocked due to your configured Policy "PODX - Lab Exercise 1 Policy"”

1.11 At the policy description, name it “PODX - Lab Exercise 1 Policy”, replacing X with your assigned POD#
1.12 Click SAVE once done
1.13 Please make sure the created policy is placed at the top; if not, you can drag the policies as shown below

Note: It may take up to 30 minutes for the custom block page (newly created block page) messages to be reflected at the user end.
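
Why step 1.13 matters, and how the Cisco Umbrella Default policy acts as the catch-all described at the start of Step 5, can be seen in a small model of policy selection. The following Python example is added here and is not Umbrella's own code; it assumes policies are evaluated top-down with the first match winning, and the “Domain Users” group policy and the identities carried by the request are constructed for illustration.

```python
from typing import FrozenSet, NamedTuple, Optional


class Policy(NamedTuple):
    name: str
    identities: Optional[FrozenSet[str]]  # None means catch-all (default policy)
    blocked_categories: FrozenSet[str]


def effective_policy(policies, request_identities):
    """Return the first policy, from the top, attached to any identity of the request."""
    ids = set(request_identities)
    for policy in policies:
        if policy.identities is None or policy.identities & ids:
            return policy
    raise ValueError("policy list must end with the catch-all default policy")


def is_blocked(policies, request_identities, category):
    """Apply only the effective policy; lower policies are never consulted."""
    return category in effective_policy(policies, request_identities).blocked_categories


def shadowed_policies(policies):
    """Names of policies that can never apply because earlier entries always win."""
    seen = set()
    catch_all_seen = False
    shadowed = []
    for policy in policies:
        if catch_all_seen:
            shadowed.append(policy.name)           # anything below the catch-all
        elif policy.identities is not None and policy.identities <= seen:
            shadowed.append(policy.name)           # every identity already claimed
        if policy.identities is None:
            catch_all_seen = True
        else:
            seen |= policy.identities
    return shadowed


# Policy from Task 1 (name, identity and category are taken from the lab steps).
LAB_POLICY = Policy("PODX - Lab Exercise 1 Policy",
                    frozenset({"PODX-User"}), frozenset({"Gambling"}))
# Constructed broader policy attached to an AD group the user belongs to.
GROUP_POLICY = Policy("All staff (constructed)",
                      frozenset({"Domain Users"}), frozenset())
DEFAULT_POLICY = Policy("Cisco Umbrella Default policy", None, frozenset())

# Identities assumed to accompany a DNS request from the lab user's session.
REQUEST = {"PODX-User", "Domain Users", "PODX-PC"}

if __name__ == "__main__":
    for order in ([LAB_POLICY, GROUP_POLICY, DEFAULT_POLICY],
                  [GROUP_POLICY, LAB_POLICY, DEFAULT_POLICY]):
        chosen = effective_policy(order, REQUEST)
        print(chosen.name, "-> Gambling blocked:",
              is_blocked(order, REQUEST, "Gambling"))
```

With the lab policy below the group policy, the user's requests match the group policy first and the Gambling block never applies, which is the symptom to look for when a block page does not appear in Task 2.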

Task 2 – Verify the policies post AD integration

Please make sure your PODX-PC NIC (Network Adaptor Vlan-197-10) points to the Virtual Appliance’s IP address 10.0.0.1xx assigned as per your POD IP configuration (refer to the “Lab VMs IP address Cheat Sheet” section of the Lab Access Guide provided).

2.1 On your PODX-PC navigate to browser and access any Gambling website or sites which you chose to
block and observe the block page configured.
2.2 Access www.internetbadguys.com and verify phishing sites are also blocked.
2.3 Access http://proxy.opendnstest.com/ follow the instructions on the page to test to see how we can
block an image within an otherwise good website, or block entire websites using the Intelligent Proxy.
2.4 You can view activities at Umbrella Dashboard > Reporting, for traffic generated by your AD user.

Scenario 2 Off-Premise Solutions

Umbrella Roaming is a cloud-delivered security service for Cisco's next-generation firewall. It protects your
employees even when they are off the VPN. No additional agents are required. Simply enable the Umbrella
functionality in the Cisco AnyConnect client. You’ll get seamless protection against malware, phishing, and
command-and-control callbacks wherever your users go.

Cisco Umbrella has 2 deployment options for roaming users.

Anyconnect Umbrella Roaming Client

The Cisco Umbrella Roaming Security module provides always-on security for an existing AnyConnect setup, even when no VPN is active. The Roaming Security module enforces security at the DNS and IP layers to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all Internet activity per hostname when a computer is off the network and off the VPN.

Umbrella Roaming Client(URC)

The Umbrella roaming client is a very lightweight DNS client that runs on your Windows or Mac OSX computers.
It is not a VPN client or a local anti-virus engine. It allows Umbrella security and policy-based protection,
including our Intelligent Proxy, to be enforced no matter to which network you are connected.

Network Diagram


Lab Exercise 1 - Deploy and configure AnyConnect Umbrella Roaming Client

This exercise covers deployment of Cisco’s AnyConnect Umbrella Roaming Security Client on and off the
corporate network. Your goal is to deploy the service on your current network and device, then generate DNS
traffic to populate the reports for further lab exercise.

Each participant has a separate VPN profile to complete this lab exercise; connect using the connection profile named after your POD number.

Prerequisites
The prerequisites below are already met for this lab exercise.
• Any of the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x
• ASA with ASDM image 7.6.2 and software image 9.4.1 and above
• ASA with AnyConnect VPN configured
• Windows 7 (or later) x86 (32-bit) and x64 (64-bit) operating system
• The VPN Module requires the Visual Studio 2015 32-bit runtime, which is bundled with our installation package.
• The Roaming Security Module requires the .NET framework (3.5 at the minimum)

Step 1 – Configure AnyConnect Umbrella Roaming profile (Pre-Configured)


Step 1 has been pre-configured for this lab. For your reference, you can go through the process of deploying the Umbrella AnyConnect Roaming Client for existing VPN users.

Downloading AnyConnect Umbrella profile

1.1 Log in to the Umbrella Dashboard at https://dashboard.Umbrella.com with the provided credentials.


1.2 Navigate to Configuration > Identities > Roaming Computers > Click on Plus + sign as below.

1.3 Scroll down to the section marked AnyConnect Roaming Security Module and click MODULE PROFILE
and download to local machine and rename to PODXProfile.json


1.4 Click on ASDM launcher icon from desktop. Enter the credentials

1.5 In ASDM Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect
Client Profile and Click on Add, and give profile a name “PODX-Umbrella” (where x will be your POD
number)

1.6 Choose the “Umbrella Security Roaming Profile” type from the Profile Usage drop-down menu. Select the “POD1Profile.json” file, which then populates the Profile Location field.

1.7 Click Upload and browse to the location of the OrgInfo.json file that you downloaded from the dashboard.

1.8 Associate it with the existing Group policy from the drop-down menu as shown above.

Note: Existing Cisco AnyConnect users can take advantage of deploying the AnyConnect Umbrella Roaming Client using their ASA; non-AnyConnect customers can use Umbrella Roaming Clients (URC).

Step 2 – Invoke Anyconnect Umbrella Roaming Client

2.1 On your attendee PC, open AnyConnect Secure Mobility client and disconnect existing VPN connection.
2.2 Once disconnected, use IP 72.x.x.x.x to connect to your internal LAB network via VPN
(Please ask your proctor for another VPN server IP address if you are not able to connect to above IP)

2.3 You may receive the following window, please select “Connect Anyway”

2.4 Please select the appropriate Group from the drop-down corresponding to your POD name; for example, if your POD is POD1 select ConectionProfile-POD1, for POD2 select ConectionProfile-POD2

2.5 Use username as ciscolive and password as Cisco123! to connect to Lab network (10.0.0.x)


2.6 Once login is done, it will start installing AnyConnect Umbrella roaming module and it will be enabled
with the following status once installation is done.

Step 3 – Verification - Anyconnect Umbrella Roaming Client

3.1 While connected to VPN, you should be able to verify that your DNS connections are being routed through
the Cisco Umbrella global network by going to the following page in browser:
https://www.opendns.com/welcome/

Note: If you get the message “OOPS you aren’t using OpenDNS yet...”, please restart the attendee PC and repeat Step 3, 3.1.

3.2 Disconnect the VPN and observe that the AnyConnect Umbrella Roaming Client is still connected and shows the status as “You are Protected by Umbrella” as shown below.

3.3 Again verify that you are still protected by going to https://www.opendns.com/welcome/

Step 4 – Verification – by creating Policies and verify access

4.1 Navigate to Umbrella Dashboard > Settings > Roaming Computers and make sure the status shows as
online with Green radio button.

4.2 Create a new policy and select “Roaming Computers” and create a new block page with your custom
message.

4.3 Verify the policies are taking effect

4.3.1 Navigate to the client machine on which the AnyConnect Umbrella Roaming Client is installed (attendee laptop)
4.3.2 Access websites belonging to the category you have selected to block; the respective website should be blocked with your customized block page, or the default block page will appear if not customized
4.3.3 Access http://proxy.opendnstest.com/ follow the instructions on the page to test to see how we can
block an image within an otherwise good website, or block entire websites using the Intelligent Proxy.
4.3.4 Check the Reporting at Umbrella Dashboard for your AnyConnect Umbrella Roaming client

Lab Exercise 2 - Deploy and configure Umbrella Roaming Clients(URC)


The purpose of this Lab Exercise is to provide a high-level overview of the Cisco Umbrella roaming client and allow you to get started deploying the client to your organization’s Windows and Mac laptops (and desktop systems, if desired) and verify that it is working properly.

The Umbrella roaming client is a very lightweight DNS client that runs on your Windows or Mac OSX computers.
It is not a VPN client or a local anti-virus engine. It allows Umbrella security and policy-based protection,
including Umbrella Intelligent Proxy, to be enforced no matter to which network you are connected. Whether
you're at the office, your hotel, a coffee shop, or using a mobile hotspot, the Umbrella roaming client enforces
policies set by you in Umbrella.

Network Diagram

Prerequisites
Supported Operating Systems

• Windows 10 with .NET 4.5
• Windows 8 (includes 8.1) (64-bit) with .NET 4.5
• Windows 7 (64-bit/32-bit) with .NET 3.5
• Windows Vista (64-bit/32-bit) with .NET 3.5
• Mac OS X 10.9 or newer
• DNS ports 53/UDP and 53/TCP open in the firewall for 208.67.222.222 / 208.67.220.220
• DNSCrypt (optional): 443/UDP open in the firewall for 208.67.222.222 / 208.67.220.220
• Internal domains added in “Internal Domains” in the Umbrella Dashboard

Before beginning this lab exercise, please refer to the Lab Access Guide section “Connecting to Lab network using AnyConnect” and connect back to your Lab VPN using IP address 72.x.x.x.

Step 1 – Downloading the Umbrella Roaming Client

1.1 RDP to your PODX-PC using the IP address from the “Lab VMs Management(RDP) IP address Cheat sheet” in the Lab Access Guide and log in to https://dashboard.umbrella.com
1.2 Navigate to Identities > Roaming Computers, click the + (Add) icon and click DOWNLOAD under Windows Client


Step 2 – Installing the Umbrella Roaming Client(URC)

The manual single installation method is best for small organizations which plan to install the Roaming Client on
a limited number of computers, as it can be faster to simply install the software manually than to automate it.

2.1 Extract downloaded “OpenDNS-URC-win-2.0.255.zip” file


2.2 Navigate to Extracted folder and double click on setup.exe
2.3 Follow instructions to install with default options.
2.4 Click Finish once the installation is completed

Step 3 – Verification

3.1 Navigate to taskbar and find Umbrella Roaming Client(URC) tray icon which should show the following
status as protected

Note: DNS query status may show unencrypted due to LAB DMZ firewall blocking connection.

3.2 At Umbrella Dashboard navigate to Identities > Roaming Computers you should be able to see your
PODX-PC reported as shown below.

3.3 Repeat the verification steps from the previous AnyConnect Umbrella Roaming Client exercise (Scenario 2, Lab Exercise 1, Step 4).

Related Sessions at Ciscolive

http://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=umbrella&showEnrolled=false

Summary:

This lab is designed to familiarize you with the Cisco Umbrella solutions for on-premise and off-premise deployments. You can quickly deploy on-premise solutions by just changing your DNS forwarders to the Cisco Umbrella DNS resolvers 208.67.222.222 and 208.67.220.220. You can also take advantage of Umbrella roaming solutions by deploying the AnyConnect Umbrella Roaming Client or the non-AnyConnect Umbrella Roaming Client. Similarly, you can achieve granularity in user reports by integrating an existing Active Directory with the Umbrella Virtual Appliance.

References:

Cisco Umbrella Roaming


http://www.cisco.com/c/en/us/products/security/firewalls/umbrella-roaming.html

Cisco Umbrella Deployment Documentations


https://docs.umbrella.com/product/umbrella/welcome-to-cisco-umbrella/

Cisco Umbrella Intelligent Proxy


https://umbrella.cisco.com/products/features/intelligent-proxy

Cisco Umbrella Case studies


https://learn-umbrella.cisco.com/case-studies
