Identity services configuration scenario - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale: English
Product name: BlueCat Edge
Version: Service Point v4.x.x

Once you have configured Identity services, you can configure a namespace to forward DNS traffic from the DNS resolver service to the Identity service. The identity information is then embedded as EDNS data in the DNS queries that are forwarded to Cisco Umbrella for processing. The following section outlines a configuration scenario.

Configuring Identity security

The Identity security feature enhances your query logs by appending identity information. Additionally, the identity metadata is sent with queries to Cisco Umbrella, allowing for policy enforcement based on user IDs.

Prerequisites

Before you begin, ensure that the following requirements are met:
  • The Service Point v4 instance is running version 4.6.0 or higher. For more information on provisioning Service Point v4 instances, refer to Service Point v4.
  • The deployed DNS resolver service is running version 3.10.0 or higher. For more information on deploying the DNS resolver service, refer to DNS resolver services.
  • Identity service version 2.1.0 or higher is deployed. The Identity service connects to the Azure Event Hub to retrieve the event logs that map clients to users. For more information on configuring the Identity service, refer to Identity services.

Once you have deployed the identity service and DNS resolver service on the Service Point v4 instance:

Enable the Add identity information to queries parameter
  1. In the top navigation bar, open the menu and select Sites.
  2. Click the add button to add a site, or select an existing site and click Edit.
  3. To add identity information to queries, enable the Add identity information to queries parameter.
  4. If required, configure any additional information required within the site.
  5. Click Save to save the changes to the site.

For ID-enabled sites, identity data is attached to queries whose client IP address matches an identity record held by the Identity service.

Integrate the identity information with Cisco Umbrella

Namespaces that use the Cisco Umbrella integration and belong to ID-enabled sites send identity information, when it is available for the client, to Cisco Umbrella. Umbrella can then enforce policy based on the user ID, and the identity is shown in the Umbrella console for those queries.
  1. In the top navigation bar, open the menu and select Namespaces.
  2. Click the add button to add a namespace, or select an existing namespace and click Edit.
  3. Select Cisco Umbrella integration. When this option is selected, you can also select Encrypt queries using DNS over HTTPS, which encrypts the queries routed to Cisco Umbrella (including the embedded identity data) instead of sending them in the clear.

    Selecting Cisco Umbrella integration displays a message indicating that the two applicable Cisco Umbrella IP addresses have been added to the Forwarders field.

  4. If required, configure any additional information required within the namespace.
  5. Click Save.
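To make concrete what "embedded in EDNS" means, and why the Encrypt queries using DNS over HTTPS option matters, here is an added example that is not BlueCat or Cisco code: it builds a DNS query carrying an EDNS0 OPT record (RFC 6891) with one option holding an identity string, then parses the options back out of the raw packet bytes. The option code 65001 (from the RFC 6891 local/experimental range), the UTF-8 user-ID payload and the function names are assumptions for illustration only; they are not the encoding BlueCat Edge or Cisco Umbrella actually use.

```python
"""Added example: identity metadata carried as an EDNS0 option on the wire.

Not BlueCat Edge or Cisco Umbrella code.  The option code, payload layout
and function names are assumptions for illustration.
"""
import struct
from typing import Dict, Optional

TYPE_OPT = 41                   # RFC 6891 OPT pseudo-RR type
EDNS_UDP_PAYLOAD_SIZE = 1232    # advertised buffer size, carried in CLASS
IDENTITY_OPTION_CODE = 65001    # ASSUMPTION: local/experimental code point


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qname: str, identity: Optional[str] = None, txid: int = 0x1234) -> bytes:
    """Return a DNS query for qname/A with an OPT RR in the additional section.
    If identity is given, the OPT RDATA carries it as one EDNS option."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = b""
    if identity is not None:
        payload = identity.encode("utf-8")  # constructed sample identity
        rdata = struct.pack("!HH", IDENTITY_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(wire: bytes, off: int) -> int:
    """Return the offset just past the name at off (compression pointers end a name)."""
    while True:
        if off >= len(wire):
            raise ValueError("truncated name")
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns_options(wire: bytes) -> Dict[int, bytes]:
    """Walk a DNS message and return {option_code: payload} from its OPT RR.
    Returns {} when there is no OPT RR or it carries no options; raises
    ValueError on a malformed message instead of reading past the buffer."""
    if len(wire) < 12:
        raise ValueError("truncated header")
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # QTYPE + QCLASS
    options: Dict[int, bytes] = {}
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        if off + 10 > len(wire):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10
        rdata = wire[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos < rdlen:  # options are TLVs: code(2) length(2) data
            if pos + 4 > rdlen:
                raise ValueError("truncated option header")
            code, olen = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            if pos + olen > rdlen:
                raise ValueError("option overruns RDATA")
            options[code] = rdata[pos:pos + olen]
            pos += olen
    return options


def identity_from_query(wire: bytes) -> Optional[str]:
    """Decode the (assumed) identity option from a query, or None if absent."""
    payload = parse_edns_options(wire).get(IDENTITY_OPTION_CODE)
    return payload.decode("utf-8") if payload is not None else None


if __name__ == "__main__":
    q = build_query("www.example.com", identity="alice@example.com")
    print("identity option:", identity_from_query(q))
    print("identity readable in raw packet:", b"alice@example.com" in q)
```

The identity string is present verbatim in the packet bytes, so when the namespace forwards over plain port 53 anything on the path between the Service Point and Umbrella can read it; that is the reason to turn on the DNS over HTTPS option. The same parser, run over a capture taken on the Service Point's egress interface, is a practical way to confirm that forwarded queries actually carry an EDNS option and to inspect every option present, since `parse_edns_options` returns all of them rather than only the assumed code.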

Verifying identity logs

Once you have enabled the feature to add identity information to queries, you can verify that the identity data is being captured as part of the logs.

  1. Click the DNS activity tab.
  2. Click the column selector to choose the columns displayed in the tab. In the Select Columns window, select the available columns on the left, then click Update Tab. You can click and drag a selected column on the right to re-order the columns.

    Add the User ID entry to the Selected column to include information about user identities in the DNS activity feed.

The queries populated in the Query Log table include the user identity information under the User ID column.