Identity services - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

The BlueCat Edge Identity service collects User Principal Name (UPN) information by parsing directory event logs stored in an Azure Event Hub. Once the Identity service has been granted credentials and the details of the Azure Event Hub where the logs are stored, it builds a map of UPN to IP address. This mapping is then embedded via EDNS in the DNS queries forwarded to Cisco Umbrella for processing, which enables Cisco Umbrella to enforce user or group policies on those queries. The service is intended as a replacement for Cisco Virtual Appliances (VA).

Attention:
  • This feature is only available for Cisco Umbrella users.
  • The Identity service uses the Cisco Umbrella organization ID configured within Edge. You must have the Cisco Umbrella integration configured in Edge before you can configure identity services. For more information, refer to Cisco Umbrella integration.
  • Identity services can only be deployed to Service Point v4 instances running version 4.6.0 or greater.

To configure identity services

  1. In the top navigation bar, click and select Identity services.
  2. To add a new identity service, click .
  3. Enter the name of the identity service.
  4. Under Hub name, enter the Azure Event Hub name. Ensure that this value is correctly copied and pasted from Azure.
    Attention: The Azure Event Hub entered must have a message retention period set so that events expire within 24 hours. If the event expiration is greater than 24 hours, the identity service can consume old events, causing it to operate on incorrect, stale events while it catches up to newer ones.
  5. Under Consumer group, enter the Azure Event Hub consumer group. Ensure that this value is correctly copied and pasted from Azure.
    Note: Only a single consumer can use a consumer group at one time. For example, if you configure two identity services with the same consumer group, only one identity service instance receives events. If the primary identity service instance that received the events goes down, the second identity service instance will start receiving events.
  6. Under Partition ID, enter the Azure Event Hub partition ID. Ensure that this value is correctly copied and pasted from Azure. The default value is 0.
  7. Under Connection string, enter the Azure Event Hub connection string. Ensure that this value is correctly copied and pasted from Azure.
  8. Under Service Point, enter the name of a Service Point v4 VM that will pull the identity service configuration. As you type the service point name, matching service points appear below the Service point field.
  9. Under Service version, select the version of identity service that you would like to deploy. For more information on the changes introduced in identity service versions, refer to Identity service version change log.
  10. Under Service IPs, select one of the following options to bind IP addresses to the identity service:
    • Listen on all primary (IPv4 and IPv6) addresses: the identity service listens for queries on all primary IP addresses configured on the Service Point v4 instance.
    • Don't listen on any addresses: the identity service does not listen for queries on any IP addresses configured on the Service Point v4 instance.
    • Listen only on specific addresses: the identity service listens for queries only on the IP addresses you specify. Once you select this radio button, select the IP addresses to bind:
      1. Select the checkbox next to the Primary IP address to associate with the identity service.
      2. If you have configured Anycast service on the service point, select the checkbox next to the Anycast IP address to bind to the identity service.

        For more information on configuring Anycast service on the service point, refer to Configuring Anycast service on Service Point v4.

      3. If you configured any Alias IP addresses, select the checkbox next to the Aliases IP address to bind to the identity service.
      4. If you have configured DSR VIPs on the service point, select the checkbox next to the Direct server return (DSR) IP address to bind to the identity service.
        For more information on configuring DSR VIPs on the service point, refer to Configuring the DSR VIP on Service Point v4.
        Attention: If you bind the DSR VIP to the identity service, the service point should not receive queries over the DSR VIP. Any queries sent to the service point on the DSR VIP are not answered by the service point, but are answered by the identity service.
  11. Click Deploy.
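Two of the values above are easy to get wrong when copying from Azure: the connection string (step 7) and the retention period of the hub (the Attention note under step 4). The following is an added example, not BlueCat's or Azure's code, that checks a pasted Event Hub connection string for the fields it must carry and shows the effect of the 24-hour caveat by building a UPN-to-IP map from events while discarding anything older than the retention window. The Event Hub connection string format (semicolon-separated key=value pairs with an sb:// Endpoint) is Azure's documented format; the event records and the values in SAMPLE_CONN are constructed stand-ins, and the record fields (time, upn, ip) are an assumption, not the real directory log schema.

```python
"""Added example (not BlueCat Edge code): validate an Azure Event Hub
connection string and build a UPN -> IP map that ignores stale events."""

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fields an Event Hub connection string must carry; EntityPath is optional
# because namespace-level strings omit it.
REQUIRED_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

# Retention window the Attention note under step 4 requires.
RETENTION = timedelta(hours=24)


def parse_connection_string(conn):
    """Split a 'Key=Value;Key=Value' Event Hub connection string into a dict
    and check the parts the identity service needs. Raises ValueError on a
    string that was truncated or mangled while copying from Azure."""
    parts = {}
    for field in conn.strip().strip(";").split(";"):
        if not field:
            continue
        # partition() on the first '=' keeps base64 '=' padding in the key intact
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field (no '='): {field!r}")
        parts[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in parts]
    if missing:
        raise ValueError(f"connection string is missing {missing}")
    endpoint = urlparse(parts["Endpoint"])
    if endpoint.scheme != "sb" or not endpoint.hostname:
        raise ValueError(
            f"Endpoint must look like sb://<namespace>.servicebus.windows.net/, "
            f"got {parts['Endpoint']!r}"
        )
    return parts


def build_upn_map(events, now, max_age=RETENTION):
    """Return ({upn: ip}, dropped_count). Only the newest event per UPN wins,
    and any event older than max_age is dropped rather than allowed to
    overwrite a fresher mapping, which is the failure the 24-hour note warns about."""
    latest = {}
    dropped = 0
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if now - ts > max_age:
            dropped += 1
            continue
        upn = ev["upn"]
        if upn not in latest or ts > latest[upn][0]:
            latest[upn] = (ts, ev["ip"])
    return {upn: ip for upn, (_, ip) in latest.items()}, dropped


# Constructed sample data (not real Azure output). The key name "listen-only"
# reflects the least-privilege policy a log consumer should be given.
SAMPLE_CONN = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=listen-only;"
    "SharedAccessKey=Zm9vYmFy==;"
    "EntityPath=directory-logs"
)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # more than 24h old: must not set alice's address
    {"time": "2024-04-29T09:00:00+00:00", "upn": "alice@example.com", "ip": "10.0.0.5"},
    {"time": "2024-05-01T08:00:00+00:00", "upn": "alice@example.com", "ip": "10.0.0.21"},
    {"time": "2024-05-01T11:30:00+00:00", "upn": "bob@example.com", "ip": "10.0.1.7"},
    # in-window but older than bob's 11:30 event: must not overwrite it
    {"time": "2024-05-01T10:00:00+00:00", "upn": "bob@example.com", "ip": "10.0.1.3"},
]

if __name__ == "__main__":
    parts = parse_connection_string(SAMPLE_CONN)
    print("namespace:", urlparse(parts["Endpoint"]).hostname, "hub:", parts.get("EntityPath"))
    mapping, dropped = build_upn_map(SAMPLE_EVENTS, NOW)
    print("mapping:", mapping, "dropped stale:", dropped)
```

Running the module prints the parsed namespace and hub name, then the two-entry mapping with one stale event dropped. The consumer-group note under step 5 also matters here: because only one consumer receives a group's events at a time, a second identity service configured with the same consumer group would sit idle until the first goes down.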