The DNS Edge Identity service allows you to collect User Principal Name (UPN) information by parsing directory event logs stored in an Azure Event Hub. Once the Identity service has been granted credentials and the details of the Azure Event Hub where the logs are stored, it builds a map of UPN to IP address. This mapping is then embedded as EDNS data in the DNS queries forwarded to Cisco Umbrella for processing. This enables Cisco Umbrella to enforce user or group policies on queries and is intended as a replacement for Cisco Virtual Appliances (VA).
- This feature is only available for Cisco Umbrella users.
- The Identity service uses the Cisco Umbrella organization ID configured within Edge. You must have the Cisco Umbrella integration configured in Edge before you can configure identity services. For more information, refer to Cisco Umbrella integration.
- Identity services can only be deployed to Service Point v4 instances running version 4.5.0 or greater.
To configure identity services
- In the top navigation bar, click and select Identity services.
- Click to add a new identity service.
- Enter the name of the identity service.
- Under Forward type, select one of the following forward types:
- DoT: DNS packets are encrypted and forwarded to Cisco Umbrella using DNS over TLS.
- DoH: DNS packets are encrypted and forwarded to Cisco Umbrella using DNS over HTTPS.
- DNS: DNS packets are forwarded to Cisco Umbrella unencrypted.
Note: Only the User Principal Name (UPN) in the DNS packets sent to Cisco Umbrella is hashed. Other information, including the Org_ID, Internal_IP, and Device_ID, is not hashed.
- If you select DNS as the Forward type, or if the DoT and DoH channels are unavailable, the DNS packets will be forwarded unencrypted; however, the identity data remains hashed.
- Under Hub name, enter the Azure Event Hub name. Ensure that this value is correctly copied and pasted from Azure.
Attention: The Azure Event Hub entered must have a message retention period set so that events expire within 24 hours. If the event expiration is greater than 24 hours, the identity service can consume old events, so that it operates on stale identity data while it catches up to newer events.
- Under Consumer group, enter the Azure Event Hub consumer group. Ensure that this value is correctly copied and pasted from Azure.
- Under Partition ID, enter the Azure Event Hub partition ID. Ensure that this value is correctly copied and pasted from Azure. The default value is 0.
- Under Connection string, enter the Azure Event Hub connection string. Ensure that this value is correctly copied and pasted from Azure.
- Under Service Point, enter the name of a Service Point v4 VM that will pull the identity service configuration. As you type the service point name, matching service points appear below the Service point field.
- Under Service IPs, you can optionally select the following groups of IP addresses to bind to the identity service:
Note: If you do not select any additional IP addresses, the identity service binds to the primary IP address of the service point.
- Select the checkbox next to the Primary IP address to associate with the identity service.
- If you have configured Anycast service on the service point, select the checkbox next to the Anycast IP address to bind to the identity service.
For more information on configuring Anycast service on the service point, refer to Configuring Anycast service on Service Point v4.
- If you configured any Alias IP addresses, select the checkbox next to the Aliases IP address to bind to the identity service.
- If you have configured DSR VIPs on the service point, select the checkbox next to the Direct server return (DSR) IP address to bind to the identity service. For more information on configuring DSR VIPs on the service point, refer to Configuring the DSR VIP on Service Point v4.
Attention: If you bind the DSR VIP to the identity service, the service point should not receive queries over the DSR VIP. Any queries sent to the service point on the DSR VIP are not answered by the service point, but are answered by the identity service.
- Click Deploy.
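The four Azure Event Hub values entered above (Hub name, Consumer group, Partition ID, Connection string) are easy to mis-paste, and a deployment with a wrong value fails silently at collection time. The following added example, which is not BlueCat's or Azure's code, sanity-checks them before you click Deploy; the namespace, hub and policy names in the sample data are constructed placeholders, and the Listen-only policy check is an added least-privilege recommendation rather than a requirement stated on this page.

```python
"""Pre-deployment checks for the Azure Event Hub settings used by the
DNS Edge Identity service. Added example, not BlueCat or Azure code."""
from urllib.parse import urlparse

# The Identity service only reads events, so a Listen-only shared access
# policy is sufficient. The name below is Azure's default namespace-level
# policy, which carries Manage rights (assumption: you created a narrower one).
OVERPRIVILEGED_POLICY_NAMES = {"RootManageSharedAccessKey"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Values (e.g. a base64 key)
    may themselves contain '=', so split each field on the first '=' only."""
    parts = {}
    for field in conn.strip().split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        parts[key.strip()] = value.strip()
    return parts


def validate_identity_service_settings(hub_name, consumer_group, partition_id, conn):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if not hub_name or hub_name != hub_name.strip():
        problems.append("hub name is empty or has surrounding whitespace")
    if not consumer_group or consumer_group != consumer_group.strip():
        problems.append("consumer group is empty or has surrounding whitespace")
    if not partition_id.isdigit():
        problems.append("partition ID must be a non-negative integer (default 0)")
    try:
        parts = parse_connection_string(conn)
    except ValueError as exc:
        return problems + [f"connection string: {exc}"]
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not parts.get(required):
            problems.append(f"connection string missing {required}")
    if urlparse(parts.get("Endpoint", "")).scheme != "sb":
        problems.append("Endpoint should use the sb:// scheme")
    entity = parts.get("EntityPath")
    if entity and entity != hub_name:
        problems.append(f"EntityPath {entity!r} does not match hub name {hub_name!r}")
    if parts.get("SharedAccessKeyName") in OVERPRIVILEGED_POLICY_NAMES:
        problems.append("use a Listen-only policy instead of the namespace root key")
    return problems
```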