Multiple AD Domains with Secure Access Sites

Cisco Secure Access Sites let administrators create separate, isolated Secure Access deployments within one organization. Each Secure Access Site is a container: the components placed in it communicate and sync only with other components in the same Secure Access Site. This lets you divide a large multi-site network into groups. For example, your Secure Access Sites might be North America, Asia, and Europe, or Northeast, California, Atlanta office, South Region, and London, and each Secure Access Site may correspond to one Active Directory (AD) site or to a combination of AD sites.

This is useful in AD environments with high-latency links between locations, or in environments where the internal IP space of different locations overlaps.

Active Directory Sites and Secure Access Sites

A site represents a set of computers connected by a high-speed network, such as a local area network (LAN). Typically, all computers in the same physical site reside in the same building or the same campus network. AD and Secure Access both use the term "sites"; the meanings are related but not identical.

Active Directory Sites and Services

  • In AD, a site object represents physical network topology: a set of well-connected subnets. AD uses sites to build the replication topology between domain controllers and to direct clients to domain controllers in their own site.
  • AD Sites and Services manages the objects that represent each site, its subnets, and the domain controllers that reside in the site.

Secure Access Sites

  • A Secure Access Site refers to a set of components, Virtual Appliances (VAs), Cisco AD Connectors, and domain controllers, that communicate only with each other.
  • A Secure Access Site is more than a label; it is a container. A Secure Access Site is not the same as an AD site. Multiple AD sites can be part of one Secure Access Site, but one AD site should not be split across multiple Secure Access Sites.
  • Each Secure Access Site must have a minimum of two VAs and, for an AD integration, at least one AD Connector and the domain controllers that users in that location authenticate against.

Because Secure Access Sites act as isolated deployments, each Secure Access Site must have a minimum of two VAs. If AD integration is also being used, each site must additionally contain at least one AD Connector and ALL domain controllers against which users in that location authenticate. A domain controller left out of the site is not seen by that site's connector, so logins against it produce no user mappings for that site's VAs.

When to Use Secure Access Sites

  • You need to limit WAN traffic between locations and are using AD sites to keep authentication on local domain controllers
    http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx.
  • Your locations communicate through a NAT device, which causes the internal IP address of the end machine to be lost when traffic crosses between locations.
  • Your locations use overlapping internal IP ranges.
  • Your locations have high-latency connections between them, for example branches on different continents. High-latency connections, especially between the connector and the VAs, delay updates to user mappings.

Caveats

The isolation of the components in a given Secure Access Site means that a VA is only aware of users who have authenticated against domain controllers assigned to the same Secure Access Site. As a result, we do not recommend using multiple Secure Access Sites within a single AD site, even if that AD site spans multiple geographical locations. In such a scenario, users in one location may still authenticate against a DC in another location, and the Secure Access components in their own location would miss those user mappings.
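The requirements above (every DC a location's users authenticate against belongs to the same Secure Access Site, and an AD site is never split across Secure Access Sites) are easiest to meet if you first map AD sites to their domain controllers and subnets and plan the Secure Access Site assignment along those boundaries. The following PowerShell is an added example, not code from the Cisco page or product; it assumes the RSAT ActiveDirectory module is installed, the caller can read the AD configuration partition, and that the `$SiteAssignment` table is a hypothetical planning table you fill in with your own AD site and Secure Access Site names.

```powershell
# Added example (not from the Cisco page): map AD sites -> domain controllers -> subnets
# so that Secure Access Site boundaries follow AD site boundaries.
# Assumptions: RSAT ActiveDirectory module present; $SiteAssignment is a hypothetical
# planning table (AD site name -> intended Secure Access Site) with constructed names.
Import-Module ActiveDirectory

$SiteAssignment = @{
    'NYC-HQ'  = 'North America'
    'Atlanta' = 'North America'
    'London'  = 'Europe'
}

# Index all DCs in the domain by the AD site they live in.
$dcsBySite  = Get-ADDomainController -Filter * |
              Group-Object -Property Site -AsHashTable -AsString
$allSubnets = Get-ADReplicationSubnet -Filter *

$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $subnets = $allSubnets | Where-Object Site -eq $site.DistinguishedName |
               Select-Object -ExpandProperty Name
    $dcs     = @($dcsBySite[$site.Name] | ForEach-Object HostName)
    [pscustomobject]@{
        ADSite            = $site.Name
        SecureAccessSite  = $SiteAssignment[$site.Name]
        DomainControllers = ($dcs -join ', ')
        Subnets           = ($subnets -join ', ')
    }
}
$report | Format-Table -AutoSize

# Check 1: every AD site that hosts DCs is assigned to exactly one Secure Access Site.
# An unmapped DC would be invisible to the connector in the site where its users sit.
$unmapped = $report | Where-Object { $_.DomainControllers -and -not $_.SecureAccessSite }
if ($unmapped) {
    Write-Warning "AD sites with DCs but no Secure Access Site assignment: $($unmapped.ADSite -join ', ')"
}

# Check 2: which DC and AD site a client in this location actually uses. Run on a
# domain-joined host at the location; the DC returned must be assigned to the same
# Secure Access Site as that location's VAs and AD Connector.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

Run the second check from a few hosts per location before assigning components in the dashboard: if `nltest` returns a DC in another location, that DC (or the whole AD site it belongs to) has to be in the same Secure Access Site, or the logins will not be mapped.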

Use Secure Access Sites

Configure each Secure Access Site as if it were a complete deployment. Ensure that at least two VAs, one AD Connector and the relevant domain controllers are assigned to each site. Verify a complete, functioning deployment at each site before moving on to the next site. For more information, see Manage Site for VA.

Active Directory Only

If you change the Secure Access Site assignment of a VA, an AD Connector, or a domain controller after the connector service has been installed, you must stop and start the AD Connector service on each connector in the affected Sites, using the Services management tool in Windows.
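Doing the stop/start through services.msc on every connector host is tedious in a multi-site deployment. The PowerShell below is an added example, not code from the Cisco page or product; it assumes WinRM is enabled on the connector hosts, that the caller is a local administrator on each of them, and that the connector's Windows service display name is `OpenDNS Connector` (confirm the name in services.msc on one of your connectors; the hostnames in `$Connectors` are constructed).

```powershell
# Added example (not from the Cisco page): stop and start the AD Connector service on
# every connector host after a Secure Access Site assignment changes.
# Assumptions: WinRM enabled; caller is local admin; service display name as below
# (verify on your own connector, it is an assumption here); hostnames are constructed.
$Connectors  = @('adc-nyc-01.corp.example', 'adc-lon-01.corp.example')
$DisplayName = 'OpenDNS Connector'

Invoke-Command -ComputerName $Connectors -ArgumentList $DisplayName -ScriptBlock {
    param($DisplayName)

    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$env:COMPUTERNAME: no service with display name '$DisplayName'"
        return
    }

    # The page calls for a stop followed by a start; wait for each state so a
    # half-stopped service is not reported as healthy.
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Service = $svc.Name
        Status  = (Get-Service -Name $svc.Name).Status
    }
} | Format-Table -AutoSize
```

After the services come back, confirm in the dashboard that each connector reports against the Secure Access Site you moved it to before checking user mappings on that site's VAs.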
