Prerequisites for Virtual Appliances

The Cisco Secure Access Virtual Appliance is a lightweight virtual machine that acts as a non-caching, conditional DNS forwarder. Virtual Appliance images are configured with the Ubuntu OS.

Before you deploy the Cisco Secure Access Virtual Appliances in your environments, we recommend that you review the requirements and prerequisites.

Table of Contents

Endpoint Software

  • You are not required to install client-side software for Virtual Appliance deployments.
  • You do not have to reconfigure image operating systems.

Virtual Appliance Requirements

  • For information about license and package requirements, see Determine Your Current Package.
  • At a minimum, to process millions of DNS queries per day, allocate these resources for each VA:
    • Two virtual CPU cores
    • 2GB RAM (recommended)
    • 7GB of disk space
  • Deploy two Virtual Appliances in a Site.
    VAs must be deployed in pairs to ensure redundancy at the DNS level and to allow for updates without downtime.
  • Download a fresh image from Secure Access for each deployment.
  • Ensure your hypervisor host has the correct date and time. The incorrect date or time can cause update or sync issues with the VAs. The VA syncs time independently and is always set to UTC by default. For more information, see, Network Time Protocol Servers.
  • Each VA can process millions of DNS requests in a single day. If your network could exceed this number, see Virtual Appliance Sizing Guide.
  • VAs deployed on platforms such as Amazon Web Services and Google Cloud Platform require a minimum of 1GB RAM per CPU core.
  • Secure Access does not support deployments on VMWare ESXi 8.0 U3.

Networking Requirements

Once VAs are deployed, endpoint clients must exclusively resolve DNS through the VAs and not your local DNS forwarders. This is usually accomplished through the network's DHCP configuration. For more information, see Local DNS Forwarding.

Allow Connections to Various Domains and Services

You must allow connections to certain domains and URLs for the Virtual Appliances to communicate with the Secure Access cloud services and local DNS servers. These requirements apply to each platform where the VA is deployed.

Network Time Protocol Servers

Allow connections from your Virtual Appliances to NTP servers on UDP port 123.

  • ntp.ubuntu.com
    • 91.189.94.4/32
    • 91.189.89.199/32
    • 91.189.91.157/32
    • 91.189.89.198/32

Note: If you have configured custom NTP servers on the VA, use the custom NTP server IPs instead.

Intrusion Protection Systems (IPS) and Deep Packet Inspection (DPI)

If you have deployed an IPS or DPI, ensure that traffic on port 53 TCP/UDP to and from the VAs is excluded from packet inspection. The Secure Access DNS encryption methods might be flagged and dropped. If the VAs can not successfully send and receive encrypted DNS packets, Secure Access displays a warning.

Network Address Translation (NAT)

If a routing device running a separate NAT is placed between the endpoints and VAs in your organization, than Secure Access displays the NAT device's IP address for the endpoint's IP address. The endpoints must reach the VAs without being subjected to a separate NAT. If you are unable to remove a routing device with a separate NAT, you may have to run a separate set of VAs within that NAT. If you have any questions regarding this matter, contact Support.

Encrypting Traffic with DNSCrypt

Virtual Appliances support DNSCrypt between the virtual machine and the Secure Access public DNS resolvers. This means that any information contained in the EDNS packets forwarded from the VA are encrypted by DNSCrypt and cannot be intercepted. For optimum protection, this feature is enabled by default.

Unencrypted traffic is considered a problem that should be resolved. When encryption can not be established between your VA and the Secure Access DNS servers, Secure Access displays a warning. Encryption is established with a probe sent on port 53 (UDP/TCP) to 208.67.220.220 and 208.67.222.222 and if you have a firewall or IPS/IDS doing deep packet inspection and expecting to see only DNS traffic, the probe may fail.

If the probe fails, it is retried on 443 (UDP/TCP) and then on 5353 (UDP). Thus, the encrypted packets may not match the expected traffic on that port. Review your firewall configuration if that is the case and open a case with Support if you believe that you are allowing this traffic.


Get Started with Virtual Appliances < Prerequisites for Virtual Appliances > Virtual Appliance Deployment Guidelines