Remove an Umbrella Insights Deployment

Introduction

This document describes how to roll back or remove an Umbrella Insights deployment.

Overview

Due to the nature of the product the deployment can be split into 'sites' which operate independently from each other, so for larger deployments the removal process can be broken down into smaller 'per-site' tasks.

Solution

1 - Switch DNS away from Umbrella

If Insights has been correctly deployed, your network clients exclusively use virtual appliances (VAs) as their DNS servers. If you remove your virtual appliances before changing your DHCP settings to point DNS back to your local DNS servers, DNS resolution fails both internally and externally. Therefore, this is a particularly important step.

The second point on switching DNS settings, is that your local DNS servers need to use the Umbrella anycast IP addresses as their forwarders. If this is the case, policy is still applied to DNS queries leaving the network until you either change the forwarders to point to another public or ISP DNS service, or delete all "networks" (that is, the public egress IPs of your DNS servers) from your Umbrella dashboard. If Umbrella resolvers receive DNS queries from a network that is registered to your organisation, it enforces the policy which applies to that 'network' identity.

Note that the default policy cannot be deleted from the Dashboard, and has default security settings applied therefore always blocks some destinations.

Note: Once you are no longer using the Umbrella service then it does not really matter which order the removal is done in. Let us go through each of the components.

2 - Uninstall the AD Connector

The connector is normally only installed on a couple of servers on the network and can just be uninstalled through Add/Remove programs. This is a quick and painless process and often all that is required.

If your organisation has a large number of connectors to remove, consider using Group Policy to run the task. No reboot is required. If you had a large number of servers to uninstall from you could investigate using Group Policy or a small PowerShell script like this one to automate the task:

$app = Get-WmiObject -Class Win32_Product `                     -Filter "Name = 'Software Name'"

$app.Uninstall()

3 - OpenDNS_Connector User and Domain Controllers

The only service using this account is the OpenDNS Connector service, therefore deleting the account after the service has been uninstalled is expected to have no adverse affect at all. The Domain Controller configuration script performed two tasks:

• Set permissions for the OpenDNS_Connector user account to allow the connector to read logon events from other DCs' security event logs.
• Run an API call to register the domain controller to the Umbrella dashboard which in turn allowed the connector to learn which DCs' to connect to in order to capture logon events.

You can undo the effects of the script by simply deleting this user in AD.

4 - Delete the Virtual Appliances

Each instance of the VA can simply be deleted. If the first step has been followed, they are not serving DNS requests so deleting them is expected to have zero impact on the network. It would be advisable to first shut down the VA's and ensure all services remain operational before deleting the virtual machines.

5 - Delete AD components from Umbrella Dashboard

When a VA or Connector is installed, it registers a corresponding object to the dashboard under: --> Deployments --> Sites and Active Directory

The Domain Controller configuration script also registers each DC it is run on to the dashboard.

All of these objects can be deleted from "Sites and Active Directory" page. It is worth noting that the page is also where Umbrella "sites" can be created, and where the AD components are assigned to these site. If you are removing on a site-by-site basis, ensure you only delete the components that are assigned to that site.