Getting Started
Encapto MSP can integrate with Cisco Umbrella to empower your customers to self-provision and manage the application of pre-defined policies. Currently this works with MSLA licensing, for DNS and Secure Internet Gateway (SIG) based security.
The customer portal allows your customers to create their own sites and remote workers, allocate Cisco Umbrella User licenses to a site, and apply policies predefined by you to their roaming clients and equipment.
Each Cisco Umbrella user seat maps to a Cisco Umbrella User License in Encapto MSP. These licenses track the number of underlying seats the customer has purchased, and also enable Umbrella functionality when allocated to a site.
Encapto MSP groups Umbrella roaming clients into sites, along with compatible devices like Meraki MXs and Z3s. When one or more Umbrella User licenses are allocated to a site, the customer portal will then allow the customer to assign Umbrella policies to that site. Encapto MSP automatically applies those Umbrella policies to all the roaming clients and compatible devices under that site.
Policies must still be defined, and any changes to them made, by you, the MSP, in consultation with your customer. This ensures that changes are controlled and your customer cannot accidentally make themselves vulnerable.
Requirements
- MSLA licensing
- DNS and/or Secure Internet Gateway (SIG) based security.
Enabling Umbrella Integration
The MSP first-time setup wizard will guide you through the process for integrating Encapto MSP with Cisco Umbrella. The details needed are as follows:
Create API Keys
A managed service provider management “API Key” and “API Secret” need to be provided. These give Encapto MSP access so that it can manage licenses and create customer sub-accounts. These fields can be obtained from the Umbrella dashboard as follows:
- Log in to your Cisco Umbrella account
- Click “Settings” on the top navigation bar
- Click “API Keys” in the secondary navigation bar
- Select “API keys”
- Click the “Add” icon on the top left
A form will now show to add the API key:
- Enter a recognisable name, for instance “Encapto MSP”
- Select all the entries under “Key scope”
- Click Generate Key
- Copy and paste the API Key and Secret into the Encapto MSP form
Customer License Type
The “customer license type” controls the initial license type created by Encapto MSP for your customers. You can choose trial here if you are offering your customers a trial first. Trial customers can be promoted to full license in the Cisco Umbrella Dashboard.
Default tunnel location
This is the IP address of the Cisco Umbrella data center to use as the default when a new tunnel is created for a customer.
The data centres are listed here.
This should be set to the most appropriate data center for the location of your customers (e.g. the Singaporean data centre for a South East Asian MSP).
Complete the integration in Encapto MSP
Now that you have the API credentials, switch back to the Encapto MSP On-boarding wizard and complete the 'Set up Umbrella' form. You can use the link in the Encapto MSP activation email you received to bring up the wizard.
Product Configurator
Encapto MSP automatically provisions Umbrella SASE licenses. You will need to navigate to the inventory catalogue guide and create the license types [‘Umbrella DNS Security Essentials’, ‘Umbrella SIG Essentials’] you want to sell. Note that you can sell multiple different types of Umbrella licenses, but once a particular customer purchases one type, they cannot purchase other types of Umbrella licenses into their account.
After creating the inventory catalogue items, you can attach these items to your webstore; see the product configurator guide for how this works.
Order processing
Customers purchasing their first license(s)
When an Encapto MSP order provisions the first Umbrella license to a customer, it will automatically create a sub-account for them in Umbrella, and link that account to their company account in Encapto MSP.
The order will then stop with a manual step:
You will now need to create API keys and policies for the customer sub-account. This must be done from the Cisco Umbrella dashboard for that customer:
- In Encapto MSP, from the order, click the ‘Customer Dashboard’ link. This will open the customer’s Umbrella dashboard in a new window. If you are not logged in to Cisco Umbrella, it will direct you to the login page. After logging in, click the link again to navigate directly to the page.
- Assuming this is the first time you are opening the customer’s dashboard in Cisco Umbrella, you will be presented with a Welcome popup. As Encapto MSP will be setting the customer up, please skip this step.
- Open the ‘Admin’ → ‘API Keys’ page.
  - Click “API Keys” on the left hand side menu
  - Select the “API Keys” box
  - Click the “Add” icon
  - Follow the instructions to generate an API key, and paste it into the Encapto MSP order for the customer
- Next you will need to create an “Umbrella Network Devices” legacy key, not to be confused with the “Legacy Network Devices” key.
  - Select the “Legacy Keys” box
  - Select the “Umbrella Network Devices” option (not “Legacy Network Devices”)
  - Click “Generate Token”
  - Copy the token and paste it into the Encapto MSP order for that customer
  - IMPORTANT: You should store this “Umbrella Network Devices” customer key somewhere secure, as it is required in the Meraki Dashboard to link the customer's Meraki network to Umbrella.
- Finally you will need to create policies for the customer in their Umbrella dashboard. The customer will be able to assign these policies to their devices and roaming clients themselves from their Encapto MSP portal.
  - In the Encapto MSP order, you will be able to see if the customer has purchased DNS or SIG based security. In this example, they have purchased SIG, so we will need to create “Web Policies” in Umbrella.
  - In Umbrella, select “Policies” from the left hand navigation menu
  - As this example is a SIG customer, select “Web Policies” from the sub-menu. For DNS customers, please select “DNS Policies”
  - Click the “Add” icon on the top left.
  - For additional help, please follow the help link in the Umbrella dashboard.
This process needs to be done once for each customer.
Once this is complete, the licenses will be added to the customer’s inventory, and they will be able to use their all sites security page from their Encapto MSP portal to allocate the Umbrella licenses into sites, and assign the policies you defined to the sites. Relevant inventory under that site will have those policies applied, be it a Meraki security appliance or roaming clients.
The customer’s Umbrella sub-account is licensed under a Managed Service License Agreement (MSLA) which is post-paid monthly based on the allocated number of seats. The license is owned by you, the service provider.
Customers purchasing additional licenses
Customers buying additional licenses will already have an Umbrella sub-account linked to the Encapto MSP company account. You will not need to create API keys for them, as they will already exist. Note that these customers will not be able to buy Umbrella licenses of a different type.
In terms of MSLA licensing, the Umbrella sub-account will be updated with the appropriate number of seats for the additional services requested.
Once this is complete, the licenses will be added to the customer’s inventory, and they will be able to use their Security page to allocate the Umbrella licenses into sites.
Binding Umbrella DNS to MX/Z3 devices
Unfortunately, there is not yet an automated way to configure Umbrella DNS with MX/Z3. Until then, this will need to be done manually by following these steps:
- Grab a copy of your 'Umbrella Network Devices' API key from your Umbrella Account (created as part of setting the customer up).
- Apply the Umbrella API Key to their Meraki Network
  - Open the customer's Meraki organisation in the Meraki dashboard
  - Select the network to link Umbrella to
  - Navigate to Network-wide > Configure > General
  - Scroll down to the bottom of the page and click New credentials under the Cisco Umbrella account header
  - Paste the Umbrella API key and secret in the appropriate fields and click "Save Changes"
- Now you need to link the device to Umbrella
  - For Z3s, navigate to "Teleworker Gateway", then "Traffic Shaping"
  - For MX, navigate to "Security & SD-WAN", then "Threat Protection"
  - Click "Enable Umbrella Protection"
Note that you can make this change to the customer's Network template so that new sites will automatically get this configuration. For more information see the guide here. Please note that you do not need to link any policies, as this is all handled by Encapto MSP.
Unbinding Umbrella DNS from MX/Z3 devices
Unfortunately, there is not yet an automated way to configure Umbrella DNS with MX/Z3. Until then, this will need to be done manually by following these steps:
- Open the customer's Meraki organisation in the Meraki dashboard
- Navigate to Network-wide > Configure > General
- Scroll down to the bottom of the page, check the 'Delete linked account' box under 'Cisco Umbrella Account' and select Save Changes
For more information see the guide here. Please note that you do not need to link any policies, as this is all handled by Encapto MSP.
Creating remote workers and sites
Customers can use their self-service Security page to provision their own sites and remote workers, as well as allocate Umbrella licenses to those sites. These will appear in the ‘sites’ tab of the customer in the MSP admin portal.
Requests by the customer to create sites and remote workers will create an order (visible in Orders) and will be automatically processed by Encapto MSP.
Assigning policies
Once a site/remote worker has one or more Umbrella user licenses allocated to it, the site security page is enabled on the site, allowing end customers to view usage on that site, and to download and install a roaming client. The roaming client will automatically be associated with the site it was downloaded from and automatically have the policies configured against that site applied.
Requests by the customer to assign policies will create an order (visible in Orders) and will be automatically processed by Encapto MSP.
Managing the Umbrella Integration
You can view and edit the Cisco Umbrella integration details by:
- Log in to your MSP account
- Click ‘Admin’ on the left hand side navigation menu
- Select the ‘Integrations’ tab
- Expand the ‘Cisco Umbrella’ row
- Click ‘Edit’
Customer Portal
The customer portal enables your customer to:
- Create their own remote workers and sites
- Allocate Umbrella licenses to sites and remote workers
- Assign policies to sites and remote workers (which are automatically applied to devices and roaming clients under those sites)
- Download and install roaming clients, which are automatically linked to the relevant site and have the relevant policies applied
- View security analytics and statistics
Customers have two views of their Umbrella setup: