Disable Behind Protected Network Policies is a feature that allows administrators of Cisco Umbrella roaming clients to state that whenever an Umbrella roaming client's computer is connected to specific networks, the Umbrella roaming client automatically disables itself and lets the local DNS servers resolve DNS while the user is in that location. This essentially facilitates an "on-network" policy and an "off-network" policy if desired by the administrator. This feature is mostly used when you want different content filtering policies on and off the network. If you do not use content filtering, this feature may not be desirable.
Confirm prerequisites before changing this setting!
Roaming Client Behavioral Changes
When on a protected network, roaming users' DNS will function as though they were regular network users:
- Roaming users will be subject to the relevant network policy's settings
- Reporting will be at the network level: you will lose the Umbrella roaming client's granular reporting while on the network.
- Umbrella roaming client disables itself: DNS settings will be reset back to the original DNS servers provided by DHCP.
- Outbound DNS will no longer be encrypted.
Protected Networks vs. Regular Networks
The main difference with protected networks is that DNS will revert to what was provided by DHCP, instead of being encrypted and sent directly to Umbrella. With regular networks, you can still achieve an off-network and on-network policy by simply placing the network-based policy higher in the Policy builder. Using internal domains should prevent any issues with accessing internal resources while on a regular network.
Both protected network and regular network policies require that a network policy is configured with a higher precedence than any Umbrella roaming client policies if you want separate off-network and on-network policies. Without this, the Umbrella roaming client policy will still take precedence over the network policy.
The roaming client will only disable itself when the reporting and policy for the network are identical to what the client would receive while encrypted.
In the Local Network
- The local DNS servers must be configured to use Umbrella as the sole DNS forwarders.
- The DHCP scope must be configured to hand out IPs of the internal DNS servers to the Umbrella roaming clients.
- The local network must allow direct access to either 53/udp or 443/udp with a destination of 18.104.22.168.
- The workstation's egress IP must match the registered network of the configured local DNS server's egress IP. That is, the "originid" field in the results of the following two commands must match:
  - nslookup -type=txt debug.opendns.com 22.214.171.124
  - nslookup -type=txt debug.opendns.com [local DNS server IP]
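To check the egress prerequisite above without comparing the two nslookup outputs by eye, here is an added shell example (not from the Umbrella article). It assumes nslookup prints TXT records as `name text = "value"` lines and takes the Umbrella resolver IP and local DNS server IP as parameters; the sample captures at the bottom are constructed so the parsing can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not from the Cisco Umbrella article. Verifies the egress
# prerequisite: the "originid" TXT value returned when querying
# debug.opendns.com directly must equal the one returned via the local DNS
# server. Assumes nslookup prints TXT records as:  <name>  text = "<value>"

# Pull the originid value out of captured nslookup TXT output (empty if absent).
extract_originid() {
    printf '%s\n' "$1" | sed -n 's/.*"originid \([0-9][0-9]*\)".*/\1/p' | head -n 1
}

# Return 0 when both captures report the same non-empty originid, 1 otherwise.
originid_matches() {
    local direct local_dns
    direct=$(extract_originid "$1")
    local_dns=$(extract_originid "$2")
    [ -n "$direct" ] && [ -n "$local_dns" ] && [ "$direct" = "$local_dns" ]
}

# Live check: run the article's two queries and compare them.
# $1 = Umbrella resolver IP, $2 = local DNS server IP (both supplied by you).
check_live() {
    local direct_out local_out
    direct_out=$(nslookup -type=txt debug.opendns.com "$1" 2>&1)
    local_out=$(nslookup -type=txt debug.opendns.com "$2" 2>&1)
    if originid_matches "$direct_out" "$local_out"; then
        echo "originid matches ($(extract_originid "$direct_out")): egress prerequisite met"
    else
        echo "originid mismatch: direct=[$(extract_originid "$direct_out")] local=[$(extract_originid "$local_out")]"
        return 1
    fi
}

# Constructed sample captures (not real query results) for an offline run.
SAMPLE_DIRECT='debug.opendns.com text = "server m1.lon"
debug.opendns.com text = "originid 12345678"
debug.opendns.com text = "source 203.0.113.10:53"'
SAMPLE_LOCAL_OK='debug.opendns.com text = "server m2.lon"
debug.opendns.com text = "originid 12345678"
debug.opendns.com text = "source 203.0.113.10:53"'
SAMPLE_LOCAL_BAD='debug.opendns.com text = "server m2.lon"
debug.opendns.com text = "originid 87654321"
debug.opendns.com text = "source 198.51.100.7:53"'
```

Run `check_live <umbrella-resolver-ip> <local-dns-ip>` from a workstation on the network in question; a mismatch means the roaming client will not see the network as protected.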
Knowledge base article: Getting started protecting your networks with Umbrella
- Your subscription must include network protection.
- The network(s) in question must exist in the Umbrella dashboard.
- The network(s) in question must exist in an Umbrella policy with a higher precedence than your desired Umbrella roaming clients.
Note: The network policy does not need to enforce content filtering or have logging configured. Security filtering will be enabled by default, but can also be disabled inside the Policy editor. The presence and placement of the policy is all that matters.
To enable the feature in the Umbrella dashboard:
- Navigate to Identities > Roaming Computers
- Click the Roaming client settings icon.
- Check Disable Roaming Client when on an Umbrella Protected Network and click Save.
Double-check that you have met all the prerequisites mentioned earlier in this article.
Once these steps are completed, the Umbrella roaming client will receive the change in ~10 minutes. You should see this reflected in your tray icon.
Please open a support ticket if you believe it should be working, but it is not.