browse
Table of Contents
|
Virtual Appliances and Protected Networks Special Considerations when using standalone and CSC + Roaming Security Module |
Introduction
The Cisco Umbrella Roaming Client works with most VPN software, but there are instances when additional steps are required to have both types of software work as expected.
Cisco Umbrella recommends deploying the Cisco Secure Client + Roaming Security module for maximum compatibility. This can be deployed without the VPN components.
This article refers to the standalone Umbrella Roaming Client. For a companion article on the Umbrella Roaming Security Module for Cisco Secure Client (and legacy AnyConnect) - click here.
This document provides technical information and additional context for specific VPN clients which may require further configurations. This document serves as general guidance and does not serve as an official list of supported software.
Cisco Umbrella does not test, validate, or certify functionality with any 3rd party software or VPN client.
For a list of known incompatible VPN software, see the Incompatible VPNs section of this article.
It is also worth noting that, while this article refers specifically to the standalone Roaming Client, any DNS incompatibility with the Roaming Client will also cause Cisco Secure Client + Roaming Security module with SWG to fail, as the SWG client also depends on successfully establishing a DNS connection to work properly.
How the Umbrella Roaming Client Works with VPN Clients
The Umbrella Roaming Client binds to all network adapters and changes DNS settings on the computer to 127.0.0.1 (localhost). This allows the Umbrella Roaming Client to forward all DNS queries directly to Umbrella while allowing the resolution of local domains through the Internal Domains feature.
Upon establishing a connection to a VPN server, the Umbrella Roaming Client detects a new network connection in the system and changes the connection's DNS settings to point toward the Umbrella Roaming Client. The Umbrella Roaming Client relies on being able to perform DNS lookups to Umbrella's AnyCast DNS IP addresses (208.67.222.222/208.67.220.220).
If you are connecting to a VPN, the firewall associated with the VPN should allow access to Umbrella.
Umbrella Roaming Client Incompatibilities
At present, the Umbrella Roaming Client delivers DNS layer enforcement. The DNS layer is the primary function of the Roaming Client, applying DNS-based security policies on any network. This function of the Roaming Client may experience known software incompatibilities as follows:
The DNS Layer of the Umbrella Roaming Client is incompatible with the following clients based on support team testing. These clients are not verified or tested by Cisco Umbrella Engineering and all entries are subject to review.
| This article refers to the standalone Umbrella Roaming Client. For a companion article on the Umbrella Roaming Security Module for Cisco Secure Client (and legacy AnyConnect)- click here. |
| VPN | Issue/Incompatibility | Resolution |
| Pulse Secure | On disconnect, saved local DNS may remain VPN values rather than WiFi/Ethernet values due to Pulse modification during VPN connection. |
Resolved with the Umbrella module - included in most licenses |
| Avaya VPN | Incompatible |
Resolved with the Umbrella module - included in most licenses |
| Windows VPN, notably Always on VPN | May result in local DNS failing to resolve to the internal answer despite the DNS hostnames being on the internal domains list. |
Resolved with the Umbrella module - included in most licenses |
| VPNs "apps" built on top of the Windows Universal Platform | These apps must utilize a Microsoft connection API that requires DNS be sent to the local NIC, not 127.0.0.1 and therefore will display an error that it cannot connect. |
Resolved with the Umbrella module - included in most licenses |
| OpenVPN | Incompatible |
No fix available |
|
Palo Alto GlobalProtect VPN |
Does not work with any standalone roaming client version after 3.0.110. |
Fixed by using the Umbrella module - included in most licenses |
|
F5 VPN |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
|
Checkpoint VPN |
macOS Only, Split-tunnel mode only |
Disable split-tunnel on macOS |
| SonicWall NetExtender |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
| Zscaler VPN |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
| Akamai endpoint protection (ETPclient) |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
| NordVPN |
Use workaround |
Two options exist for adding compatibility. Firstly, use the OpenVPN connection method as outlined at https://nordvpn.com/tutorials/windows-10/openvpn/. Second, allow custom DNS under Advanced settings©©. Set DNS to 208.67.220.220 and 208.67.222.222. |
| Azure VPN |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
| AWS VPN |
Use workaround |
Edit the config file (downloaded from AWS manually) to have a second line of |
| Pritunl VPN |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
| Avaya VPN |
Incompatible |
Fixed by using the Umbrella module - included in most licenses |
Virtual Appliances and Protected Networks
The Umbrella roaming client behaves differently when connected to a network that utilizes the Umbrella Virtual Appliances (VA) or the Protected Networks feature. This is true whether you're connected to the network locally or through a VPN.
For more information, see Roaming Client and Virtual Appliances and/or Protected Networks.
Special Considerations When Using Cisco Secure Client(CSC) and the Standalone Roaming Client
Please note the information provided are specific to the standalone Umbrella roaming client and does not extend to the CSC + Roaming Security Module.
Looking for an easy plugin install? Then Umbrella Roaming integrated into CSC is for you!
Cisco Secure Client VPN users must migrate to the CSC + Roaming Security Module in the event of a functional issue with the VPN. Cisco Umbrella will require validation on the CSC + Roaming Security Module and recommend a full migration.
The Cisco Secure Client VPN software provides options for how DNS should be handled by the system when a VPN connection is established. Cisco has published a complete article with this information: Behavioral Differences Regarding DNS Queries and Domain Name Resolution in Different OSs
The following information is based on our experience with using Cisco Secure Client and the Umbrella roaming client. Your experience may differ, and we recommended testing the Umbrella roaming client with Cisco Secure Client VPN enabled to ensure that internal and external DNS resolution work according to your expectations.
We require that you use the CSC + Roaming Security Module if you are also using Cisco Secure Client for DNS service compatibility. The following steps are for the non-integrated roaming client only if required. These steps are not required for the CSC + Roaming Security Module.
In both full and split tunnel modes, special instructions are required to allow the roaming client to work while Cisco Secure Client is connected. This is required in order to allow DNS to flow to the roaming client rather than being overridden by CSC's kernel driver. For full tunnel, the symptom will be that the client will be forced to disable. For split tunneling, the symptom is a loss of internal DNS while connected to the VPN.
VPNs (including Cisco Secure Client) + Standalone Roaming Client + Windows 10 and 11: DNS Binding Order VPN compatibility mode:
Currently, there is a limited set of users on Windows 10 who encounter a specific issue where the local LAN will bind above the VPN NIC for DNS. In this event, local DNS on the internal domains list for the roaming client will fail to resolve while public DNS will work without issue. This affects versions 2.0.338 and 2.0.341 (by default) and above. The issue also did not occur on version 2.0.255.
Sophos VPN
|
Results for: resolv.confs C:\ProgramData\OpenDNS\ERC\Resolver1-76F52CE47B124D9FB05591D162777829-resolv.conf nameserver 192.168.2.1 |
|
C:\ProgramData\OpenDNS\ERC\Resolver1-76F52CE47B124D9FB05591D162777829-resolv.conf nameserver 10.1.1.27 |
Special Considerations when using third-party VPNs
Always-On VPN
The standalone roaming client is incompatible with the Cisco Secure Client Always On VPN setting when Trusted DNS servers are defined. When running, the standalone roaming client will always set DNS to 127.0.0.1 when active, eliminating all trusted DNS servers from the NIC settings. The roaming client may be disabled on the network to restore DHCP settings; however, all roaming client-related protections will shut off when configured. Contact Umbrella support to learn more about disabling the client on a trusted network.
Solutions:
- The CSC + Roaming Security Module (roaming client for Cisco Secure Client) is not affected and will work great with an Automatic VPN policy
- Add 127.0.0.1 to the trusted DNS servers list.
- Ensure that alternate methods of trusted detection are defined - DNS names and servers to avoid all networks from being declared trusted.
- Ensure that alternate methods of trusted detection are defined - DNS names and servers to avoid all networks from being declared trusted.
Viscosity VPN
Viscosity VPN requires a change in the settings to work with the Umbrella roaming client. If this change is not made, Viscosity's default behavior mimics that of other Incompatible VPNs. This change tells Viscosity that it will use the DNS settings pushed via the Umbrella server for all domains in the search domain and 127.0.0.1 will still be used for any other requests.
In Viscosity, navigate to Preferences > Connections > <your connection> (site specific) > Networking > DNS Settings and select Automatic (Default).
When using an OpenVPN server, be sure that "persist-tun" is not enabled server-side to ensure network changes are triggered on disconnect/reconnect.
Tunnelblick
Tunnelblick requires two changes in order to:
- allow changing of the DNS servers for the adaptor
- apply DNS settings after the tunnel has been established.
By ensuring the following settings in the "Advanced" menu, Tunnelblick will work with the Umbrella roaming client:
In the Connecting and Disconnecting tab, ensure the following two settings are enabled:
- Flush DNS cache after connecting or disconnecting (default)
- Set DNS after routes are set instead of before routes are set
In the While Connected tab, change the following to "Ignore".
DNS: Servers > When changes to the pre-VPN value, When changes to anything else.
When using an OpenVPN server, be sure that "persist-tun" is not enabled server-side to ensure that network changes are triggered on disconnect/reconnect.
Tunnelblick VPN Disconnect Issues
With some tunnelblick versions, the Roaming Client is unable to properly identify the correct Internal DNS servers following a VPN Disconnect. We recommend the following steps if you encounter problems with "Internal Domains" following a Disconnect of the VPN.
The following change causes Tunnelblick to bring the primary network interface down/up after the VPN disconnect. This is managed on the Settings tab of the Tunnelblicks configuration panel:
-
In older versions of Tunnelblick (prior to 3.7.5beta03), use the "Reset the primary interface after disconnecting" checkbox
-
On newer versions of Tunnelblick, 3.7.5beta03 and higher), set both the "On expected disconnect" and the "On unexpected disconnect" settings to "Reset Primary Interface".
Lightspeed Rocket
Lightspeed Rocket has select features which are not compatible with the Roaming Client. Specifically, the DNS modification for "No SSL Search" and "SafeSearch" CNAME redirection of www.google.com -> nosslsearch.google.com and forcesafesearch.com respectively causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled.