Overview
The Cisco Umbrella roaming client is a great tool for protecting remote users but it can also protect users on your corporate network, adding another layer of security. Depending on the needs of the business some admins will want the continued protection of the Umbrella roaming client on the corporate network, whereas other admins will prefer to have the Umbrella roaming client 'back off' in favor of other Umbrella policies.
Umbrella offers flexibility on how the Umbrella roaming client operates when it enters your network. This article outlines these different approaches.
Table of Contents
- Goals
- Operating Modes
- Always ON
- Use Regular Network Policy
- Disable behind Protected Networks
- Disable behind trusted network domain (Limited Availability)
- Using the Umbrella Roaming Client with an Umbrella Virtual Appliance
- Cisco AnyConnect Umbrella Roaming Security Module
- More Information
Goals
Why would I disable the Umbrella roaming client on my company network?
There's normally no need to disable the Umbrella roaming client to have internal and external DNS work. The Umbrella roaming client uses the Domain Management feature to direct your internal DNS traffic to your normal DNS servers. You retain protection while the Umbrella roaming client runs on your endpoints on the network. However, there are some cases where you might need the roaming client disabled:
- To provide a different 'on-network' and 'off-network' policy to roaming users who leave the network.
- Using an internal DNS server on a company network offers some benefits in terms of caching and reduced outgoing DNS traffic.
- The Umbrella roaming client periodically sends probe messages to verify the connection to Umbrella. This additional traffic may be unwanted when you have a very large number of clients.
Why would I want the Umbrella roaming client to remain enabled on my company network?
On the other hand, there are some very good reasons to keep the roaming client enabled at all times:
- Ensure the Umbrella roaming client computer uses the same policy at all times.
- Keep the Umbrella roaming client computer's hostname identifiable in reports (instead of the network identity) for granular reporting.
Operating Modes
Always ON
The Umbrella roaming client can remain on even when used on the company network. In this mode, policies are configured using the Umbrella roaming client Identity, and this Identity will appear in reports.
Policy | The Umbrella roaming client Identity is used always.
Reporting | The Umbrella roaming client Identity will always appear in reports, offering per-machine granularity.
DNS Traffic |
Probe Messages | The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella.
How to configure the 'Always ON' mode:
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Clear 'Disable DNS redirection while on an Umbrella Protected Network' and click Save.
- Create a separate policy for your Umbrella roaming clients and ensure that it is the highest priority (the very top of the list). Your Umbrella roaming client policy must be at a higher precedence than any policies based on Network Identities.
Use Regular Network Policy
The Umbrella roaming client is enabled and continues to talk directly to Umbrella; however, the Network Identity is used for both policy and reporting purposes. This mode is activated simply by placing the network policy at a higher precedence than the Umbrella roaming client policy.
Policy | The network policy will be used when on the protected network. This allows for different on/off network policies.
Reporting |
DNS Traffic |
Probe Messages | The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella.
How to 'Use Regular Network Policy':
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Clear 'Disable DNS redirection while on an Umbrella Protected Network' and click Save.
- Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Roaming Client.
Disable behind Protected Networks (Ideal for smaller networks)
The Umbrella roaming client can 'back off' when it detects that it is on a protected network. This means that the Network Identity will be used for both policy and reporting purposes.
This mode is similar in behavior to the 'Use Regular Network Policy' mode, except that the Umbrella roaming client actually disables itself and does not interfere with DNS traffic.
Policy | The network policy will be used when on the protected network. This allows for different on/off network policies.
Reporting | When on the protected network there is no per-machine granularity to the reporting. Reporting will be associated with the Network Identity only.
DNS Traffic | When on the protected network the Umbrella roaming client doesn't interfere with DNS queries, and they go to the normal internal DNS server.
Probe Messages | The Umbrella roaming client continues to send probe messages to determine that it is on a protected network.
How to configure 'Disable behind Protected Networks':
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Select 'Disable DNS redirection while on an Umbrella Protected Network' and click Save.
- Navigate to Policies > Policies List.
- Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Umbrella roaming client.
- Your local DNS servers must be forwarding to Umbrella resolvers and must be correctly registered in the Umbrella dashboard.
- For this feature to work, the egress IP used by the client workstation must be registered to the same network identity as the egress IP used by your internal DNS servers. For full details, see this article.
Disable behind trusted network domain (limited availability - ideal for larger networks)
The roaming client may also be configured to disable behind a known trusted local domain. This is ideal for larger networks. Unlike the protected network mode, the egress IP of the client's DNS traffic and that of the DNS server need not match. Contact Umbrella support for further details.
Using the Umbrella Roaming Client with an Umbrella Virtual Appliance
As part of the Umbrella 'Insights' product (in the Platform and Insights packages) we provide a Virtual Appliance (VA) which acts as a DNS forwarder within your network. This VA is the key to gaining visibility about the source of DNS requests on your network and is also required for our Active Directory integration.
The Umbrella roaming client will always disable itself if it detects that a VA is being used for DNS forwarding. If the VA has been assigned as the DNS server (either using DHCP or static settings) then the Umbrella roaming client will detect this and disable itself.
Policy | The Umbrella roaming client is always disabled when behind a VA. A VA Identity will be used to decide the chosen policy. Policies can be created based on the following Identities: See the Umbrella documentation on policy precedence for more information.
Reporting | The Umbrella roaming client is always disabled when behind a VA and will not be shown in reports. Reporting will be logged as either: In addition, the internal client IP address will be logged for each request.
DNS Traffic |
Probe Messages | The Umbrella roaming client still sends probe messages to Umbrella, but does so at a reduced rate.
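To make the precedence and back-off rules from the mode descriptions above concrete, here is a small Python model added as an example; it is not part of the Umbrella product or this article. The network ranges, the Endpoint fields and the identity labels ("Network", "Roaming Computer", "VA") are constructed assumptions, and the protected-network check encodes the egress-IP matching requirement from the 'Disable behind Protected Networks' steps.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of registered Network identities: name -> egress IP range.
NETWORKS = {"HQ": ip_network("203.0.113.0/24"), "Branch": ip_network("198.51.100.0/24")}

@dataclass
class Endpoint:
    workstation_egress: str        # public IP Umbrella sees for the workstation's own queries
    dns_server_egress: str         # public IP Umbrella sees for the internal DNS server's queries
    dns_forwards_to_umbrella: bool # internal DNS servers forward to Umbrella resolvers
    dns_server_is_va: bool         # configured DNS server is an Umbrella Virtual Appliance

def network_identity(egress_ip):
    """Registered Network identity covering an egress IP, or None when off-network."""
    ip = ip_address(egress_ip)
    return next((name for name, net in NETWORKS.items() if ip in net), None)

def on_protected_network(ep):
    """Back-off precondition: DNS forwards to Umbrella and both egress IPs map to one Network identity."""
    ident = network_identity(ep.workstation_egress)
    return (ep.dns_forwards_to_umbrella and ident is not None
            and ident == network_identity(ep.dns_server_egress))

def resolve_mode(ep, disable_redirection, policy_order):
    """Return (mode, policy identity, reporting identity, client redirects DNS).

    policy_order lists identity types from highest to lowest precedence,
    e.g. ["Network", "Roaming Computer"], mirroring the dashboard policy list.
    """
    if ep.dns_server_is_va:                  # a VA in the DNS path always disables the client
        return ("Behind VA", "VA", "VA", False)
    network = network_identity(ep.workstation_egress)
    if network is None:                      # no registered Network matches: roaming identity only
        return ("Off network", "Roaming Computer", "Roaming Computer", True)
    if disable_redirection and on_protected_network(ep):
        return ("Disable behind Protected Networks", network, network, False)
    # Client stays active (setting cleared, or egress IPs mismatched so back-off never triggers);
    # both identities match, so the first one in the policy list wins.
    winner = next((p for p in policy_order if p in ("Network", "Roaming Computer")), "Roaming Computer")
    if winner == "Roaming Computer":
        return ("Always ON", "Roaming Computer", "Roaming Computer", True)
    return ("Use Regular Network Policy", network, network, True)

if __name__ == "__main__":
    # Workstation and DNS server egress via different registered networks: back-off does not happen.
    print(resolve_mode(Endpoint("203.0.113.10", "198.51.100.7", True, False), True, ["Network", "Roaming Computer"]))
```

The last call shows the mismatch case: with the back-off setting selected but the DNS server's egress IP registered to a different Network identity, the client keeps redirecting DNS and policy falls back to list precedence.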
Cisco Umbrella AnyConnect Roaming Security Module
The Umbrella module for Cisco AnyConnect supports all the same operating modes as described above. Two additional AnyConnect-specific modes are also available. Both of these modes can be enabled in your Umbrella Dashboard on the Identities > Roaming Computers page; however, additional configuration is required within the AnyConnect VPN profile.
- Respect AnyConnect Trusted Network Detection. This feature causes the Umbrella Security module to disable when Cisco AnyConnect determines it is on a Trusted Network. This relies on AnyConnect's Trusted Network Detection feature to identify the network. Trusted domains, DNS servers, and URLs can be used to identify your company network. For more information, please see the AnyConnect documentation.
- Disable Roaming Client while full-tunnel VPN sessions are active. With this feature enabled, the Umbrella module will be disabled when AnyConnect is connected to a Full Tunnel (or Tunnel All DNS) VPN.
When disabled, the Roaming Client does not filter DNS traffic, so it is important to ensure that your network is covered by other security, such as our Network Protection feature.
More Information
If you wish to disable the Roaming Client on your company network but need more control, or wish to discuss other options, please contact Cisco Umbrella support.