Overview
The Cisco Umbrella roaming client is a great tool for protecting remote users, but it can also protect users on your corporate network, adding another layer of security. Depending on the needs of the business, some admins will want the continued protection of the Umbrella roaming client on the corporate network, whereas other admins will prefer to have the Umbrella roaming client 'back off' in favor of other Umbrella policies.
Umbrella offers flexibility on how the Umbrella roaming client operates when it enters your network. This article outlines these different approaches.
Table of Contents
- Goals
- Operating Modes
- Using the Umbrella Roaming Client with an Umbrella Virtual Appliance
- Cisco AnyConnect Umbrella Roaming Security Module
- AnyConnect Trusted Network Detection
- Disable when Full Tunnel VPN sessions are active
- More Information
Goals
Q) Why would I disable the Umbrella roaming client on my company network?
There's normally no need to disable the Umbrella roaming client to have internal and external DNS work. The Umbrella roaming client uses the Domain Management feature to direct your internal DNS traffic to your normal DNS servers. This allows you to retain both protection and connectivity while the Umbrella roaming client runs on your endpoints on the network.
However, there are sometimes reasons to consider disabling the Roaming Client protection:
- To provide a different 'on-network' and 'off-network' policy to roaming users who leave the network.
- Using an internal DNS server on a company network offers some benefits in terms of caching and reduced outgoing DNS traffic.
- The Umbrella roaming client periodically sends probe messages to verify the connection to Umbrella. This additional traffic may be unwanted when you have a very large number of clients.
Q) Why would I want the Umbrella roaming client to remain enabled on my company network?
On the other hand, there are some very good reasons to keep the roaming client enabled at all times:
- Ensuring the Umbrella roaming client computer uses the same policy at all times.
- Keeping the Umbrella roaming client's hostname identifiable in reports (instead of the network identity), for granular reporting.
- The Roaming Client uses 'Encrypted DNS' traffic for enhanced privacy.
- For Secure Web Gateway (SWG) users (using AnyConnect), the client must remain enabled to provide SWG web filtering.
Operating Modes
Always ON
The Umbrella roaming client can remain on even when used on the company network. In this mode, policies are configured using the Umbrella roaming client Identity, and this Identity will appear in reports.
| | Always ON |
| --- | --- |
| Policy | The Umbrella roaming client Identity is always used. |
| Reporting | The Umbrella roaming client Identity will always appear in reports, offering per-machine granularity. |
| DNS Traffic | |
| Probe Messages | The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella. |
How to configure the 'Always ON' mode:
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Clear "Disable DNS redirection while on an Umbrella Protected Network" and click Save.
- Create a separate policy for your Umbrella roaming clients and ensure that it is the highest priority (the very top of the list). Your Umbrella roaming client policy must have a higher precedence than any policies based on Network Identities.
Use Regular Network Policy
The Umbrella roaming client is enabled and continues to talk directly to Umbrella; however, the Network Identity is used for both policy and reporting purposes. This mode is activated simply by placing the network policy at a higher precedence than the Umbrella roaming client policy.
| | Use Regular Network Policy |
| --- | --- |
| Policy | The network policy will be used when on the protected network. This allows for different on/off network policies. |
| Reporting | |
| DNS Traffic | |
| Probe Messages | The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella. |
How to 'Use Regular Network Policy':
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Clear "Disable DNS redirection while on an Umbrella Protected Network" and click Save.
- Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Roaming Client.
Disable behind Protected Networks (Ideal for smaller networks)
The Umbrella roaming client can 'back off' when it detects that it is on a protected network. This means that the Network Identity will be used for both policy and reporting purposes.
This mode is similar in behavior to the 'Use Regular Network Policy' mode, except that the Umbrella roaming client actually disables itself and does not interfere with DNS traffic.
| | Disable behind Protected Networks |
| --- | --- |
| Policy | The network policy will be used when on the protected network. This allows for different on/off network policies. |
| Reporting | When on the protected network there is no per-machine granularity to the reporting. Reporting will be associated with the Network Identity only. |
| DNS Traffic | When on the protected network the Umbrella roaming client doesn't interfere with DNS queries and they go to the normal internal DNS server. |
| Probe Messages | The Umbrella roaming client continues to send probe messages to determine that it is on a protected network. |
How to configure Disable behind Protected Networks:
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Select "Disable DNS redirection while on an Umbrella Protected Network" and click Save.
- Navigate to Policies > Policies List.
- Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Umbrella roaming client.
- Your local DNS servers must be forwarding to Umbrella resolvers and must be correctly registered in the Umbrella dashboard.
- For this feature to work, the egress IP used by the client workstation must be registered to the same network identity as the egress IP used by your internal DNS servers. For full details, see this article.
Disable behind trusted network domain (ideal for larger networks)
It is now possible to choose a customer-configured 'Trusted Network Domain'. The client will attempt to resolve this DNS domain (A record) and disable protection when the domain resolves successfully. This is intended to be an internal-only DNS record that will only resolve when the client is on the company network.
| | Trusted Network Domain |
| --- | --- |
| Policy | The client will back off whenever the Trusted Domain is detected and will not necessarily receive Umbrella policy or filtering. We recommend adding other Umbrella features (e.g. Network protection) to ensure policy is still applied on the company network. |
| Reporting | The client will back off whenever the Trusted Domain is detected and will not necessarily receive Umbrella policy or filtering. If the network is protected by other Umbrella features (e.g. Network protection), then traffic will appear in reports under the network identity. |
| DNS Traffic | When on the trusted network the Umbrella roaming client doesn't interfere with DNS queries and they go to the normal internal DNS server. |
| Probe Messages | The Umbrella roaming client disables the majority of its DNS 'probe' tests in this state, greatly reducing the amount of traffic generated by roaming clients. |
How to configure Trusted Network Domain:
- Create a DNS A record on your internal DNS servers (e.g. magic.mydomain.tld).
  - The record must be a "sub-domain" (3 DNS labels minimum).
  - The record must resolve to an internal RFC 1918 address.
  - Take care to ensure the record does not exist publicly.
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Select the Trusted Network Domain option and enter the domain name (e.g. magic.mydomain.tld). Click Save.
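The following check, added for this article and not Cisco tooling, encodes the three requirements on the Trusted Network Domain record (label count, RFC 1918 answer, no public answer) and reports what is wrong with a candidate. The answer lists are passed in so it runs offline; the `resolve_a` helper is an assumed convenience that uses the host's configured resolver, so run it once from inside the network and once from an external host to gather the two lists.

```python
"""Validate a candidate Umbrella Trusted Network Domain record.

Added example, not Cisco tooling. Checks the three requirements from the
article: at least three DNS labels, an internal A-record answer inside RFC 1918
space, and no answer at all from the public Internet.
"""
import ipaddress
import socket
from typing import Iterable, List

# The three RFC 1918 ranges (narrower than ipaddress's is_private, which also
# covers loopback, link-local and documentation prefixes).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_a(name: str) -> List[str]:
    """A-record lookup via the host's configured resolver (assumed helper).

    Run from inside the network for the internal answers and from an external
    host for the public answers; NXDOMAIN or a lookup failure yields [].
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_trusted_domain(name: str, internal_answers: Iterable[str],
                         public_answers: Iterable[str]) -> List[str]:
    """Return the problems found; an empty list means the record is acceptable."""
    problems = []
    labels = [label for label in name.rstrip(".").split(".") if label]
    if len(labels) < 3:
        problems.append(f"{name}: needs at least 3 DNS labels, has {len(labels)}")
    internal = list(internal_answers)
    if not internal:
        problems.append(f"{name}: does not resolve internally")
    for answer in internal:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            problems.append(f"{name}: internal answer {answer!r} is not an IP address")
            continue
        if ip.version != 4 or not any(ip in net for net in RFC1918):
            problems.append(f"{name}: internal answer {ip} is not an RFC 1918 address")
    public = list(public_answers)
    if public:
        problems.append(f"{name}: resolves publicly to {', '.join(public)}; the record has leaked")
    return problems
```

A clean record returns an empty list; a record that answers from a public resolver is reported as leaked, since the client would then back off outside the company network.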
Using the Umbrella Roaming Client with an Umbrella Virtual Appliance
As part of the Umbrella 'Insights' product (in the Platform and Insights packages), we provide a Virtual Appliance (VA) which acts as a DNS forwarder within your network. This VA is the key to gaining visibility about the source of DNS requests on your network and is also required for our Active Directory integration.
By default, the Umbrella roaming client will disable itself if it detects that a VA is being used for DNS forwarding. If the VA has been assigned as the DNS server (either using DHCP or static settings), then the Umbrella roaming client will detect this and disable itself.
VA Backoff
| | VA Backoff |
| --- | --- |
| Policy | With VA Backoff enabled, the VA Identity will be used to decide the chosen policy. Policies can be created based on the following Identities: See the policy precedence documentation for more information. |
| Reporting | With VA Backoff enabled, the Umbrella roaming client is disabled when behind a VA and will not be shown in reports. Reporting will be logged as either: In addition, the internal client IP address will be logged for each request. |
| DNS Traffic | |
| Probe Messages | The Umbrella roaming client still sends probe messages to Umbrella but does so at a reduced rate. |
How to configure VA Backoff:
- This feature is enabled by default, but you can check its status (and optionally disable it):
- Navigate to Identities > Roaming Computers.
- Click the Roaming client settings icon.
- Select the VA Backoff option.
Cisco Umbrella AnyConnect Roaming Security Module
The Umbrella module for Cisco AnyConnect supports all the same operating modes as described above. Two additional AnyConnect-specific modes are also available. Both of these modes can be enabled in your Umbrella Dashboard on the Identities > Roaming Computers page; however, additional configuration is required within the AnyConnect VPN profile.
- Respect AnyConnect Trusted Network Detection. This feature causes the Umbrella Security module to disable itself when Cisco AnyConnect determines it is on a Trusted Network. This relies on AnyConnect's Trusted Network Detection feature to identify the network. Trusted domains, DNS servers, and URLs can be used to identify your company network. For more information, please see the AnyConnect documentation.
- Disable Roaming Client while full-tunnel VPN sessions are active. With this feature enabled, the Umbrella module will be disabled when AnyConnect is connected to a Full Tunnel (or Tunnel All DNS) VPN.
When disabled, the Roaming Client does not filter DNS traffic, so it is important to ensure that your network is covered by other security such as our Network Protection feature.
More Information
If you wish to disable the Roaming Client on your company network but need more control, or wish to discuss other options, please contact Cisco Umbrella support.