Umbrella Roaming Client – How it Works on Your Company Network

Overview

The Cisco Umbrella roaming client is a great tool for protecting remote users but it can also protect users on your corporate network, adding another layer of security. Depending on the needs of the business some admins will want the continued protection of the Umbrella roaming client on the corporate network, whereas other admins will prefer to have the Umbrella roaming client 'back off' in favor of other Umbrella policies.

Umbrella offers flexibility on how the Umbrella roaming client operates when it enters your network. This article outlines these different approaches.

Table of Contents

• Goals
• Operating Modes
• Always ON
• Use Regular Network Policy
• Disable behind Protected Networks

• Using the Umbrella Roaming Client with an Umbrella Virtual Appliance

Goals

 
Why would I disable the Umbrella roaming client on my company network?

There's normally no need to disable the Umbrella roaming client to have internal and external DNS work.  The Umbrella roaming client uses an Internal Domains feature to direct your internal DNS traffic to your normal DNS servers. You retain protection while the Umbrella roaming client runs on your endpoints on the network. However, there are some cases where you might need the roaming client disabled:

• To provide a different 'on-network' and 'off-network' policy to roaming users who leave the network.
• Using an internal DNS server on a company network offers some benefits in terms of caching and reduced outgoing DNS traffic. 
• The Umbrella roaming client periodically sends probe messages to verify the connection to Umbrella.  This additional traffic may be unwanted when you have a very large number of clients.

Why would I want the Umbrella roaming client to remain enabled on my company network?

On the other hand, there are some very good reasons to keep the roaming client enabled at all times:

• Ensure the Umbrella roaming client computer uses the same policy at all times.
• Always having the Umbrella roaming client's computer hostname always identifiable in reports (instead of the network identity) for granular reports.

Operating Modes

Always ON

The Umbrella roaming client can remain on even when used on the company network. In this mode, policies are configured using the Umbrella roaming client Identity, and this Identity will appear in reports. 

How to configure the 'Always ON' mode:

1. Navigate to Identities > Roaming Computers.
2. Set Disable Roaming Client when on an Umbrella Protected Network to NO.
3. Navigate to Policies > Policies List.
4. Create a separate policy for your Umbrella roaming clients and ensure that it is the highest priority (the very top of the list). Your Umbrella roaming client policy must be at a higher precedence than any policies based on Network Identities. 

Use Regular Network Policy

The Umbrella roaming client is enabled and continues to talk directly to Umbrella, however, the Network Identity is used for both policy and reporting purposes. This mode is activated simply by placing the network policy at a higher precedence than the Umbrella roaming client policy. 

How to 'Use Regular Network Policy':

1. Navigate to Identities > Roaming Computers.
2. Set the Disable Roaming Client when behind Protected Network policies to NO.
3. Navigate to Policies > Policies List.
4. Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence then any policies based on the Roaming Client. 

Disable behind Protected Networks

The Umbrella roaming client can 'back-off' when it detects that it is on a protected network. This means that Network Identity will be used for both policy and reporting purposes.

This mode is similar in behavior to the 'Use Regular Network Policy' mode except that the Umbrella roaming client actually disables itself and does not interfere with DNS traffic. 

How to configure Disable behind protected networks:

1. Navigate to Identities > Roaming Computers.
2. Set the Disable Roaming Client when behind Protected Network policies to YES.
3. Navigate to Policies > Policies List.
4. Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Umbrella roaming client. 
5. Your local DNS servers must be forwarding to Umbrella resolvers and must be correctly registered in the Umbrella dashboard.
6. For this feature to work, the egress IP used by the client workstation must be registered to the same network identity as the egress IP used by your internal DNS servers. For full details, see this article.

Using the Umbrella Roaming Client with an Umbrella Virtual Appliance

As part of the Umbrella 'Insights' product (in the Platform and Insights packages) we provide a Virtual Appliance (VA) which acts as a DNS forwarder within your network. This VA is the key to gaining visibility about the source of DNS requests on your network and is also required for our Active Directory integration.

The Umbrella roaming client will always disable itself if it detects that a VA is being used for DNS forwarding. If the VA has been assigned as the DNS server (either using DHCP or static settings) then the Umbrella roaming client will detect this and disable itself.