Articles in this section

See more

Umbrella Roaming Client – How it Works on Your Company Network

Avatar
Tom Allen
  • Updated
Follow

Overview

 

The Cisco Umbrella roaming client is a great tool for protecting remote users but it can also protect users on your corporate network, adding another layer of security. Depending on the needs of the business some admins will want the continued protection of the Umbrella roaming client on the corporate network, whereas other admins will prefer to have the Umbrella roaming client 'back off' in favor of other Umbrella policies.

Umbrella offers flexibility on how the Umbrella roaming client operates when it enters your network. This article outlines these different approaches.

Table of Contents


Goals

 

 
Why would I disable the Umbrella roaming client on my company network?

There's normally no need to disable the Umbrella roaming client to have internal and external DNS work.  The Umbrella roaming client uses an Internal Domains feature to direct your internal DNS traffic to your normal DNS servers. You retain protection while the Umbrella roaming client runs on your endpoints on the network. However, there are some cases where you might need the roaming client disabled:

  • To provide a different 'on-network' and 'off-network' policy to roaming users who leave the network.
  • Using an internal DNS server on a company network offers some benefits in terms of caching and reduced outgoing DNS traffic. 
  • The Umbrella roaming client periodically sends probe messages to verify the connection to Umbrella.  This additional traffic may be unwanted when you have a very large number of clients.


Why would I want the Umbrella roaming client to remain enabled on my company network?

On the other hand, there are some very good reasons to keep the roaming client enabled at all times:

  • Ensure the Umbrella roaming client computer uses the same policy at all times.
  • Always having the Umbrella roaming client's computer hostname always identifiable in reports (instead of the network identity) for granular reports.

 

Operating Modes

 

Always ON

The Umbrella roaming client can remain on even when used on the company network. In this mode, policies are configured using the Umbrella roaming client Identity, and this Identity will appear in reports. 

 

Policy

The Umbrella roaming client Identity is used always.

Reporting

The Umbrella roaming client Identity will always appear in reports offering per-machine granularity

DNS Traffic
  • The Umbrella roaming client continues to send DNS queries directly to Umbrella, even when on a company network.
  • Queries sent to Umbrella will be encrypted, providing additional security.
  • Queries for 'Internal Domains' are routed to your normal DNS servers and not sent to Umbrella.

Probe Messages

 The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella.

How to configure the 'Always ON' mode:

  1. Navigate to Identities > Roaming Computers.
  2. Set Disable Roaming Client when on an Umbrella Protected Network to NO.
  3. Navigate to Policies > Policies List.
  4. Create a separate policy for your Umbrella roaming clients and ensure that it is the highest priority (the very top of the list). Your Umbrella roaming client policy must be at a higher precedence than any policies based on Network Identities. 


Use Regular Network Policy

The Umbrella roaming client is enabled and continues to talk directly to Umbrella, however, the Network Identity is used for both policy and reporting purposes. This mode is activated simply by placing the network policy at a higher precedence than the Umbrella roaming client policy. 

Policy

The network policy will be used when on the protected network. This allows for different on/off network policies.
Reporting
  • Reporting will be associated with the Network Identity only.

  • Reporting still allows you to search with Umbrella roaming client hostname to filter results for that client only.

    filter_by_ID.jpg

DNS Traffic
  • The Umbrella roaming client continues to send DNS queries directly to Umbrella, even when on a company network.
  • Queries sent to Umbrella will be encrypted, providing additional security.
  • Queries for 'Internal Domains' are routed to your normal DNS servers and not sent to Umbrella.

Probe Messages

The Umbrella roaming client continues to send probe messages to determine the availability of Umbrella.

How to 'Use Regular Network Policy':

  1. Navigate to Identities > Roaming Computers.
  2. Set the Disable Roaming Client when behind Protected Network policies to NO.
  3. Navigate to Policies > Policies List.
  4. Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence then any policies based on the Roaming Client. 

 

Disable behind Protected Networks

The Umbrella roaming client can 'back-off' when it detects that it is on a protected network. This means that Network Identity will be used for both policy and reporting purposes.

This mode is similar in behavior to the 'Use Regular Network Policy' mode except that the Umbrella roaming client actually disables itself and does not interfere with DNS traffic. 

Policy

The network policy will be used when on the protected network. This allows for different on/off network policies.

Reporting

When on the protected network there is no per-machine granularity to the reporting. Reporting will be associated with the Network Identity only.

 

 

DNS Traffic

When on the protected network the Umbrella roaming client doesn't interfere with DNS queries and they go to the normal internal DNS server.

Probe Messages

The Umbrella roaming client continues to send probe messages to determine that it is on a protected network.

How to configure Disable behind protected networks:

  1. Navigate to Identities > Roaming Computers.
  2. Set the Disable Roaming Client when behind Protected Network policies to YES.
  3. Navigate to Policies > Policies List.
  4. Create a separate policy for your Network(s). Ensure the policy for your Network(s) is at a higher precedence than any policies based on the Umbrella roaming client. 
  5. Your local DNS servers must be forwarding to Umbrella resolvers and must be correctly registered in the Umbrella dashboard.
  6. For this feature to work, the egress IP used by the client workstation must be registered to the same network identity as the egress IP used by your internal DNS servers. For full details, see this article.

 

Using the Umbrella Roaming Client with an Umbrella Virtual Appliance

  

As part of the Umbrella 'Insights' product (in the Platform and Insights packages) we provide a Virtual Appliance (VA) which acts as a DNS forwarder within your network. This VA is the key to gaining visibility about the source of DNS requests on your network and is also required for our Active Directory integration.

The Umbrella roaming client will always disable itself if it detects that a VA is being used for DNS forwarding. If the VA has been assigned as the DNS server (either using DHCP or static settings) then the Umbrella roaming client will detect this and disable itself.

Policy

The Umbrella roaming client is always disabled when behind a VA. A VA Identity will be used to decide the chosen policy. Policies can be created based on the following Identities:

  • AD User (only if AD integration is enabled)
  • AD Computer (only if AD integration is enabled)
  • Internal Network
  • Umbrella Site Name.

Click here for more information on policy precedence.
Reporting

The Umbrella roaming client is always disabled when behind a VA and will not be shown in reports. Reporting will be logged as either:

  • AD User (only if AD integration is enabled)
  • AD Computer (only if AD integration is enabled)
  • Internal Network
  • Umbrella Site Name.

In addition, the internal client IP address will be logged for each request.

roaming_client_Identity_user.jpg

DNS Traffic
  • The Umbrella roaming client doesn't interfere with DNS queries and they will go to the virtual appliance.
  • The VA forwards external DNS queries to Umbrella (encrypted).
  • The VA routes internal DNS queries as appropriate and forwards them to the configured internal DNS servers.

Probe Messages

The Umbrella roaming client still sends probe messages to Umbrella but does so at a reduced rate.

 

 

Cisco Umbrella AnyConnect Roaming Security Module

  

 The Umbrella module for Cisco AnyConnect supports all the same operating modes as described above.  Two additional AnyConnect specific modes are also available.  Both of these modes can be enabled in your Umbrella Dashboard on the Identities > Roaming Computers page, however, additional configuration is required within the AnyConnect VPN profile.

  • Respect AnyConnect Trusted Network Detection.
    This feature causes the Umbrella Security module to disable when Cisco AnyConnect determines it is on a Trusted Network.  This relies on AnyConnect's Trusted Network Detection feature to identify the network.  Trusted domains, DNS servers, and URLs can be used to identify your company network.  For more information please see the AnyConnect documentation.
  • Disable Roaming Client while full-tunnel VPN sessions are active
    With this feature enabled, the Umbrella module will be disabled when AnyConnect is connected to a Full Tunnel (or Tunnel All DNS) VPN.

When disabled the Roaming Client does not filter DNS traffic, so it is important to ensure that your network is covered by other security like our Network Protection feature.

 

More Information

 

If you wish to disable the Roaming Client on your company network but need more control, or wish to discuss other options, please contact Cisco Umbrella support.

 

 

Related articles

Comments

0 comments

Article is closed for comments.