Overview
Until around 2024-04-25, the backoff behavior of the Cisco Secure Client's SWG module could not be controlled independently of the DNS module: whether SWG protection was enabled or disabled depended entirely on the DNS backoff settings. Umbrella has since decoupled the behavior of the DNS module and the SWG module so that each can be managed on its own. This is available on Cisco Secure Client 5.1.3.62 and newer, where the DNS and SWG backoff settings were separated to allow more granular control. Clients on older versions do not honor the separate SWG module backoff settings.
When the 'Secure Web Gateway backoff follows DNS backoff' feature is enabled, the Secure Client's SWG module follows the DNS module's backoff decision. This does not hold for every DNS backoff setting, however. The next section details which DNS backoff settings the SWG module follows and which it does not.
Which DNS backoff settings will cause SWG to back off?
The following DNS backoff settings will cause SWG to back off:
1) Customer Trusted Network:
Configuring a "Customer Trusted Network" domain in the DNS backoff settings is one of the simplest methods. Host an internal domain that resolves to an RFC 1918 address; the client is coded to query that domain, and if the query resolves to a private IP address the client concludes that the device is on a private, protected network and the DNS module backs off. The Web (SWG) module respects the same signal: when the DNS module successfully resolves the domain, both DNS and SWG back off at the same time.
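The following is an added example, written for this page and not Cisco's client code, that models the DNS-side "Customer Trusted Network" check as the paragraph above describes it: resolve a configured internal domain and treat the device as being on the trusted network only if the answer is an RFC 1918 address. The domain name, the boolean modelling of the 'Secure Web Gateway backoff follows DNS backoff' toggle, and the fail-closed handling of empty or mixed answers are assumptions made for the example.

```python
"""Model of the DNS "Customer Trusted Network" backoff decision.

Example code added for this page, not Cisco Secure Client code.
"""
import ipaddress
import socket

# RFC 1918 private ranges.  ipaddress.is_private is deliberately NOT used:
# it also matches loopback (127/8), link-local (169.254/16) and the
# documentation ranges, none of which mean "inside the corporate network".
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(address: str) -> bool:
    """True only for IPv4 addresses inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def resolve(domain: str) -> list:
    """Resolve `domain` to its IPv4 addresses; [] on NXDOMAIN or resolver error."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def on_trusted_network(answers: list) -> bool:
    """Decide trusted-network status from the resolved addresses.

    Fail closed (assumption): no answer at all, or any non-RFC 1918 address
    in the answer (a public IP, or 127.0.0.1 from a hosts-file entry),
    means the device is NOT on the trusted network and protection stays on.
    """
    return bool(answers) and all(is_rfc1918(a) for a in answers)


def modules_backing_off(answers: list, swg_follows_dns: bool = True) -> set:
    """Return the client modules that back off for this DNS result.

    `swg_follows_dns` models the dashboard toggle
    'Secure Web Gateway backoff follows DNS backoff'.
    """
    if not on_trusted_network(answers):
        return set()
    modules = {"dns"}
    if swg_follows_dns:
        modules.add("swg")
    return modules


if __name__ == "__main__":
    # Hypothetical trusted-network domain; substitute your own.
    domain = "trusted.corp.example"
    answers = resolve(domain)
    print(domain, "->", answers or "no answer")
    print("modules backing off:", modules_backing_off(answers) or "none")
```

The check is only as strong as the resolution path: the internal domain should be answerable only by the resolvers reachable from the trusted network, since whatever address the local resolver hands back is what the decision is based on.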
2) AnyConnect Trusted Network Detection
3) AnyConnect VPN Detection
Note: These DNS backoff settings continue to work on Cisco Secure Client versions older than 5.1.3.62, since they were implemented before the DNS and SWG backoff settings were decoupled.
Which DNS backoff settings will not cause SWG to back off?
Configuring either of the following two DNS backoff features will not cause SWG to back off. Customers who also need SWG to back off on these networks must therefore configure the SWG backoff settings separately, independent of the DNS configuration. This is covered in more detail in the next section.
1) Backoff Behind Virtual Appliance
Starting from AnyConnect 4.10.07061 (MR7) and Secure Client 5.0.02075 (MR2), the SWG module remains enabled on networks where an Umbrella virtual appliance is present. If you previously relied on the presence of a virtual appliance to disable the SWG module and web redirection on a given network, use Trusted Network Domain or AnyConnect Trusted Network Detection instead.
2) Protected Network Detection
Independent SWG backoff settings
If none of the following DNS backoff features are enabled in the customer's environment, one of the SWG backoff settings outlined below must be used to ensure that SWG backs off and stays disabled on the trusted network:
- Customer Trusted Network
- AnyConnect Trusted Network Detection
- AnyConnect VPN Detection
This capability allows the SWG module to back off independently of the DNS module. It is available on Cisco Secure Client 5.1.3.62 and newer. Configure one of the explicit SWG backoff toggles in the dashboard.
1) Customer Trusted Network
One option is the "Customer Trusted Network" setting under the SWG backoff settings, where you configure an internal web server that the client contacts to confirm that it is on the protected network. Make sure the web server is reachable by the client, install a certificate on that server, and copy the certificate's hash into the Umbrella dashboard.
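The following added example, written for this page and not Cisco's client code, shows the kind of check the SWG "Customer Trusted Network" option performs: contact the internal server over TLS, take the certificate it presents, and compare its hash against the value configured in the dashboard. Assumptions made here: the hash is the SHA-256 fingerprint of the DER-encoded certificate (the page does not name the algorithm), the host name is hypothetical, and the sample certificate bytes are a constructed stand-in rather than a real certificate.

```python
"""Model of the SWG "Customer Trusted Network" certificate-hash check.

Example code added for this page, not Cisco Secure Client code.
"""
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(value: str) -> str:
    """Accept '0A:1B:..', '0a1b..' or '0A 1B ..' and return lowercase hex."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as lowercase hex (assumed algorithm)."""
    return hashlib.sha256(cert_der).hexdigest()


def fingerprint_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned hash."""
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64:
        return False  # malformed pin: never treat as a match
    return hmac.compare_digest(sha256_fingerprint(cert_der), expected)


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 3.0) -> bytes:
    """Fetch the leaf certificate the server presents, as DER bytes.

    Chain validation is switched off on purpose: the pinned hash, not a CA,
    is what identifies the trusted server here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("server presented no certificate")
    return der


def trusted_server_reachable(host: str, pinned: str, port: int = 443) -> bool:
    """True only if the server is reachable AND presents the pinned certificate.

    Every failure (unreachable, TLS error, hash mismatch) returns False, so
    the SWG module keeps protecting the endpoint.
    """
    try:
        cert_der = fetch_server_cert_der(host, port)
    except (OSError, ssl.SSLError):
        return False
    return fingerprint_matches(cert_der, pinned)


# Constructed stand-in for a DER certificate; not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


if __name__ == "__main__":
    pin = sha256_fingerprint(SAMPLE_CERT_DER)
    print("value to enter in the dashboard:", ":".join(pin[i:i + 2] for i in range(0, 64, 2)))
    print("sample certificate matches pin:", fingerprint_matches(SAMPLE_CERT_DER, pin))
    # Hypothetical internal host; prints False unless it exists and presents the pinned cert.
    print("live check:", trusted_server_reachable("swg-trust.corp.example", pin))
```

Two consequences of this design worth planning for: because the dashboard value pins one specific certificate, renewing the server certificate changes the hash and the check will fail (so SWG stays on) until the dashboard is updated; and the server should be reachable only from the network you consider trusted, because reachability plus a matching certificate is the whole signal.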
The other two options apply exclusively to VPN connections.
2) AnyConnect Trusted Network Detection
3) AnyConnect VPN Detection