Articles in this section

See more

Standalone Roaming Client vs AnyConnect Roaming Module

Avatar
Alexander Harrison
  • Updated
Follow

Overview

 

This article is directed at users who are currently using or considering to use off-network protection with the Umbrella roaming client (URC) and have the option to use the AnyConnect Umbrella roaming security module (AC-RSM). The AC-RSM is deeply integrated into the system and AnyConnect's core, allowing for more control over the system's DNS.

Both editions of the roaming client will continue to be updated and supported. In some specific cases, AnyConnect + RSM client may have higher compatibility and be recommended by Umbrella support. 

For this reason, we recommend the Roaming Security Module over the standalone Umbrella roaming client for packages that include roaming module licensing.

For more information, see Moving to AnyConnect + Roaming Security Module for compatibility issues.

  

AnyConnect Licensing

 

AnyConnect licensing is required to make use of the Umbrella Roaming Security Module inside AnyConnect. AnyConnect is granted to the primary account holder only.

The following packages include access to AnyConnect included:

  • DNS Essentials and higher, including:
    • DNS Advantage
    • SIG Essentials
    • SIG Advantage
    • Any future package above DNS Essentials

The following packages can request access to AnyConnect for no additional cost. Please contact your account manager to request the addition of a contract number with access to AnyConnect, then follow the remainder of this guide.

  • Umbrella Platform
  • Umbrella Insights
  • Umbrella Professional

Activating AnyConnect Licensing to your account

To link your Cisco CCO ID account with your Umbrella license (only the default first admin is linked by default), you will need to contact two parties.

  1. First, contact your account manager and ask for your contract number. This is required for the next step. This cannot be found on the Umbrella dashboard.
  2. Link this contract number with your Cisco account. See below

Linking contract to your Cisco account

Step 1: Visit the Cisco.com Profile Manager Self Help to view a list of service contracts that are currently associated with your Cisco.com profile.

  • If you have a service contract that does not show in the list that you believe is associated with the software you would like to download, please proceed to Step 2 to add the service contract to your Cisco.com profile.

Step 2: Request additional service contracts be associated to your Cisco.com profile.

  • Select 'Additional Access' tab.
  • Select 'Obtain access to additional service contracts'.
  • Enter service contracts number(s) in the space provided and click on the 'Submit' button.
  • You will receive notification via email that the service contract associations have been completed. Service contract association can take up to 6 hours to complete.

Click here for information on registering with a Service Contract number.

If you would like to establish a direct service agreement with Cisco (or believe you have an agreement, but you are not sure of your service agreement number) please contact Cisco Customer Service by calling (800) 553-NETS (Direct (408) 526-7208) or emailing the web-help@cisco.com help address.

Umbrella support is not able to assist in linking your Cisco account to your AnyConnect contract. Please connect with Cisco Licensing TAC for assistance.

Downloading the AnyConnect Client

Once access is granted to your CCO account, click the link shown below under the roaming client download modal of the Umbrella dashboard to access the download.

Overview.png

 

 

An Important Note: Secure Web Gateway

 

This article is directed at DNS layer users in the Umbrella packages or DNS Security Essentials/Advantage packages. If you are a SWG user on the SIG Essentials or SIG Advantage package, or are seeking to add on SWG services please read this section.

  • SIG/SWG users must make use of the AnyConnect Roaming Module. The standalone client does not support SWG.
    • DNS Essentials and higher packages (such as DNS Advantage, SIG Essentials, etc.) include AnyConnect licensing.

  

The Basics 

 

The below sections of this article refer to DNS layer coverage only. If you are using the SWG web proxy for roaming users, stop and read the section above.

Both versions of the roaming client provide the same DNS protection to roaming computers in and outside of the office. For a more complete pro/con list, scroll down to the next section. There are some scenarios where one will greatly benefit over the other. 

  • Scenario 1: For someone not already part of the AnyConnect ecosystem, without subscription access to AnyConnect
    • Go with the URC. You're already fully licensed.
  • Scenario 2: For someone with an existing ASA and AnyConnect 4.3 MR4 or newer deployment
    • Go with the AC-RSM. Deployment involves a few lines of change in your ASA configuration.
  • Scenario 3: Full update control is required
    • Go with the AC-RSM. By default, cloud delivered upgrades are turned off. Auto updates are on and cannot be disabled for the URC. 
  • Scenario 4: Split-DNS or tunnel-all-dns modes for DNS are in use for AnyConnect
    • You must use the AC-RSM to receive protection on the VPN. 
  • Scenario 5: I want access to the latest and greatest features as soon as possible!
    • Go with the URC. Features are implemented here first in most cases. 
  • Scenario 6: IPv6 protection is required
    • No difference. Note, only 4.8 MR2+ supports IPv6. 

Both clients contain these features:

  • AD Integration/Internal IP reporting (AC-RSM 4.5 MR2+, URC)
  • Umbrella's DNS layer protection both on and off network
  • Internal domains support (by internal domains list or search suffix)
  • Hostname visibility into client activity

 

AnyConnect Umbrella Roaming Security Module

 
 
Why use the AC-RSM over the URC?
  • Disable Umbrella Roaming when connected to an AnyConnect VPN
  • Disable Umbrella Roaming when on a Cisco Trusted network (as defined by AnyConnect)
  • Update control. Disable Umbrella Roaming updates from the Dashboard. Turn on updates when ready to deploy the update after testing
  • Full support of all AnyConnect modes. The standalone client requires modification to most running modes, plus does not support tunnel-all-dns or split-dns. See the limitations of the standalone client at https://support.opendns.com/entries/95819618-Roaming-Client-VPNs-and-VPN-Compatibility#AnyConnect.
  • No additional software required for AnyConnect users (just a new module)
  • Cleaner DNS management. AnyConnect directs DNS to the 127.0.0.1:53 address for dnscrypt and no modifications are made to the DNS settings. The network interfaces continue to report system configured DNS settings. 
  • DNS enforcement: Cannot be bypassed by sending DNS to another address manually (i.e. dig @208.67.222.222) thanks to kernel driver DNS redirection.
  • Service Lockdown built in (via deployment of AnyConnect module option)

Why the AC-RSM may not be the right choice:

  • IP Layer Enforcement: currently available only for Windows with AnyConnect version 4.8 MR3+
  • IPv6 protection and redirection is available for 4.8 MR2+ only
  • GUI not able to be hidden in the AC-RSM, and the Umbrella section will aways appear in the AnyConnect GUI.
  • Minimum version of AnyConnect required to run: AnyConnect 4.3 MR4 with the Umbrella Roaming Security module enabled. Recommended minimum version 4.8 MR2. 
  • The latest features and bugfixes may not yet be available in the AC-RSM after initial implementation in the URC. 
  • Requires licensing for AnyConnect
  • No early access to releases
  • Roaming module updates (which may include desired new features) are tied to AnyConnect releases. VPN client software upgrades may require more substantial testing than roaming client only updates. 

 

Umbrella Roaming Client

 
 
Why use the URC over the AC-RSM?
  • More rapid development. Releases are not tied to the AnyConnect release cycles and more agile releases are possible. This includes new features and bug fixes, but may vary
  • No AnyConnect license required
  • Automatic updates on by default - you always have the latest and greatest
  • Ability to hide the GUI and add/remove programs entries
  • Early access to test builds in beta or release candidate (contact support for more information). Test builds are released at least several weeks before a production rollout completes. 

Why the URC may not be the right choice:

  • Update control is required for your software management. We offer early access to preview builds for test driving new releases to mitigate this requirement. Test at least several weeks before general release to your clients. 
  • Requires tweaks in a full or split tunnel AnyConnect VPN scenario. 
  • DNS may be manually sent to another address (no kernel redirection or enforcement)

 

Conclusion

 

Both Umbrella roaming clients provide excellent coverage off and on network.  The URC is the standalone client whereas the AC-RSM requires the AnyConnect client to function. 

Questions? Let us know by contacting the Umbrella support team at umbrella-support@cisco.com or by giving us a call if you subscribe to phone support.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.