Standalone Roaming Client vs AnyConnect Roaming Module

Overview

This article is directed at users who are currently using or considering to use off-network protection with the Umbrella roaming client (URC) and have the option to use the AnyConnect Umbrella roaming security module (AC-RSM). 

Most importantly, both editions of the roaming client will continue to be updated and supported. Neither is a replacement for the other. 

An Important Note: Secure Web Gateway

This article is directed at DNS layer users in the Umbrella packages or DNS Security Essentials/Advantage packages. If you are a SWG user on the SIG Essentials or SIG Advantage package, or are seeking to add on SWG services please read this section.

• SIG/SWG users must make use of the AnyConnect Roaming Module. The standalone client does not support SWG.
  • SIG Essentials and higher packages include AnyConnect licensing. DNS only packages do not include this license

The Basics 

The below sections of this article refer to DNS layer coverage only. If you are using the SWG web proxy for roaming users, stop and read the section above.

Both versions of the roaming client provide the same DNS protection to roaming computers in and outside of the office. For a more complete pro/con list, scroll down to the next section. There are some scenarios where one will greatly benefit over the other. 

• Scenario 1: For someone not already part of the AnyConnect ecosystem, without subscription access to AnyConnect
  • Go with the URC. You're already fully licensed.
• Scenario 2: For someone with an existing ASA and AnyConnect 4.3 MR4 or newer deployment
  • Go with the AC-RSM. Deployment involves a few lines of change in your ASA configuration.
• Scenario 3: Full update control is required
  • Go with the AC-RSM. By default, cloud delivered upgrades are turned off. Auto updates are on and cannot be disabled for the URC. 
• Scenario 4: Split-DNS or tunnel-all-dns modes for DNS are in use for AnyConnect
  • You must use the AC-RSM to receive protection on the VPN. 
• Scenario 5: I want access to the latest and greatest features as soon as possible!
  • Go with the URC. Features are implemented here first in most cases. 
• Scenario 6: IPv6 protection is required
  • No difference. Note, only 4.8 MR2+ supports IPv6. 

Both clients contain these features:

• AD Integration/Internal IP reporting (AC-RSM 4.5 MR2+, URC)
• Umbrella's DNS layer protection both on and off network
• Internal domains support (by internal domains list or search suffix)
• Hostname visibility into client activity

AnyConnect Umbrella Roaming Security Module

• Disable Umbrella Roaming when connected to an AnyConnect VPN
• Disable Umbrella Roaming when on a Cisco Trusted network (as defined by AnyConnect)
• Update control. Disable Umbrella Roaming updates from the Dashboard. Turn on updates when ready to deploy the update after testing
• Full support of all AnyConnect modes. The standalone client requires modification to most running modes, plus does not support tunnel-all-dns or split-dns. See the limitations of the standalone client at https://support.opendns.com/entries/95819618-Roaming-Client-VPNs-and-VPN-Compatibility#AnyConnect.
• No additional software required for AnyConnect users (just a new module)
• Cleaner DNS management. AnyConnect directs DNS to the 127.0.0.1:53 address for dnscrypt and no modifications are made to the DNS settings. The network interfaces continue to report system configured DNS settings. 
• DNS enforcement: Cannot be bypassed by sending DNS to another address manually (i.e. dig @208.67.222.222) thanks to kernel driver DNS redirection.
• Service Lockdown built in (via deployment of AnyConnect module option)

Why the AC-RSM may not be the right choice:

• IP Layer Enforcement: currently available only for Windows with AnyConnect version 4.8 MR3+
• IPv6 protection and redirection is available for 4.8 MR2+ only
• GUI not able to be hidden in the AC-RSM, and the Umbrella section will aways appear in the AnyConnect GUI.
• Minimum version of AnyConnect required to run: AnyConnect 4.3 MR4 with the Umbrella Roaming Security module enabled. Recommended minimum version 4.8 MR2. 
• The latest features and bugfixes may not yet be available in the AC-RSM after initial implementation in the URC. 
• Requires licensing for AnyConnect
• No early access to releases
• Roaming module updates (which may include desired new features) are tied to AnyConnect releases. VPN client software upgrades may require more substantial testing than roaming client only updates. 

Umbrella Roaming Client

• More rapid development. Releases are not tied to the AnyConnect release cycles and more agile releases are possible. This includes new features and bug fixes, but may vary
• No AnyConnect license required
• Automatic updates on by default - you always have the latest and greatest
• Ability to hide the GUI and add/remove programs entries
• Early access to test builds in beta or release candidate (contact support for more information). Test builds are released at least several weeks before a production rollout completes. 

Why the URC may not be the right choice:

• Update control is required for your software management. We offer early access to preview builds for test driving new releases to mitigate this requirement. Test at least several weeks before general release to your clients. 
• Requires tweaks in a full or split tunnel AnyConnect VPN scenario. 
• DNS may be manually sent to another address (no kernel redirection or enforcement)

Conclusion

Both Umbrella roaming clients provide excellent coverage off and on network.  The URC is the standalone client whereas the AC-RSM requires the AnyConnect client to function. 

Questions? Let us know by contacting the Umbrella support team at umbrella-support@cisco.com or by giving us a call if you subscribe to phone support.