This article is directed at users who are currently using or considering to use off-network protection with the Umbrella roaming client (URC) and have the option to use the AnyConnect Umbrella roaming security module (AC-RSM). The AC-RSM is deeply integrated into the system and AnyConnect's core, allowing for more control over the system's DNS.
Both editions of the roaming client will continue to be updated and supported. In some specific cases, AnyConnect + RSM client may have higher compatibility and will be required to resolve certain issues.
For this reason, we strongly recommend the Roaming Security Module over the standalone Umbrella roaming client for packages that include roaming module licensing. The roaming module can be deployed without the AnyConnect VPN component with instructions for command line installation on our documentation.
AnyConnect licensing is required to make use of the Umbrella Roaming Security Module inside AnyConnect. AnyConnect is granted to the primary account holder only.
For direct access to the most recently available build through Umbrella, please refer to our release notes under Roaming Clients -> AnyConnect.
The following packages include access to AnyConnect included:
- DNS Essentials and higher, including:
- DNS Advantage
- SIG Essentials
- SIG Advantage
- Any future package above DNS Essentials
The following packages can request access to AnyConnect for no additional cost. Please contact your account manager to request the addition of a contract number with access to AnyConnect, then follow the remainder of this guide.
- Umbrella Platform
- Umbrella Insights
- Umbrella Professional
Activating AnyConnect Licensing to your account
To link your Cisco CCO ID account with your Umbrella license (only the default first admin is linked by default), you will need to contact two parties.
- First, contact your account manager and ask for your contract number. This is required for the next step. This cannot be found on the Umbrella dashboard.
- Link this contract number with your Cisco account. See below
Linking contract to your Cisco account
Step 1: Visit the Cisco.com Profile Manager Self Help to view a list of service contracts that are currently associated with your Cisco.com profile.
- If you have a service contract that does not show in the list that you believe is associated with the software you would like to download, please proceed to Step 2 to add the service contract to your Cisco.com profile.
Step 2: Request additional service contracts be associated to your Cisco.com profile.
- Select 'Additional Access' tab.
- Select 'Obtain access to additional service contracts'.
- Enter service contracts number(s) in the space provided and click on the 'Submit' button.
- You will receive notification via email that the service contract associations have been completed. Service contract association can take up to 6 hours to complete.
If you would like to establish a direct service agreement with Cisco (or believe you have an agreement, but you are not sure of your service agreement number) please contact Cisco Customer Service by calling (800) 553-NETS (Direct (408) 526-7208) or emailing the email@example.com help address.
Umbrella support is not able to assist in linking your Cisco account to your AnyConnect contract. Please connect with Cisco Licensing TAC for assistance.
Downloading the AnyConnect Client
Once access is granted to your CCO account, click the link shown below under the roaming client download modal of the Umbrella dashboard to access the download.
An Important Note: Secure Web Gateway
This article is directed at DNS layer users in the Umbrella packages or DNS Security Essentials/Advantage packages. If you are a SWG user on the SIG Essentials or SIG Advantage package, or are seeking to add on SWG services please read this section.
- SIG/SWG users must make use of the AnyConnect Roaming Module. The standalone client does not support SWG.
- DNS Essentials and higher packages (such as DNS Advantage, SIG Essentials, etc.) include AnyConnect licensing.
The below sections of this article refer to DNS layer coverage only. If you are using the SWG web proxy for roaming users, stop and read the section above.
Both versions of the roaming client provide the same DNS protection to roaming computers in and outside of the office. For a more complete pro/con list, scroll down to the next section. There are some scenarios where one will greatly benefit over the other.
- Scenario 1: New deployment
- Go with AnyConnect. Grab a copy from our release notes and roll out our latest and greatest client version.
- Scenario 2: For someone with an existing ASA and AnyConnect 4.8 MR2 or newer deployment
- Go with the AC-RSM. Deployment involves a few lines of change in your ASA configuration.
- Scenario 3: Full update control is required
- Go with the AC-RSM. By default, cloud delivered upgrades are turned off. Auto updates are on and cannot be disabled for the URC.
- Scenario 4: Split-DNS or tunnel-all-dns modes for DNS are in use for AnyConnect
- You must use the AC-RSM to receive protection on the VPN.
Both clients contain these features:
- AD Integration/Internal IP reporting (AC-RSM 4.5 MR2+, URC)
- Umbrella's DNS layer protection both on and off network
- Internal domains support (by internal domains list or search suffix)
- Hostname visibility into client activity
AnyConnect Umbrella Roaming Security Module
- Cisco recommends this!
- AnyConnect can be deployed without VPN functionality
- Disable Umbrella Roaming when connected to an AnyConnect VPN
- Disable Umbrella Roaming when on a Cisco Trusted network (as defined by AnyConnect)
- Update control. Disable Umbrella Roaming updates from the Dashboard. Turn on updates when ready to deploy the update after testing
- Full support of all AnyConnect modes. The standalone client requires modification to most running modes, plus does not support tunnel-all-dns or split-dns. See the limitations of the standalone client at https://support.opendns.com/entries/95819618-Roaming-Client-VPNs-and-VPN-Compatibility#AnyConnect.
- No additional software required for AnyConnect users (just a new module)
- Cleaner DNS management. AnyConnect directs DNS to the 127.0.0.1:53 address for dnscrypt and no modifications are made to the DNS settings. The network interfaces continue to report system configured DNS settings.
- DNS enforcement: Lookups sent directly to the configured local system resolvers cannot bypass DNS security thanks to kernel driver DNS redirection.
- Service Lockdown built in (via deployment of AnyConnect module option)
Why the AC-RSM may not be the right choice:
- GUI not able to be hidden in the AC-RSM, and the Umbrella section will aways appear in the AnyConnect GUI.
- The latest features and bugfixes may not yet be available in the AC-RSM after initial implementation in the URC.
- No early access to releases
Umbrella Roaming Client
- Automatic updates on by default - you always have the latest and greatest
- Ability to hide the GUI and add/remove programs entries
- Early access to test builds in beta or release candidate (contact support for more information). Test builds are released at least several weeks before a production rollout completes.
Why the URC may not be the right choice:
- Update control is required for your software management. We offer early access to preview builds for test driving new releases to mitigate this requirement. Test at least several weeks before general release to your clients.
- Requires tweaks in a full or split tunnel AnyConnect VPN scenario.
- DNS may be manually sent to another address (no kernel redirection or enforcement)
Both Umbrella roaming clients provide excellent coverage off and on network. Cisco recommends the AnyConnect roaming security module for maximum compatibility and coverage.
Questions? Let us know by contacting the Umbrella support team at firstname.lastname@example.org or by giving us a call if you subscribe to phone support.