Overview
Welcome to the "My Roaming Client" series of knowledge base articles. Each article in the series walks through a set of questions that address a common roaming client problem.
This article targets the scenario where the roaming client shows green and "Protected" but is not behaving as expected. Below you will find the questions most frequently asked about this scenario after deploying roaming clients: the client installs and registers, but does not behave as expected.
The "My Roaming Client Series" Index:
Explore the possibilities in each subsection below, by filling in the blank of "My roaming client says "Protected but... _________":
Sections in this doc
Unknown, Unprotected
If this is the current state, this article does not target your scenario. "Unknown, Unprotected" is an unprotected state in which the client has not yet registered. See this article on ways a proxy can prevent a roaming client from registering, or contact our support team for assistance.
No sites are blocked
The roaming client will report "Protected" when we are able to reach 208.67.220.220 and 208.67.222.222 for DNS over UDP 53 or 443 or if the client is set to disable due to a known policy. If the client reports a Protected mode, but blocks are not occurring, follow these steps:
- Check for a proxy. In the case of a transparent or explicit proxy, the DNS resolved on the computer will be re-requested and overridden by the proxy server. Using Umbrella with a proxy?
- A third party software DNS proxy is overriding the roaming client's DNS responses
- A different than expected policy is applying. See how to confirm the expected policy is applying here.
Incorrect policy is applying
The roaming client will report "Protected and Encrypted" or "Protected and Transparent", but roaming client policies are not applying:
- Validate that the roaming client-based policy is the winning policy. If the computer is on a registered network and that network is higher in the policy order than the roaming client identity, the network's policy will apply. See this article on determining which policy is being applied, or visit policy-debug.opendns.com for details.
- Check for a proxy. In the case of a transparent or explicit proxy, the DNS resolved on the computer will be re-requested and overridden by the proxy server. The proxy server using Umbrella would apply only its egress-based network level coverage. Using Umbrella with a proxy?
- Using the AnyConnect Roaming Security Module? The standalone roaming client must not also be installed at the same time! If both ERCService.exe and acumbrellaagent.exe are running concurrently, this indicates both are installed. Uninstall the standalone Umbrella roaming client, and ensure no software management tools are reinstalling it.
Public or all DNS is failing
In this scenario, no DNS query receives a response. An nslookup in the command prompt or terminal times out or fails, and browsers report DNS issues and fail to load pages:
- A third party software DNS proxy is overriding the roaming client's DNS responses. Many such programs only override "website destination" A-records and allow TXT records to pass freely. Since the roaming client checks for DNS availability with TXT records, the roaming client will activate even if no A-record reaches Umbrella. Encrypted Umbrella DNS combined with such background software often leads to a failure to send DNS A-records.
- A firewall has DNS protection built in or a "web protection" service, which may interfere with Umbrella.
- If this occurs intermittently, this may be PAT/NAT exhaustion. The addition of the roaming client has increased the number of direct UDP connections out of the workstations' egress network. This will intermittently cause either just DNS or all web traffic to fail. For more information, see this article on this port exhaustion and how changing the UDP timeout or validating your UDP connection limit may help.
- Using the AnyConnect Roaming Security Module? The standalone roaming client must not also be installed at the same time! If both ERCService.exe and acumbrellaagent.exe are running concurrently, this indicates both are installed. Uninstall the standalone Umbrella roaming client, and ensure no software management tools are reinstalling it.
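The proxy and software-DNS-proxy checks in the "No sites are blocked" and "Incorrect policy is applying" sections, and the TXT-versus-A point above, all come down to one question: does the answer the machine sees match the answer Umbrella itself gives? The following script is an added example, not Cisco or OpenDNS code, that sends the same A and TXT query through the local resolver path and directly to 208.67.220.220, then classifies the difference. It assumes the roaming client answers on 127.0.0.1 (LOCAL_STUB), uses the resolver addresses and ports named in this article, and embeds two constructed DNS replies so the parser can be exercised offline.

```python
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple

UMBRELLA_RESOLVERS = ("208.67.220.220", "208.67.222.222")  # from the article
LOCAL_STUB = "127.0.0.1"  # assumption: loopback address the roaming client answers on
QTYPE = {"A": 1, "TXT": 16}

# Constructed sample replies for example.test (A = 10.0.0.1, TXT = "hello"),
# both using a compression pointer (0xC00C) back to the question name.
SAMPLE_A_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                     b"\x07example\x04test\x00\x00\x01\x00\x01"
                     b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x0a\x00\x00\x01")
SAMPLE_TXT_RESPONSE = (b"\x00\x02\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                       b"\x07example\x04test\x00\x00\x10\x00\x01"
                       b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x3c\x00\x06\x05hello")

def build_query(qname: str, qtype: str, txid: int) -> bytes:
    """Minimal RFC 1035 query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire + struct.pack("!HH", QTYPE[qtype], 1)

def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)

def parse_response(pkt: bytes) -> Dict:
    """Return {'rcode': int, 'answers': [(name, rtype, value), ...]}."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 16:  # TXT rdata is a series of <length><chars> strings
            value, i = "", 0
            while i < len(rdata):
                value += rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace")
                i += 1 + rdata[i]
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
    return {"rcode": flags & 0xF, "answers": answers}

def query(server: str, qname: str, qtype: str, port: int = 53,
          timeout: float = 2.0) -> Optional[Dict]:
    """One UDP round trip; None on timeout or transaction-id mismatch."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return None
    return parse_response(data)

def classify(local: Dict[str, Optional[Dict]],
             direct: Dict[str, Optional[Dict]]) -> str:
    """Compare answers seen via the local resolver path with answers obtained
    directly from Umbrella. Keys 'A'/'TXT'; None means the query timed out."""
    def values(r):
        return None if r is None else sorted(v for _, _, v in r["answers"])
    if direct["A"] is None and direct["TXT"] is None:
        return "umbrella-unreachable"   # nothing reaches 208.67.x.x on this port
    txt_same = values(local["TXT"]) == values(direct["TXT"])
    a_same = values(local["A"]) == values(direct["A"])
    if txt_same and a_same:
        return "consistent"             # no interception between client and Umbrella
    if txt_same:
        return "a-records-overridden"   # TXT passes, A rewritten: software DNS proxy
    return "local-path-diverges"        # proxy or other DNS interception

def run_diagnostic(qname: str, resolver: str = UMBRELLA_RESOLVERS[0], port: int = 53) -> str:
    """Live check (needs network): same name via the local stub and direct."""
    local = {t: query(LOCAL_STUB, qname, t) for t in ("A", "TXT")}
    direct = {t: query(resolver, qname, t, port) for t in ("A", "TXT")}
    return classify(local, direct)
```

Run run_diagnostic("example.com") on the affected workstation; run it again with port=443 if the first call reports "umbrella-unreachable", since the client will also use UDP 443. An "a-records-overridden" result is the signature of the third party software DNS proxy case above, because the TXT reachability check the client relies on passes while the A-record the browser needs is rewritten.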
Local DNS fails
In this scenario, public records resolve; however, domains on your internal domains list fail to resolve. If the local DNS servers are queried directly, the query succeeds.
- Is the domain failing added to your internal domains list? Note, any search suffix will automatically be dynamically added to the local (not cloud side) list. Any local-only domain not on this list will fail to resolve correctly. Any local domain not on the list will appear in your Dashboard reporting. Any domain on the list will not. Learn how local DNS works here.
- Are the local DNS servers correct? Validate that the values stored inside the roaming client match your expectations. Validate that each server listed (see locations below) is able to return the response. We'll pick one to send each local DNS request to. These will match your DHCP lease or static assignment. If not, let us know by opening up a support case.
Mac: /var/lib/data/opendns/resolv_orig.conf
PC: C:\ProgramData\OpenDNS\ERC\Resolver#-Name-of-NetworkAdaptor.conf
- Software or VPN compatibility. Does the issue only occur when on a VPN? If so, ensure that the VPN does not restrict where DNS may flow and that your VPN is not on our unsupported list. See our VPN compatibility article for more details.
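The two checks in this section (is the name covered by the internal domains list or a search suffix, and which saved local server would answer it) can be reproduced on a workstation. The script below is an added example, not Cisco or OpenDNS code. It assumes the saved-resolver files named above use a resolv.conf-style "nameserver"/"search" layout (a constructed sample is embedded), and it models the routing rule this article states: names under the internal domains list or a DHCP search suffix go to one of the saved local servers, everything else goes to Umbrella and therefore shows up in Dashboard reporting.

```python
import random
from typing import List, Optional, Tuple

# Constructed sample in resolv.conf layout. Assumption: the saved-resolver
# files (resolv_orig.conf on Mac, Resolver#-<adapter>.conf on Windows) hold
# the DHCP or static DNS servers in this form.
SAMPLE_SAVED_RESOLVERS = """\
# saved by roaming client (constructed sample)
search corp.example
nameserver 10.10.0.53
nameserver 10.10.0.54
"""

def parse_saved_resolvers(text: str) -> Tuple[List[str], List[str]]:
    """Return (search_suffixes, nameservers) from resolv.conf-style text."""
    suffixes, servers = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
        elif len(fields) >= 2 and fields[0] in ("search", "domain"):
            suffixes.extend(fields[1:])
    return suffixes, servers

def _under(qname: str, domain: str) -> bool:
    """True when qname equals domain or is below it on a label boundary,
    so 'notcorp.example' is not treated as part of 'corp.example'."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def route_query(qname: str, internal_domains: List[str],
                search_suffixes: List[str]) -> str:
    """'local' if the name is covered by the internal domains list or by a
    search suffix (suffixes are added dynamically to the local-side list),
    otherwise 'umbrella'. A name that is local in reality but on neither list
    goes to Umbrella, fails to resolve, and appears in Dashboard reporting."""
    effective = list(internal_domains) + list(search_suffixes)
    return "local" if any(_under(qname, d) for d in effective) else "umbrella"

def pick_local_server(servers: List[str], rng=random) -> Optional[str]:
    """One saved server is chosen per local request, so every server on the
    list must be able to answer, not just the first."""
    return rng.choice(servers) if servers else None

def explain(qname: str, internal_domains: List[str], saved_text: str) -> str:
    """Human-readable verdict for one query name on this workstation."""
    suffixes, servers = parse_saved_resolvers(saved_text)
    if route_query(qname, internal_domains, suffixes) == "local":
        return f"{qname}: local DNS, one of {servers}"
    return f"{qname}: Umbrella (will appear in Dashboard reporting)"
```

On a real machine, replace SAMPLE_SAVED_RESOLVERS with the contents of the file for your platform and pass the internal domains list from the Dashboard; a name that comes back as "Umbrella" but should be local is the missing-list-entry case from the first bullet above.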
The client shows offline on the dashboard
The roaming client sync process is instrumental to the client states as shown on the dashboard. The roaming client will only activate when:
- At least one sync to our sync server (currently sync.hydra.opendns.com) has completed since client start
- One of the Umbrella DNS servers is available on port 443 or 53 UDP.
The dashboard state of the client is updated every sync (currently takes up to 60 minutes). Here are some possible reasons why these states may not be up to date:
- The client's state has changed since the last sync. Note that the initial sync on boot happens while the client is still "offline" (not protected), because a completed sync is itself a requirement for becoming protected.
- The client experiences intermittent failure to sync due to network restrictions. An initial sync may have occurred, but subsequent sync updates fail, resulting in the client appearing offline.
- The computer has switched networks since the last start of the client. For example, the computer was turned on in a bakery-cafe with sync access, then brought into the corporate network without sync access. The client will remain Protected/Encrypted if DNS is available, but the Dashboard will report the client is offline.
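The rules in this section (a completed sync since start plus reachable DNS make the client Protected; the Dashboard only learns the client's state at each sync) explain why the client and the Dashboard can disagree. The following is an added model, not Cisco or OpenDNS code, that encodes those rules and replays the bakery-cafe scenario above. It assumes a single simplified threshold: the Dashboard shows "offline" once more than one 60-minute sync interval has passed with no successful sync.

```python
from dataclasses import dataclass
from typing import Optional

SYNC_INTERVAL_MIN = 60  # article: Dashboard state is updated every sync, up to 60 minutes
# Assumption in this model: no sync within one interval => Dashboard shows "offline".

@dataclass
class RoamingClientModel:
    dns_reachable: bool = False          # an Umbrella resolver answers on UDP 53/443
    synced_since_start: bool = False     # at least one sync since the client started
    last_sync_minute: Optional[int] = None
    last_reported_state: Optional[str] = None

    def start(self) -> None:
        """Client (re)start: the sync-since-start requirement resets."""
        self.synced_since_start = False

    def local_state(self) -> str:
        """What the client itself displays on the workstation."""
        if self.synced_since_start and self.dns_reachable:
            return "Protected"
        return "Unprotected"

    def attempt_sync(self, now_minute: int, sync_reachable: bool) -> bool:
        """A sync succeeds only when the sync server is reachable. The state
        reported is the state at the moment of the sync, which is why the
        boot-time sync reports the client as not yet protected."""
        if not sync_reachable:
            return False
        self.last_reported_state = self.local_state()
        self.synced_since_start = True
        self.last_sync_minute = now_minute
        return True

    def dashboard_state(self, now_minute: int) -> str:
        """What the Dashboard shows: the last synced state, or offline."""
        if (self.last_sync_minute is None
                or now_minute - self.last_sync_minute > SYNC_INTERVAL_MIN):
            return "offline"
        return self.last_reported_state

def cafe_then_office() -> dict:
    """Replay the article's scenario: boot at a cafe that allows sync, then
    move to a corporate network where sync is blocked but DNS works."""
    c = RoamingClientModel(dns_reachable=True)
    c.start()
    c.attempt_sync(0, sync_reachable=True)            # boot-time sync at the cafe
    out = {"after_boot": (c.local_state(), c.dashboard_state(0))}
    c.attempt_sync(30, sync_reachable=True)           # next sync, still at the cafe
    out["at_cafe"] = (c.local_state(), c.dashboard_state(30))
    c.attempt_sync(70, sync_reachable=False)          # in the office: sync blocked
    out["office_70"] = (c.local_state(), c.dashboard_state(70))
    out["office_100"] = (c.local_state(), c.dashboard_state(100))
    return out
```

The replay shows the three mismatches described above in order: right after boot the client is Protected while the Dashboard still holds the pre-sync "Unprotected" report; at the cafe both agree; in the office the Dashboard first shows a stale "Protected" and then "offline", even though the client on the desk is still Protected and filtering.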
The computer reports a "No Connectivity" warning
When using the roaming client, computers on certain network environments may display a network connectivity "yellow triangle" indicator, but network access is fully operational. This may impact Microsoft applications such as Outlook, since they will not sync if the indicator is tripped.
- This issue is a known design limitation in Windows. To resolve it permanently:
- Windows 7/8: follow the hosts file instructions on this document.
- Windows 10: Update to version 1709 or higher and follow these instructions to modify either your Group Policy or registry to implement Microsoft's fix.
The local DNS entry for the computer disappears
The roaming client will transparently forward any DNS query to any domain in your internal domains list. When using the roaming client, you will most often see two updates rather than one because we are changing the DNS on the machine. In the event that the record disappears:
- Read this article to deploy a Microsoft hotfix for Windows 7 to prevent the record being deleted the moment the client enters the protected mode.