When you are using Virtual Appliances (VAs) for Internal Network or Active Directory visibility and granularity, Cisco Security Connector behavior changes. VAs act as DNS forwarders and send all public DNS requests to Cisco Umbrella and forward internal DNS requests to the network's internal DNS servers.
If an iPhone running the Cisco Security Connector (CSC) enters a network with VAs set in DHCP's DNS settings, it enters "Behind VA Mode". The Cisco Security Connector does the following so long as it has unimpeded access to 18.104.22.168 & 22.214.171.124 via UDP 443:
- While in Behind VA Mode, the CSC will forward all DNS to the VAs.
- The Apple process will still send the DNS via the CSC to the VAs, so this works differently than our Roaming Clients.
- Reporting in the Umbrella dashboard will show as the Internal Network IP identity instead of showing as the mobile device.
- Mobile device specific policies will not be enforced until you roam onto a network without VAs.
If you have concerns that your device is not on the correct policy, and it is not connected to a Virtual Appliance, please follow the instructions found in our article How to Collect Cisco Security Connector Diagnostics Logs and contact the Umbrella Support Team.