The Umbrella roaming client may be used in a wide variety of network and software configurations. This article documents all known compatibility topics with the F5 VPN client. It begins with the current expected detection behaviors and then discusses F5 VPN-specific compatibility notes.
The Umbrella client has implemented automated detection mechanisms that react to VPN changes to ensure that DNS functionality is maintained. This may cause the client to temporarily remain unprotected while the VPN is connected. For more details, see the article Third-Party VPN Detection Heuristics with the Umbrella Roaming Client.
F5 VPN Compatibility
In many configurations, F5 VPN will function by inserting the VPN DNS addresses to non-VPN NICs by pre-pending the VPN servers to the NIC's DNS. So, for a local DNS config of x.x.x.x and a VPN config of y.y.y.y, the result will be x.x.x.x, y.y.y.y.
With the Umbrella roaming client, this overrides the 127.0.0.1 entry that the client has placed in the DNS settings. To ensure that F5 VPN is not impaired by an endless change loop, we will stop redirecting if 127.0.0.1 is placed at the end of the DNS list or is rapidly changed back away from 127.0.0.1.
In most cases, we recommend the use of the Umbrella roaming security module that is part of the AnyConnect roaming security client. VPN is not required to be deployed (it can be removed from display to the user at the time of install).
F5 compatibility at this time is defined as a successful F5 VPN connection with fully functional local and public DNS. This may be as a result of a graceful backoff by the roaming client into an unprotected state. Please ensure that your on-network coverage is in place while using F5 by configuring your network for Cisco Umbrella.
BigIP F5 VPN Client
The BigIP F5 edge client is the most common F5 VPN client at this time; however, it is being replaced with the new F5 client in many deployments. This article discusses all known interoperability concerns with the F5 BigIP client.
F5 DNS Relay Proxy
The roaming client is not compatible with VPN client 2.2+ in configurations that activate the F5 DNS Relay Proxy service. This relay proxy is known to activate in split-dns mode and DNS-based split tunneling modes. F5 may not be used with DNS names defined with the roaming client. To use split tunneling with F5 and the roaming client at this time, use IP-based split tunneling rather than DNS-based split tunneling. Additionally, some configurations and versions may result in Umbrella being overridden despite showing green when the DNS Relay Proxy is activated.
Where do I find this split-dns or DNS-based split tunneling setting?
F5 VPN Split Tunneling with split-dns appears in the form of the "DNS Address Space" setting. When active, this spins up F5's own DNS proxy, which conflicts with the roaming client. The symptom is a failure to resolve A-records while both the roaming client and the VPN are active. See the following image for a working configuration. The most common breaking setting is "*". For more information on this feature, see https://support.f5.com/csp/article/K9694.
This feature is most commonly used for DNS-based split tunneling. At this time, DNS-based split tunneling with F5 is incompatible with the Umbrella roaming client, and the configuration noted here is required to avoid launching the F5 DNS Proxy.
Today, a permanent solution may exist in the form of the AnyConnect roaming security module (included in your Umbrella DNS license). In the long term, we aim to add support for these additional DNS modes; however, due to the use of an F5 DNS proxy, support may remain limited.
In some cases, this manifests with an F5 DNS proxy where DNS flows to F5 despite the roaming client showing protected and encrypted. Test pages to welcome.umbrella.com will fail (unless on-network uses Umbrella) and the roaming client would not be used for DNS due to interception. The roaming client is fully functional and would report a protected state, but would not receive DNS from the system. In this case, you need to stop the "F5 DNS Relay Proxy" service (F5FltSrv.exe) to see if it helps.
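The two conditions described above (where 127.0.0.1 sits in each NIC's DNS list, and whether the F5 DNS Relay Proxy is running) can be checked on a Windows endpoint with a read-only script. This is an added example, not Cisco or F5 tooling; the function name Get-LoopbackPosition is hypothetical, and matching the service by the display name quoted in this article is an assumption.

```powershell
# Added diagnostic (not vendor code). Read-only: it changes no settings.
$loopback = '127.0.0.1'

function Get-LoopbackPosition {
    # Hypothetical helper: classify where 127.0.0.1 sits in one NIC's DNS list.
    param([string[]]$Servers)
    if (-not $Servers -or $Servers.Count -eq 0) { return 'NoDns' }
    $idx = [array]::IndexOf($Servers, $loopback)
    if ($idx -lt 0) { return 'Absent' }                 # overridden or never placed
    if ($idx -eq 0) { return 'First' }                  # roaming client is queried first
    if ($idx -eq $Servers.Count - 1) { return 'Last' }  # condition where redirection stops
    return 'Middle'
}

# IPv4 DNS servers per interface, in the order Windows will query them.
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            DnsServers = $_.ServerAddresses -join ', '
            Loopback   = Get-LoopbackPosition -Servers $_.ServerAddresses
        }
    }
$nics | Format-Table -AutoSize

# Assumption: the service display name contains the string quoted in this article.
$svc  = Get-Service -DisplayName '*F5 DNS Relay Proxy*' -ErrorAction SilentlyContinue
$proc = Get-Process -Name 'F5FltSrv' -ErrorAction SilentlyContinue
$relayActive = ($svc | Where-Object Status -eq 'Running') -or $proc

if ($relayActive) {
    Write-Warning 'F5 DNS Relay Proxy is running: DNS may flow to F5 even if the roaming client reports protected.'
}
if ($nics | Where-Object { $_.Loopback -in 'Absent', 'Last' }) {
    Write-Warning '127.0.0.1 is missing or last on a NIC: redirection is overridden or will stop there.'
}
```

Running it once with the VPN disconnected and once connected shows how the F5 client reorders the DNS list on each adapter.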
New F5 Client
Recently, many F5 deployments may be deployed with the new F5 VPN client. The Cisco Umbrella team has limited information on this new client; however, any of the conditions present for the Big-IP F5 client may also apply to the new F5 client.