Problem
Cisco Umbrella SWG for AnyConnect may encounter incompatibility issues with certain SSL VPNs that operate on ports that are intercepted by the SWG agent (such as TCP 443).
AnyConnect SWG may fail to activate and therefore may not apply coverage reliably. Alternatively, if VPN traffic is passed through SWG while SWG is active, network reliability on the VPN degrades or the network becomes unavailable, because SWG drops non-web traffic. This applies to all SSL VPNs using ports 80 and 443.
Solution
When adding SWG Bypass domains under Deployments -> Domain Management -> External Domains, add the domain and IP address of your VPN head end servers to the list. Due to the large number of connections on the VPN, the IP entry ensures that this traffic is never intercepted by the SWG agent. Please allow one hour for the new setting to propagate.
In summary, when using an SSL VPN and SWG:
- Add the VPN domain to the External Domains list
  - If the VPN head end domain is a DNS Search Suffix, this addition occurs automatically on the client side for the duration of the connection.
- Add the VPN head end IP addresses or IP range to the External Domains list
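
A way to check that the list actually covers the VPN head end, as an added example that is not Cisco's code: it reports which of the head end's domain and IP addresses are missing from a bypass list. The function names are hypothetical, and it assumes the list is available as one entry per line, that ranges are written in CIDR notation, and that a domain entry also covers its subdomains.

```python
import ipaddress


def parse_entries(lines):
    """Split bypass-list lines into domain entries and IP networks."""
    domains, networks = set(), []
    for raw in lines:
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        try:
            # A bare address parses as a single-host network (/32 or /128).
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)
    return domains, networks


def domain_covered(fqdn, domains):
    """True on an exact or parent-domain match (assumed matching rule)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def missing_bypass_entries(bypass_lines, vpn_fqdn, headend_ips):
    """Return the head-end domain and IPs that the list does not cover."""
    domains, networks = parse_entries(bypass_lines)
    missing = []
    if not domain_covered(vpn_fqdn, domains):
        missing.append(vpn_fqdn)
    for ip in headend_ips:
        addr = ipaddress.ip_address(ip)
        # Membership is False when address and network versions differ.
        if not any(addr in net for net in networks):
            missing.append(ip)
    return missing


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_LIST = ["corp.example.com", "192.0.2.10", "198.51.100.0/28"]
SAMPLE_HEADEND_IPS = ["192.0.2.10", "198.51.100.5", "203.0.113.7"]

if __name__ == "__main__":
    gaps = missing_bypass_entries(
        SAMPLE_LIST, "vpn.corp.example.com", SAMPLE_HEADEND_IPS
    )
    for item in gaps:
        print("not bypassed:", item)
```

Supply every address the head-end name can resolve to, since any address left out of the list can still be intercepted by the SWG agent.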