Overview
The Umbrella Module for Cisco Secure Client (CSC) works with most other networking / security software. However, there are instances where extra action is required for both types of software to work as expected.
Software Incompatibilities
Client | Issue |
Split-DNS | Generally speaking, split-DNS may be problematic. It is not supported if the 3rd party VPN makes use of the DNS Proxy Provider for split DNS. Split DNS is a security risk - Umbrella handles this split for you with public DNS routing straight to us instead of internal DNS. |
Palo Alto Global Protect VPN (macOS) with split-DNS mode active | Split-DNS mode only. This activates the DNS Proxy Provider, and only one DNS Proxy Provider may be active at one time, making split-DNS mode on Palo Alto's Global Protect VPN incompatible. |
Zscaler VPN | Zscaler makes use of ZPA, which acts as a DNS proxy and conflicts with our own DNS encryption proxy software. DNS may fail to resolve, including local DNS, or may resolve to completely different IPs such as 100.x.x.x Zscaler IPs. Cisco has discovered a workaround for ZPA incompatibility based on the prerequisites of ZPA. Add “prod.zpath.net” and “private.zscaler.com” to your internal domains list in Umbrella. |
Akamai endpoint protection (ETPclient) | This is a DNS redirection proxy software which will also bind to 127.0.0.1:53. We are not compatible with this competing product. |
SentinelOne firewall | Confirmed to conflict with the CSC/AnyConnect Umbrella Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed. |
StormShield | Confirmed to conflict with the CSC/AnyConnect Umbrella Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed. |
Lightspeed Rocket | Lightspeed Rocket has select features which are not compatible with the roaming client. Specifically, the DNS modification for "No SSL Search" and "SafeSearch" CNAME redirection of www.google.com -> nosslsearch.google.com and forcesafesearch.com respectively causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled. |
TwinGate | Currently incompatible. |
F5 VPN | Fixed by disabling the F5 DNS Relay Proxy service (F5FltSrv.exe). |
AWS VPN | Use workaround: Edit the config file (downloaded from AWS manually) to have a second line of pull-filter ignore "block-outside-dns" |
Symantec WSSA Proxy | Umbrella IPv6 protection will only work when using WSSA version 9.2.7. Otherwise IPv6 probes will be blocked by WSSA Proxy since it does not support IPv6 traffic. |
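
The AWS VPN workaround from the table above, as an added example (not Cisco's or AWS's own code): it inserts the pull-filter line as the second line of the configuration text, keeps the file's existing line endings, and changes nothing if the line is already present. It assumes a plain-text, line-oriented configuration file; the sample configuration and the host name in it are constructed.

```python
import re
import sys

DIRECTIVE = 'pull-filter ignore "block-outside-dns"'
# Matches the directive however it is spaced, with or without quotes.
_PRESENT = re.compile(r'^\s*pull-filter\s+ignore\s+"?block-outside-dns"?\s*$')


def add_pull_filter(config_text: str) -> str:
    """Return config_text with DIRECTIVE as its second line (idempotent)."""
    # Keep the file's own line ending so a CRLF file stays CRLF.
    newline = "\r\n" if "\r\n" in config_text else "\n"
    lines = config_text.splitlines()
    if any(_PRESENT.match(line) for line in lines):
        return config_text  # already applied, leave the text untouched
    if not lines:
        raise ValueError("empty configuration file")
    lines.insert(1, DIRECTIVE)  # index 1 is the second line
    return newline.join(lines) + newline


# Constructed sample standing in for a downloaded client configuration.
SAMPLE = "client\ndev tun\nproto udp\nremote vpn.example.invalid 443\n"

if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        # newline="" disables newline translation on read and write.
        with open(path, newline="") as fh:
            original = fh.read()
        patched = add_pull_filter(original)
        if patched != original:
            with open(path + ".bak", "w", newline="") as fh:
                fh.write(original)  # keep a backup of the downloaded file
            with open(path, "w", newline="") as fh:
                fh.write(patched)
        print("patched" if patched != original else "already present")
    else:
        print(add_pull_filter(SAMPLE), end="")
```

Run it with the path of the downloaded configuration file as its only argument; a copy of the original is saved beside it with a .bak suffix before the file is rewritten.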
Additional configuration information
When deployed on a split tunnel configuration with tunnel-all-dns enabled, please refer to the following guide.