The Cisco Umbrella roaming security module (AnyConnect or Cisco Secure Client) works with most software, but there are instances when extra action is required to have both types of software work as expected.
- Generally speaking, split-DNS may be problematic. It is not supported if the 3rd party VPN makes use of the DNS Proxy Provider for split DNS. Split DNS is a security risk - Umbrella handles this split for you with public DNS routing straight to us instead of internal DNS.
- Palo Alto Global Protect VPN (macOS) with split-DNS mode active
- Split-DNS mode only. This activates the DNS Proxy Provider, and only one DNS Proxy Provider may be active at one time, making split-DNS mode on Palo Alto's Global Protect VPN incompatible.
- Zscaler VPN.
Zscaler makes use of ZPA which acts as a DNS proxy, which conflicts with our own DNS encryption proxy software. DNS may fail to resolve including local DNS or may resolve to completely different IPs such as 100.x.x.x ZScaler IPs.
NEW: Cisco has discovered a workaround for ZPA incompatibility based on the prerequisites of ZPA. Add “prod.zpath.net” and “private.zscaler.com” to your internal domains list in Umbrella.
- SentinelOne firewall.
Confirmed to conflict with the AnyConnect Umbrella Roaming Security Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed.
- Akamai endpoint protection (ETPclient)
This is a DNS redirection proxy software which will also bind to 127.0.0.1:53. We are not compatible with this competing product.
- StormShield: Incompatible at this time with the AnyConnect roaming security module. Impact: Inbound return DNS is blocked if UDP 53 inbound is blocked. The outgoing packet is not successfully stored in the UDP state table (not seen) and therefore the return packet is not associated with the existing state. Workaround: permit UDP 53 inbound.
- Lightspeed Rocket
Lightspeed Rocket has select features which are not compatible with the roaming client. Specifically, the DNS modification for "No SSL Search" and "SafeSearch" CNAME redirection of www.google.com -> nosslsearch.google.com and forcesafesearch.com respectively causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled.
Additional configuration information
When deployed on a split tunnel configuration with tunnel-all-dns enabled, please refer to the following guide.