The Cisco Umbrella roaming security module (AnyConnect or Cisco Secure Client) works with most software, but in some cases extra action is required for both products to work as expected.
- Zscaler VPN
Zscaler uses ZPA, which acts as a DNS proxy and conflicts with our own DNS encryption proxy software. DNS, including local DNS, may fail to resolve, or may resolve to completely different IPs, such as 100.x.x.x Zscaler IPs.
- SentinelOne firewall
Confirmed to conflict with the AnyConnect Umbrella Roaming Security Module and to prevent coverage from applying after the next reboot following installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version, to be confirmed.
- Akamai endpoint protection (ETPclient)
This is DNS redirection proxy software that also binds to 127.0.0.1:53. We are not compatible with this competing product.
- StormShield
Incompatible at this time with the AnyConnect roaming security module. Impact: inbound return DNS is blocked if UDP 53 inbound is blocked. The outgoing packet is not successfully stored in the UDP state table (not seen), so the return packet is not associated with the existing state. Workaround: permit UDP 53 inbound.
- Lightspeed Rocket
Lightspeed Rocket has select features that are not compatible with the roaming client. Specifically, the DNS modification that CNAME-redirects www.google.com to nosslsearch.google.com ("No SSL Search") and forcesafesearch.com ("SafeSearch") causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled.
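A quick endpoint check for two symptoms listed above: a process holding 127.0.0.1:53 (the Akamai entry) and answers in 100.x.x.x (the Zscaler entry). This is an added example, not Cisco tooling; the function names and the 100.0.0.0/8 match are assumptions made for illustration.

```python
import errno
import ipaddress
import socket

# Coarse match for the "100.x.x.x" answers in the Zscaler entry
# (assumption: any address in 100.0.0.0/8 is treated as suspect).
SUSPECT_NET = ipaddress.ip_network("100.0.0.0/8")


def loopback_dns_port_state(host="127.0.0.1", port=53):
    """Return 'in_use', 'free' or 'unknown' for a UDP bind attempt on host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", -1)):
            return "in_use"
        return "unknown"  # e.g. EACCES when run unprivileged: cannot tell
    finally:
        sock.close()
    return "free"


def suspect_answers(addresses):
    """Return the IPv4 addresses that fall inside SUSPECT_NET."""
    hits = []
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # skip anything that is not an IP literal
        if ip.version == 4 and ip in SUSPECT_NET:
            hits.append(text)
    return hits


def resolve_and_check(hostname):
    """Resolve via the system resolver; return (addresses, suspect_subset)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_UDP)
    except socket.gaierror:
        return [], []  # outright resolution failure, the other listed symptom
    addrs = sorted({info[4][0] for info in infos})
    return addrs, suspect_answers(addrs)


if __name__ == "__main__":
    print("127.0.0.1:53 UDP:", loopback_dns_port_state())
    print("www.example.com:", resolve_and_check("www.example.com"))
```

An `in_use` result is also expected while the roaming module itself is running; the probe shows only that some process holds the port, not which one.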
Additional configuration information
When deployed on a split tunnel configuration with tunnel-all-dns enabled, please refer to the following guide.