The Cisco Umbrella roaming security module (AnyConnect or Cisco Secure Client) works with most software, but there are instances when extra action is required to have both types of software work as expected.
This article refers to the roaming module of AnyConnect (or Cisco Secure Client). For a companion article on the standalone roaming client click here.
|Split-DNS||Generally speaking, split-DNS may be problematic. It is not supported if the 3rd party VPN makes use of the DNS Proxy Provider for split DNS. Split DNS is a security risk - Umbrella handles this split for you with public DNS routing straight to us instead of internal DNS.|
|Palo Alto Global Protect VPN (macOS) with split-DNS mode active||
Split-DNS mode only. This activates the DNS Proxy Provider, and only one DNS Proxy Provider may be active at one time, making split-DNS mode on Palo Alto's Global Protect VPN incompatible.
|Zscaler VPN||Zscaler makes use of ZPA which acts as a DNS proxy, which conflicts with our own DNS encryption proxy software. DNS may fail to resolve including local DNS or may resolve to completely different IPs such as 100.x.x.x ZScaler IPs. Cisco has discovered a workaround for ZPA incompatibility based on the prerequisites of ZPA. Add “prod.zpath.net” and “private.zscaler.com” to your internal domains list in Umbrella.|
|Akamai endpoint protection (ETPclient)||This is a DNS redirection proxy software which will also bind to 127.0.0.1:53. We are not compatible with this competing product.|
|SentinelOne firewall||Confirmed to conflict with the AnyConnect Umbrella Roaming Security Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed.|
|StormShield||Confirmed to conflict with the AnyConnect Umbrella Roaming Security Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed.|
|Lightspeed Rocket||Lightspeed Rocket has select features which are not compatible with the roaming client. Specifically, the DNS modification for "No SSL Search" and "SafeSearch" CNAME redirection of www.google.com -> nosslsearch.google.com and forcesafesearch.com respectively causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled.|
Fixed by disabling the F5 DNS Relay Proxy service (F5FltSrv.exe)
Additional configuration information
When deployed on a split tunnel configuration with tunnel-all-dns enabled, please refer to the following guide.