Overview
The Umbrella Module for Cisco Secure Client (CSC) works with most other networking / security software. However, there are instances where extra action is required for both types of software to work as expected.
Software Incompatibility (No Workaround Available)
Client | Issue |
Split-DNS | Generally speaking, split-DNS may be problematic. It is not supported if the 3rd party VPN makes use of the DNS Proxy Provider for split DNS. Split DNS is a security risk - Umbrella handles this split for you with public DNS routing straight to us instead of internal DNS. |
Palo Alto Global Protect VPN (macOS) with split-DNS mode active | Split-DNS mode only. This activates the DNS Proxy Provider, and only one DNS Proxy Provider may be active at one time, making split-DNS mode on Palo Alto's Global Protect VPN incompatible. |
Akamai endpoint protection (ETPclient) | This is a DNS redirection proxy software which will also bind to 127.0.0.1:53. We are not compatible with this competing product. |
SentinelOne firewall | Confirmed to conflict with the CSC/AnyConnect Umbrella Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed. |
StormShield | Confirmed to conflict with the CSC/AnyConnect Umbrella Module and prevent coverage from applying after the next reboot after installation. No known workarounds. Contact SentinelOne to see if DNS control may be disabled. This is slated for resolution in a future SentinelOne version to be confirmed. |
TwinGate | Currently incompatible. |
Fortinet VPN | On macOS internal domains are not respected. |
Workspace One | Currently incompatible |
Checkpoint | Currently incompatible |
Software Incompatibility (Workaround Available)
All workarounds are best effort. If the workaround does not work then you would need to open a ticket with both Umbrella and the third-party vendor.
Client | Issue |
Split-DNS | Generally speaking, split-DNS may be problematic. It is not supported if the 3rd party VPN makes use of the DNS Proxy Provider for split DNS. Split DNS is a security risk - Umbrella handles this split for you with public DNS routing straight to us instead of internal DNS. |
AWS VPN | Use workaround: Edit the config file (downloaded from AWS manually) to have a second line of pull-filter ignore "block-outside-dns" |
F5 VPN | Fixed by disabling the F5 DNS Relay Proxy service (F5FltSrv.exe) |
Symantec WSSA Proxy | Umbrella IPv6 protection will only work when using WSSA version 9.2.7. Otherwise IPv6 probes will be blocked by WSSA Proxy since it does not support IPv6 traffic. |
OpenVPN Connect | Enable Allow using local DNS resolvers in the advanced settings section of the OpenVPN Connect client. |
Lightspeed Rocket | Disable Lightspeed Rocket's DNS redirection. Lightspeed Rocket has select features which are not compatible with the roaming client. Specifically, the DNS modification for "No SSL Search" and "SafeSearch" CNAME redirection of www.google.com -> nosslsearch.google.com and forcesafesearch.com respectively causes all www.google.com DNS resolution to fail as long as Lightspeed Rocket's DNS redirection is enabled. |
Zscaler VPN | Zscaler makes use of ZPA which acts as a DNS proxy, which conflicts with our own DNS encryption proxy software. DNS may fail to resolve, including local DNS, or may resolve to completely different IPs such as 100.x.x.x Zscaler IPs. Cisco has discovered a workaround for ZPA incompatibility based on the prerequisites of ZPA. Add “prod.zpath.net” and “private.zscaler.com” to your internal domains list in Umbrella. |
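The AWS VPN workaround from the table above, as an added example (not Cisco's or AWS's code): a Python helper that inserts the directive as the second line of a client config unless it is already present. The sample config and its endpoint name are constructed, and the warning about a locally set block-outside-dns reflects OpenVPN's behaviour that pull-filter only applies to server-pushed options, which this page does not discuss.

```python
import re

# Directive quoted in the AWS VPN row of the table above.
DIRECTIVE = 'pull-filter ignore "block-outside-dns"'
_FILTER = re.compile(r'^\s*pull-filter\s+ignore\s+"?block-outside-dns"?\s*$')
# A block-outside-dns set in the file itself (not pushed by the server).
_LOCAL = re.compile(r'^\s*(setenv\s+opt\s+)?block-outside-dns\s*$')

# Constructed sample config; the endpoint name is a placeholder.
SAMPLE = """client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.invalid 443
resolv-retry infinite
nobind
"""


def patch_ovpn(text):
    """Return (patched_text, warnings) for an OpenVPN client config.

    Warning line numbers refer to the input text, before any insertion.
    """
    lines = text.splitlines()
    warnings = [
        f"line {n}: '{line.strip()}' is set locally; pull-filter only "
        "filters options pushed by the server"
        for n, line in enumerate(lines, 1)
        if _LOCAL.match(line)
    ]
    if not any(_FILTER.match(line) for line in lines):
        # The workaround asks for the directive as the second line.
        lines.insert(min(1, len(lines)), DIRECTIVE)
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    patched, notes = patch_ovpn(SAMPLE)
    print(patched, end="")
    for note in notes:
        print("WARNING:", note)
```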
Additional configuration information
When deployed on a split tunnel configuration with tunnel-all-dns enabled, please refer to the following guide.