Purpose
Like all software, the Umbrella Roaming Client is subject to compatibility issues. These issues can be addressed through updates and patches, but Cisco has identified a particular type of compatibility issue that is becoming increasingly prevalent and is a design limitation with the standalone Roaming Client. To resolve these issues, an Umbrella Technician may direct you to migrate to AnyConnect + Roaming Security module (no VPN or VPN module required). This article will discuss these issues and address common questions for those who need to migrate.
Standalone Roaming Client approach
The standalone Roaming Client uses a virtual loopback adapter (127.0.0.1:53) to extend DNS coverage to all DNS requests sent to the DNS servers configured on the computer's network adapters. This also requires that the DNS server on all adapters is set (automatically) to 127.0.0.1, the localhost loopback address.
The disadvantage of this approach is that some VPN providers validate DNS against their own criteria, either mandating that it matches what has been set by the Admin or invalidating the use of a locally running DNS resolver on 127.0.0.1.
Alternatively, some VPNs overwrite the NIC DNS settings with their own VPN values, but run into conflicts because they have treated 127.0.0.1 as the local DNS instead of the real values. This conflict can cause the Umbrella Roaming Module and the conflicting software package to not function as designed, or cause an all-DNS-fail scenario where the configured DNS settings are lost at connect or disconnect.
See our list of known conflicts here:
Umbrella Roaming Client VPNs and VPN compatibility
These limitations apply to the core redirection design of the roaming client - 127.0.0.1 insertion into the NIC DNS settings.
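To see which of the states described above an endpoint is in, the following added example (not Cisco tooling and not part of the original article) reports each connected adapter's IPv4 DNS servers and any process bound to UDP port 53 locally. It assumes a Windows endpoint with the built-in DnsClient and NetTCPIP PowerShell modules; the function names and state labels are hypothetical.

```powershell
# Added diagnostic, not Cisco code. Assumes Windows with the DnsClient and
# NetTCPIP modules. Function names and state labels are illustrative only.

function Get-DnsRedirectState {
    # Classify every connected adapter by its configured IPv4 DNS servers.
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $servers = @(Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                        -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty ServerAddresses)
        $loop = @($servers | Where-Object { $_ -eq '127.0.0.1' })
        if     ($servers.Count -eq 0)           { $state = 'NoDns' }
        elseif ($loop.Count -eq $servers.Count) { $state = 'LoopbackOnly' }
        elseif ($loop.Count -gt 0)              { $state = 'Mixed' }
        else                                    { $state = 'RealResolvers' }
        [pscustomobject]@{ Adapter = $nic.Name; Dns = $servers -join ','; State = $state }
    }
}

function Get-Port53Listener {
    # A process bound to UDP 53 on loopback (or on all addresses) is a local resolver.
    Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in '127.0.0.1', '0.0.0.0' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Address   = $_.LocalAddress
                               ProcessId = $_.OwningProcess
                               Process   = $proc.ProcessName }
        }
}

$adapters  = @(Get-DnsRedirectState)
$listeners = @(Get-Port53Listener)
$adapters  | Format-Table -AutoSize
$listeners | Format-Table -AutoSize

# Interpretation, following the article's description of the standalone design.
if ($adapters.State -contains 'NoDns') {
    Write-Warning 'An adapter has no DNS servers: settings may have been lost at connect or disconnect.'
}
if ($adapters.State -contains 'LoopbackOnly' -and $listeners.Count -eq 0) {
    Write-Warning 'DNS points at 127.0.0.1 but nothing listens on port 53: all DNS will fail.'
}
if ($listeners.Count -gt 0 -and ($adapters.State -contains 'RealResolvers' -or $adapters.State -contains 'Mixed')) {
    Write-Warning 'A local resolver is running but an adapter no longer points only at 127.0.0.1: its DNS settings may have been overwritten.'
}
```

Running it once before and once after connecting the VPN shows whether the VPN client replaced or cleared the loopback DNS entry.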
Roaming Security Module approach
The AnyConnect + Roaming Security Module is designed with direct control over DNS - without changing the DNS settings on the interface - thereby avoiding DNS changer conflicts. AC+RSM uses a kernel driver, which intercepts the DNS requests at a much lower level in the operating system. Though more difficult to develop, this has the advantage of not requiring that all adapters point to the loopback address - and the original DNS settings are maintained. This architectural difference means that the RSM can retain much higher compatibility with other software when compared to the Standalone Roaming Client.
Some conflicts remain if a vendor also binds to 127.0.0.1:53 or has certain kernel level controls or DNS relay proxies of their own; however, conflicts are minimal.
You can see the known incompatibility list for AC+RSM here:
Software Compatibility - Roaming Security Module
Common questions and concerns
Q: To use the Roaming Security Module, I need to use the AnyConnect client. I already have a VPN and do not wish to switch to another VPN provider. How will this help me?
A: AnyConnect is known for its VPN module, but the VPN module is not required to be installed to use the Roaming Security Module. It is very common to use AnyConnect + Roaming Security Module alongside other VPNs. A rebranding of the client is due soon to help avoid this confusion.
Q: Where can I get a copy of the installer if I am not already a VPN user?
A: You can find a copy of the latest installer on the latest release note post for AnyConnect.
Q: I already pay for Umbrella, but I don't have any AnyConnect licenses! Why should I spend more money to fix this problem?
A: AnyConnect is now included in all Umbrella licenses. If you need help downloading the client, please see official Roaming Security Module documentation. If you have any further questions, please reach out to Umbrella Support.
Q: I don't want to change clients! If you sell the standalone Roaming Client, shouldn't you support it with patches and fixes to common problems?
A: The subscription is for DNS level protection, which can be deployed across multiple clients: iOS, Android, Chromebook, as well as the Umbrella Roaming client and Roaming Security module. All clients are regularly updated; however, certain impacts are design limitations that are not reasonably resolvable without a redesign. The AnyConnect Roaming Security Module is an equivalent roaming client - enhanced with a redesign that greatly increases compatibility with 3rd party VPNs and software.