As Umbrella has grown, we have evolved our methods for protecting roaming computers. While the original Roaming Client approach is still usable in some instances, compatibility issues with other products have lead the Cisco to work towards a simple, singular product that is widely compatible with other networking applications. To this end, an Umbrella Technician may direct you to migrate to Cisco Secure Client + Umbrella Module. This article will discuss why this approach is often suggested and address common questions for those who need to migrate.
Standalone Roaming Client approach
The standalone Roaming Client uses a virtual loopback adapter (127.0.0.1:53) in order to extend DNS coverage to all DNS requests sent to the computer's network adapters DNS settings. This also requires that the DNS server is set (automatically) on all adapters to use 127.0.0.1, the localhost loopback address.
The disadvantage of this approach is that some VPN providers validate DNS against their own criteria- either mandating that it matches what has been set by the Admin or invalidating the use of a locally running DNS resolver on 127.0.0.1.
Alternatively, some VPNs overwrite DNS NIC settings as well with VPN values - but run into conflicts from having treated 127.0.0.1 as local DNS instead of the real values. This conflict can cause the Umbrella Roaming Client and the conflicting software package to not function as designed or cause an all DNS fail scenario where the configured DNS settings are lost at connect or disconnect.
See our known list of known conflicts here:
These limitations apply to the core redirection design of the roaming client - 127.0.0.1 insertion into the NIC DNS settings.
Umbrella Module approach
With Cisco Secure Client (CSC), the Umbrella Module is able to gain direct control over the adapter - without changing the DNS settings on the interface, avoiding DNS changer conflicts. The CSC uses a kernel driver, which intercepts the DNS requests at a much lower level in the operating system. This more sophisticated mechanism has the advantage of not requiring that all adapters point to the loopback address - and the original DNS settings are maintained. This architectural difference means that the Umbrella Module can retain much higher compatibility with other software when compared to the Standalone Umbrella Roaming Client.
Some conflicts remain if a vendor also binds to 127.0.0.1:53 or has certain kernel level controls or DNS relay proxies of their own; however, conflicts are minimal and rare in practice.
You can see the known incompatibility list for Cisco Secure Client + Umbrella Module here:
Upgrading to Cisco Secure Client
If you already have one of our previous roaming clients installed, upgrading is fairly straightforward. The process involves downloading the CSC from Cisco and installing it from an account that has full administrative privileges.
For more information, please select which product you are moving from:
- If you are upgrading from AnyConnect to Cisco Secure Client, click here.
- If you are upgrading from Umbrella Roaming Client to Cisco Secure Client, click here.
Common questions and concerns
Q: If I use the Cisco Secure Client, do I need to use the AnyConnect VPN module? I already have a VPN and do not wish to switch to another provider. How will this help me?
A: While Cisco is known for it's AnyConnect VPN, the VPN module does not need to be in use in order to take advantage of the Umbrella Module. You can use another VPN at the same time as using the CSC, and this configuration is common with Cisco Secure Client + Umbrella Module.
Q: Where can I get a copy of the Cisco Security Client?
A: Follow instructions listed in the release notes here. Note: To complete download, you will need to log in using a valid Cisco Account.
Q: I already pay for Umbrella, but I don't have any Cisco Secure Client licenses! Why should I spend more money to fix this problem?
A: Cisco Secure is now included in all Umbrella licenses. If you need help downloading the client, please see official Umbrella Module documentation. If you have any further questions, please reach out to Umbrella Support.
Q: I don't want to change clients! If you sell the standalone Roaming Client, shouldn't you support it with patches and fixes to common problems?
A: The subscription is for DNS level protection, which can be deployed across multiple clients- iOS, Android, Chromebook, as well as the Umbrella Roaming client and Umbrella Module. We have taken all of the knowledge learned from the Umbrella Roaming Client and AnyConnect modules and evolved them into the upgraded solution. The Cisco Secure Client with Umbrella Module is an equivalent roaming client to our previous clients, enhanced with a redesign that greatly increases compatibility with 3rd party VPNs and software.