The status of the Cisco Umbrella roaming client—which displays the current state of the Umbrella roaming client—is shown both in the Umbrella dashboard at Deployments > Core Identities > Roaming Computers and on the local machine through the Umbrella roaming client's tray icon.
Note: The tray icon can be set to hidden during installation.
The state that the Umbrella roaming client operates in depends on the current networking environment. This state determines how the Umbrella roaming client behaves and determines which Cisco Umbrella policy should be applied. The state of the Umbrella roaming client determines:
- Which Umbrella policy to enforce
- DNS settings
- If DNS encryption is possible.
- In the MSP console, navigate to Customer Management and click a customer name.
The Umbrella dashboard for that customer opens.
- In the Umbrella dashboard, navigate to Deployments > Core Identities > Roaming Computers.
- You can expand each roaming computer and review additional information.
Note: IPv6 protection status is not currently displayed in the dashboard.
When you expand a roaming client listing in the dashboard, you can view status information indicating the current operational mode of the roaming client
Hostname of the computer.
Client Type / Version
The currently installed version of the Umbrella roaming client. Typically will show as "Umbrella RC" with a version.
Note: If no version is reported, that machine has never successfully synchronized with Umbrella.
Displays the current state of the Umbrella roaming client.
Protected—The appropriate policy settings in the Umbrella dashboard are being enforced; the computer can communicate with our DNS servers. This can include IP layer enforcement, or not, depending on the policy.
Protected & Encrypted—Same as protected, but the DNS queries are encrypted in transit. This can include IP layer enforcement, or not, depending on the policy.
Protected by VA—The Umbrella roaming client has detected a VA on the network and is deferring to it—can include both DNS and IP Layers.
Protected by Network—The Umbrella roaming client has detected that the current network has an Umbrella network protection policy in place where the local DNS server and the computer are on the same registered dashboard network registration and the Umbrella roaming client is configured to disable itself while on a protected network—this is a configurable option.
Yellow (Unprotected)—The policy is not currently being enforced; the computer is unable to communicate with our DNS servers.
Grey (Offline)—The computer has been powered down, does not have an active internet connection or the Umbrella roaming client has been improperly installed, or uninstalled while disconnected from the internet.
Grey (Uninstalled)—The Umbrella roaming client was uninstalled on the endpoint and has not been deleted from the dashboard. It can either be reinstalled on the endpoint or deleted from the dashboard.
Grey (Disabled)—The Umbrella roaming client was manually disabled by the user. This is a feature for OSX only. For more information, see Umbrella Roaming Client for OS X: Adding an Enable/Disable Option to the Menu Bar Icon.
Red (Unregistered)—The Umbrella roaming client cannot perform initial registration with our system over HTTPS.
DNS Layer Encryption
Yes or No. Also, displays either a locked or unlocked icon. Indicates whether the DNS requests between the computer and Umbrella are encrypted or not.
Note: Umbrella roaming clients behind a Virtual Appliance (VA) are not encrypted.
IP Layer Enforcement
Enabled or disabled. Also, displays either a "locked icon" or "unlocked icon" in the dashboard indicating whether IP Layer Enforcement is enabled in policy and enabled on the Umbrella roaming client itself.
Note: Umbrella roaming client behind a VA will still have IP Layer Enforcement enabled.
Last Active Policy
The policy assigned to this computer when it last synced with the Umbrella API.
The version of the OS that the Umbrella roaming client records when it's installed.
There's a friendly name and an 'advanced' name, which is the one the OS manufacturer actually gives to the part of the system the Umbrella roaming client reads from.
Lapsed time since the computer last synced with our API. The API syncs periodically to check for updates and verify the internal domain list is up to date.
Indicates any groupings that the roaming computer is a part of. For more information, see Best Practices for Policy Creation.
Click Delete to remove that machine from the list of machines managed by your organization. If you remove an Umbrella roaming client from the dashboard while it's still installed on an end-user machine, that user will lose all security features and internal domains functionality. Uninstall the Umbrella roaming client from the machine first.
As displayed through the tray icon on the device where the Umbrella Roaming Client is deployed, status is indicated through a colored dot that is added to the tray icon. Status is determined based on a series of DNS queries, which are used as tests to determine the correct state.
No dot means roaming client status is good.
A colored dot indicates that there may be an issue with the roaming client.
No active network connections. The Umbrella roaming client waits for an active network connection. On a trusted network.
There is at least one active network connection, however, the Umbrella roaming client can’t connect to 18.104.22.168 / 22.214.171.124 / 2620:119:53::53 / 2620:119:35::35 over port 53/UDP on any active connection. The user is not protected by Umbrella or reporting to Umbrella.
The system's DNS settings are now back to their original settings (DHCP or Static).
DNS64 detected. The roaming client does not provide protection for DNS64 queries, though normal IPv4 and IPv6 queries are protected.
A network connection is active, and the Umbrella roaming client is able to connect to port 126.96.36.199 / 188.8.131.52 / 2620:119:53::53 / 2620:119:35::35 over port 53/UDP, but not 443/UDP. The user is protected and reporting to Umbrella, but the connection is not encrypted.
The Umbrella roaming client has established a connection to 184.108.40.206 / 220.127.116.11 / 2620:119:53::53 / 2620:119:35::35 over port 443/UDP. The user is protected and reporting to Umbrella and the DNS queries are encrypted. Internal domains are forwarded to DHCP-delegated or statically-set DNS servers, and are therefore not encrypted.
The computer is behind a protected network, and the organization has “Disable Behind Protected Networks” enabled in their dashboard. The Umbrella roaming client has reverted the DNS settings back to what was set via DHCP or statically set. The connection is not encrypted.
Behind Virtual Appliance
The computer is connected to a network which has VAs configured for DNS servers. The Umbrella roaming client disables itself and reverts the DNS settings back to what was set via DHCP or statically set. The connection is not encrypted.
Protection failure. The roaming client is not providing protection.
If using protection measures (Endpoint Client Firewall / Antivirus) that require you to allow list network access on a per-executable (binary) basis, these are the processes to allow access:
- ERCInterface.exe (if the GUI was installed)
- dnscryptproxy.exe (This is new as of version 3.0 of the Umbrella Roaming Client for Windows, and replaces dnscrypt-proxy)
These two executables perform the same network-based tasks:
18.104.22.168, 22.214.171.124, ocsp.digicert.com and crl4.digicert.com
126.96.36.199, 188.8.131.52, 184.108.40.206, ocsp.digicert.com and crl4.digicert.com
Note: The 220.127.116.11, 18.104.22.168, and 22.214.171.124 IP addresses resolve to disthost.umbrella.com, api.opendns.com, and disthost.opendns.com respectively. The Digicert domains resolve to various IP addresses based on CDN and are subject to change. Currently, these domains resolve to the following IPs:
Perform encrypted and unencrypted DNS queries directly to Umbrella.
When the computer is powered on, woken from hibernation, or if there is a new network connection established, the roaming client performs a series of tests to determine which state it should be in. Each test has a success result and a failure result. It performs the following actions, in order of execution.
Initial Resting Stage
If the roaming client does not detect any active network connections, it operates in the Reserved state and waits for an active network connection before starting Stage 1.
The roaming client sends a normal EDNS request via each DHCP-delegated or static DNS server on every interface. If it detects that one of the DNS requests went through a VA, it's considered a success and operates in the Behind VA state. If it does not detect a VA, it's considered a failure and moves to Stage 2.
The Umbrella roaming client sends a special encrypted EDNS request over 443/UDP to 126.96.36.199/188.8.131.52/2620:119:53::53/2620:119:35::35. If the requests receive a valid response, it's considered a success and the Umbrella roaming client will operate in the Encrypted state. If the requests time out or are rejected, it's considered a failure and moves on to Stage 3.
The roaming client sends a normal EDNS request over port 53/UDP to 184.108.40.206/220.127.116.11/2620:119:53::53/2620:119:35::35. If the requests receive a valid response, it's considered a success and the roaming client will operate in the Transparent state and send an additional test to determine if it should operate in the Protected Network state. If the requests time out or are rejected, it's considered a failure and moves on to Stage 4.
The roaming client has failed all tests, and reverts all the DNS settings to the original DHCP or static values and operates in the Open state. The transition to the Open state can take a few moments, so if a network has third-party DNS blocked, DNS resolution will not occur until the Umbrella roaming client can transition all the way to this state.
Unprotected Status (Yellow)
When the status (not state) of the roaming client is Unprotected, the roaming client tests all stages aggressively, so it may transition to a Protected state as soon as possible. This is designed to avoid the need to restart the Umbrella roaming client in situations wherein an admin suddenly opens a firewall port or a user joins a public WiFi network and must authenticate or accept the WiFi network's Terms of Service. Within seconds of successful WiFi authentication or a change in the firewall, the Umbrella roaming client returns to the Protected status and chooses the appropriate state.
Updated about a year ago