A number of advanced settings for both the Umbrella roaming client and the Cisco Umbrella Roaming Security module can be configured.
- In the MSP console, navigate to Customer Management and click a customer name.
The Umbrella dashboard for that customer opens.
- In the Umbrella dashboard, navigate to Deployments > Core Identities > Roaming Computers.
- Click Settings.
- Select options and click Save.
Available options include:
- Disable DNS redirection while on an Umbrella Protected Network—Disables the DNS-based protection applied by the roaming client while on a network protected by Umbrella. This includes the intelligent proxy, since it is a DNS-based redirect. IP Layer Enforcement is not affected. The roaming client relies on the protection of the network for all features except IP Layer Enforcement. To trigger this setting, the network registration and the network must be the higher policy (not the same, but higher), and the local DNS server's egress network must be the same network registration as traffic going straight out from the computer to 18.104.22.168. Having the network in the same org will not trigger disabling of DNS redirection. See Add IP Layer Enforcement and Roaming Client: Enable/Disable Protected Network feature.
- Enable Active Directory user and group policy enforcement and internal IP address visibility—Enables identity support for roaming computers. Identity support is an enhancement to the Umbrella roaming client or the AnyConnect Umbrella roaming security module that provides Active Directory user and group identity-based policies, in addition to user and private LAN IP reporting. See Identity Support for the Roaming Client.
- Enable legacy VPN compatibility mode—The Cisco Umbrella roaming client works with most VPN software; however, certain AnyConnect and other VPN profiles may not resolve local DNS correctly on a VPN connection with Windows 10 due to the elimination of the system DNS binding order. The local LAN may bind above the VPN, resulting in a failure to resolve local DNS over the tunnel. Select this setting to apply the legacy binding order behavior. For more information, see Windows 10: DNS Binding Order.
- Enable IPv6 DNS Redirection—Provides DNS protection through redirection to Umbrella resolvers for IPv6.
The following applies to the AnyConnect roaming security module only and does not apply to the standalone roaming client:
- Respect AnyConnect Trusted Network Detection—Trusted Network Detection (TND) is configured in the AnyConnect VPN Client profile. Enabling this setting disables the roaming module whenever TND indicates the current network is trusted.
- Disable Roaming Client while full-tunnel VPN sessions are active—When selected, your roaming module is automatically disabled if a full-tunnel AnyConnect VPN session is active.
- Automatically update AnyConnect, include VPN module, whenever new versions are released. Updates will not happen when VPN is active—When enabled, AnyConnect is automatically updated, except when an active VPN is detected. This updates the entire AnyConnect client, including the roaming security module.
- Enable IPv6 DNS Redirection—Provides DNS protection through redirection to Umbrella resolvers for IPv6. This setting is separate from the identically titled setting listed under Umbrella Roaming Client Settings.
Note: The minimum required version of AnyConnect is 4.8mr2.