Advanced Cisco Umbrella features, such as IP Layer Enforcement, SSL Decryption through the intelligent proxy and the ability to block your own custom URLs require that you install the Cisco Umbrella root certificate. Other features, such as File Inspection, gain greater efficacy from having the certificate present as Umbrella is able to proxy and block more traffic.
The Cisco Umbrella root certificate is needed in any circumstance where Umbrella must proxy and decrypt HTTPS traffic intended for a website. The Cisco Umbrella root certificate is required for these core features:
- Block Pages—If you visit a blocked domain through HTTPS, the Cisco Umbrella root certificate must be installed so that Umbrella can present a block page instead of the browser presenting an error page.
- Intelligent Proxy with SSL Decryption—If a domain is proxied, the Cisco Umbrella root certificate must be installed to decrypt HTTPS traffic instead of the browser presenting an error page.
Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves:
- Custom URL Blocking—Required to block the HTTPS version of a URL.
- Application Block/Allow—Required to control applications by name. Depending on the application, Umbrella may have data to block the application through a domain—DNS level—or by URL. This feature works more effectively if you enable SSL Decryption.
- File Inspection—With SSL Decryption enabled Umbrella is able to scan files downloaded from HTTPS websites. It also greatly increases the number of domains subject to proxying and file scanning.
- IP Layer Enforcement—Many IP addresses are considered 'suspicious' and subject to further inspection by the intelligent proxy. HTTPS decryption must be enabled to inspect traffic to these IP addresses by HTTPS.
For more about SSL Decryption, watch Cisco Umbrella SSL Decryption.
Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed. Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users—if you're a network admin. This can be done on a per-browser or per-machine basis. For larger deployments, you can perform an automatic installation through Group Policy (GPO). Note that the automatic installation through GPO is only supported for the Internet Explorer, Edge, or Chrome browsers on Windows systems. As such, for Firefox or Safari browsers, and for users of non-Windows operating systems, you must perform the manual installation procedure.
For advanced users or system administrators with larger networks, you can install the Cisco Umbrella root certificate automatically—through Active Directory Group Policy Objects—for a group of users in Microsoft Windows Active Directory. This automatic installation of the Cisco Umbrella root certificate is only supported for Internet Explorer, Edge, or Chrome browsers on Windows systems. For all other browsers and systems, you must perform the manual installation procedure.
Updated about a year ago