AnyConnect: Umbrella Roaming Security Client Administrator Guide

Introduction

The Umbrella Roaming Security module provides always-on security, even when no VPN is active, by integrating with the Cisco AnyConnect client.

The Umbrella Roaming Security module can replace your existing OpenDNS Roaming Client if you already have AnyConnect configured, or it can be part of a new AnyConnect deployment.

Videos about Umbrella Roaming Security

For more information about how Umbrella Roaming Security works, we have two great videos to check out.

First, listen to Cisco Product Manager Adam Winn discuss the solution here:
https://www.youtube.com/watch?v=31tGpnAyV5g

The Umbrella Roaming Security module for AnyConnect 4.3+ (AnyConnect licensed separately) requires a subscription to either Cisco Umbrella Roaming service or OpenDNS Umbrella services (Professional, Insights, Platform or MSP).

The Umbrella Roaming Security module provides DNS-layer security when no VPN is active, whereas OpenDNS Umbrella subscriptions add Intelligent Proxy and IP-Layer Enforcement features, both on- and off-network. Additionally, OpenDNS Umbrella subscriptions provide content filtering, multiple policies, robust reporting, active directory integration, and more. The same Umbrella Roaming Security module is used regardless of the subscription.

The Umbrella Roaming module profile (OrgInfo.json) associates each deployment with the corresponding service, and the corresponding protection features are enabled automatically.

The Umbrella Dashboard provides real-time visibility into all of the Internet activity originating from the Roaming Security module. The level of granularity in policies and reports depends on the Umbrella subscription.

Refer to https://www.opendns.com/enterprise-security/threat-enforcement/packages/ for a detailed comparison of which features are included in each service level subscription.

NOTE:

IP Layer Enforcement is not available in all Umbrella packages.

To get the full functionality of Umbrella Roaming Security, rather than just DNS-layer security when off the network and single security policies with basic reports (by hostname), you must have the Professional, Insight, or Platform OpenDNS packages. For more information about these packages, please read here: https://www.opendns.com/enterprise-security/threat-enforcement/package-comparison/

Table of Contents

This guide consists of three major areas, each of which is divided into subsections:

1) Umbrella Roaming Security Client Administrator Guide

2) Umbrella Dashboard Configuration

3) Cisco Certificate Import

Quick Start Guide

If you're already familiar with either the Umbrella Roaming Client or AnyConnect, the number of steps required to perform an upgrade can be shortened considerably. Although there are several steps to consider for a full deployment, if you're just getting your first few machines up and running to test the solution, these simplified instructions summarize the process.

If you already have the Umbrella Roaming Client installed

  1. Upgrade to AnyConnect 4.3 MR1 with the Umbrella Roaming Security module enabled. This will automatically detect, copy registration from, and uninstall the standalone Roaming Client.
  2. You're finished, that's the only step.

If you don't already have the Umbrella Roaming Client installed

  1. Download the Umbrella Roaming Security module profile (OrgInfo.json) from the Umbrella Roaming Computers page in the Umbrella Dashboard. Click the + section to get going.
  2. Drop the file into
    Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\
    or
    Mac: /opt/cisco/anyconnect/Umbrella/
    You will need to create this folder structure in advance.
  3. Upgrade to AnyConnect 4.3 MR1 with the Umbrella Roaming Security module enabled.
  4. You're finished, that's the final step.

System Requirements

  • Windows 7 (or later) x86 (32-bit) and x64 (64-bit) operating system

    The VPN Module requires Visual Studio 2015 32-bit runtime, which is bundled with our installation package.
    The Roaming Security Module requires a .NET framework (3.5 at the minimum)
    Note: IP Layer Enforcement has additional requirements. Review them here.

  • Mac OS X 10.9 (or later) operating system

Minimum Requirements:

AnyConnect 4.3 MR1 or newer must be in use. We strongly recommend upgrading to 4.3 MR1 or newer and testing before enabling the Umbrella module. Upgrades from versions lower than 4.1 should in particular be tested before enabling the Umbrella Roaming Security module. 4.3 is the version number and MR1 denotes maintenance release 1. If the currently deployed version is less than 4.3 MR1, deployment is not available.

ASDM 7.6.2 is required to deploy via the GUI. Any version lower than this will not be able to find the Umbrella Roaming module settings and OrgInfo.json profile deployment settings. Users with a lower version must use the ASA CLI to deploy.

Upgrading the Umbrella Roaming Security Client module

By default, automatic updates from Cloud Update are disabled. We highly recommend that you enable this feature to ensure the best possible experience using this module. Please read the section about cloud update for more information.

IMPORTANT

The Umbrella Roaming Security module for AnyConnect can work with either the full-featured Cisco Umbrella Dashboard or a dashboard that has limited capabilities when it is purchased as part of the Cisco Umbrella Roaming Package. This section of the documentation is oriented toward the limited Roaming Package dashboard. The documentation for the full-featured Umbrella dashboard can be found in the other sections of docs.opendns.com.

The exact instructions for deploying the Roaming Security module to AnyConnect clients, and for obtaining the OrgInfo.json file that configures the module, vary based on which dashboard is being used.

Before You Begin

  1. OpenDNS Roaming Client and AnyConnect Roaming Security Module Incompatibility.
  2. Obtain an OpenDNS Umbrella Account.
  3. Download the Roaming Security Module Profile File From the Dashboard.

OpenDNS Roaming Client and AnyConnect Roaming Security Module Incompatibility

The Umbrella Roaming Security module and the OpenDNS Roaming Client are incompatible. If you are deploying the Umbrella Roaming Security module, any existing installation of the Umbrella Roaming Client will be detected and removed automatically during installation of the Roaming Security module. If the existing installation of the Umbrella Roaming Client is associated with an Umbrella service subscription, it will automatically be migrated to the Umbrella Roaming Security module unless an OrgInfo.json file is co-located with the AnyConnect installer, configured for web-deployment or pre-deployed in the Umbrella module's directory. You may also wish to manually uninstall the Umbrella Roaming Client prior to deploying the Umbrella Roaming Security module.

Obtain an Umbrella Account

The Umbrella dashboard (http://dashboard2.opendns.com/) is the login page where you can obtain the profile (OrgInfo.json) for the AnyConnect Umbrella Roaming Security module to include in your deployment. It is also the login for the traditional OpenDNS dashboard. From there you can also manage policy and activity reporting for the roaming client. If you need assistance logging into your dashboard, contact your Cisco account representative.

Download the AnyConnect Roaming Security Profile from the Dashboard

The OrgInfo.json file is specific information about your Umbrella dashboard instance that lets the Roaming Security module know where to report and which policies to enforce.

To prepare for deploying the Umbrella Roaming Security module, you must obtain the OrgInfo.json file from the Umbrella dashboard (https://dashboard2.opendns.com): browse to Configuration > Identities > Roaming Computers and click the + sign in the upper-right corner of the page.

Scroll down to the section marked AnyConnect Configuration File and click "Module Profile" to download the OrgInfo.json file.

Refer to the AnyConnect Deployment Overview for specific installation/deployment steps and package and file specifics.

IMPORTANT

When you deploy the OrgInfo.json file for the first time, it is copied to the data subdirectory (/umbrella/data), where several other registration files are also created. Therefore, if you need to deploy a replacement OrgInfo.json file, the data subdirectory must be deleted. Alternatively, you can uninstall the Umbrella Roaming Security module (which deletes the data subdirectory) and reinstall with the new OrgInfo.json file.

The OrgInfo.json is specific information about your Umbrella dashboard instance that lets the Roaming Security module know where to report to and which policies to enforce. If you use another OrgInfo.json file from a different dashboard to install the Roaming Security module, the client computer will appear in that dashboard instead.
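The replacement rule above (the data subdirectory must go before a new OrgInfo.json can take effect) as a small pre-deployment helper. This is an added example, not Cisco's code or part of the AnyConnect package; the function names, the JSON-object sanity check and the refuse-unless-replace behaviour are this example's own choices, and the directory paths are the ones the guide lists.

```python
"""Stage or replace the Umbrella Roaming Security profile (OrgInfo.json).

Added example, not Cisco's code. It applies the rule from the guide: on first
use the module copies OrgInfo.json into the Umbrella/data subdirectory and
creates registration files there, so a replacement profile only takes effect
when that data subdirectory is removed first.
"""
import filecmp
import json
import shutil
import sys
from pathlib import Path

# Module directories named in the guide (the Windows path uses the %ProgramData% variable).
UMBRELLA_DIR_WINDOWS = r"%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella"
UMBRELLA_DIR_MAC = "/opt/cisco/anyconnect/Umbrella"


def validate_orginfo(path: Path) -> dict:
    """Parse the profile and require a non-empty JSON object.

    The guide does not document the keys inside OrgInfo.json, so only the
    container is checked; a truncated download or an HTML login page saved
    under that name fails here instead of silently breaking registration.
    """
    with path.open("r", encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict) or not data:
        raise ValueError(f"{path}: expected a non-empty JSON object")
    return data


def stage_orginfo(new_profile: Path, umbrella_dir: Path, replace: bool = False) -> Path:
    """Copy new_profile to umbrella_dir/OrgInfo.json, creating the folders if needed.

    An existing data/ subdirectory means the module already registered with a
    profile. If the staged profile is byte-identical nothing is done; otherwise
    the call refuses unless replace=True, in which case data/ is removed so the
    module re-registers against the new profile's dashboard.
    """
    validate_orginfo(new_profile)
    target = umbrella_dir / "OrgInfo.json"
    data_dir = umbrella_dir / "data"
    if target.exists() and filecmp.cmp(new_profile, target, shallow=False):
        return target  # same profile already staged; keep the existing registration
    if data_dir.exists():
        if not replace:
            raise RuntimeError(f"{data_dir} exists: already registered with another profile; "
                               "pass replace=True to re-register")
        shutil.rmtree(data_dir)
    umbrella_dir.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(new_profile, target)
    return target


if __name__ == "__main__":
    # Usage: python stage_orginfo.py <downloaded OrgInfo.json> <Umbrella dir> [--replace]
    result = stage_orginfo(Path(sys.argv[1]), Path(sys.argv[2]), replace="--replace" in sys.argv[3:])
    print(f"staged {result}")
```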

Get the Roaming Security Module Up and Running

When you deploy AnyConnect, you can include optional modules that enable extra features and set up client profiles that configure the VPN and optional features.

Roaming Security is now one of these optional modules.

Information for Web Security Module compatibility

If you are deploying the Umbrella Roaming Security module together with the Web Security module, you must configure the static and host exceptions referenced in Required Host Exception for Web Security and Roaming Security Compatibility and Required Static Exception for Web Security and Umbrella Roaming Security Modules Compatibility.

For Windows 7 SP1 users, we recommend that you install Microsoft .NET Framework 4.0 before installation or initial use. At startup, the Umbrella service checks whether .NET Framework 4.0 (or newer) is installed. If it is not detected, the Umbrella Roaming Security module is not activated, and a message is displayed. If you then install the .NET Framework, you must reboot to activate the Umbrella Roaming Security module.

Configure the OrgInfo.json File

The OrgInfo.json file contains specific information about your Umbrella service subscription that lets the Roaming Security module know where to report and which policies to enforce. You can deploy the OrgInfo.json file and enable the Umbrella Roaming Security module from the ASA or ISE using the CLI or GUI. The steps below describe how to enable it from the ASA first and then how to enable it from ISE:

ASA CLI

  1. Upload the OrgInfo.json that you obtained from the OpenDNS dashboard (https:/​/​dashboard2.opendns.com) to the ASA file system.
  2. Issue the following commands, adjusting the group-policy name as appropriate for your configuration.

webvpn
  anyconnect profiles orginfo disk0:/orginfo.json

group-policy DfltGrpPolicy attributes
  webvpn
    anyconnect profiles value orginfo type umbrella

ASDM GUI

NOTE:

ASDM 7.6.2 is required to configure the Umbrella Roaming Security module via GUI, and that version is not yet released. CLI configuration is the only option until ASDM 7.6.2 is released.

  1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
  2. Choose Add.
  3. Give the profile a name.
  4. Choose the Umbrella Security Roaming Client type from the Profile Usage drop-down menu. The OrgInfo.json file populates in the Profile Location field.
  5. Click Upload and browse to the location of the OrgInfo.json file that you downloaded from the dashboard.
  6. Associate it with the DfltGrpPolicy at the Group Policy drop-down menu. Refer to Enable Additional AnyConnect Modules to specify the new module name in the group-policy.

ISE

Follow these steps to enable from ISE:

  1. Upload the OrgInfo.json from the Umbrella dashboard https://dashboard2.opendns.com.
  2. Rename the file OrgInfo.xml.
  3. Follow steps in Configure ISE to Deploy AnyConnect.

Cloud Update

By default, automatic updates from Cloud Update are disabled. We highly recommend that you enable this feature to ensure the best possible experience using this module.

The Umbrella Roaming Security module can provide automatic updates for all installed AnyConnect modules from the Umbrella Cloud infrastructure. With Cloud Update, the software upgrades are obtained automatically from the Umbrella Cloud infrastructure, and the update track is dependent upon that and not any action of the administrator. By default, this feature is disabled.

To enable Cloud Updating for Umbrella Roaming Security and the rest of AnyConnect, log in to the Umbrella Dashboard, and under the Settings icon (the gear icon), check Automatically update AnyConnect, including VPN module, whenever new versions are released.

Updates will not occur while the VPN is active. By default, this option is unselected. Best practice is to enable this feature unless there is a reason (e.g. change control) not to do so.

Consider the following regarding Cloud Update:

  • Only the software modules that are currently installed are updated.
  • Customizations, localizations, and any other deployment types are not supported.
  • The updates occur only when logged in to a desktop and will not happen if a VPN is established.
  • With updates disabled, the latest software features and updates will not be available.
  • Disabling Cloud Update has no effect on other update mechanisms or settings (such as web-deploy, deferred updates, and so on).
  • Cloud Update ignores devices having newer, unreleased versions of AnyConnect (such as interim releases and patched versions).

Cisco OpenDNS Certificate Import

It's important to your end users' experience that you install the OpenDNS certificate on computers that will use the Roaming Security module when off-network and off-VPN. Although this is not required, as it only affects block pages for HTTPS domains, it is good to have. When HTTPS-enabled domains are blocked by your policy, the Umbrella Roaming Security module presents a block page which is also served over HTTPS. This block page is encrypted with a certificate signed by the OpenDNS Root CA. In order to avoid certificate errors when accessing the block page, you must install the OpenDNS Root CA in your users' browsers.

Steps to perform this vary based on operating system and browser type and are outlined here:
https://docs.opendns.com/product/umbrella/cisco-certificate-import-information/

Understanding UI Changes on the Endpoint

You or your users will see state changes on the AnyConnect endpoint which are new after the installation of Umbrella Roaming Security.

Within the AnyConnect user interface, the Roaming Security tile gives the current status:

Note: If you see no state displayed, the Roaming Security Module is installed, but the OrgInfo file is not deployed.

Reserved

Icon color: Orange

Description: Checking Connection Status. No active network connections. The Roaming Module waits for an active network connection.

Condition: This operating state occurs during the following conditions:

  • When the module is first activated.
  • When a network interface change occurs (such as detection of a new network adapter, IP changes on an existing adapter, or a new VPN tunnel being established or torn down).

Open

Icon color: Yellow

Description: You are not currently protected by Umbrella. There is at least one active network connection; however, the roaming client cannot connect to 208.67.222.222 over port 53/UDP on any active connection. The user is not protected by Umbrella or reporting to Umbrella. The system's DNS settings revert to their original settings (DHCP or static).

Condition: This operating state occurs during the following conditions:

  • No UDP port 443 or UDP port 53 connectivity to Umbrella resolvers (208.67.222.222).
  • No Umbrella DNS VA is configured on the local network.
  • The VPN tunnel may temporarily be in a state of tear down or establishment.

Protected

Icon color: Green

Description: You are protected by Umbrella. A network connection is active, and the Roaming Module is able to connect to 208.67.222.222 over port 53/UDP, but not over port 443/UDP. The user is protected and reporting to Umbrella, but the connection is not encrypted.

Condition: This state may occur when the module is first activated or when there is a network interface change.

Encrypted

Icon color: Green

Description: You are protected by Umbrella. The Roaming Client has established a connection to 208.67.222.222 over port 443/UDP. The user is protected and reporting to Umbrella, and the DNS queries are encrypted. Internal Domains are forwarded to DHCP-delegated or statically set DNS servers and are therefore not encrypted.

Condition: This operating state occurs during the following conditions:

  • UDP port 443 connectivity to Umbrella resolvers (208.67.222.222).
  • TCP port 443 and TCP port 53 connectivity to Umbrella resolvers (208.67.222.222).

Protected Network

Icon color: Green

Description: You are on a network protected by Umbrella. The computer is behind a Protected Network, and the organization has "Disable Behind Protected Networks" enabled in their dashboard. The Roaming Client has reverted the DNS settings back to what was set via DHCP or statically set. The connection is not encrypted.

Condition: This operating state occurs during the following conditions:

  • The current endpoint network egress IP address is registered with the same Umbrella account as the endpoint.
  • The resolvers used are the Umbrella cloud resolvers (208.67.222.222, 208.67.220.220).
  • The policy configured via the Umbrella dashboard ("Disable Behind Protected Networks") dictates that the Umbrella module should be disabled when on a protected network.

Note: This state is not possible for Umbrella Roaming package customers, because the Roaming package has no network-level protection.

Behind Virtual Appliance

Icon color: Green

Description: You are protected by an Umbrella Virtual Appliance. The computer is connected to a network which has Virtual Appliances configured as DNS servers. The Roaming Module disables itself and reverts the DNS settings back to what was set via DHCP or statically set. The connection is not encrypted.

Condition: This operating state occurs when the endpoint's configured DNS address (via DHCP or statically) is the Umbrella VA address.

VPN Trusted Network State

Icon color: Gray

Description: Disabled while you are on a trusted network. Local Umbrella module DNS protection is not active because the current endpoint network is configured as an AnyConnect VPN trusted network.

Condition: This operating state occurs during the following conditions:

  • The AnyConnect VPN module is reporting the Trusted Network Detection state as trusted.
  • The AnyConnect VPN tunnel is either not connected or established in full tunnel mode.
  • The policy configured via the Umbrella dashboard dictates that the Umbrella module should be disabled when on an AnyConnect VPN trusted network.

Note: This setting is true for all Roaming package customers and cannot be changed by the administrator.

Disabled due to VPN State

Icon color: Gray

Description: Disabled while your VPN is active. Local Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established.

Condition: This operating state occurs during the following conditions:

  • The AnyConnect VPN module is reporting the Trusted Network Detection state as not trusted.
  • The AnyConnect VPN tunnel is established in full tunnel mode.
  • The policy configured via the Umbrella dashboard dictates that the Umbrella module should be disabled when an AnyConnect VPN tunnel is established.

Note: This setting is true for all Roaming package customers and cannot be changed by the administrator.

No OrgInfo.json State

Icon color: Red

Description: You are not currently protected by Umbrella. Profile is missing. Local Umbrella module DNS protection is not active because no OrgInfo.json profile has been deployed.

Condition: This operating state occurs when the OrgInfo.json file was not deployed to the proper directory:

  • Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella
  • Mac: /opt/cisco/anyconnect/Umbrella

Agent Unavailable State

Icon color: Red

Description: You are not currently protected by Umbrella. Service unavailable. Local Umbrella module DNS protection is not active because the Umbrella agent is not running.

Condition: This operating state occurs when the Umbrella agent service is not currently running (either due to a crash or a manual service stop).

Missing .NET Dependency State (Windows only)

Icon color: Red

Description: You are not currently protected by Umbrella. Microsoft .NET Framework 4.0 is not installed. Local Umbrella module DNS protection is not active because the Umbrella agent is not running. The .NET runtime framework is missing.

Condition: This operating state occurs when the Umbrella agent service is not running due to a missing .NET 4.0 runtime.
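The state table above, turned into a decision function that a help-desk or fleet-health script can call to explain why an endpoint shows, for instance, Open rather than Encrypted. This is an added example, not Cisco's code; the Endpoint field names and the order in which the checks are applied (dependency failures first, then VPN and on-network states, then resolver connectivity) are assumptions of this example, since the guide lists the states without stating their precedence.

```python
"""Derive the Roaming Security tile state from observable endpoint facts.

Added example, not Cisco's code. It encodes the state table from the guide as a
decision function so a health-check script can explain why an endpoint shows,
for instance, "Open" rather than "Encrypted". Check precedence is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Facts reported by the Umbrella and VPN modules (field names are this example's)."""
    dotnet_present: bool = True             # Windows only: .NET 4.0 runtime installed
    agent_running: bool = True              # Umbrella agent service is up
    orginfo_deployed: bool = True           # OrgInfo.json found in the module directory
    network_active: bool = False            # at least one active network connection
    vpn_connected: bool = False             # AnyConnect VPN tunnel established
    vpn_full_tunnel: bool = False           # ...and in full-tunnel mode
    tnd_trusted: bool = False               # VPN module reports Trusted Network Detection: trusted
    dns_server_is_va: bool = False          # DHCP/static DNS server is an Umbrella Virtual Appliance
    egress_ip_registered: bool = False      # egress IP registered to this Umbrella account and the
                                            # network's resolvers are the Umbrella cloud resolvers
    disable_behind_protected: bool = False  # dashboard: "Disable Behind Protected Networks"
    udp53_reachable: bool = False           # 208.67.222.222 answers on 53/UDP
    udp443_reachable: bool = False          # 208.67.222.222 answers on 443/UDP (encrypted transport)


def tile_state(e: Endpoint) -> tuple:
    """Return (state, icon colour) as shown on the Roaming Security tile."""
    # Red states: the agent cannot run or has no profile, whatever the network looks like.
    if not e.dotnet_present:
        return ("Missing .NET Dependency", "Red")
    if not e.agent_running:
        return ("Agent Unavailable", "Red")
    if not e.orginfo_deployed:
        return ("No OrgInfo.json", "Red")
    # Orange: nothing to evaluate until some interface is up.
    if not e.network_active:
        return ("Reserved", "Orange")
    # Gray: VPN-related states; the guide says this policy is fixed for Roaming package customers.
    if e.tnd_trusted and (not e.vpn_connected or e.vpn_full_tunnel):
        return ("VPN Trusted Network", "Gray")
    if not e.tnd_trusted and e.vpn_connected and e.vpn_full_tunnel:
        return ("Disabled due to VPN", "Gray")
    # Green with the module standing down: protection is supplied by the network itself.
    if e.dns_server_is_va:
        return ("Behind Virtual Appliance", "Green")
    if e.egress_ip_registered and e.disable_behind_protected:
        return ("Protected Network", "Green")
    # Connectivity to the Umbrella resolvers decides the remaining states.
    if e.udp443_reachable:
        return ("Encrypted", "Green")
    if e.udp53_reachable:
        return ("Protected", "Green")
    return ("Open", "Yellow")
```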

Interpret Diagnostics

For any general AnyConnect or Roaming Security Module issues, refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide. We will also ask you to run a DART report for diagnostic purposes.

The Roaming Security module has a unique diagnostic tool for troubleshooting as well. The executable can be found:

Windows:
%Program Files (x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\UmbrellaDiagnostic.exe

Mac OS X:
/opt/cisco/anyconnect/bin/UmbrellaDiagnostic.app/

Running the executable will provide instructions on how to submit the feedback from this diagnostic to support.

Next, we'll configure your Umbrella Security Policies and review the reports:
https://docs.opendns.com/product/umbrella/umbrella-dashboard-configuration/
