The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Manage Global Settings

The Web policy's Global Settings affect all rules and rulesets. Global settings can be enabled and disabled for Microsoft 365 Compatibility and for Protected File Bypass. Microsoft 365 Compatibility exempts Microsoft 365-related domains, marked as Optimize and Allow in Microsoft's endpoint categories, to bypass inspection and policy enforcement. Protected File Bypass overrides Umbrella's default setting that blocks the downloading of encrypted files.

Table of Contents

Microsoft 365 Compatibility

The Microsoft 365 Compatibility feature exempts Microsoft 365-related domains, marked as Optimize and Allow in Microsoft's endpoint categories, to bypass inspection and policy enforcement, allowing those domains to pass through the Umbrella infrastructure unaltered. The domains are excluded from HTTPS decryption and content filtering. The Microsoft 365 traffic appears in Umbrella reporting, however, because HTTPS inspection is disabled, traffic is logged only at the host/domain level and will not show the full URL.

Tenant Controls

Microsoft 365 Compatibility is compatible with Tenant Controls. However, when Tenant Controls are configured for Microsoft 365, Umbrella decrypts three Microsoft login domains (login.microsoftonline.com, login.microsoft.com, and login.windows.net) for the purpose of tenant enforcement. The domain is detected by analyzing the SNI (Server Name Indication) TLS extension. Some applications may not send SNI information in which case the exclusion does not apply.

Limitations

  • Microsoft 365 traffic is still sent to Umbrella's web proxy service in all deployment methods (Tunnel, AnyConnect, PAC). To stop this traffic from hitting Umbrella entirely, add manual 'External Domain' entries or route the traffic direct to the internet from your connecting devices.
  • File Inspection will no longer apply to this traffic.
  • This will not change geo-location behavior for Microsoft 365
  • This will not prevent the Microsoft 365 traffic egressing from an Umbrella IP address
  • This does not apply to all Microsoft/Microsoft 365 domains. Only those categorized as important for performance by Microsoft.
  • Allows a number of important Microsoft 365 domains so web policies and filtering do not apply to them and prevents these domains from triggering Umbrella SAML authentication.

Note: MS Intune sync requires "manage.microsoft.com" to be added to the Selective Decryption List even when Microsoft365 Compatibility feature is enabled.
For more information, see the official Microsoft documentation.

Procedure

  1. Navigate to Policies > Management > Web Policy and click Global Settings.
  1. Enable Microsoft 365 Compatibility.

Protected Files Bypass

Umbrella’s security protection is unable to scan protected files because these files are encrypted. Thus, Umbrella considers encrypted files to be a high risk security threat. Therefore, by default, Umbrella and by extension the Web policy, blocks identities from downloading encrypted files. Enabling the Web policy's Protected File Bypass global setting allows you to override Umbrella's default global setting and permits the downloading of protected files.

How Protected Files Bypass is Enabled and Disabled

  • When enabled globally, Protected Files Bypass is enabled for all rules in all rulesets. Protected File Bypass is automatically enabled when adding new rules.
  • When enabled globally, Protected Files Bypass cannot be disabled for individual rules. Protected Files Bypass is always enabled for all rules.
  • When disabled globally, Protected Files Bypass can be enabled for individual rules. Protected Files Bypass can be either enabled or disabled for all rules.
  • When disabled globally, Protected Files Bypass can be disabled for individual rules that had previously been set to enabled. Protected Files Bypass can be either enabled or disabled for all rules.

For more information and the procedure to manually enable or disable at the rule level, see Protected File Bypass.

Procedure

Note: Enable with caution as Umbrella will not scan protected files. Cisco recommends downloading and opening files from trusted sources only.

  1. Navigate to Policies > Management > Web Policy and click Global Settings.
  1. Enable Protected File Bypass.

Updated 16 days ago

Manage Global Settings


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.