Participant

Cisco Umbrella AnyConnect Integration w/ FTD

Is there a document for Umbrella configuration using FTD instead of ASA code? I saw the document for ASA but didn't find anything for FTD. I have the OrgInfo.json file downloaded but haven't seen any documents for FTD integration for the Cisco AnyConnect Umbrella Roaming Security Module. Is it supported, and if so, is there any documentation on getting it working?

VIP Advisor

Re: Cisco Umbrella AnyConnect Integration w/ FTD

Hi,
No, that's not currently possible.
If you have ISE you could possibly use the client provisioning portal to deploy the Umbrella agent and org.json file.

HTH
Participant

Re: Cisco Umbrella AnyConnect Integration w/ FTD

Ok thanks. If I manually import the file to the client workstation and put it in the path documented in the Cisco document (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/administration/guide/b_AnyConnect_Administrator_Guide_4-3/b_AnyConnect_Administrator_Guide_4-3_chapter_01100.html), should the package still work as expected? The client is registered in the portal, but when they connect to AnyConnect their local DNS settings don't get updated to reflect the public IPs for Umbrella.

VIP Advisor

Re: Cisco Umbrella AnyConnect Integration w/ FTD

If you placed the org.json file in "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\" then the AnyConnect client should confirm "Umbrella is Active" (the wording may vary depending on AnyConnect version; the screenshot below is from 4.8).

[screenshot: umbrella.PNG]

You need to ensure you have .NET Framework 4.0 minimum installed. That's all that is required; DNS traffic should then match one of your DNS policies.

The system DNS settings would not be changed; rather, the DNS requests are intercepted by the AnyConnect Umbrella Roaming Security client, encrypted and then forwarded to the Umbrella cloud using tcp/443, rather than a normal DNS request on udp/53. The only exception is health check probes to debug.opendns.com.

More information here:

https://support.umbrella.com/hc/en-us/articles/360000429306-Standalone-Roaming-Client-vs-AnyConnect-Roaming-Module

HTH

Participant

Re: Cisco Umbrella AnyConnect Integration w/ FTD

Yes, the .json file was put in the path and the Umbrella configuration shows that it is active as you noted; it shows active both when connected and disconnected over the VPN. The current AnyConnect policy is handing out 2 internal DNS servers and is using split tunneling to send only corporate networks over the tunnel.

Is there a way to validate on the client machine that the requests are in fact going to Umbrella rather than the locally configured DNS server? I've confirmed DNS resolution works over the VPN for internal resources.

VIP Advisor

Re: Cisco Umbrella AnyConnect Integration w/ FTD

You could run Wireshark on the local computer and filter on "dns"; you will notice only DNS requests for "debug.opendns.com". Change the filter to "ip.addr==208.67.222.222" or 208.67.220.220; this should be TLS 1.2. These are your DNS requests being sent to the Umbrella cloud.
Participant

Re: Cisco Umbrella AnyConnect Integration w/ FTD

Ah, good point re Wireshark.

Should the Umbrella client show as Active when the VPN is connected?

Beginner

Re: Cisco Umbrella AnyConnect Integration w/ FTD

Yes, unless you configured trusted networks.


Re: Cisco Umbrella AnyConnect Integration w/ FTD

Hi,

Can you please follow the below steps.

1. Download the AnyConnect headend deployment package from Software.cisco.com.
2. Put the image under the respective remote access policy while you are creating the Remote Access VPN policy (Devices > VPN > Remote Access). Alternatively, if you want to manually install the AnyConnect image on the end host, you can download the predeploy package (e.g. anyconnect-win-4.x-pre-deploy-k9.iso).
3. Extract the predeploy package and run the Setup.exe file on the machine.
4. While installing, select AnyConnect Umbrella Roaming Security and AnyConnect VPN.
5. Log in to Umbrella (https://login.umbrella.com) and download the Roaming client (Deployments > Roaming Computers).
6. Scroll down to the bottom of the page and click MODULE PROFILE to download the profile for AnyConnect (OrgInfo.json).
7. Locate the downloaded OrgInfo.json file in the Windows Downloads folder. Copy the file.
8. On your end client machine, navigate in Windows File Explorer to the following path: "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella" (this path is normally hidden).
9. Paste the profile file (OrgInfo.json) in this location.
10. Check the Umbrella status. If the status does not change, open the Windows Services console, locate the Cisco AnyConnect Umbrella Roaming Security Agent service, and restart the service.

You can also run a debug query to verify that your roaming client is routing DNS traffic to Umbrella for resolution:

1. Click the Windows Start button, and in the Start menu right-click Command Prompt. Select Run as administrator.
2. In the command prompt window, type the following command:
   nslookup -type=txt debug.opendns.com
3. If Umbrella is configured properly, the output will display various details about the detected organization, the Umbrella resolver used and the roaming client.

Please rate if it's helpful.

Regards
Shine Sudheesh
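As an added example that is not part of this thread and not Cisco's own tooling, the PowerShell script below pulls together the client-side checks the replies describe: the OrgInfo.json location, the state of the Umbrella Roaming Security Agent service (with the restart suggested in the last reply), the nslookup debug query against debug.opendns.com, and the TCP/443 sessions to the 208.67.222.222 / 208.67.220.220 resolvers that the Wireshark filter in the earlier reply reveals. It assumes a Windows 10 or later host with the AnyConnect Umbrella module installed and the service display name exactly as quoted in the thread; the -RestartAgent switch and the variable names are this script's own, and nothing in it depends on the internal layout of OrgInfo.json.

```powershell
# Added verification script (not from the thread or from Cisco).
# Assumes Windows 10+, PowerShell 5.1+, AnyConnect with the Umbrella Roaming
# Security module installed. Run from an elevated prompt if you use -RestartAgent.
param(
    # Restart the agent service after the checks, as the thread suggests when the
    # status does not change after OrgInfo.json is dropped in place (hypothetical switch).
    [switch]$RestartAgent
)

# Paths and names taken from the thread
$profilePath       = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json'
$serviceName       = 'Cisco AnyConnect Umbrella Roaming Security Agent'
$umbrellaResolvers = @('208.67.222.222', '208.67.220.220')

# 1. Is the profile present, and is it at least well-formed JSON?
#    (No assumption is made about the keys inside it.)
if (-not (Test-Path -LiteralPath $profilePath)) {
    Write-Warning "OrgInfo.json not found at $profilePath"
} else {
    try {
        $null = Get-Content -LiteralPath $profilePath -Raw | ConvertFrom-Json
        Write-Host "OK  OrgInfo.json present and parses as JSON: $profilePath"
    } catch {
        Write-Warning "OrgInfo.json exists but is not valid JSON: $($_.Exception.Message)"
    }
}

# 2. Is the agent service installed and running?
$svc = Get-Service -DisplayName $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found; is the Umbrella module installed?"
} else {
    Write-Host "OK  Service '$serviceName' is $($svc.Status)"
    if ($RestartAgent) {
        Write-Host "    Restarting service as requested..."
        Restart-Service -InputObject $svc -Force
        Write-Host "    Service is now $((Get-Service -DisplayName $serviceName).Status)"
    }
}

# 3. The debug query from the thread. With the module in the DNS path, the TXT
#    answer describes the organisation, resolver and roaming client; without it,
#    you get whatever the locally configured DNS server returns.
Write-Host "--- nslookup -type=txt debug.opendns.com ---"
& nslookup -type=txt debug.opendns.com 2>&1 | ForEach-Object { "    $_" }

# 4. Current TCP/443 sessions to the Umbrella resolvers. The thread notes that the
#    module sends encrypted DNS over tcp/443 to these addresses instead of udp/53,
#    so seeing the agent process own such a session is the live equivalent of the
#    Wireshark "ip.addr==208.67.222.222" filter. Sessions are short-lived, so an
#    empty list right now is not by itself a failure.
$sessions = Get-NetTCPConnection -RemotePort 443 -ErrorAction SilentlyContinue |
            Where-Object { $umbrellaResolvers -contains $_.RemoteAddress }
if ($sessions) {
    foreach ($s in $sessions) {
        $proc = (Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Host ("OK  {0}:{1} -> {2}:443 [{3}] owned by {4}" -f
            $s.LocalAddress, $s.LocalPort, $s.RemoteAddress, $s.State, $proc)
    }
} else {
    Write-Host "--  No TCP/443 sessions to $($umbrellaResolvers -join ' / ') at this moment"
}
```

Run it once with the VPN disconnected and once connected: the thread's expectation is that the Umbrella status, the debug TXT answer and the tcp/443 sessions look the same in both cases, because the module intercepts DNS before the VPN-assigned internal servers see it (unless trusted-network detection is configured). If you prefer packet evidence to live socket state, the same check on the wire is the thread's Wireshark filter, which in tshark reads `tshark -i <interface> -Y "dns || ip.addr==208.67.222.222 || ip.addr==208.67.220.220"`; on a healthy client the plain `dns` matches should be limited to debug.opendns.com probes.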