04-14-2020 11:37 AM
Is there a document for Umbrella configuration using FTD instead of ASA code? I saw the document for ASA but didn't find anything for FTD. I have the OrgInfo.json file downloaded but haven't seen any documents for FTD integration for the Cisco AnyConnect Umbrella Roaming Security Module. Is it supported and if so, is there any documentation on getting it working.
04-14-2020 12:28 PM
04-14-2020 02:59 PM
Ok thanks. If i manually import the file to the client workstation and put it in the path documented in the Cisco document (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/administration/guide/b_AnyConnect_Administrator_Guide_4-3/b_AnyConnect_Administrator_Guide_4-3_chapter_01100.html)
should the package still work as expected? The client is registered in the portal but when they connect to AnyConnect their local DNS settings don't get updated to reflect the public IPs for Umbrella.
04-14-2020 03:27 PM
If you placed the org.json file in "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\" then the AnyConnect client should confirm "Umbrella is Active" (the wording may vary depending on AnyConnect version; the screenshot below is from 4.8).
You need to ensure you have .NET Framework 4.0 minimum installed. That's all that is required; DNS traffic should then match one of your DNS policies.
The system DNS settings would not be changed. Rather, the DNS requests are intercepted by the AnyConnect Umbrella Roaming Security client, encrypted and then forwarded to the Umbrella cloud using tcp/443, rather than a normal DNS request on udp/53. The only exception is health check probes to debug.opendns.com.
More information here:-
HTH
04-14-2020 03:47 PM
Yes, the .json file was put in the path and the Umbrella configuration shows that it is active as you noted; it shows active both when connected and disconnected over the VPN. The current AnyConnect policy is handing out 2 internal DNS servers and is using split tunneling to send only corporate networks over the tunnel.
Is there a way to validate on the client machine that the requests are in fact going to Umbrella rather than the locally configured DNS server? I've confirmed DNS resolution works over the VPN for internal resources.
04-14-2020 04:16 PM
You could run Wireshark on the local computer and filter on "dns" - you will notice only DNS requests for "debug.opendns.com". Change the filter to "ip.addr==208.67.222.222" or 208.67.220.220; this should be TLS 1.2 - these are your DNS requests being sent to the Umbrella cloud.
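The Wireshark check above can be scripted so it gives a yes/no answer instead of eyeballing packets. The following is an added example, not code from the thread or from Cisco: it parses lines in the shape of `tshark -T fields -e ip.dst -e udp.dstport -e tcp.dstport -e dns.qry.name` output and applies the rule stated in the reply above (encrypted queries go to 208.67.222.222 or 208.67.220.220 on tcp/443; the only plaintext udp/53 query should be the debug.opendns.com probe). The sample lines embedded below are constructed for the example, not a real capture, and the field order is an assumption you must match to your own tshark invocation.

```python
import ipaddress
from collections import Counter

# Umbrella anycast resolvers named in the reply above.
UMBRELLA_RESOLVERS = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}
# The one plaintext udp/53 query the roaming module is expected to send.
HEALTH_PROBE_NAME = "debug.opendns.com"

# Constructed sample (NOT a real capture) in the shape of:
#   tshark -r client.pcap -T fields -e ip.dst -e udp.dstport -e tcp.dstport -e dns.qry.name
# Fields are tab separated; a field is empty when the packet lacks that layer.
SAMPLE_TSHARK_LINES = (
    "208.67.222.222\t\t443\t\n"                    # encrypted query to Umbrella
    "10.10.1.5\t53\t\tdebug.opendns.com\n"         # expected health probe
    "208.67.220.220\t\t443\t\n"
    "10.10.1.5\t53\t\tintranet.corp.example\n"    # plaintext query to the VPN DNS server
    "8.8.8.8\t53\t\twww.example.com\n"             # plaintext query leaving the host
    "208.67.222.222\t\t443\t\n"
)


def classify_line(line):
    """Classify one tshark field line as (category, detail)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return ("unparsed", line.strip())
    dst, udp_port, tcp_port, qname = fields
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return ("unparsed", line.strip())
    # tcp/443 to an Umbrella resolver is the module's encrypted DNS channel.
    if tcp_port == "443" and dst_ip in UMBRELLA_RESOLVERS:
        return ("umbrella_encrypted", str(dst_ip))
    # Anything on udp/53 is plaintext DNS; only the probe is expected.
    if udp_port == "53":
        name = qname.rstrip(".").lower()
        if name == HEALTH_PROBE_NAME:
            return ("health_probe", name)
        return ("plaintext_dns", f"{name} -> {dst_ip}")
    return ("other", str(dst_ip))


def audit_capture(text):
    """Summarise a capture: per-category counts, the plaintext queries that
    bypassed Umbrella, and whether the module looks active (encrypted traffic
    seen and no unexpected plaintext queries)."""
    counts = Counter()
    leaks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        category, detail = classify_line(line)
        counts[category] += 1
        if category == "plaintext_dns":
            leaks.append(detail)
    return {
        "counts": dict(counts),
        "leaks": leaks,
        "umbrella_active": counts["umbrella_encrypted"] > 0 and not leaks,
    }


if __name__ == "__main__":
    result = audit_capture(SAMPLE_TSHARK_LINES)
    print(result["counts"])
    for leak in result["leaks"]:
        print("plaintext DNS bypassing Umbrella:", leak)
    print("umbrella_active:", result["umbrella_active"])
```

One caveat when reading the output: domains you have listed under Internal Domains in the Umbrella dashboard are deliberately sent to the local resolver in plaintext by the roaming client, so compare any flagged names against that list before treating them as a misconfiguration.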
04-14-2020 06:13 PM
Ah good point re Wireshark.
Should the Umbrella client show as Active when the vpn is connected?
05-19-2020 12:52 PM
Yes unless you configured trusted networks
05-19-2020 03:55 PM - edited 05-19-2020 03:58 PM
10-13-2020 01:15 PM - edited 10-13-2020 01:16 PM
Is it possible with FMC/FTD to configure the Umbrella plugin to detect if the client is on or off net and enable or disable Umbrella accordingly? I remember having a lot of problems with Umbrella/AnyConnect before we enabled this with ASDM, but I can't find a way to do that using FMC/FTD, or through the stand-alone AnyConnect Profile Editor.
10-13-2020 01:43 PM
You can configure this option from the Umbrella dashboard, you can disable DNS redirection (on the client) when on umbrella protected networks.
https://docs.umbrella.com/umbrella-user-guide/docs/identity-support-for-the-roaming-client
11-19-2020 02:59 AM - edited 11-19-2020 02:59 AM
You can integrate FTD with the Umbrella module or any module similar to ASA. It's not supported natively but it can be done through FlexConfig.
Check this URL for enabling AnyConnect modules in FTD:
https://www.cisco.com/c/en/us/td/docs/security/firepower/config_examples/advanced-anyconnect-ftd-fmc/advanced-anyconnect-vpn-ftd-fmc.html#Cisco_Task_in_List_GUI.dita_12b746da-3ace-4ba0-91b0-a56e78e36ac3
01-08-2021 10:04 PM - edited 01-22-2021 09:55 PM
The Umbrella AnyConnect module can only interoperate with the AnyConnect VPN. Third-party VPN support is available in the standalone Umbrella roaming client.