Cisco Umbrella AnyConnect Integration w/ FTD

mumbles202
Level 5

Is there a document for Umbrella configuration using FTD instead of ASA code?  I saw the document for ASA but didn't find anything for FTD.  I have the OrgInfo.json file downloaded but haven't seen any documents for FTD integration for the Cisco AnyConnect Umbrella Roaming Security Module.  Is it supported and if so, is there any documentation on getting it working.

12 Replies

Hi,
No that’s not currently possible.
If you have ISE you could possibly use the client provisioning portal to deploy the umbrella agent and org.json file.

HTH

Ok thanks.  If i manually import the file to the client workstation and put it in the path documented in the Cisco document (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/administration/guide/b_AnyConnect_Administrator_Guide_4-3/b_AnyConnect_Administrator_Guide_4-3_chapter_01100.html)

should the package still work as expected?  The client is registered in the portal but when they connect to AnyConnect their local dns settings don't get updated to reflect the public ips for Umbrella.

If you placed the org.json file in "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\" then the AnyConnect client should confirm "Umbrella is Active" (the wording may vary depending on AnyConnect version; screenshot below is from 4.8).

[Screenshot: umbrella.PNG]

You need to ensure you have .NET Framework 4.0 minimum installed. That's all that is required; DNS traffic should then match one of your DNS policies.
The system DNS settings would not be changed; rather, the DNS requests are intercepted by the AnyConnect Umbrella Roaming Security client, encrypted and then forwarded to the Umbrella cloud using tcp/443, rather than a normal DNS request on udp/53. The only exception is health check probes to debug.opendns.com.
More information here:

https://support.umbrella.com/hc/en-us/articles/360000429306-Standalone-Roaming-Client-vs-AnyConnect-Roaming-Module 
HTH

Yes, the .json file was put in the path and the Umbrella configuration shows that is active as you noted; it shows active both when connected and disconnected over the VPN.  The current AnyConnect policy is handing out 2 internal DNS servers and is using split tunneling to send only corporate networks over the tunnel. 
Is there a way to validate on the client machine that the requests are in fact going to Umbrella rather than the locally configured DNS server?  I've confirmed DNS resolution works over the VPN for internal resources.

You could run Wireshark on the local computer and filter on "dns"; you will notice only DNS requests for "debug.opendns.com". Change the filter to "ip.addr==208.67.222.222" or 208.67.220.220; this should be TLS 1.2. These are your DNS requests being sent to the Umbrella cloud.
Ah good point re Wireshark.
Should the Umbrella client show as Active when the vpn is connected?

Yes, unless you configured trusted networks.

ShineSudheesh
Level 1

Hi,

Can you please follow the below steps.

+++Download the AnyConnect headend deployment package from software.cisco.com
+++Put the image under the respective remote access policy while you are creating the Remote Access VPN Policy
(Devices--->VPN--->Remote Access). Or, if you want to manually install the AnyConnect image on the end host, you can download the predeploy package (e.g. anyconnect-win-4.x-pre-deploy-k9.iso)
+++Extract the predeploy package and run the Setup.exe file on the machine
+++While installing, select AnyConnect Umbrella Roaming Security and AnyConnect VPN
+++Log in to Umbrella (https://login.umbrella.com) and download the Roaming client (Deployments > Roaming Computers)
+++Scroll down to the bottom of the page and click MODULE PROFILE to download the profile for AnyConnect (OrgInfo.json).
+++Locate the downloaded OrgInfo.json file in the Windows Downloads folder. Copy the file.
+++On your end client machine, navigate in Windows File Explorer to the following
path: "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella"    ---->This path will normally be hidden
+++Paste the profile file (OrgInfo.json) in this location.
++Check the Umbrella status. If the status does not change, open the Windows Services console, locate the Cisco AnyConnect Umbrella Roaming Security Agent service, and restart the service.
 
You can also run a debug query to verify that your roaming client is routing DNS traffic to Umbrella for resolution:
++Click the Windows Start button, and in the Start menu right-click Command Prompt. Select Run as administrator.
++In the command prompt window, type the following command:
nslookup -type=txt debug.opendns.com
++If Umbrella is configured properly, the output will display various details about the detected organization,
the Umbrella resolver used and the roaming client.

Please rate if it's helpful.

Regards
Shine Sudheesh

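The manual checks above (profile in place, agent service running, the debug.opendns.com TXT query) and the Wireshark check earlier in the thread (TLS to 208.67.222.222 / 208.67.220.220 on tcp/443) can be gathered into one PowerShell verification script. This is an added example, not code from any reply in this thread and not Cisco's or Umbrella's own tooling. It assumes the agent's service display name contains "Umbrella Roaming Security" (the thread gives the display name; the matching is a wildcard so minor version differences still match), the ProgramData path and resolver addresses quoted in the thread, and the built-in Resolve-DnsName and Get-NetTCPConnection cmdlets (Windows 8 / Server 2012 and later). It only reports; it does not restart the service for you.

```powershell
# Added example: verify the AnyConnect Umbrella Roaming Security module on a
# Windows endpoint. Run from an elevated PowerShell prompt.
# ASSUMPTIONS (not confirmed by the thread beyond the values quoted there):
#   - service display name matches '*Umbrella Roaming Security*'
#   - profile path and resolver IPs are those given in the replies above

function Test-UmbrellaRoaming {
    [CmdletBinding()]
    param(
        [string]$ProfilePath = (Join-Path $env:ProgramData `
            'Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json'),
        [string[]]$Resolvers = @('208.67.222.222', '208.67.220.220')
    )

    $result = [ordered]@{}

    # 1. Is OrgInfo.json present and parseable? (field names are not assumed)
    $result.ProfilePresent = Test-Path -Path $ProfilePath
    $result.ProfileValidJson = $false
    if ($result.ProfilePresent) {
        try {
            $org = Get-Content -Path $ProfilePath -Raw | ConvertFrom-Json
            $result.ProfileValidJson = $true
            $result.ProfileFields = ($org.PSObject.Properties.Name -join ', ')
        } catch {
            Write-Warning "OrgInfo.json exists but is not valid JSON: $_"
        }
    } else {
        Write-Warning "OrgInfo.json not found at $ProfilePath"
    }

    # 2. Is the roaming security agent service installed and running?
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Umbrella Roaming Security*' }
    $result.ServiceName   = if ($svc) { $svc.Name } else { $null }
    $result.ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    if ($svc -and $svc.Status -ne 'Running') {
        Write-Warning "Service '$($svc.DisplayName)' is $($svc.Status); restart it with: Restart-Service -Name $($svc.Name)"
    }

    # 3. The debug TXT query the thread recommends. An answer with TXT
    #    strings means the query reached Umbrella; read them to confirm the
    #    organization and resolver details the reply describes.
    $result.DebugTxt = @()
    try {
        $txt = Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -ErrorAction Stop
        $result.DebugTxt = @($txt | Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings } | ForEach-Object { $_ })
    } catch {
        Write-Warning "debug.opendns.com TXT lookup failed: $_"
    }
    $result.DebugTxtAnswered = ($result.DebugTxt.Count -gt 0)

    # 4. Same evidence as the Wireshark filter "ip.addr==208.67.222.222":
    #    live tcp/443 sessions to the Umbrella resolvers, and which process
    #    owns them (expected to be the AnyConnect/Umbrella agent).
    $conns = Get-NetTCPConnection -RemotePort 443 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in $Resolvers }
    $result.UmbrellaTlsSessions = @($conns | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} state={2} process={3}' -f $_.RemoteAddress, $_.RemotePort, $_.State,
            ($(if ($proc) { $proc.ProcessName } else { 'pid ' + $_.OwningProcess }))
    })

    # Overall verdict: profile in place, agent running, debug query answered.
    $result.LooksHealthy = $result.ProfileValidJson -and
                           $result.ServiceStatus -eq 'Running' -and
                           $result.DebugTxtAnswered
    return [pscustomobject]$result
}

# Usage: print the report, then the raw TXT strings for inspection.
$report = Test-UmbrellaRoaming
$report | Format-List
$report.DebugTxt | ForEach-Object { "  TXT: $_" }
```

If LooksHealthy is false, the individual fields say which step in the reply above to revisit: ProfilePresent/ProfileValidJson for the copy step, ServiceStatus for the service restart, DebugTxtAnswered for the nslookup check. An empty UmbrellaTlsSessions list is not by itself a failure, since the agent only holds a session to the resolvers while it has queries to forward; the Wireshark capture described earlier in the thread remains the definitive check for that.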

derek.small
Level 5

Is it possible with FMC/FTD to configure the Umbrella plugin to detect if the client is on or off net and enable or disable Umbrella accordingly?  I remember having a lot of problems with Umbrella/AnyConnect before we enabled this with ASDM, but I can't find a way to do that using FMC/FTD, or through the stand-alone AnyConnect Profile Editor.

@derek.small 

You can configure this option from the Umbrella dashboard; you can disable DNS redirection (on the client) when on Umbrella-protected networks.

https://docs.umbrella.com/umbrella-user-guide/docs/identity-support-for-the-roaming-client

takiadeen
Level 1

You can integrate FTD with the Umbrella module or any module similar to ASA. It's not supported natively, but it can be done through FlexConfig.

Check this URL for enabling AnyConnect modules in FTD:
https://www.cisco.com/c/en/us/td/docs/security/firepower/config_examples/advanced-anyconnect-ftd-fmc/advanced-anyconnect-vpn-ftd-fmc.html#Cisco_Task_in_List_GUI.dita_12b746da-3ace-4ba0-91b0-a56e78e36ac3

The Umbrella AnyConnect module can only interoperate with the AnyConnect VPN. Third-party VPN support is available in the standalone Umbrella roaming client.

https://docs.umbrella.com/deployment-umbrella/docs/the-anyconnect-plugin-umbrella-roaming-security-client-administrator-guide