Cisco Umbrella VA with Proxy

Amr Ali Mohamed
Level 1

Hello,

I will configure a new Umbrella VA at one of our sites, and we have a proxy server on site; all traffic going to HTTP or HTTPS will pass through the proxy. My question is: must we exclude our VA from passing through the proxy or not?

10 Replies

@Amr Ali Mohamed the Umbrella VA is a conditional DNS forwarder; DNS traffic would not be sent through the proxy server.

https://docs.umbrella.com/deployment-umbrella/docs/1-introduction

@Rob Ingram but the connection between the VA and Umbrella is established over HTTPS, so if we have a proxy on my network it will intercept this traffic and cause issues between the VA and the Umbrella servers.

@Amr Ali Mohamed ok, right, so you are referring to the upgrades and connectivity to the cloud over http/https. In which case, it's up to you whether you wish to exclude from the proxy as long as the VA is able to connect. I would personally exclude from the proxy if possible or not send the traffic to the proxy in the first place.

@Rob Ingram so I will need to exclude the VA IP from passing through the proxy; in this case I will not face any issue between the VA and the Umbrella servers.

@Amr Ali Mohamed do you automatically redirect traffic to the proxy using WCCP or PBR etc?

Or do you explicitly configure the proxy on the clients?

If you don't redirect web traffic to the proxy using WCCP or another method, then the VA would not send web traffic to the proxy in the first place and would be routed out direct. In which case you would need to configure the firewall to allow the VA access to the Umbrella cloud.

@Rob Ingram thanks bro, thanks for the support.

ccieexpert
Level 4

This is explained in this document:

https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-DNS-with-an-HTTP-proxy

**Rate this as helpful if this was useful**

@ccieexpert I just need to confirm the IPs in this PAC file: these IPs are related to the Umbrella servers and must be set in the PAC file so the traffic will pass through the proxy after I add them, but I will use the PAC file if we use the explicit proxy and we will not use the Umbrella VA, so is that correct?

[Image: AmrAliMohamed_0-1721624842553.png]

You have some typos and grammatical errors, so I am not able to fully understand. The gist of this is that you want to exclude the Umbrella cloud IP from a proxy for DNS only:

https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1

Then if you are using SWG (Cisco Secure Web Gateway):

https://support.umbrella.com/hc/en-us/articles/360047136412-Secure-Web-Gateway-s-IP-List-and-Domains-to-Allow-in-Customer-Firewalls

The 2nd list is only if you are using SWG.

@ccieexpert 

I mean, if I use an explicit proxy in my environment using a PAC file, will I need to exclude the below IP or not?

[Image: AmrAliMohamed_0-1721670650033.png]

Related to this article:

https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-DNS-with-an-HTTP-proxy