
Umbrella CDFW with roaming client

krezov.igor
Level 1

The customer has already deployed Umbrella DNS protection with the AnyConnect client and now they want to utilize CDFW and the web proxy. I was wondering what the default behavior in Umbrella is for forwarding HTTP and HTTPS traffic if you have AnyConnect clients and tunnels for CDFW at the same time, which method has precedence, and what I need to do to change one over the other?


5 Replies

Hello 

From my experience the default behavior is SWG redirect disabled. You have to change this in the global roaming client settings to enable the redirect. You can use overrides to change this behavior for each client.

Hope this helps. 
Andre 

I have tested a scenario for one site where there is an active VPN tunnel to Umbrella and the external traffic goes over the tunnel, hits the CDFW first and is then redirected to the proxy, since I guess the option for SWG is disabled in the global setting for Secure Client. My question is: if I enable this option, will this force the web traffic to be redirected from the client, or will it still go over the tunnel when they use the corporate network?

Also on the other sites only Secure Client is installed with no tunnels, and I can see that there is traffic hitting the default web policy although the option for SWG is disabled in the global setting for Secure Client. Is this a default behavior of the Umbrella module for Secure Client for customers with a SIG subscription?

I am just trying to figure out how Secure Client interacts with Umbrella for the web traffic and how I can tweak this option for the identity of the policies.

nbogdaje
Cisco Employee

If a client has AnyConnect with SWG enabled and is sitting behind an IPsec tunnel, then all of that user's external traffic will go over the tunnel and hit the CDFW first. Then, web traffic will be directed to the proxy and all other traffic will be sent out to the internet from Umbrella. You can modify your PBR config on your edge device to direct what traffic you want to send over the tunnel and what you want to send directly out to the internet. You can also use backoff settings to disable the AnyConnect module in certain scenarios (such as when on your corporate network).


https://docs.umbrella.com/umbrella-user-guide/docs/tunnels

https://docs.umbrella.com/umbrella-user-guide/docs/appendix-e-roaming-computers-settings#ac


adamwin
Cisco Employee

In this scenario I recommend setting TCP port 80/443 traffic destined to SWG to go outside the tunnel. It provides a few benefits:
1) No oddities in the way reporting and statistics are calculated
2) Offloads a ton of traffic from the IPsec tunnel, meaning you're less likely to need multiple tunnels if you have a lot of traffic
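As an added illustration of the split adamwin describes (this is example configuration, not something posted in the thread or taken from Cisco's documentation), here is a Cisco IOS-XE style policy-based routing fragment for the edge router: TCP 80/443 traffic whose destination is the Umbrella SWG is steered straight to the ISP gateway, while everything else keeps following the routing table and its default route into the Umbrella IPsec tunnel, so it still hits the CDFW. The SWG destination prefix, the ISP next-hop and the interface names are placeholders; take the real SWG ranges from the Umbrella tunnels documentation linked above.

```cisco
! Constructed example: PBR on the edge router so that web traffic bound for
! the Umbrella Secure Web Gateway bypasses the IPsec tunnel to Umbrella.
! <SWG-PREFIX> <WILDCARD>, <ISP-NEXT-HOP> and the interface name are
! placeholders, not real values.
!
ip access-list extended SWG-DIRECT
 remark HTTP and HTTPS destined to the Umbrella SWG only
 permit tcp any <SWG-PREFIX> <WILDCARD> eq 80
 permit tcp any <SWG-PREFIX> <WILDCARD> eq 443
 remark implicit deny: everything else is NOT policy-routed
!
route-map SPLIT-EGRESS permit 10
 match ip address SWG-DIRECT
 set ip next-hop <ISP-NEXT-HOP>
!
! Apply to the LAN-facing interface. Inbound packets matching the ACL are
! forced to the ISP gateway; unmatched packets use the normal routing table
! (default route via the Umbrella tunnel interface, not shown here).
interface GigabitEthernet0/0/1
 description Inside LAN
 ip policy route-map SPLIT-EGRESS
```

The match is deliberately on the SWG destination rather than on all port 80/443 traffic: a client whose SWG redirect is disabled by override or backoff sends web traffic to the origin server, and that traffic should keep going through the tunnel and the CDFW policy. On IOS-XE, `show route-map SPLIT-EGRESS` shows the policy-routing match counters, which is the quickest way to confirm the bypass is actually taking effect, and the ACL needs updating whenever the published SWG ranges change.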