Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2912
Views
5
Helpful
6
Replies

Umbrella deployment without VA

vishal77
Level 1
Level 1

‎03-20-2020 11:02 PM

Hi All,

 

Having some queries regarding Cisco umbrella if anyone could help it would be a great help

 

1) is it possible to use Cisco umbrella within office premises without installation  of Virtual Appliance ?

If Yes is there any limitations to it (in terms of its features) with respect to physical or virtual appliance installation

 

2) Is it Cisco umbrella supports Users machine having Linux operating system for on and off Network ?

 

Any help will be highly appreciated.

 

Regards,

Vishal

Labels:
0 Helpful
6 Replies 6

Cristian Matei
VIP Alumni
VIP Alumni

‎03-21-2020 12:45 AM - edited ‎03-26-2020 02:51 AM

Hi,

 

    1. Yes, it is.  

    2. For Linux, only for on network, for the moment, as there are no agents yet; for off network for Linux device, you would have to force the Linux boxes for VPN Always on, so that all their DNS traffic goes through your central/internal network DNS servers, which are integrated with Umbrella via DNS Forwarding.

 

There are 4 deployment options for Umbrella (in all 3 uses-cases you can protect both on network and off network users), recommended being option 3:

 

1. No VA on premises and no Roaming Agent/Client on end devices; you just integrate your DNS servers with umbrella; It works for users on network, for users off network it works only if all these users have an Always ON VPN policy, so that they can't access the Internet when off network, unless they're connected to the VPN, so that DNS queries are relayed to Umbrella via your internal DNS servers

 

2. VA on premises and no Roaming Agent on end devices, where you have the same requirements as above, just additional benefits, as with VA you see the real IP address of your users in DNS requests, and you can thus make more granular policies and reporting, plus you can further integrate it with AD, to gain even more insight by user-to-IP mapping

 

3. VA on premises and Roaming Agents on end devices (except for Linux); having the Roaming Agent on end devices brings the benefit of not having to force users to use VPN in order to catch their DNS Requests through Umbrella, as now the Roaming Agent does that

 

4. No VA on premises but Roaming Agents on end devices; the issue is with the Linux devices, which require always ON VPN, in order to catch their DNS traffic via your internal DNS server, which is integrated with Umbrella.

 

Look in these CL presentations for any further clarifications:

 

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2017/pdf/LABSEC-2006-LG.pdf

https://www.ciscolive.com/c/dam/r/ciscolive/latam/docs/2018/pdf/BRKSEC-1980.pdf

 

Regards,

Cristian Matei. 

Netplace Support
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 12:29 AM

Hello Cristian,

 

First of all a very thanks to you for such detailed information and document.

 

I have tried option1 and it's work very smoothly for on premises i.e both external dns and internal dns are resolving, but for roaming computers which is connected to VPN (via forticlient) it is working only if I use umbrella public dns for dns resolution (but unable to resolve internal dns).

 

And if I use my internal dns then internet dns resolution wont work and also "welcome.umbrella.com is showing dns traffic is not going via umbrella.

 

Any you please let me know what I have miss 

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Netplace Support

‎03-26-2020 02:58 AM

Hi,

 

    Do the VPN users receive via the VPN connection the same DNS servers to be used, like if they would be on-premises (where it works)? Do you use split-tunnelling? How does the FortiClient enforce DNS resolution through the tunnel or bypassing the tunnel?

 

Regards,

Cristian Matei.

0 Helpful

vishal77
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 06:29 AM

hi Cristian,

 

A very thanks for your reply and please find me remarks below

 

Q-Do the VPN users receive via the VPN connection the same DNS servers to be used, like if they would be on-premises ?

 

A- yes, dns server is same the one which I'm using on premises. 

Note : there's no such AD server in my infrastructure so I have to mention my dns server manually for both ON and OFF network.

 

Q- Do you use split-tunnelling? 

A- No all traffic goes via corporate isp

 

Q- How does the FortiClient enforce DNS resolution through the tunnel or bypassing the tunnel?

 

A- I have just made an reachability for my vpn users to my internal AD server and same I'm entering manually in Network Adapter after connecting to vpn

 

 

 

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Netplace Support

‎03-26-2020 12:59 PM

Hi,

 

   Your internal DNS servers should have Umbrella as their forwarders. So if you assign to the VPN devices, your internal DNS server, how come Internet resources can't be resolved?

 

Regards,

Cristian Matei.

0 Helpful

vishal77
Level 1
Level 1
In response to Cristian Matei

‎03-27-2020 06:42 AM

Hi Cristian,

 

Yes my internal dns server has umbrella dns as forwarder and same has been working smoothly within premises without VA ( as per your deployment option 1)

 

But when I enter same internal dns for RA vpn users traffic is not going via umbrella but Able to ping internal dns server.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents