Umbrella Policy help
08-31-2021 11:53 AM
Hello All,
Deployed Cisco Umbrella and configured a Network identity (public IP address), so any user within the premises exiting via that public IP is considered legitimate by Umbrella and Umbrella policies are applied; also installed the AnyConnect Roaming Security module for off-network Umbrella protection.
My concern is that the same users take their laptops home and work from there. So what should I do so that when a user is inside the office the Umbrella internal policy applies, while off-network the roaming users policy applies?
Note: Users log in with their AD user credentials on their systems both on and off network.
Please guide.
Labels: Cloud Security, Umbrella
08-31-2021 12:03 PM - edited 08-31-2021 12:08 PM
@sv7 create a policy that applies to Roaming Computers, so assuming they have the AnyConnect roaming agent installed and the orginfo configuration file, the Umbrella policy will be applied.
09-01-2021 06:54 AM
Hi Rob,
Would it be a problem to apply the right policy if a user logs in with the same AD user credentials on the same machine while on and off network?
Also, what identity do I have to choose while creating a policy for on and off network?

08-31-2021 12:16 PM
Hi,
Not a problem; this requirement can be accomplished by following the steps specified in the following document. The guide contains detailed steps which will help you implement it successfully:
I hope this helps!
09-01-2021 06:54 AM
Hi Ivan,
Would it be a problem to apply the right policy if a user logs in with the same AD user credentials on the same machine while on and off network?
Also, what identity do I have to choose while creating a policy for on and off network?
09-02-2021 11:28 AM
Hi Ivan,
I have created Policy A for on-prem users logging in with AD user credentials (configured the public IP as a Network identity) and another for off-prem users logging in to their systems using the same AD credentials (using the AnyConnect security module).
Observed that when a user is off-network and logs in to their machine using AD credentials, Policy A, which was created for on-prem users, is applied and not Policy B, which was created for off-prem users.

09-02-2021 12:04 PM
Hi,
Yes, that is expected. The reason is that if you have Active Directory integration, AnyConnect will pass the user identity and it will match the policy that matches the respective user or the AD group this user belongs to.
In order to accomplish on- and off-network policies for Roaming Computers you need to have the following in place:
- Enable "Disable DNS redirection while on an Umbrella Protected Network" under Roaming Computer Settings in the Umbrella dashboard
- Configure 2 policies:
  - The policy matching the Network identity must have higher precedence (only Network identities; do not use AD identities on this policy)
  - The policy matching the Roaming Clients must be below the policy matching the Network identity (you can also use AD users on this policy)
The above is specifically for when you are using Network Protection and Roaming Clients. If you were to implement Virtual Appliances and start building policies based on AD groups, you will need the policies configured in the following order:
- Policy matching the Roaming Clients (for off-network)
- Policy matching AD users/groups (for on-network)
I hope this helps to clarify your concerns.
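A small model of the precedence behaviour described in the reply above, added here as an example; it is not part of this thread and not Cisco's code. It assumes Umbrella evaluates policies top-down and applies the first policy that shares an identity with the request, that with DNS redirection disabled on a protected network the on-network request carries only the Network identity, and that off-network the roaming client attaches the Roaming Computer and AD user identities. The policy names, the 203.0.113.10 address, the computer name, the user and the request shapes (including the Virtual Appliance variant) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Identity kinds used in this thread (a subset of what Umbrella supports).
NETWORK = "network"            # a registered public IP (Network identity)
ROAMING = "roaming_computer"   # the AnyConnect/Umbrella roaming client
AD_USER = "ad_user"            # an Active Directory user passed by the client or a VA

Identity = Tuple[str, str]


@dataclass(frozen=True)
class Policy:
    name: str
    identities: FrozenSet[Identity]  # identities the policy is assigned to


@dataclass(frozen=True)
class Request:
    identities: FrozenSet[Identity]  # identities Umbrella sees on one DNS request


def applied_policy(policies: List[Policy], request: Request) -> Optional[Policy]:
    """Assumed model of Umbrella precedence: top-down, first policy that
    shares any identity with the request wins; None if nothing matches."""
    for policy in policies:
        if policy.identities & request.identities:
            return policy
    return None


# Constructed identities (address from the RFC 5737 documentation range).
OFFICE_NET: Identity = (NETWORK, "203.0.113.10")
LAPTOP: Identity = (ROAMING, "LAPTOP-01")
ALICE: Identity = (AD_USER, "alice@corp.example")

# Assumed request shapes: redirection disabled on-net leaves only the Network
# identity; off-net the roaming client adds its own and the AD user identity.
ON_NET = Request(frozenset({OFFICE_NET}))
OFF_NET = Request(frozenset({LAPTOP, ALICE}))


def evaluate(policies: List[Policy], on_net: Request = ON_NET,
             off_net: Request = OFF_NET) -> dict:
    """Name of the policy each request lands on, keyed by location."""
    def name(req: Request) -> Optional[str]:
        hit = applied_policy(policies, req)
        return hit.name if hit else None
    return {"on_net": name(on_net), "off_net": name(off_net)}


def broken_order() -> List[Policy]:
    """The setup reported in the thread: Policy A carries the AD user,
    so it also matches the off-network request."""
    return [
        Policy("A on-prem", frozenset({OFFICE_NET, ALICE})),
        Policy("B off-prem", frozenset({LAPTOP})),
    ]


def fixed_order() -> List[Policy]:
    """The fix: Network-only policy on top, Roaming Computers (plus AD user) below."""
    return [
        Policy("A on-prem", frozenset({OFFICE_NET})),
        Policy("B off-prem", frozenset({LAPTOP, ALICE})),
    ]


# Virtual Appliance variant (assumed): on-net the VA reports the AD user,
# so the Roaming Computers policy has to sit above the AD user/group policy.
ON_NET_VA = Request(frozenset({OFFICE_NET, ALICE}))


def va_order() -> List[Policy]:
    return [
        Policy("Roaming off-prem", frozenset({LAPTOP})),
        Policy("AD on-prem", frozenset({ALICE})),
    ]


def va_wrong_order() -> List[Policy]:
    """AD policy on top: roaming users hit it both on- and off-network."""
    return list(reversed(va_order()))


if __name__ == "__main__":
    print("broken:", evaluate(broken_order()))
    print("fixed: ", evaluate(fixed_order()))
    print("VA:    ", evaluate(va_order(), on_net=ON_NET_VA))
    print("VA bad:", evaluate(va_wrong_order(), on_net=ON_NET_VA))
```

Running it shows the misordered set landing off-network users on the on-prem policy in both the Network and the VA scenarios, and the corrected orderings splitting them as intended; the matcher only reproduces the first-match rule, not any other Umbrella evaluation detail.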
09-04-2021 12:14 AM
Hi Ivan,
Thanks for your reply. I have followed your recommendation and got the expected result for on-prem and roaming users logging in to their machines with their user credentials (without VA).
Regarding deployment with a VA, you have suggested we can create a policy using AD users for on-prem and Roaming Clients for off-prem. So would there not be a chance that the on-prem policy might be applied if the same users log in with their AD user credentials while they are off-prem?
Just a doubt.

09-06-2021 10:21 AM
Hi,
The reason why you need to create the on-prem policy with AD user/group while keeping the off-prem policy with Roaming Clients is that if you enable "Active Directory Identity" for your Roaming Computers and you move the AD policy on top of the Roaming Computers policy, users with the Roaming Client will always hit that policy while on or off-network. That is why you need to make that change from Network to Active Directory user/group identity in your on-prem policy.
I hope this helps!
09-20-2021 09:00 PM - edited 10-08-2021 10:58 PM
This requirement can be accomplished by following the steps specified in the following document. The guide contains detailed steps which will help you implement it successfully:
https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1
