Umbrella Roaming Client and CDF

skdudoit
Level 1

One of the key drivers for Umbrella is the security it provides for roaming clients with split tunneling enabled for the most efficient traffic routing to resources. With the SIG package, it looks like we have DNS and Web traffic covered quite well with Umbrella DNS and SWG, respectively. However, for "other than" DNS-driven and Web traffic we ideally want a firewall for protection. The Cloud Delivered Firewall seems like it should be perfect for this, except for the fact that it doesn't yet support roaming clients.


Therefore, I'm looking for best practices or architectural guidance on how best to split tunnel this scenario using AnyConnect, such that all non-DNS-derived and non-Web traffic is tunneled back to the corporate data center to either be routed through that firewall, or routed through the CDF that services the data center (though probably the former will apply in most cases today).


Any architectural documentation in this regard will be greatly appreciated.
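The question above turns on one property of classic (non-dynamic) AnyConnect split tunneling: the tunnel/no-tunnel decision is made per destination address, never per port or protocol. The following simulator is an added example, not code from the original post or from Cisco; it models an "exclude specified networks" policy and classifies constructed sample flows. The prefixes 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used here as stand-ins for whatever proxy/resolver ranges an admin would actually exclude; they are not Umbrella's published addresses. The flow model assumes that web traffic handed to the SWG is addressed to the SWG's own range, which is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed "exclude specified" (go direct, bypass the VPN) prefixes.
# Placeholder documentation ranges, NOT Umbrella's real addresses.
DIRECT_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical SWG proxy range
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical DNS resolver range
]


@dataclass(frozen=True)
class Flow:
    dst: str                     # destination IP as a string
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for ICMP


def route_decision(flow: Flow, direct_prefixes=DIRECT_PREFIXES) -> str:
    """Destination-only decision, as with a classic split-exclude ACL.
    Note that flow.proto and flow.dport are deliberately not consulted."""
    addr = ipaddress.ip_address(flow.dst)
    for net in direct_prefixes:
        if addr in net:
            return "direct"
    return "tunnel"


def classify(flows: List[Flow], direct_prefixes=DIRECT_PREFIXES) -> Dict[Flow, str]:
    """Map every flow to 'direct' or 'tunnel' under the given exclude list."""
    return {f: route_decision(f, direct_prefixes) for f in flows}


def non_web_leaving_direct(flows: List[Flow], direct_prefixes=DIRECT_PREFIXES) -> List[Flow]:
    """Policy check: which flows that are NOT HTTP/HTTPS still bypass the
    tunnel (and therefore the data-center firewall)? This is the residual
    exposure the original poster is asking about, limited to the excluded
    destinations, because the ACL cannot say 'only tcp/80 and tcp/443'."""
    decisions = classify(flows, direct_prefixes)
    return [
        f for f, d in decisions.items()
        if d == "direct" and not (f.proto == "tcp" and f.dport in (80, 443))
    ]


# Constructed sample flows from a roaming host (not captured traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "tcp", 443),   # HTTPS forwarded to the assumed SWG range
    Flow("192.0.2.10", "tcp", 443),     # HTTPS straight to an arbitrary internet host
    Flow("203.0.113.5", "udp", 53),     # DNS to the assumed resolver range
    Flow("192.0.2.10", "icmp"),         # ping to an arbitrary internet host
    Flow("198.51.100.7", "icmp"),       # ping to a host inside the excluded range
    Flow("192.0.2.20", "tcp", 22),      # SSH to an arbitrary internet host
]


if __name__ == "__main__":
    for flow, decision in classify(SAMPLE_FLOWS).items():
        print(f"{flow.dst:>14} {flow.proto:>4} {str(flow.dport or ''):>4} -> {decision}")
    print("non-web flows bypassing the tunnel:", non_web_leaving_direct(SAMPLE_FLOWS))
```

Read the output two ways. Everything to a non-excluded destination, including plain ICMP and SSH to arbitrary hosts, is tunnelled and so lands on the data-center firewall, which is the behaviour the poster wants. But the exclusion is per destination, so ICMP to an address inside an excluded range also goes direct; the only way to keep that residue small is to keep the exclude list down to the proxy and resolver ranges and nothing else.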

6 Replies

Ruben Cocheno
Spotlight

@skdudoit 


Have a look at the CVDs at cisco.com or www.ciscolive.com for breakout sessions; you are going to find all the info required.

Tag me to follow up.

I did. Couldn't find anything addressing my particular question.

That's the way it's marketed.


But as it stands with the CDF not being accessible via the Roaming Client, that's synonymous with taking away the corporate firewall and protecting all corporate Internet-bound traffic simply with Umbrella's DNS layer security and SWG. But not CDF.


No one would do this today.

franzd
Cisco Employee

For your non-web traffic problem, according to this document:

https://support.umbrella.com/hc/en-us/articles/360051661151-Cisco-AnyConnect-Secure-Mobility-Client-Version-4-9-MR3


We can now allow the SWG proxy to intercept HTTP and HTTPS traffic coming from non-standard ports besides the standard ports 80 and 443. But the availability of this feature is limited. You might want to open a ticket to have it enabled.

Thanks for the note! That's a step in the right direction, but focused on HTTP/S traffic specifically. I'm trying to solve for all "other" IP protocols that someone can use to compromise a host or even just perform reconnaissance, something as simple as ICMP, for example. Many firewalls, such as Cisco's, block ICMP inbound by default, for security reasons. For corporate use, I need to assume that my mobile users are not behind a firewall (even though they're likely behind consumer-grade firewalls), and so in the same way that most of us wouldn't protect a data center with a Netgear firewall, I want to protect my mobile users behind a cloud-provided enterprise-grade firewall that I manage, this being CDF. I believe CDF needs to be connectable by AnyConnect, just like Prisma Access and GlobalProtect. That's a straight-up enterprise-grade firewall in the cloud for mobile users. Come on, Cisco, you can do it, too!!

Yes, it's looking interesting. I will focus on it later, because right now I am still doing the same project that I mentioned in my blog; you can see there that it is a very interesting topic, and after my real project is complete I will take a look at this problem.
