Showing results for 
Search instead for 
Did you mean: 

Umbrella: Roaming Client on a Protected Network

Level 1
Level 1

Hi guys,


I'm facing an issue which I'm not able to solve. Actually, I'm not sure if it is an issue or expected behaviour. Here is my situation:

Have Roaming Computer - Roaming client installed

Roaming computer is connected to a network protected by Umbrella - DNS forwader configured and the VIP is also configured in the Dashboard.

There is an option under the Roaming Computer settings - Disable DNS redirection while on an Umbrella Protected Network - NOT checked

Have two policies (one for network, one for roaming computers) - exactly like here:

- other prerequisites are also matched.

I expected the computer will match the roaming policy, but it is matching the network policy.

Is that expected? Or there is something wrong in my configuration?

It really doesn't make sense to me since the computer will always be behind the network policy so I can't enable.


Hope my description is clear enough.

Thank you,



2 Replies 2

Cisco Employee
Cisco Employee

This is expected behavior.


On a protected network, DNS will function as though they are regular network users:

  • Roaming users will be subject to the relevant network policy's settings.
  • Reporting will be at the network level: You will lose Umbrella roaming client's granular reporting.
  • Umbrella roaming client disables itself, DNS settings revert to the network DNS.
  • Outbound DNS will no longer be encrypted.

There is a good doc available that will help you understand roaming client behavior on your network and how to tune if needed.


Can you check if the policy for roaming client is above the network policy since the policy flow is from up to down.


If it is proper then check laptop with outside network if the policy flow is proper.