Umbrella: Roaming Client on a Protected Network

stanislav.pilat · ‎02-12-2019

Hi guys,

I'm facing an issue which I'm not able to solve. Actually, I'm not sure if it is an issue or expected behaviour. Here is my situation:

Have Roaming Computer - Roaming client installed

Roaming computer is connected to a network protected by Umbrella - DNS forwader configured and the VIP is also configured in the Dashboard.

There is an option under the Roaming Computer settings - Disable DNS redirection while on an Umbrella Protected Network - NOT checked

Have two policies (one for network, one for roaming computers) - exactly like here:

- other prerequisites are also matched.

I expected the computer will match the roaming policy, but it is matching the network policy.

Is that expected? Or there is something wrong in my configuration?

It really doesn't make sense to me since the computer will always be behind the network policy so I can't enable.

Hope my description is clear enough.

Thank you,

SP.

seanmil · ‎02-13-2019

This is expected behavior.

On a protected network, DNS will function as though they are regular network users:

Roaming users will be subject to the relevant network policy's settings.
Reporting will be at the network level: You will lose Umbrella roaming client's granular reporting.
Umbrella roaming client disables itself, DNS settings revert to the network DNS.
Outbound DNS will no longer be encrypted.

There is a good doc available that will help you understand roaming client behavior on your network and how to tune if needed.

dwarika.ratturi@ingrammicro.co · ‎03-11-2019

Can you check if the policy for roaming client is above the network policy since the policy flow is from up to down.

If it is proper then check laptop with outside network if the policy flow is proper.

Cisco Umbrella - Roaming Client