
Umbrella SWG with DNS protection - is this possible?

PacketSpartan
Level 1

Hi all, we're looking to deploy Umbrella with an IPsec tunnel from our DC to Umbrella.

We'll use either PBR-based routing or a PAC file to route 80/443 traffic into this tunnel; this will provide SWG protection for 80/443.

How do we provide DNS-based security to the above setup?

 

1. Would it be possible to route DNS (53) traffic via the IPsec tunnel, alongside 80/443?
2. If we point our DNS server (win) to Umbrella for external lookups, will this provide granular logs in the activity search with private IPs? (We already have our ADs linked to Umbrella.)

 

 

 

 


Accepted Solutions

diebarra
Cisco Employee

Hello!

DNS is supported within the tunnel for both Umbrella and non-Umbrella resolvers. To get visibility for users and internal IPs, though, you would need to deploy the virtual appliances.

Your Windows servers, under the network settings, would have the DNS servers configured to be the VA; the VA will then automatically redirect to Umbrella or internal resolvers based on your dashboard "Internal Domain" list.

 

 


Thank you diebarra, it makes sense.
We need to have the VAs to have full visibility of the internal IPs.

So the 80/443 will go down the IPsec tunnel for SWG, the DNS traffic will hit the VAs, and they will send it out to Umbrella (direct breakout if we don't want to use the tunnel). Our Windows DNS servers will also have their DNS pointed towards the VAs, which in turn will forward it to the Umbrella cloud.



 

 
