08-26-2021 04:19 AM
Hi All,
I am planning an Umbrella roll out with a customer already using Forcepoint clients. Our plan was to remove the Forcepoint client and apply the Umbrella PAC.
I have a query on the DNS resolution: if we point DNS to Umbrella, we can't resolve internal domains via Umbrella DNS directly. I know the internal domains are whitelisted on the Dashboard, but I don't think they can be resolved from there.
If the users retain internal DNS, do we just need to add the Umbrella IPs as forwarders on the DNS servers? The proxy takes care of HTTP/HTTPS traffic.
08-26-2021 04:40 AM
@Brian McPhillips wrote: I have a query on the DNS resolution: if we point DNS to Umbrella, we can't resolve internal domains via Umbrella DNS directly. I know the internal domains are whitelisted on the Dashboard, but I don't think they can be resolved from there.
Did you test it? With the internal domains configured in the Umbrella dashboard it should work, and while the internal DNS servers are reachable (for example through VPN) they should be queried for the configured domains.
@Brian McPhillips wrote: If the users retain internal DNS, do we just need to add the Umbrella IPs as forwarders on the DNS servers? The proxy takes care of HTTP/HTTPS traffic.
Yes, that should work when your public IP network is added to the Umbrella dashboard. The better solution could be to deploy the Umbrella VAs in your network:
https://docs.umbrella.com/deployment-umbrella/docs/1-introduction
08-26-2021 08:31 AM
Hi,
The Internal Domains section in your Umbrella Dashboard is for Virtual Appliances and Roaming Computers (AnyConnect or ERC), so if you are just pointing your users to your local DNS servers and configure the Umbrella forwarders for external resolution, then internal domains will be resolved by your internal DNS servers while external domains will be redirected to Umbrella.
Here is the guide to configure your internal domains to redirect external requests to Umbrella:
https://docs.umbrella.com/deployment-umbrella/docs/point-your-dns-to-cisco
I just wanted to give a heads up for this setup: when PAC files are used, browser traffic often will not generate DNS requests. The reason is that with a PAC file the machine knows the proxy will perform DNS resolution on its behalf, so only non-browser traffic will generate DNS requests, and that is the traffic that will be redirected to Umbrella. We have recommendations for a setup with a web proxy, which can be found at the following link:
https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
I highly recommend following the recommendations in the above guide for a successful implementation.
I hope this helps!
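As an added illustration of the point about PAC files and DNS (example code written for this page, not part of the thread and not from Cisco or Umbrella documentation), the following minimal PAC file shows which browser requests still produce a client-side DNS query. Only hosts returned as DIRECT are resolved by the client through its local DNS servers (and, via the forwarders, Umbrella); hosts returned as PROXY are handed to the proxy as an unresolved name, so an Umbrella DNS policy never sees them. The internal zone names and the proxy address are assumptions, and the PAC helper functions are re-implemented here only so the file runs outside a browser.

```javascript
// Added example, not from the thread: a minimal PAC file that makes the
// DNS-visibility point concrete. A browser's PAC runtime provides
// isPlainHostName() and dnsDomainIs(); they are re-implemented here only so
// the file also runs under Node. The domain names and proxy address below
// are assumptions for illustration.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Assumed internal zones and assumed proxy address.
const INTERNAL_DOMAINS = [".corp.example", ".example.internal"];
const PROXY = "PROXY proxy.corp.example:8080";

function FindProxyForURL(url, host) {
  // Short names, internal suffixes and raw IPs go DIRECT. For a DIRECT
  // connection the browser resolves the name itself through the local DNS
  // servers, so internal zones keep resolving; these requests (plus all
  // non-browser traffic) are the only ones that can reach the DNS layer.
  if (isPlainHostName(host) || isIPv4Literal(host)) return "DIRECT";
  for (const domain of INTERNAL_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }
  // Everything else is handed to the proxy as an unresolved hostname.
  // The client sends no DNS query, so Umbrella's DNS policies never see
  // this request; only the proxy's policy applies to it.
  return PROXY;
}

// True when a browser request will produce a client-side DNS query, i.e.
// the only case in which a DNS-layer policy can act on it.
function clientResolvesHost(url, host) {
  return FindProxyForURL(url, host) === "DIRECT" && !isIPv4Literal(host);
}
```

One practical caveat when auditing a PAC for this behaviour: PAC helpers such as dnsResolve() and isInNet() force the browser to resolve the hostname locally even for requests that end up going to the proxy, so a PAC that uses them will generate DNS queries (and therefore DNS-policy hits) that this example's simple rules do not.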
08-31-2021 02:31 AM
Thanks, Ivan. That seems to explain my testing. When I tested with the PAC file I did not see traffic hitting the DNS policies much, if at all. Mostly the web proxy was blocking.
I just wanted to give a heads up for this setup: when PAC files are used, browser traffic often will not generate DNS requests. The reason is that with a PAC file the machine knows the proxy will perform DNS resolution on its behalf, so only non-browser traffic will generate DNS requests, and that is the traffic that will be redirected to Umbrella. We have recommendations for a setup with a web proxy, which can be found at the following link:
https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
08-31-2021 12:13 PM
You are very welcome, Brian. I am glad the explanation was helpful. And yes, what you experienced is expected behavior, due to what I explained.
03-22-2023 12:49 PM
Hello Brian, could you help me? I need to import my customized PAC file into Umbrella, but I don't know where.
I am already using Forcepoint too, and am trying to test it.