Umbrella with Split Tunnelling

Brigg001
Level 1

Hi All, 

 

I have seen some similar queries for the below but can't get a clear answer.

 

We have Network split-tunnelling set up so that when we are not in the office the Umbrella agent is honoured for DNS URL filtering for our Windows 10 based Endpoints, but when on the Office LAN the URL filtering is carried out by the On Premises 3rd Party Firewall that also does URL filtering.

 

We are planning to get rid of that 3rd Party Firewall module that does the URL filtering and are aiming to consolidate to using Umbrella to do both in/out Office endpoint DNS URL filtering.

 

Will Umbrella work for in-Office LAN filtering if we add the Static Hide IP Address of the Office LAN range into the Cisco Umbrella Dashboard under "Deployments > Core Identities > Networks" (see attached screenshot: "Umbrella - Network setting.PNG") if we get rid of the On Premises 3rd Party Firewall that does the URL filtering? If so, will it work without an Appliance, or would we need to deploy one for this requirement?

 

Kind regards


Aftaab

 

1 Reply

Milos_Jovanovic
VIP Alumni

Hi @Brigg001,

You are mentioning URL filtering frequently, which would assume you have the Umbrella SIG package (the package that contains DNS security, but also Web Security Gateway / proxy). But, based on the screenshot you provided, it looks to me that you don't have SIG, but only Essentials or Advantage, which means that you do not have URL filtering, but only DNS-based filtering (it actually comes with some URL filtering, but it is quite specific and can't be called URL filtering). Please correct me if I'm wrong.

Based on that, it is wrong to assume that the URL filtering you currently have with your FW can be replaced with DNS filtering from Umbrella. URL filtering should be replaced with URL filtering (SIG from Umbrella).

Unless DNS category filtering is enough for what you are trying to achieve? In that case, yes, you need to define your public IPs under Deployments / Core Identities / Networks, but these IPs should be from your internal DNS servers, on which you should configure the Umbrella resolvers as your forwarders. You should also create appropriate policies for that, or modify the existing policy to include not only Roaming users, but Networks as well. You don't need your LAN IP scopes, as inside your network, your clients will talk to internal DNS servers, while internal DNS servers should talk to Umbrella. Alternatively, if the roaming/AnyConnect agent is installed, it can talk to Umbrella directly, but, in that case, it already knows which tenant it should talk to, so there is no IP dependency here.

BR,

Milos
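
The forwarder setup described in the reply above, as an added example that is not part of the original post or Cisco's own tooling. It assumes the internal resolvers are Windows Server DNS (the thread does not say which DNS server is used) and that the site's public egress IP is already registered under Deployments / Core Identities / Networks.

```powershell
# Added example. Run in an elevated session on the internal DNS server.
# Assumption: the internal resolver is Windows Server DNS (DnsServer module).
Import-Module DnsServer

# Umbrella's public anycast resolver addresses.
$umbrella = @('208.67.222.222', '208.67.220.220')

# Replace the current forwarder list with the Umbrella resolvers only.
# Root hints are disabled so the server cannot resolve around Umbrella when
# the forwarders time out, which would silently bypass the DNS policy.
Set-DnsServerForwarder -IPAddress $umbrella -UseRootHint $false

# Check 1: no other forwarder is left and the root hint fallback is off.
$fwd   = Get-DnsServerForwarder
$extra = $fwd.IPAddress.IPAddressToString | Where-Object { $_ -notin $umbrella }
if ($extra) {
    Write-Warning "Non-Umbrella forwarders still configured: $($extra -join ', ')"
}
if ($fwd.UseRootHint) {
    Write-Warning 'Root hint fallback is still enabled.'
}

# Check 2: resolve Umbrella's diagnostic TXT record through this server.
# An answer means the query was recursed by Umbrella; compare the returned
# strings with the organization and the Network identity you expect.
try {
    Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -Server 127.0.0.1 `
        -DnsOnly -ErrorAction Stop |
        Select-Object -ExpandProperty Strings
}
catch {
    Write-Warning "No diagnostic answer; queries are not reaching Umbrella: $_"
}
```

Clients on the LAN keep pointing at the internal DNS server; only that server's egress address needs to match the registered Network.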

 
