05-19-2025 02:54 AM
Hi everyone,
I'm experiencing an issue with a WatchGuard VPN that uses SAML authentication (via Azure AD / Entra ID). The VPN connection works perfectly under the following conditions:
However, when Cisco Umbrella is enabled, the VPN connection fails right after the SAML authentication completes successfully. Here's what happens:
I’ve already tried the following:
Despite all this, the issue only occurs when Umbrella is active. It seems that Umbrella is interfering with the SAML token exchange or the final authentication step, even though the TLS connection is established.
Has anyone encountered a similar issue or found a way to configure Umbrella to fully bypass VPN-related traffic?
Any help or guidance would be greatly appreciated!
Thanks
07-07-2025 09:50 AM
Cisco Umbrella uses a SAML proxy (cookie/IP surrogate) to associate DNS and web traffic with user identities.
While SAML succeeds and TLS handshake completes for VPN, Umbrella intercepts subsequent traffic, injects its proxy, and likely drops or alters critical tokens — causing the VPN’s AUTH_FAILED.
Ensure Umbrella uses IP surrogates, not cookie-based only:
Go to Deployments → Configuration → SAML Configuration.
Enable IP Surrogates.
Map your VPN tunnel to a site and enable surrogates for it.
Optionally, add internal network bypass for shared addresses.
This prevents Umbrella from injecting cookie-based proxy into your VPN flow.
Cisco now supports the “SAML Bypass” destination list:
Under Secure Web Gateway policy, add a SAML Bypass rule.
Include your VPN IP/FQDN as a bypass domain.
Traffic to these addresses will bypass SAML proxy entirely.
Continue to whitelist:
VPN server’s public IP/FQDN.
Azure AD/Entra login URLs.
Any intermediate endpoints (token, metadata URLs).
But note: simple whitelisting may not override the SAML proxy unless combined with bypass rules above.
Map tunnel to Site (Umbrella configuration).
Enable IP Surrogates for that Site.
Add SAML Bypass for VPN server domains/IPs.
Whitelist relevant SAML/Azure AD URLs.
Test VPN under Umbrella — the TLS handshake should pass, and AUTH should succeed.
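The final step above says to test the VPN under Umbrella, but the thread gives no way to tell whether a failure is a DNS-layer redirect, a bypass rule that did not take effect, or a TLS problem. The script below is an added diagnostic written for this thread; it is not code from the original posts, from Cisco, or from WatchGuard. For each endpoint on the whitelist (the VPN server FQDN and the Entra ID sign-in host) it resolves the name through the system resolver (which Umbrella's roaming client controls) and again through an independent reference resolver using a hand-built DNS query, then attempts a TLS handshake, and reports a verdict. `vpn.example.com` is a placeholder, and the reference resolver `9.9.9.9` is an assumption you can override on the command line.

```python
"""Diagnostic for SAML-authenticated VPN logins behind a DNS-layer proxy.
Added example, not from the original thread or any vendor documentation."""
import socket
import ssl
import struct
import sys

# Constructed endpoint list: vpn.example.com is a placeholder for your VPN
# server FQDN; login.microsoftonline.com is the Entra ID sign-in host.
ENDPOINTS = [
    ("vpn.example.com", 443),
    ("login.microsoftonline.com", 443),
]


def build_query(name, qid=0x1234):
    """Minimal RFC 1035 A-record query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(buf, offset):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_records(response, qid=0x1234):
    """Return the sorted IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        raise ValueError("DNS transaction id mismatch")
    offset = 12
    for _ in range(qd):                      # skip the echoed question
        offset = _skip_name(response, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return sorted(addrs)


def resolve_via(name, resolver_ip, timeout=3.0):
    """Resolve name over plain UDP/53 against one specific resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def resolve_system(name):
    """Resolve name through whatever resolver the OS (or Umbrella client) uses."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tls_handshake_ok(host, port, timeout=5.0):
    """True if a full TLS handshake with certificate validation completes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def verdict(system_addrs, reference_addrs, tls_ok):
    """Classify one endpoint. Divergence is a signal to inspect the DNS-layer
    policy, not proof: CDN-hosted names may legitimately differ per resolver."""
    if not system_addrs:
        return "UNRESOLVED"
    if system_addrs != reference_addrs:
        return "DIVERGES"
    if not tls_ok:
        return "TLS_FAILED"
    return "OK"


if __name__ == "__main__":
    reference = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"  # assumed reference resolver
    for host, port in ENDPOINTS:
        sys_a = resolve_system(host)
        try:
            ref_a = resolve_via(host, reference)
        except (OSError, ValueError):
            ref_a = []
        print(f"{host}: system={sys_a} reference={ref_a} -> "
              f"{verdict(sys_a, ref_a, tls_handshake_ok(host, port))}")
```

Run it once with Umbrella disabled and once with it enabled; an endpoint that moves from OK to DIVERGES or TLS_FAILED is the one the SAML Bypass or IP surrogate change has not yet covered.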