
After installing Umbrella RC on a Win11 laptop, MS VPN no longer works

mski7861
Level 1

Setting up a new implementation of Umbrella and the client rolled out the RC to a few Windows 11 laptops that have a MS VPN configured to connect to Azure.  After installing the Umbrella RC, they get the following error after entering the username and password:

 a connection to the remote computer could not be established. You might need to change the network settings for this connection

Verified other machines that didn't have the RC installed can connect to Azure from VPN.

I also verified we can ping the primary and secondary VPN addresses and also added both in the allow rule.

NOTE: I do have SWG enabled in the secure roaming client config.

Any suggestions? 

5 Replies

In the Umbrella console, under Deployment/Configuration/Domain Management/External Domains & IPs, I would add the domain or IPs that your VPN is connecting to... you don't want that VPN traffic going through the Umbrella cloud, you want that direct to the VPN endpoint. And probably a split tunnel configured in the VPN so that SWG traffic goes straight to Umbrella instead of going up to the VPN endpoint first.



________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Ruben Cocheno
Spotlight

@mski7861 

Add your internal domains here

https://docs.umbrella.com/umbrella-user-guide/docs/add-internal-domains

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

mski7861
Level 1

@Ruben Cocheno @Ken Stieers thank you both for your recommendations!  Part of the issue was the client performed the install and selected all options including NVM, ISE Posture, ThousandEyes and ZeroTrust Access.  I uninstalled all features then only installed each requirement from the command line:

msiexec /package cisco-secure-client-win-5.1.1.42-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* securecleintinstall.log

msiexec /package cisco-secure-client-win-5.1.1.42-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log

msiexec /package cisco-secure-client-win-5.1.1.42-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

The only issue remaining is when the client attempts to connect to a desktop using ConnectWise/ScreenConnect he receives the following error:

mski7861_1-1706892132143.png

I added ConnectWise as an approved app but still get this error.  When I disable SWG it works. 

 

So, in that case, in the Umbrella/SWG console, add the ConnectWise domain to the "external domains and IPs" list too, so that traffic doesn't get sent to Umbrella.



@mski7861 

Oh boy, that was a big one. For ConnectWise, add it as an external domain and it should work.
