Umbrella Secure Client (Anyconnect Umbrella only) and Citrix

bjames · ‎12-18-2024

Hi

We are having an issue with a new deployment of Umbrella Secure Client (Only Umbrella loaded) and Citrix VPN. When the client is enabled we are seeing 25-30% more traffic going to the VPN IP. When the Secure Client is uninstalled it's gone, this results in hundreds of Megs worth of traffic when it should be K's. Clients are split tunneled, not using the on prem VA's for DNS so should be going over the cloud via split tunnel to Umbrella. Citrix is fully patched and we are using the latest Secure Client.

Sniffer traces aren't telling us much and we have a case open with Umbrella but we are not making much progress.

Anyone else have a similar experience?

wajidhassan · ‎06-27-2025

https://support.umbrella.com/hc/en-us/articles/230561147-Umbrella-Roaming-Client-standalone-Compatibility-Guide-for-Software-and-VPNs?utm_source=chatgpt.com

1. Use the Umbrella (Secure Client) Module
Migrate from the standalone Umbrella client to Cisco Secure Client + Roaming Security Module.
This integrated module is designed to respect VPN clients like Citrix and avoids DNS conflicts.

2. Verify Split-Tunnel Policies
Ensure Citrix split-tunnel configuration specifically excludes DNS traffic from being routed through the VPN. DNS queries should go through Umbrella’s client, not the VPN tunnel.

3. DNS Binding Order
Umbrella relies on being the primary DNS resolver bound to 127.0.0.1.
If Citrix resets DNS interface order, Umbrella may deactivate to allow VPN to function.
The integrated module reduces this DNS flip-flop.

4. Update Clients to Latest Versions
Ensure you’re using the latest Cisco Secure Client and Citrix Secure Access/VPN client, which include fixes for DNS and tunnel compatibility.