Deploying SWG gives you greater visibility and control of data egressing from your network, allowing you to take advantage of Cisco’s enhanced security controls. It will also log and inspect all web traffic for greater transparency.
Before you look to deploy SWG, think about the needs of your organization. Ask yourself some questions such as:
- Are you looking to protect a range of IoT devices and static office equipment?
- Do you need to secure devices on the go?
- Or, do you need to identify your devices by the logged-in user?
These questions will help you decide which method is right for you.
There are currently 4 methods to direct traffic from your organization to SWG for inspection and policy enforcement. These are:
- Cisco Secure Client with the Roaming Security Module (our preferred method)
- IPsec Tunnels
- Proxy Chaining
- PAC Files
Depending on your deployment needs, some methods can be deployed in tandem. Please see our deployment documentation for further information: Summary of Umbrella Deployments.
Cisco Secure Client
The Cisco Secure Client is an installable application for Windows and Mac devices that provides protection on any network, anywhere, anytime.
Cisco Secure Client is an ideal method to choose if you are using laptop devices. It is the only connection method that allows on- and off-network protection, whether you are in the office, on a home network or in a coffee shop.
Installing the Roaming Security Module into the Cisco Secure Client will forward DNS traffic to Umbrella, blocking malware, phishing and C2 call-backs over any port. Web traffic is sent to Umbrella for URL visibility and protection, and control is then configured within your policies.
User identity support is provided based on the current logged-in user and allows for user-based reporting and policy application.
IPsec Tunnels
Deploying IPsec tunnels can be an effective way of quickly protecting a network without deploying agents. It will allow for protection of many on-premises devices such as servers, printers, and Internet of Things (IoT) devices, all on a single network.
Tunnels are used to forward data from devices such as a Cisco ASA or compatible router to Umbrella. Management is then handled through the Umbrella dashboard. This method offers DNS and web protection as well as firewall policies to control your data.
IPsec tunnels allow for internal IP address visibility, and when integrated with Active Directory, your users can be identified. SAML redirection provides individual user and group-based identities for policy enforcement and can be set to authenticate periodically.
Proxy Chaining and PAC Files
If you have a proxy server, you may consider proxy chaining as a method for easier and quicker migration, as there are no changes required to the endpoint devices. Both methods can be useful for environments such as Virtual Desktop Infrastructure (VDI) or virtual desktops, where tunnels or agents are not appropriate.
PAC files and proxy chaining will provide network, user, and group identity via SAML redirection, and full URL-level web protection with filtering via the Web Policy.
Proxy chaining can provide internal IP visibility through X-Forwarded-For (XFF) HTTP headers. More information on this can be seen in our documentation: Manage Proxy Chaining.
If you do not have a proxy server, you can use a proxy auto-config (PAC) file to forward all web traffic to Umbrella directly from the browser.
Note: A registered fixed network is required, and DNS policies will not apply.