Netskope Help

Cisco Umbrella

This document describes the three configuration steps needed to ensure smooth interoperability between Cisco Umbrella and the Netskope Client.

Environment

This document was created using the following components:

  • Netskope Client v.85.2.0.629

  • Umbrella Roaming Client v.2.2.580.0

  • Cisco AnyConnect (v.4.10.01075) with latest Umbrella Roaming Module as of 6/1/2021

Interoperability Configuration Requirements

We recommend the following configuration requirements to ensure smooth interoperability between the Netskope Client and Cisco Umbrella:

  1. Create an Umbrella IP Bypass List in Netskope

  2. Bypass Umbrella Processes for Umbrella DNS-based protection

  3. Enable the Perform Server Name Indication (SNI) Check in Netskope

Create an Umbrella IP Bypass List in Netskope

Regardless of the Netskope steering method (CASB or NG-SWG) or OS (Windows or Mac), create a Network Location and add the ranges below to it. This prevents Netskope from intercepting Umbrella block page responses and Intelligent Proxy redirect responses (if enabled in Umbrella), regardless of type (malware, malsite, content, etc.), so those pages and redirects can be rendered properly. See Exception Configuration for VPN Applications for the procedure to create a Network Location and add it to a steering configuration as an exception.

  • 67.215.64.0/19

  • 146.112.0.0/16

  • 155.190.0.0/16

  • 185.60.84.0/22

  • 204.194.232.0/21

  • 208.67.216.0/21

  • 208.69.32.0/21

Note

In the steering configuration, select Destination Location as the exception.
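A quick way to verify the exception before and after it is applied is to check observed destination IPs against the ranges above. The following Python script is an added example, not part of this document or of Netskope's or Cisco's software; the log line format (`dst=<ip> action=<steered|bypassed>`) is a constructed stand-in for whatever your steering or proxy log actually emits, and the sample IPs are constructed as well. It validates the range list (well-formed CIDRs, no overlaps), maps a destination IP to the range that covers it, and flags Umbrella destinations that were still steered, which is exactly the symptom of a missing or mis-scoped Destination Location exception.

```python
import ipaddress

# Umbrella block page / Intelligent Proxy ranges as listed in this document.
UMBRELLA_BYPASS_RANGES = [
    "67.215.64.0/19",
    "146.112.0.0/16",
    "155.190.0.0/16",
    "185.60.84.0/22",
    "204.194.232.0/21",
    "208.67.216.0/21",
    "208.69.32.0/21",
]


def validate_ranges(ranges):
    """Return a list of problems with a CIDR list: malformed entries
    (including host bits set) and pairs of entries that overlap.
    An empty list means the list is clean."""
    problems = []
    nets = []
    for entry in ranges:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


_NETWORKS = [ipaddress.ip_network(r) for r in UMBRELLA_BYPASS_RANGES]


def matching_range(ip):
    """Return the Umbrella bypass range (as a string) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in _NETWORKS:
        if addr in net:
            return str(net)
    return None


def steered_umbrella_hits(log_lines):
    """Scan constructed log lines of the form 'dst=<ip> action=<steered|bypassed>'
    and return (ip, range) pairs for Umbrella destinations that were steered,
    i.e. where the Destination Location exception did not take effect."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        net = matching_range(fields["dst"])
        if net and fields.get("action") == "steered":
            hits.append((fields["dst"], net))
    return hits


# Constructed sample log: one Umbrella destination still steered (a finding),
# one correctly bypassed, one unrelated internal address.
SAMPLE_LOG = [
    "dst=146.112.1.1 action=steered",
    "dst=208.67.220.5 action=bypassed",
    "dst=10.1.2.3 action=steered",
]

if __name__ == "__main__":
    print("range problems:", validate_ranges(UMBRELLA_BYPASS_RANGES))
    for ip, net in steered_umbrella_hits(SAMPLE_LOG):
        print(f"Umbrella destination {ip} ({net}) was steered; check the exception")
```

Run it against an export of your own steering or proxy log after converting the lines to the `dst=... action=...` form; any hit means block pages and redirects for that range will still be proxied by Netskope.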

Bypass Umbrella Processes for Umbrella DNS-based protection

This step covers Umbrella components running on the host, but even if the Umbrella user only redirects DNS through Virtual Appliances while on-premises, it is still worth having these bypasses in place. They prevent Netskope from intercepting any traffic from the DNScrypt component of Umbrella and ensure that no traffic bound for the Umbrella dashboard (for example, status and operational updates) is intercepted by Netskope.

For both the Windows and macOS Umbrella RC, create a single Cert-Pinned App with the following listed as processes:

  • Windows:

    • For the Umbrella DNScrypt process: dnscrypt-proxy.exe and dnscryptproxy.exe (as of 2.3+ of the Umbrella Roaming Client).

    • For the Umbrella RC process: ercservice.exe.

    • For AnyConnect with the Umbrella Roaming Module: acumbrellaagent.exe.

  • Mac: dnscrypt-proxy, dnscryptproxy, ercservice, and acumbrellaagent.

Enable the Perform Server Name Indication (SNI) Check in Netskope

Originally, Ignore DNS Loopback was used to handle overlapping IP space, where one IP was shared by several applications. In that case Netskope would map the IP to all of those applications and policies could overlap. Now that the SNI check option exists for steering, this original method is no longer needed.

To ensure SNI checking is enabled:

  1. Go to Settings > Security Cloud Platform > Netskope Client > Devices and click Client Configurations (top right).

  2. Click on the existing tenant configuration. If there is more than one, click the one that will require Umbrella Roaming Client interop.

  3. Under Advanced, select the Perform SNI (Server Name Indication) option.

With this option enabled, the client checks the SNI to determine which server name is actually being requested, so there is no ambiguity when several applications share an IP, which removes the concern around overlapping IPs.

Troubleshooting

Question 1: I’ve done everything in this document, and we're not getting the Umbrella block page; things just seem to go right through. What can I do?

Answer 1: When this happens, it is generally because the browser is using Secure DNS, a.k.a. DNS over HTTPS. Umbrella cannot inspect DNS requests when this is enabled, which is why Umbrella takes no action. This has nothing to do with the Netskope Client or services.

Question 2: When Umbrella VAs (Virtual Appliances) are used onsite, is there anything to be concerned about with that component?

Answer 2: No. The steps outlined here also take care of Virtual Appliances when in the network.

Question 3: What about tunnels? Any concerns if not using the Netskope client, but an IPSec tunnel with the Umbrella Client or VAs?

Answer 3: No issues here, either.

Question 4: What about Cloud Explicit Proxy, or EPoT (Explicit Proxy over Tunnel) instead of the Netskope client with Umbrella Roaming client? Any concerns here?

Answer 4: Yes. An explicit proxy request uses an HTTP CONNECT, which does not require a host-level DNS request on the client and therefore produces nothing the Umbrella Roaming Client or VAs can inspect. This renders the Umbrella solution completely inoperable; the effect is caused by the explicit proxy configuration itself and is not specific to Netskope.