Cisco Umbrella

Cisco Umbrella

This document explains how to implement three steps to ensure smooth interoperability between the Cisco Umbrella and Netskope Client.

Environment

This document was created using the following components:

  • Netskope Client v.85.2.0.629
  • Umbrella Roaming Client v.2.2.580.0
  • Cisco AnyConnect (v.4.10.01075) with latest Umbrella Roaming Module as of 6/1/2021

Interoperability Configuration Requirements

We recommend the following configuration requirement to ensure smooth interoperability between Netskope Client and Cisco Umbrella

  1. Create an Umbrella IP Bypass List in Netskope
  2. Bypass Umbrella Processes for Umbrella DNS-based protection

Create an Umbrella IP Bypass List in Netskope

Regardless of the Netskope steering method (CASB or NG-SWG) or OS (Windows or Mac), create a Network Location and add the below ranges to it. This prevents Netskope from intercepting the block page responses and the Intelligent Proxy redirect responses (if enabled in Umbrella), regardless of type (malware, malsite, content, etc) so those pages/redirects can be properly rendered. See Exception Configuration for VPN Applications for procedure to create Network location and add it to a steering configuration as an exception.

Note

In the steering configuration, select Destination Location as the exception.

Bypass Umbrella Processes for Umbrella DNS-based protection

This step is done for Umbrella components running on the host, but even if the Umbrella user is just redirecting via virtual appliances while on-premises, it’s not a bad idea to have these bypasses in place. This will prevent Netskope from intercepting any traffic from the DNScrypt component of Umbrella, as well as ensure that no traffic bound to the Umbrella dashboard (for things like updating status / operation) is intercepted by Netskope.

For Windows AND MacOS Umbrella RC, create a single Cert-Pinned App with the following listed as processes

  • Windows:
    • For the Umbrella DNScrypt process: dnscrypt-proxy.exe and dnscryptproxy.exe (as of 2.3+ of the Umbrella Roaming Client).
    • For the Umbrella RC process: ercservice.exe.
    • For the Anyconnect with the Umbrella Roaming Module: acumbrellaagent.exe.
  • Mac: dnscrypt-proxy, dnscryptproxy, ercservice, and acumbrellaagent.

Watch this video to see how to create these exceptions:

 

FAQ

Question 1: I’ve done everything in this document, and we’re not getting Umbrella block page, things just seem to go right through. What can I do?

Answer 1: When this has happens, it generally has to do with the browser using Secure DNS, a.k.a. DNS over HTTPS. Umbrella cannot inspect the DNS requests when this is enabled, and therefore the lack of any action taken by Umbrella. This has nothing to do with the Netskope Client or services.

Question 2: When Umbrella VAs (Virtual Appliances) are used onsite, is there anything to be concerned about with that component?

Answer 2: No. The steps outlined here also take care of Virtual Appliances when in the network.

Question 3: What about tunnels? Any concerns if not using the Netskope client, but an IPSec tunnel with the Umbrella Client or VAs?

Answer 3: No issues here, either.

Question 4: What about Cloud Explicit Proxy, or EPoT (Explicit Proxy over Tunnel) instead of the Netskope client with Umbrella Roaming client? Any concerns here?

Answer 4: Yes. Since an explicit proxy call uses a CONNECT that doesn’t call for a host-level DNS request, and therefore doesn’t produce anything the Umbrella roaming client/VAs can inspect. This will render the Umbrella solution completely inoperable, an effect brought on by use of an explicit proxy configuration, not specific to Netskope.

Share this Doc

Cisco Umbrella

Or copy link

In this topic ...