Cisco Umbrella with the Netskope Client


I’ve done everything in this document, and we're not getting Umbrella block page, things just seem to go right through. What can I do?

When this has happenes, it generally has to do with the browser using Secure DNS, a.k.a. DNS over HTTPS. Umbrella cannot inspect the DNS requests when this is enabled, and therefore the lack of any action taken by Umbrella. This has nothing to do with the Netskope Client or services.

When Umbrella VAs (Virtual Appliances) are used onsite, is there anything to be concerned about with that component?

No. The steps outlined here also take care of Virtual Appliances when in the network.

What about tunnels? Any concerns if not using the Netskope client, but an IPSec tunnel with the Umbrella Client or VAs?

No issues here, either.

What about Cloud Explicit Proxy, or EPoT (Explicit Proxy over Tunnel) instead of the Netskope client with Umbrella Roaming client? Any concerns here?

Yes. Since an explicit proxy call uses a CONNECT that doesn’t call for a host-level DNS request, and therefore doesn’t produce anything the Umbrella roaming client/VAs can inspect. This will render the Umbrella solution completely inoperable, an effect brought on by use of an explicit proxy configuration, not specific to Netskope.