Cisco Umbrella is a very popular system that is generally used for web filtering. It’s very powerful but it has some issues.

This article talks about problems with the Cisco Umbrella Roaming client when used with certain VPNs. In my case I came across this because the Fortinet VPN client was clashing with the Cisco Umbrella Roaming client.

The problem manifested itself as a user losing the ability to resolve DNS – this would essentially cut the device off the network – however replicating the issue was quite difficult. On further investigation it was discovered that the Cisco Umbrella Roaming client likes to set the device's DNS settings to point to 127.0.0.1 – however the Fortinet VPN client would also try to change the DNS settings to point at whatever IP your corporate DNS is on when the VPN is started.

This would cause the two applications to get caught in a state of flux constantly changing the DNS settings until the IP stack essentially falls over because it can take no more.
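Because the flapping was hard to reproduce on demand, a small watcher that records every change to an adapter's DNS server list is useful for confirming the diagnosis on an affected device. The script below is an added example, not part of the original post; the log path and the flap threshold are assumptions.

```powershell
# Added diagnostic (not from the original post): poll the IPv4 DNS server list
# of every adapter and log each change, so two clients fighting over the
# setting (127.0.0.1 vs. the corporate resolver) show up as a stream of flips.
param(
    [int]$IntervalSeconds = 2,
    [int]$FlapThreshold   = 5,                       # assumed: flips per minute that count as "flapping"
    [string]$LogPath      = "$env:TEMP\dns-flap.log" # assumed log location
)

$previous = @{}   # InterfaceAlias -> last seen server list
$history  = @{}   # InterfaceAlias -> timestamps of recent changes

while ($true) {
    $snapshot = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($entry in $snapshot) {
        $alias   = $entry.InterfaceAlias
        $current = $entry.ServerAddresses -join ','

        if ($previous.ContainsKey($alias) -and $previous[$alias] -ne $current) {
            $now  = Get-Date
            $line = '{0} {1}: {2} -> {3}' -f $now.ToString('o'), $alias, $previous[$alias], $current
            Add-Content -Path $LogPath -Value $line
            Write-Host $line

            # Keep only changes from the last 60 seconds and flag rapid flapping.
            if (-not $history.ContainsKey($alias)) { $history[$alias] = @() }
            $history[$alias] = @($history[$alias] | Where-Object { ($now - $_).TotalSeconds -le 60 }) + $now
            if ($history[$alias].Count -ge $FlapThreshold) {
                $warn = '{0} WARNING {1}: {2} DNS changes in the last minute' -f $now.ToString('o'), $alias, $history[$alias].Count
                Add-Content -Path $LogPath -Value $warn
                Write-Warning $warn
            }
        }
        $previous[$alias] = $current
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it in an elevated PowerShell window, then connect the VPN while the Roaming client is active; a log full of alternating `127.0.0.1` and corporate-resolver entries for the same adapter is the conflict described above.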

The issue here is that both Fortinet VPN and Cisco Umbrella Roaming client run at the application layer.

It took some time going back and forth to Cisco but eventually between myself and Cisco support we came across a solution.

The Cisco AnyConnect client has a Cisco Umbrella module, and as long as you are licensed to use Cisco Umbrella you are licensed to use the Cisco AnyConnect client. The AnyConnect client runs at the kernel layer, which means that it doesn't care what your DNS settings are – it will still intercept any DNS calls and deal with them accordingly.

So this is good news – now we just need to find a way to deploy this across an entire tenancy so we turn to Intune.

We also need to make sure that in one swoop we can remove the Cisco Umbrella Roaming client from the device, check for the existence of the AnyConnect folder that stores the JSON configuration file and copy the file there BEFORE installing the AnyConnect application. Once this is taken care of we need to install the AnyConnect Umbrella module.
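The sequence just described (remove the Roaming client, stage the JSON configuration, then install the AnyConnect core and Umbrella MSIs) is the kind of install script an Intune Win32 app would run. The script below is an added example and is not the author's published Intune package; the MSI file names, the log path and the `OrgInfo.json` values are placeholders, and the uninstall is done through the product code registered under the Uninstall keys rather than a hard-coded GUID.

```powershell
# Added example (not the author's script): Intune install.ps1 for migrating from
# the Umbrella Roaming client to the AnyConnect Umbrella module.
# Package this with OrgInfo.json and the two AnyConnect predeploy MSIs; run as SYSTEM.
$ErrorActionPreference = 'Stop'
$LogPath = "$env:ProgramData\UmbrellaMigration\install.log"   # assumed log location
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log ([string]$Message) {
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $LogPath -Append
}

# 1. Remove the Umbrella Roaming client using the product code Windows registered for it.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$roaming = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Umbrella Roaming Client*' }
foreach ($app in $roaming) {
    # MSI-installed products are keyed by their {GUID} product code.
    if ($app.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
        Write-Log "Uninstalling $($app.DisplayName) $($app.DisplayVersion)"
        $p = Start-Process msiexec.exe -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
        if ($p.ExitCode -notin 0, 3010) { throw "Roaming client uninstall failed with exit code $($p.ExitCode)" }
    }
}

# 2. Stage OrgInfo.json BEFORE the Umbrella module is installed, creating the folder if needed.
#    OrgInfo.json holds the organisation id, fingerprint and user id issued by the Umbrella
#    dashboard; the copy in the package carries your tenant's values.
$umbrellaDir = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella'
if (-not (Test-Path $umbrellaDir)) {
    Write-Log "Creating $umbrellaDir"
    New-Item -ItemType Directory -Path $umbrellaDir -Force | Out-Null
}
Copy-Item -Path (Join-Path $PSScriptRoot 'OrgInfo.json') -Destination (Join-Path $umbrellaDir 'OrgInfo.json') -Force
Write-Log "Staged OrgInfo.json"

# 3. Install the AnyConnect core module first, then the Umbrella module.
#    File names are placeholders: use the versioned predeploy MSIs from your Cisco download.
$needsReboot = $false
foreach ($msi in 'anyconnect-core-vpn-predeploy.msi', 'anyconnect-umbrella-predeploy.msi') {
    $path = Join-Path $PSScriptRoot $msi
    if (-not (Test-Path $path)) { throw "Missing installer $path" }
    Write-Log "Installing $msi"
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0     { }
        3010  { $needsReboot = $true }
        default { throw "$msi failed with exit code $($p.ExitCode)" }
    }
}

# 4. Confirm the device can still resolve names once both modules are in place.
try {
    Resolve-DnsName -Name 'www.cisco.com' -ErrorAction Stop | Out-Null
    Write-Log 'DNS resolution check passed'
} catch {
    Write-Log "DNS resolution check failed: $($_.Exception.Message)"
    exit 1
}

Write-Log 'Migration complete'
if ($needsReboot) { exit 3010 } else { exit 0 }
```

Intune treats exit code 3010 as "success, reboot required", which is why it is passed through rather than converted to 0. For the Win32 app's detection rule, the presence of `OrgInfo.json` under the Umbrella folder plus the Umbrella module's entry under the Uninstall keys is a reasonable pair of checks.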

If all of this takes place correctly then you will have successfully deployed a solution to the issue of Cisco Umbrella conflicting with VPN software. As I said above this manifested itself for me with the Fortinet VPN client, but I am sure other VPN clients will suffer from this same issue. Azure VPN, AWS VPN, Avaya VPN and Microsoft VPN are ones that I know suffer from this same issue.

It is also worth noting that Cisco actually lists the Fortinet VPN client as being compatible with the Roaming client. Hopefully they have updated this now.

So, here's a quick link to my source for resolving this using Intune. Put your details in Orginfo.json, package it as an .intunewin and deploy.

GitHub: ScriptCentral/Intune/appdeployment/CiscoAnyConnect-Umbrella at master · leeburridge/ScriptCentral (github.com)

If you know of any other VPNs that have this conflict feel free to comment below.