Relationship between Umbrella and AnyConnect

Hi,

I’m reading the documentation on both Umbrella & AnyConnect, but I am not quite getting when these two products interact, if they even need to, and to what benefit.

Things I think I am clear on:

  • Umbrella is a filter, provides DNS based security.
  • AnyConnect is a suite of functions/products, most common a VPN client, provides network privacy and security.
  • Umbrella can be deployed and centrally managed to desktops. (What about mobile devices?)
  • AnyConnect can manage Umbrella (sold separately), including mobile devices.

That’s as far as I think I get so far.

Are there situations where one requires the other? It appears that if you already have an environment where AnyConnect is deployed, it could be leveraged to include Umbrella.

If you don’t already have AnyConnect, is there any situation that it would be required for Umbrella functionality?

Thank you!

Some funky information in the answers so far.

Umbrella is a filter, provides DNS based security.

Amongst other things, yes. With the DNS license, you will also get intelligent proxy, which is a web proxy for web traffic to domains which don’t have a clear disposition (known good, known bad, unknown). You will also get endpoint IP-layer enforcement: your endpoint basically receives info on known malicious IP addresses, and if communication is going to those destinations, it gets null routed on the endpoint without DNS/proxying. With the Umbrella SIG license, you will get a full cloud-delivered web proxy (called secure web gateway, SWG), a cloud-delivered next-gen firewall (NGIPS in beta right now), and a CASB stack (inline and API-based).

AnyConnect is a suite of functions/products, most common a VPN client, provides network privacy and security.

Correct. AnyConnect is a modular endpoint client. VPN was the first module, Stealthwatch NVM is another, Umbrella Roaming Protection another, AMP for Endpoints EDR another, ISE Posture another, etc.

With Umbrella (license to be confirmed), you can apply Umbrella policy on roaming endpoints through either the OpenDNS Client (I don’t recommend) or AnyConnect (with or without VPN licenses). It’s a module to apply Umbrella DNS and/or proxy, and as it is a standalone module, it becomes your Umbrella endpoint agent.

Umbrella can be deployed and centrally managed to desktops. (What about mobile devices?)

If the mobile device is on wifi = you’re all good on-prem (Umbrella protected). Roaming mobiles (iOS and Android) need to get the Umbrella client deployed through an MDM (meaning BYOD without MDM won’t work… this is a mobile limitation, not a Cisco one from what I gather).

AnyConnect can manage Umbrella (sold separately), including mobile devices.

AnyConnect can enforce Umbrella DNS and Web Proxy on endpoints (with or without a VPN license). AnyConnect for mobile is VPN only. To protect mobile endpoints, you deploy the security connector for Umbrella through your MDM.

Are there situations where one requires the other?

AnyConnect VPN with split-tunnel/DIA = the perfect use case for both. Backhaul traffic that needs to go to your DC, DIA via Umbrella the rest.

If you don’t already have AnyConnect, is there any situation that it would be required for Umbrella functionality?

Enforcing Umbrella DNS and/or web proxy. You can enforce DNS to Umbrella via the older Umbrella agent, called the OpenDNS client, and you can enforce web proxy in the cloud via PAC files, but f that. AnyConnect is much simpler and (license to be confirmed) comes with Umbrella.
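For readers who have not met the PAC-file approach the reply dismisses, here is an added example of what "enforce web proxy via PAC files" looks like in practice. It is not from the thread or from Cisco; the proxy address, the internal domain names and the private ranges are constructed placeholders, and the helpers `isPlainHostName`, `dnsDomainIs` and `isInNet` are stand-ins for the functions a browser normally supplies to a PAC script, reimplemented here so the file also runs under Node. It mirrors the split described above: internal names and private addresses go direct, everything else is steered to the cloud proxy.

```javascript
// Added example PAC (proxy auto-config) script. A browser calls
// FindProxyForURL(url, host) for every request and follows the returned
// directive. Values below are constructed placeholders, not real Umbrella
// or corporate settings.
var CLOUD_PROXY = "PROXY proxy.example.invalid:80";           // placeholder
var INTERNAL_DOMAINS = [".corp.example.invalid", ".dc.example.invalid"]; // placeholder
var PRIVATE_RANGES = [                                         // RFC 1918
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Stand-ins for the browser-provided PAC helpers so this runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;            // e.g. "intranet"
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split(".");
  return ((parseInt(p[0], 10) << 24) >>> 0) + (parseInt(p[1], 10) << 16) +
         (parseInt(p[2], 10) << 8) + parseInt(p[3], 10);
}
// The real browser isInNet() resolves a hostname first; this stand-in only
// matches hosts that are already dotted-quad IP literals.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Backhaul side: single-label names, internal domains and private
  // addresses bypass the cloud proxy and are reached over the VPN/LAN.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (dnsDomainIs(host, INTERNAL_DOMAINS[i])) return "DIRECT";
  }
  for (var j = 0; j < PRIVATE_RANGES.length; j++) {
    if (isInNet(host, PRIVATE_RANGES[j][0], PRIVATE_RANGES[j][1])) return "DIRECT";
  }
  // DIA side: everything else goes to the cloud proxy. Deliberately no
  // "; DIRECT" fallback: appending one would make the policy fail open
  // whenever the proxy is unreachable.
  return CLOUD_PROXY;
}
```

Two points a practitioner should take from this. First, the trailing fallback is a policy decision: `"PROXY ...; DIRECT"` keeps users working when the proxy is down but silently drops enforcement, which is why the script above returns the proxy alone. Second, a PAC file is only a browser or OS proxy setting, so anything that changes that setting (or ignores it, as many non-browser applications do) bypasses it; that is the weakness the later reply has in mind when it prefers an agent with kernel-level drivers for enforcement.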

I wish the Cisco documentation was more clear about what does what. I even took a partner cert in this stuff and it seems like they all overlap so much.

AnyConnect is really just a VPN client. That’s it. If you want to control endpoints from ISE, those endpoints must have AnyConnect.

What things could you push from ISE? You could restrict all DNS calls to Umbrella. That’s all Umbrella is, DNS. (And you can use it for free by just pointing to 208.67.222.222 and/or 208.67.220.220. I use their OpenDNS service at home.)

You could also push AMP, enforce OS version compliance, run Stealthwatch, but each piece really only does one thing.

  • Be really careful about Umbrella clients for BYOD mobile devices, it’s a very slippery slope in regards to employee privacy. Using Umbrella DNS on things like office WiFi isn’t a problem in my mind, but when a user’s DNS activity is tracked on their personal mobile device 24/7, it gets messy.

  • There is an Umbrella plugin to AnyConnect which you can use in lieu of the regular Umbrella client. This is crazy helpful for internal DNS resolution when you have Umbrella VAs deployed and you’re using the AnyConnect VPN client. I’m not the best at explaining Umbrella VA, but Cisco’s documentation on that at Introduction is amazing.

  • If you’re not using AnyConnect for VPN or Cisco ISE posturing, I don’t think there’s any advantage to using it for Umbrella, but that’s just my $0.02, there could be a reason I’m not thinking of.

Hope that helps. I’m a huge Umbrella fan, and as long as you’re upfront about the privacy side of things with anyone getting the roaming client or AnyConnect installed, it’s good stuff.

If you don’t already have AnyConnect, is there any situation that it would be required for Umbrella functionality?

Basically if you want to enforce Umbrella policies for devices when they aren’t connected to managed networks.

When it comes to Windows and macOS devices, there are two different clients related to Umbrella:

  1. The standalone Umbrella Roaming Client (URC).
  2. The Cisco AnyConnect (AC) VPN client + Umbrella Roaming Security Module (RSM).

You can use either, and the standalone Umbrella Roaming Client doesn’t require the Cisco AnyConnect VPN client to function. However, the Cisco AnyConnect VPN client + Umbrella Roaming Security Module is superior in different ways to the standalone Roaming Client, such as kernel-level drivers that make it more difficult for a user to bypass Umbrella, and manual control of updates.

You can enforce DNS to Umbrella via the older Umbrella agent, called the OpenDNS client

Am I missing something or isn’t the Umbrella roaming client the thing you deploy if you don’t use AnyConnect?

AnyConnect is much simpler and (license to be confirmed) comes with Umbrella.

To be clear, AnyConnect licenses are complimentary with SIG. With traditional DNS security you would still have to purchase AC licenses separately.

You can use the client if you prefer. If you see yourself going SIG, then the AnyConnect Umbrella module is a better move, as you’ll avoid PAC files.