Umbrella Roaming Client and Cisco Meraki MX Firewalls

IT_Magician
Building a reputation

YoYo Community, does anyone have a workaround for this?

Long story short, Cisco Umbrella support is saying Windows 10 VPN and the Cisco Umbrella roaming client aren't compatible. You would think that since Meraki only offers the built-in client VPN and Cisco owns both companies there would be better integration, but that is not the case.

Basically, remote laptops with the Umbrella client stop processing external domain DNS lookups once they connect to the VPN. The technical reason is below, but does anyone have a workaround for this?

From Cisco Umbrella support: "The reason you are having issues with this VPN is because it utilizes a Microsoft connection API that requires DNS be sent to the local NIC, not 127.0.0.1, and therefore cannot connect. While there are some VPNs that are compatible with the Enterprise Roaming Client, unfortunately the built-in Windows VPNs are not at this time."

Thanks, and go team!


4 Replies
Nash
Kind of a big deal

Are you using a full tunnel?

Split tunnel might help. You can set that up with a script. I've got examples in my sig; @PhilipDAth has a generator and I can't find the link... (Help?)

If you've got to keep a full tunnel, you don't have a lot of choices. If you have on-premises hosts, you could stand up the Umbrella virtual appliances and use them as your AD DNS forwarders. Then boom, Umbrella action.

IT_Magician
Building a reputation

Hi Nash,

Thanks, we have a standard setup, not sure if split or full tunnel, but will investigate. In this scenario, how would virtual appliances work? The reason we deployed the Umbrella Roaming client is to protect laptops with content filtering while they are outside of the network and not connected to the VPN, which means no firewall security.

The goal is to have the Roaming Client on laptops so they have content filtering outside of the office, but these users also require VPN from time to time. Maybe we could create a script where, when the event log shows the VPN connected, it disables the Umbrella client, and when the event log shows it deactivated, it re-enables it.

Nash
Kind of a big deal

You shouldn't need to disable/re-enable the Umbrella roaming client when end users are on VPN. I regularly use a full tunnel VPN back to my office, which assigns me DNS, and my Umbrella roaming client hasn't had trouble recovering afterwards.

Now, when I manually assign some other DNS on the NIC when troubleshooting? Yeahhhhh, Umbrella has trouble. But not over VPN.

If you're not specifically creating your VPN connections as split tunnel, then they are full.

PhilipDAth
Kind of a big deal

This is the script:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

And yes, enabling split DNS for just the AD domain should resolve it.
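Putting the two suggestions in this thread together (a split-tunnel client VPN profile, plus split DNS for just the AD domain) as an added PowerShell example. This is not the script from the linked cookbook and not code posted by anyone in the thread. The profile name, MX hostname, internal subnet, AD suffix, DNS server address and the pre-shared key are all placeholders; the Meraki client VPN is assumed to be L2TP/IPsec with a PSK and PAP user authentication, which is why those values are set the way they are. The second function is a check you can run after connecting to confirm that the physical adapters still hand DNS to 127.0.0.1 (the roaming client) while names in the AD domain still resolve.

```powershell
# Added example, not code from the thread or the linked cookbook.
# Every value below is a placeholder for your own environment.
$VpnName      = 'Corp-Meraki'            # assumption: VPN profile name
$MxPublicFqdn = 'vpn.example.com'        # assumption: MX public hostname / dynamic DNS name
$PresharedKey = 'REPLACE-WITH-MX-PSK'    # placeholder: the MX client VPN shared secret
$InternalNet  = '10.10.0.0/16'           # assumption: subnet(s) behind the MX
$AdDomain     = 'corp.example.com'       # assumption: AD DNS suffix
$AdDns        = '10.10.0.10'             # assumption: internal AD DNS server

function New-SplitTunnelVpn {
    # Meraki client VPN = L2TP over IPsec, PSK, PAP user auth.
    # -SplitTunneling is the part that keeps Internet traffic (and DNS to
    # 127.0.0.1 where the Umbrella roaming client listens) on the local NIC.
    Add-VpnConnection -Name $VpnName `
        -ServerAddress $MxPublicFqdn `
        -TunnelType L2tp `
        -L2tpPsk $PresharedKey `
        -AuthenticationMethod Pap `
        -EncryptionLevel Optional `
        -SplitTunneling `
        -RememberCredential `
        -Force

    # With split tunneling, only prefixes added here go through the tunnel.
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $InternalNet

    # Split DNS: lookups under the AD suffix go to the internal DNS server while
    # the VPN is up; everything else keeps using the adapter's normal DNS.
    # Assumption: the trigger DNS cmdlet is available (Windows 8.1 and later).
    Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $VpnName `
        -DnsSuffix $AdDomain -DnsIPAddress $AdDns
}

function Test-UmbrellaDnsPath {
    # Run after the VPN is connected. The non-VPN adapters should still list
    # 127.0.0.1 as their DNS server, and both an internal and an external
    # name should resolve. Returns an object you can eyeball or log.
    $nicDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -ne $VpnName -and $_.ServerAddresses.Count -gt 0 }

    $localNicStillLoopback = ($nicDns | Where-Object { $_.ServerAddresses -contains '127.0.0.1' }).Count -gt 0
    $internal = Resolve-DnsName -Name "dc01.$AdDomain" -ErrorAction SilentlyContinue   # assumption: a DC name
    $external = Resolve-DnsName -Name 'www.cisco.com' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NicDnsIsLoopback = $localNicStillLoopback   # $true means Umbrella is still in the DNS path
        InternalResolves = [bool]$internal
        ExternalResolves = [bool]$external
    }
}

New-SplitTunnelVpn
rasdial $VpnName $env:USERNAME *   # '*' prompts for the password
Test-UmbrellaDnsPath
```

If `ExternalResolves` comes back `$false` while `InternalResolves` is `$true`, the profile is still pushing all DNS across the tunnel (the failure mode described at the top of the thread); re-check that the connection was created with `-SplitTunneling` rather than edited afterwards. One caveat worth knowing before rolling this out: the VPN trigger DNS configuration is not honoured on every domain-joined build, in which case an NRPT rule (`Add-DnsClientNrptRule`) for the AD namespace is the usual fallback for split DNS.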
