Umbrella Mac OS
Introduction
This document describes the installation, configuration, and troubleshooting steps for the OpenDNS (Umbrella) Roaming module. In AnyConnect 4.3.X and later, the OpenDNS Roaming client is now available as an integrated module. It is also known as the Cloud Security module and it can be predeployed to the endpoint with the AnyConnect installer, or it can be downloaded from the Adaptive Security Appliance (ASA) via web-deploy.
Prerequisites
Requirements
On Monday, October 5, 2020, Cisco Umbrella released the Umbrella roaming client for macOS version 2.2.328 for all customers on the stage track. Between October 12 and 15, 2020, Cisco Umbrella will release the Umbrella roaming client for macOS version 2.2.328 for all customers on the first wave of the release track. For TinyUmbrella download on Mac, use the link- Mac App. Once you get the app installed on your system, you can use it right away. The application works in a very straightforward way. When you update your device, a small piece of information is saved on it. Umbrella is a Mac version to prevent duplicate files Tool, simple and powerful, monitoring any folder in the hard disk, after adding a file, Umbrella will monitor the content in the folder for you, if there is duplicate content, it will report the duplicate, and it will automatically mark and delete it. Function introduction: Umbrella for Mac reports the copy when it is created. Add OpenDNS Umbrella Prosumer to protect Windows and Mac OS X devices from threats on the internet, anywhere you go. Unlike OpenDNS VIP Home, this service adds enterprise-class threat protection for your roaming devices — with an advanced user interface and internet stats — but it will not cover your entire home network.
Cisco recommends that you have knowledge of these topics:
- Cisco AnyConnect Secure Mobility
- OpenDNS/Umbrella Roaming Module
- Cisco ASA
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ASA Version 9.3(3)7
- Cisco AnyConnect Secure Mobility Client 4.3.01095
- OpenDNS Roaming Module 4.3.01095
- Cisco Adaptive Security Device Manager (ASDM) 7.6.2 or later
- Microsoft Windows 8.1
- Note: The minimum requirements to deploy OpenDNS Umbrella module are:
- AnyConnect VPN Client Version 4.3.01095 or later
- Cisco ASDM 7.6.2 or later
OpenDNS Roaming module is currently not supported on the Linux platform.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any commands or configuration.
Background Information
OrgInfo.json
For the OpenDNS Roaming module to function properly, an OrgInfo.json file must be downloaded from the OpenDNS dashboard or pushed from the ASA before the module is used. When the file is first downloaded, it is saved at a specific path which depends on the operating system.
For Mac OS X, OrgInfo.json is downloaded to /opt/cisco/anyconnect/Umbrella.
For Microsoft Windows, OrgInfo.json is downloaded to C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientUmbrella.
As shown, the file uses UTF-8 encoding and contains an organizationId, fingerprint, and userId. The organization ID represents the organization information for the user that is currently logged into the OpenDNS dashboard. The organization ID is static, unique, and auto-generated by OpenDNS for each organization. The fingerprint is used to validate the OrgInfo.json file during device registration and the user ID represents a unique ID for the logged in user.
When the Roaming module starts on Windows, the OrgInfo.json file is copied to the data directory under the Umbrella directory and used as the working copy. On MAC OS X, information from this file is saved to updater.plist in the data directory under the Umbrella directory. Once the module has successfully read information from the OrgInfo.json file, it attempts to register with OpenDNS with a cloud API. This registration results in OpenDNS assigning a unique device ID to the machine that attempted registration. If a device ID from prior registration is already available, the device skips registration.
After registration is complete, the Roaming module performs a sync operation in order to retrieve policy information for the endpoint. A device ID is necessary for the sync operation to work. Sync data includes syncInterval, internal bypass domains, and IP addresses among other things. The sync interval is the number of minutes after which the module should attempt to resync.
Umbrella Moss
DNS Probing Behavior
Upon successful registration and sync, the Roaming module sends Domain Name System (DNS) probes to its local resolvers. These DNS requests include TXT queries for debug.opendns.com. Based on the response, the client is able to determine if an on-premise OpenDNS Virtual Appliance (VA) exists in the network. Qube qross mac os.
If a virtual appliance (VA) is present, the client transitions to a 'behind-VA' mode, and DNS enforcement is not performed on the endpoint. The client relies on the VA for DNS enforcement at the network level.
If a VA is not present, the client sends a DNS request to the OpenDNS public resolvers (208.67.222.222) using UDP/443.
A positive response indicates that DNS encryption is possible. If a negative response is received, the client sends a DNS request to the OpenDNS public resolvers using UDP/53.
A positive response to this query indicates that DNS protection is possible. If a negative response is received, the client retries the query in a few seconds.
Upon receipt of a set number of negative responses, the client transitions to the fail-open state. A fail-open state means that DNS encryption and/or protection is not possible. Once the Roaming module has successfully transitioned to a protected and/or encrypted state, all DNS queries for search domains outside of the local search domains and internal bypass domains are sent to the OpenDNS resolvers for name resolution. Criminal frequency mac os. With encrypted state enabled, all DNS transactions are encrypted by the dnscrypt process.
DNS Behavior with AnyConnect Tunneling Modes
1. Tunnel-All (or tunnel-all-DNS enabled)
Note: As shown, the default behavior is for the Roaming module to disable DNS protection while a VPN tunnel with tunnel-all configuration is active. For the module to be active during an AnyConnect tunnel-all configuration, the Disable roaming client while full-tunnel VPN sessions are active option must be unchecked on the OpenDNS portal. The ability to enable this feature requires an advanced subscription level with OpenDNS. The information below assumes that DNS protection via the Roaming module is enabled.
Queried Domain Part of Internal Bypass List
DNS requests that originate from the tunnel adapter are allowed and sent to the tunnel DNS servers, across the VPN tunnel. The query will remain unresolved if it cannot be resolved by the tunnel DNS servers.
Queried Domain Not Part of Internal Bypass List
DNS requests that originate from the tunnel adapter are allowed, and will be proxied to the OpenDNS public resolvers via the Roaming module and sent across the VPN tunnel. To the DNS client it will appear as if name resolution had occurred via the VPN DNS server. If name resolution via OpenDNS resolvers is not successful, the Roaming module fails over to the locally configured DNS servers, starting with the VPN adapter (which is the preferred adapter while the tunnel is up).
2. Split-DNS (tunnel-all-DNS Disabled)
Note: All split-DNS domains are automatically added to the Roaming module internal bypass list upon tunnel establishment. This is done in order to provide a consistent DNS handling mechanism between AnyConnect and the Roaming module. Ensure that in a split-DNS configuration (with split-include tunneling) the OpenDNS public resolvers are not included in the split-include networks.
Note: On Mac OS X, if split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it is only enabled for one protocol and there is no address pool configured for the other protocol, true split-DNS similar to Windows is enforced.
If split-DNS is enabled for only one protocol and a client address is assigned for the other protocol, only DNS fallback for split-tunneling is enforced. This means AnyConnect only allows DNS requests that match the split-DNS domains via tunnel (other requests are replied by AC with refused response to force failover to public DNS servers), but cannot enforce that requests which match split-DNS domains are not sent in the clear via the public adapter.
Queried Domain Part of Internal Bypass List and Also Part of Split-DNS Domains
DNS requests that originate from the tunnel adapter are allowed and sent to the tunnel DNS servers, across the VPN tunnel. All other requests for matching domains from other adapters will be responded by the AnyConnect driver with 'no such name' to achieve true split-DNS (prevent DNS fallback). Therefore, only non-tunnel DNS traffic is protected by the Roaming module.
Queried Domain Part of Internal Bypass List, but Not Part of Split-DNS Domains
DNS requests that originate from the physical adapter are allowed and sent to the public DNS servers, outside the VPN tunnel. All other requests for matching domains from the tunnel adapter will be responded by the AnyConnect driver with 'no such name' in order to prevent the query from being sent across the VPN tunnel.
Queried Domain Not Part of Internal Bypass List or Split-DNS Domains
DNS requests that originate from the physical adapter are allowed and proxied to the OpenDNS public resolvers, and sent outside the VPN tunnel. To the DNS client it will appear as if name resolution had occurred via the public DNS server. If name resolution via OpenDNS resolvers is unsuccessful, the Roaming module fails over to the locally configured DNS servers, excluding the ones configured on the VPN adapter. All other requests for matching domains from the tunnel adapter will be responded by the AnyConnect driver with no such name in order to prevent the query from being sent across the VPN tunnel.
3. Split-Include or Split-Exclude Tunneling (no split-DNS and tunnel-all-DNS Disabled)
Queried Domain Part of Internal Bypass List
Native OS resolver performs DNS resolution based on the order of network adapters, and AnyConnect is the preferred adapter when VPN is active. DNS requests will first originate from the tunnel adapter and be sent to the tunnel DNS servers, across the VPN tunnel. If the query cannot be resolved by the tunnel DNS servers, the OS resolver will attempt to resolve it via the public DNS servers.
Queried Domain Not Part of Internal Bypass List
Native OS resolver performs DNS resolution based on the order of network adapters, and AnyConnect is the preferred adapter when VPN is active. DNS requests will first originate from the tunnel adapter and be sent to the tunnel DNS servers, across the VPN tunnel. If the query cannot be resolved by the tunnel DNS servers, the OS resolver will attempt to resolve it via the public DNS servers.
If the OpenDNS public resolvers are part of the split-include list or not part of the split-exclude list, the proxied request is sent across the VPN tunnel.
If the OpenDNS public resolvers are not part of the split-include list or part of the split-exclude list, the proxied request is sent outside the VPN tunnel.
If name resolution via OpenDNS resolvers is not successful, the Roaming module fails over to the locally configured DNS servers, starting with the VPN adapter (which is the preferred adapter while the tunnel is up). If the final response returned by the Roaming module (and proxied back to the native DNS client) is not successful, the native client will attempt other DNS servers, if available.
Install and Configure Umbrella Roaming Module
In order to integrate OpenDNS Roaming module with the AnyConnect VPN client, the module needs to be installed either via pre-deploment or web deployment method:
Pre-deployment (Manual) Method
Pre-deployment requires manual installation of the OpenDNS Roaming module and copying of the OrgInfo.json file on the user machine. Large scale deployments are typically achieved with enterprise software management systems (SMS).
Deploy OpenDNS Roaming Module
During AnyConnect package installation, choose the AnyConnect VPN and AnyConnect Umbrella Roaming Security modules:
Deploy OrgInfo.json
In order to download the OrgInfo.json file, complete these steps:
- Log into the OpenDNS dashboard.
- Choose Configuration > Identities > Roaming Computers.
- Click the + sign.
- Scroll down and choose Module Profile in the Anyconnect Umbrella Roaming Security Module section as shown in this image:
Once the file is downloaded it must be saved at one of these paths, which depends on the operating system.
For Mac OS X: /opt/cisco/anyconnect/Umbrella
For Windows: C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientUmbrella
Web-Deployment Method
Deploy OpenDNS Roaming Module
Download the Anyconnect Security Mobility Client package (that is, anyconnect-win-4.3.02039-k9.pkg) from the Cisco website and upload it to ASA's flash. Once uploaded, in the ASDM, choose Group Policy > Advanced > AnyConnect Client > Optional Client Modules to Download and then choose Umbrella Roaming Security.
CLI Equivalent
Deploy OrgInfo.json
1. Download the OrgInfo.json file from the OpenDNS dashboard and upload it to ASA's flash.
2. Configure the ASA to push the OrgInfo.json file to remote endpoints.
Note: This configuration can only be performed through the CLI. In order to use ASDM for this task, ASDM Version 7.6.2 or later needs to be installed on the ASA.
Once the Umbrella Roaming client is installed via one of the methods discussed, it should appear as an integrated module within the AnyConnect GUI as shown in this image:
Until the OrgInfo.json is deployed on the endpoint at the correct location, the Umbrella Roaming module will not be initialized.
Configure
The section shows sample CLI configuration snippets necessary to operate the OpenDNS Roaming module with the various AnyConnect tunneling modes.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
Steps to troubleshoot AnyConnect OpenDNS related issues are:
- Ensure that the Umbrella Roaming Security module is installed along with Anyconnect Secure Mobility Client.
- Ensure OrgInfo.json is present on the endpoint at the correct path based on the operating system and is in the format specified in this document.
- If DNS queries to OpenDNS resolvers are intended to go over the AnyConnect VPN tunnel, ensure that hairpin is configured on the ASA in order to allow reachability to OpenDNS resolvers.
- Collect packet captures (without any filters) on the AnyConnect virtual adapter and physical adapter simultaneously and note down the domains which fail to resolve.
- If the Roaming module operates in an encrypted state, collect packet captures after blocking UDP 443 locally, for troubleshooting purposes only. That way there is visibility into the DNS transactions.
- Run the AnyConnect DART, Umbrella diagnostics and note down the time of DNS failure. See How to collect the DART bundle for Anyconnect for more information.
- Collect Umbrella diagnostic logs and send the resulting URL to your OpenDNS administrator. Only you and OpenDNS administrator have access to this information.
For Windows: C:Program Files (x86)CiscoCisco AnyConnect Secure Mobility ClientUmbrellaDiagnostic.exe
For Mac OSX: /opt/cisco/anyconnect/bin/UmbrellaDiagnostic
Related Information
The AnyConnect Plugin: Umbrella Roaming Security Client ..
- Cisco bug ID CSCvb34863 : Latency in resolving DNS when AnyConnect configured for split-include tunneling