The purpose of this documentation is to provide a high-level overview of the Cisco Umbrella roaming client and allow you to get started deploying the client to your organization’s Windows and Mac laptops—and desktop systems, if desired—and verify that it is working properly.
NOTE: A number of links in this documentation lead to an area of our setup guide that requires your authentication. If you don't already have an Umbrella login, sign up for a free trial to gain access.
The Umbrella roaming client is a very lightweight DNS client that runs on your Windows or Mac OSX computers. It is not a VPN client or a local anti-virus engine. It allows Umbrella security and policy-based protection, including our intelligent proxy, to be enforced no matter the network you are connected to. Whether you're at the office, your hotel, a coffee shop, or using a mobile hotspot, the Umbrella roaming client enforces policies set by you in Umbrella. It includes the ability to deliver granular policy enforcement and reporting information about the specific computer identity or even the logged-in Active Directory user.
For more neat facts about the roaming client, the Umbrella product manager Adam Winn outlines here what the roaming client is and does: Ten things you didn’t know about the Umbrella roaming client.
The Umbrella roaming client binds to 127.0.0.1:53 (localhost) and sets itself as the exclusive DNS server on every network connection on your computer, ensuring that all DNS requests are directed to the closest Umbrella data center, while gracefully handling local network resources using internal domains.
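An added example, not part of Cisco's documentation: one way to check the "exclusive DNS server" behaviour described above on a Mac is to parse the output of `scutil --dns` and flag any resolver that lists a server other than 127.0.0.1. The sample output is constructed, the function names are this example's own, and only 127.0.0.1 is treated as the expected address because that is the one the page names.

```python
import re

EXPECTED = "127.0.0.1"  # address the page says the roaming client binds to

# Constructed sample in the layout printed by macOS `scutil --dns`.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 6 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

resolver #3
  nameserver[0] : 192.168.1.1
  nameserver[1] : 127.0.0.1
  if_index : 9 (en5)
"""

def parse_resolvers(text):
    """Return one {'id', 'iface', 'servers'} dict per resolver block."""
    resolvers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"resolver #(\d+)$", line):
            cur = {"id": int(m.group(1)), "iface": None, "servers": []}
            resolvers.append(cur)
        elif cur is None:
            continue  # header lines before the first resolver block
        elif m := re.match(r"nameserver\[\d+\]\s*:\s*(\S+)$", line):
            cur["servers"].append(m.group(1))
        elif m := re.match(r"if_index\s*:\s*\d+\s*\((\S+)\)$", line):
            cur["iface"] = m.group(1)
    return resolvers

def bypassing(text):
    """Resolvers listing any server other than the local client.
    Blocks with no nameserver (such as the mDNS one) are ignored."""
    return [(r["id"], r["iface"], [s for s in r["servers"] if s != EXPECTED])
            for r in parse_resolvers(text)
            if any(s != EXPECTED for s in r["servers"])]

if __name__ == "__main__":
    for rid, iface, extra in bypassing(SAMPLE):
        print(f"resolver #{rid} ({iface}): unexpected DNS servers {extra}")
```

On a live system, pass the captured text of `scutil --dns` to `bypassing()` instead of `SAMPLE`; an empty list means every resolver that lists a nameserver points only at the local client.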
The DNS queries sent through Umbrella are encrypted, authenticated, and subjected to security and content filtering as dictated by your organization's administrator. If the computer attempts to reach a domain name which either Umbrella or your organization's administrator considers unsafe, the computer's browser gets directed to a safe block page.
Depending on the network environment your computer is in, the Umbrella roaming client gracefully decides between several states under which it can operate.
It’s important to know that the Umbrella roaming client does not store cached DNS records or responses. The Umbrella roaming client respects TTLs as set by the domain's DNS properties just as the computer (without the Umbrella roaming client) normally would.
With our traditional network-based service, or with most traditional appliance-based network perimeter gateways, there are two limitations that are overcome with the Umbrella roaming client:
- Roaming / Off-network—If a laptop leaves the office and is not using a full-tunnel VPN at all times (which can be slow), the laptop is unprotected from threats and undesirable content while roaming outside of the network.
- Granular Reporting and Filtering—With only network-based service, all the DNS traffic visible in your Umbrella reports comes from a single network identity. The Umbrella roaming client provides computer-level granularity that is specified in policies that you set up in Umbrella. Not only can you enforce different security and content filtering settings on a per-computer basis, but you also see computer-level reports.
- User Identity Support—Identity support is an enhancement to the Umbrella roaming client that provides Active Directory user and group identity based policies, in addition to user and private LAN IP reporting. For more on that, see Identity Support for the Roaming Client.
Yes! The Umbrella roaming client works with most split-tunnel and full-tunnel VPNs.
Be aware that there are some special considerations with Cisco split-tunnel VPNs that are outlined here: Umbrella Roaming Client: VPNs and VPN Compatibility
There is also a small list of VPN clients that are not compatible with the Umbrella roaming client. The list can be found here: Incompatible VPN Clients.
Yes! The Umbrella roaming client's only function is to handle DNS requests, so third-party security software should not interfere with the Umbrella roaming client. All the heavy processing is being done in the Umbrella data centers and in the cloud, so there's no slowness like that associated with traditional anti-virus.
We have a great video that goes through some of the common FAQs in more depth. We encourage anyone with additional questions to watch. Find out how the Umbrella roaming client works and why you should use it: https://www.youtube.com/watch?v=6pCjDlTeXrY
- Check out the Umbrella Roaming Client Knowledge Base for answers to many common questions and situations.