This document describes the installation, configuration, and troubleshooting steps for the OpenDNS (Umbrella) Roaming module. In AnyConnect 4.3.X and later, the OpenDNS Roaming client is now available as an integrated module. It is also known as the Cloud Security module and it can be predeployed to the endpoint with the AnyConnect installer, or it can be downloaded from the Adaptive Security Appliance (ASA) via web-deploy.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any commands or configuration.
For the OpenDNS Roaming module to function properly, an OrgInfo.json file must be downloaded from the OpenDNS dashboard or pushed from the ASA before the module is used. When the file is first downloaded, it is saved at a specific path which depends on the operating system.
For Mac OS X, OrgInfo.json is downloaded to /opt/cisco/anyconnect/Umbrella.
For Microsoft Windows, OrgInfo.json is downloaded to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella.
{
"organizationId" : "XXXXXXX",
"fingerprint" : "XXXXXXXXXXXXXXXXXXXXXXXXXX",
"userId" : "XXXXXXX"
}
As shown, the file uses UTF-8 encoding and contains an organizationId, fingerprint, and userId. The organization ID represents the organization information for the user that is currently logged into the OpenDNS dashboard. The organization ID is static, unique, and auto-generated by OpenDNS for each organization. The fingerprint is used to validate the OrgInfo.json file during device registration and the user ID represents a unique ID for the logged in user.
When the Roaming module starts on Windows, the OrgInfo.json file is copied to the data directory under the Umbrella directory and used as the working copy. On Mac OS X, information from this file is saved to updater.plist in the data directory under the Umbrella directory. Once the module has successfully read information from the OrgInfo.json file, it attempts to register with OpenDNS through a cloud API. This registration results in OpenDNS assigning a unique device ID to the machine that attempted registration. If a device ID from a prior registration is already available, the device skips registration.
After registration is complete, the Roaming module performs a sync operation in order to retrieve policy information for the endpoint. A device ID is necessary for the sync operation to work. Sync data includes syncInterval, internal bypass domains, and IP addresses among other things. The sync interval is the number of minutes after which the module should attempt to resync.
Upon successful registration and sync, the Roaming module sends Domain Name System (DNS) probes to its local resolvers. These DNS requests include TXT queries for debug.opendns.com. Based on the response, the client is able to determine if an on-premises OpenDNS Virtual Appliance (VA) exists in the network.
If a virtual appliance (VA) is present, the client transitions to a 'behind-VA' mode, and DNS enforcement is not performed on the endpoint. The client relies on the VA for DNS enforcement at the network level.
If a VA is not present, the client sends a DNS request to the OpenDNS public resolvers (208.67.222.222) using UDP/443.
A positive response indicates that DNS encryption is possible. If a negative response is received, the client sends a DNS request to the OpenDNS public resolvers using UDP/53.
A positive response to this query indicates that DNS protection is possible. If a negative response is received, the client retries the query in a few seconds.
Upon receipt of a set number of negative responses, the client transitions to the fail-open state. A fail-open state means that DNS encryption and/or protection is not possible. Once the Roaming module has successfully transitioned to a protected and/or encrypted state, all DNS queries for search domains outside of the local search domains and internal bypass domains are sent to the OpenDNS resolvers for name resolution. With encrypted state enabled, all DNS transactions are encrypted by the dnscrypt process.
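The probe ladder just described, as an added example that is not part of the original document and not Cisco's code: it builds real DNS TXT queries for debug.opendns.com, parses the replies, and walks the VA check, the UDP/443 probe, the retried UDP/53 probe and the fail-open step with a pluggable transport so the same logic can be exercised with canned replies. The retry count (MAX_NEGATIVE = 3), reading a "positive response" as a reply with rcode NOERROR, and treating TXT data returned by the local resolver as a VA answer are assumptions; the page does not give those details.

```python
import random
import socket
import struct

OPENDNS_RESOLVER = "208.67.222.222"   # public resolver named on the page
PROBE_NAME = "debug.opendns.com"      # probe name from the page
QTYPE_TXT = 16
MAX_NEGATIVE = 3                      # assumption: the page only says "a set number"


def _encode_name(name):
    """'debug.opendns.com' -> b'\\x05debug\\x07opendns\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_TXT, txid=None):
    """Return (txid, wire-format query) with the RD bit set and one question."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, rcode, txts, name=PROBE_NAME):
    """Construct a minimal reply carrying the given rcode and TXT strings.
    Used only to exercise the parser offline; real replies come from the wire."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(txts), 0, 0)
    answers = b""
    for t in txts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1) + answers


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, then stop
            return off + 2
        off += 1 + n


def parse_response(msg, txid):
    """Return (rcode, [TXT strings]) or None if msg is not a reply to txid."""
    if len(msg) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        p, end = off, off + rdlen
        while rtype == QTYPE_TXT and p < end:   # TXT rdata: length-prefixed strings
            n = msg[p]
            txts.append(msg[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        off = end
    return flags & 0xF, txts


def udp_probe(server, port, name=PROBE_NAME, timeout=2.0):
    """Real transport: one query over UDP; parsed reply, or None on timeout/error."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server, port))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    return parse_response(data, txid)


def decide_state(local_resolver, probe=udp_probe, max_negative=MAX_NEGATIVE):
    """Walk the probe ladder from the text and return the resulting state.

    probe(server, port) returns (rcode, txts) or None, so canned results can
    be injected. "Positive" is taken to mean rcode NOERROR (assumption).
    """
    # 1. TXT probe to the local resolver; TXT data in the answer is treated
    #    here as "a VA answered" (simplification: the page does not say which
    #    record contents the client inspects).
    reply = probe(local_resolver, 53)
    if reply and reply[0] == 0 and reply[1]:
        return "behind-VA"
    # 2. OpenDNS over UDP/443: a positive reply means DNS encryption is possible.
    reply = probe(OPENDNS_RESOLVER, 443)
    if reply and reply[0] == 0:
        return "encrypted"
    # 3. OpenDNS over UDP/53, retried: a positive reply means protection is possible.
    for _ in range(max_negative):
        reply = probe(OPENDNS_RESOLVER, 53)
        if reply and reply[0] == 0:
            return "protected"
    # 4. Enough negatives: fail open (neither encryption nor protection).
    return "fail-open"
```

udp_probe is the real transport; to replay a scenario without network access, pass decide_state a function of (server, port) that returns (rcode, txts) or None.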
Note: The default behavior is for the Roaming module to disable DNS protection while a VPN tunnel with a tunnel-all configuration is active. For the module to stay active during an AnyConnect tunnel-all session, the Disable roaming client while full-tunnel VPN sessions are active option must be unchecked on the OpenDNS portal. This option requires an advanced subscription level with OpenDNS. The information below assumes that DNS protection via the Roaming module is enabled.
Queried Domain Part of Internal Bypass List
DNS requests that originate from the tunnel adapter are allowed and sent to the tunnel DNS servers, across the VPN tunnel. The query will remain unresolved if it cannot be resolved by the tunnel DNS servers.
Queried Domain Not Part of Internal Bypass List
DNS requests that originate from the tunnel adapter are allowed, and will be proxied to the OpenDNS public resolvers via the Roaming module and sent across the VPN tunnel. To the DNS client it will appear as if name resolution had occurred via the VPN DNS server. If name resolution via OpenDNS resolvers is not successful, the Roaming module fails over to the locally configured DNS servers, starting with the VPN adapter (which is the preferred adapter while the tunnel is up).
Note: All split-DNS domains are automatically added to the Roaming module internal bypass list upon tunnel establishment. This is done in order to provide a consistent DNS handling mechanism between AnyConnect and the Roaming module. Ensure that in a split-DNS configuration (with split-include tunneling) the OpenDNS public resolvers are not included in the split-include networks.
Note: On Mac OS X, if split-DNS is enabled for both IP protocols (IPv4 and IPv6), or it is enabled for only one protocol and no address pool is configured for the other protocol, true split-DNS similar to Windows is enforced.
If split-DNS is enabled for only one protocol and a client address is assigned for the other protocol, only DNS fallback for split-tunneling is enforced. This means AnyConnect only allows DNS requests that match the split-DNS domains through the tunnel (it answers other requests with a refused response to force failover to the public DNS servers), but cannot enforce that requests which match the split-DNS domains are not sent in the clear via the public adapter.
Queried Domain Part of Internal Bypass List and Also Part of Split-DNS Domains
DNS requests that originate from the tunnel adapter are allowed and sent to the tunnel DNS servers, across the VPN tunnel. All other requests for matching domains from other adapters are answered by the AnyConnect driver with 'no such name' to achieve true split-DNS (prevent DNS fallback). Therefore, only non-tunnel DNS traffic is protected by the Roaming module.
Queried Domain Part of Internal Bypass List, but Not Part of Split-DNS Domains
DNS requests that originate from the physical adapter are allowed and sent to the public DNS servers, outside the VPN tunnel. All other requests for matching domains from the tunnel adapter are answered by the AnyConnect driver with 'no such name' in order to prevent the query from being sent across the VPN tunnel.
Queried Domain Not Part of Internal Bypass List or Split-DNS Domains
DNS requests that originate from the physical adapter are allowed and proxied to the OpenDNS public resolvers, and sent outside the VPN tunnel. To the DNS client it appears as if name resolution had occurred via the public DNS server. If name resolution via the OpenDNS resolvers is unsuccessful, the Roaming module fails over to the locally configured DNS servers, excluding the ones configured on the VPN adapter. All other requests for matching domains from the tunnel adapter are answered by the AnyConnect driver with 'no such name' in order to prevent the query from being sent across the VPN tunnel.
Queried Domain Part of Internal Bypass List
Native OS resolver performs DNS resolution based on the order of network adapters, and AnyConnect is the preferred adapter when VPN is active. DNS requests will first originate from the tunnel adapter and be sent to the tunnel DNS servers, across the VPN tunnel. If the query cannot be resolved by the tunnel DNS servers, the OS resolver will attempt to resolve it via the public DNS servers.
Queried Domain Not Part of Internal Bypass List
The native OS resolver performs DNS resolution based on the order of network adapters, and AnyConnect is the preferred adapter when the VPN is active, so the request first originates from the tunnel adapter. Because the queried domain is not in the internal bypass list, the Roaming module intercepts the request and proxies it to the OpenDNS public resolvers; whether the proxied request crosses the VPN tunnel depends on the split-tunnel lists:
If the OpenDNS public resolvers are part of the split-include list or not part of the split-exclude list, the proxied request is sent across the VPN tunnel.
If the OpenDNS public resolvers are not part of the split-include list or part of the split-exclude list, the proxied request is sent outside the VPN tunnel.
If name resolution via OpenDNS resolvers is not successful, the Roaming module fails over to the locally configured DNS servers, starting with the VPN adapter (which is the preferred adapter while the tunnel is up). If the final response returned by the Roaming module (and proxied back to the native DNS client) is not successful, the native client will attempt other DNS servers, if available.
In order to integrate the OpenDNS Roaming module with the AnyConnect VPN client, the module needs to be installed via either the pre-deployment or the web-deployment method:
Pre-deployment requires manual installation of the OpenDNS Roaming module and copying of the OrgInfo.json file to the user machine. Large-scale deployments are typically achieved with enterprise software management systems (SMS).
During AnyConnect package installation, choose the AnyConnect VPN and AnyConnect Umbrella Roaming Security modules:
In order to download the OrgInfo.json file, complete these steps:
Once the file is downloaded it must be saved at one of these paths, which depends on the operating system.
For Mac OS X: /opt/cisco/anyconnect/Umbrella
For Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella
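A pre-deployment check for the OrgInfo.json file described earlier, as an added example that is not part of the original document and not Cisco's code. It validates the raw bytes against what the page states, UTF-8 encoding and the organizationId, fingerprint and userId keys, and knows the per-OS location where the module looks for the file (keyed by Python's sys.platform values). Reporting a leading byte-order mark and requiring each key to be a non-empty string are assumptions that go beyond the page's text.

```python
import json
import sys

# Locations from the page, keyed by sys.platform; keys from the page's sample file.
ORGINFO_PATH = {
    "darwin": "/opt/cisco/anyconnect/Umbrella/OrgInfo.json",
    "win32": r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json",
}
REQUIRED_KEYS = ("organizationId", "fingerprint", "userId")


def expected_path(platform):
    """Full OrgInfo.json path for a sys.platform value, or None if unsupported."""
    return ORGINFO_PATH.get(platform)


def validate_orginfo(raw):
    """Return a list of problems found in the raw bytes of an OrgInfo.json file.

    Checks the properties the page states: UTF-8 encoding and the three
    required keys. A leading BOM is reported as a finding because the page
    specifies plain UTF-8 (assumption: the module's tolerance is not stated).
    """
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM")
        raw = raw[3:]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return problems + ["not valid UTF-8: %s" % e]
    try:
        data = json.loads(text)
    except ValueError as e:
        return problems + ["not valid JSON: %s" % e]
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if value is None:
            problems.append("missing key: %s" % key)
        elif not isinstance(value, str) or not value.strip():
            problems.append("key %s must be a non-empty string" % key)
    return problems


def check_endpoint(platform=sys.platform):
    """Read the file from its expected location on this host and validate it."""
    path = expected_path(platform)
    if path is None:
        return ["unsupported platform: %s" % platform]
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError as e:
        # Without the file at this path the module does not initialize (page).
        return ["cannot read %s: %s" % (path, e)]
    return validate_orginfo(raw)


if __name__ == "__main__":
    for problem in check_endpoint() or ["OrgInfo.json OK"]:
        print(problem)
```

Run it on the endpoint after the file has been copied; an empty problem list means the file is where the module expects it and has the shape the page describes.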
Download the AnyConnect Secure Mobility Client package (for example, anyconnect-win-4.3.02039-k9.pkg) from the Cisco website and upload it to the ASA's flash. Once uploaded, in ASDM, choose Group Policy > Advanced > AnyConnect Client > Optional Client Modules to Download and then choose Umbrella Roaming Security.
CLI Equivalent
group-policy <Group_Policy_Name> attributes
webvpn
anyconnect modules value umbrella
1. Download the OrgInfo.json file from the OpenDNS dashboard and upload it to ASA's flash.
2. Configure the ASA to push the OrgInfo.json file to remote endpoints.
webvpn
anyconnect profiles OpenDNS disk0:/OrgInfo.json
!
!
group-policy <Group_Policy_Name> attributes
webvpn
anyconnect profiles value OpenDNS type umbrella
Note: This configuration can only be performed through the CLI. In order to use ASDM for this task, ASDM Version 7.6.2 or later needs to be installed on the ASA.
Once the Umbrella Roaming client is installed via one of the methods discussed, it should appear as an integrated module within the AnyConnect GUI as shown in this image:
Until the OrgInfo.json is deployed on the endpoint at the correct location, the Umbrella Roaming module will not be initialized.
This section shows sample CLI configuration snippets necessary to operate the OpenDNS Roaming module with the various AnyConnect tunneling modes.
!--- ip local pool for vpn
ip local pool vpn_pool 198.51.100.1-198.51.100.9 mask 255.255.255.224
!--- Optional NAT hairpin configuration so that VPN clients can reach the OpenDNS servers through the VPN tunnel: the object covers the VPN pool addresses, which are translated to the outside interface address when traffic re-enters and leaves the outside interface
object network OpenDNS
subnet 198.51.100.0 255.255.255.0
nat (outside,outside) source dynamic OpenDNS interface
!
same-security-traffic permit intra-interface
!--- Global Webvpn Configuration
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles Anyconnect disk0:/anyconnect.xml
anyconnect profiles OpenDNS disk0:/OrgInfo.json
anyconnect enable
tunnel-group-list enable
!--- split-include Configuration
access-list Split_Include standard permit <host/subnet>
group-policy OpenDNS_Split_Include internal
group-policy OpenDNS_Split_Include attributes
wins-server none
dns-server value 198.51.100.11
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Include
!--- Optional Split-DNS Configuration
split-dns value <internal domains>
webvpn
anyconnect profiles value AnyConnect type user
anyconnect profiles value OpenDNS type umbrella
!
tunnel-group OpenDNS_Split_Include type remote-access
tunnel-group OpenDNS_Split_Include general-attributes
address-pool vpn_pool
default-group-policy OpenDNS_Split_Include
tunnel-group OpenDNS_Split_Include webvpn-attributes
group-alias OpenDNS_Split_Include enable
!--- Split-exclude Configuration
access-list Split_Exclude standard permit <host/subnet>
group-policy OpenDNS_Split_Exclude internal
group-policy OpenDNS_Split_Exclude attributes
wins-server none
dns-server value 198.51.100.11
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy excludespecified
split-tunnel-network-list value Split_Exclude
webvpn
anyconnect profiles value AnyConnect type user
anyconnect profiles value OpenDNS type umbrella
!
tunnel-group OpenDNS_Split_Exclude type remote-access
tunnel-group OpenDNS_Split_Exclude general-attributes
address-pool vpn_pool
default-group-policy OpenDNS_Split_Exclude
tunnel-group OpenDNS_Split_Exclude webvpn-attributes
group-alias OpenDNS_Split_Exclude enable
!--- Tunnelall Configuration
group-policy OpenDNS_Tunnel_All internal
group-policy OpenDNS_Tunnel_All attributes
wins-server none
dns-server value 198.51.100.11
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
webvpn
anyconnect profiles value AnyConnect type user
anyconnect profiles value OpenDNS type umbrella
!
tunnel-group OpenDNS_Tunnel_All type remote-access
tunnel-group OpenDNS_Tunnel_All general-attributes
address-pool vpn_pool
default-group-policy OpenDNS_Tunnel_All
tunnel-group OpenDNS_Tunnel_All webvpn-attributes
group-alias OpenDNS_Tunnel_All enable
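An audit of the split-include configuration above against the note in the split-DNS section, as an added example that is not part of the original document and not Cisco's code. It parses standard ACLs and group-policy attributes in the indentation that show running-config produces, and reports every policy that attaches the Umbrella profile, sets split-dns, uses tunnelspecified and whose split-include ACL covers an OpenDNS public resolver, which would pull the Roaming module's proxied queries into the tunnel. The configuration inside the block is constructed for the example; 208.67.220.220 is assumed as the second OpenDNS resolver, since the page names only 208.67.222.222.

```python
import ipaddress
import re

# 208.67.222.222 is the resolver named on the page; 208.67.220.220 is
# OpenDNS's other public resolver (assumption, not stated on the page).
OPENDNS_RESOLVERS = [ipaddress.ip_address("208.67.222.222"),
                     ipaddress.ip_address("208.67.220.220")]

# Constructed sample in the style of the page's configuration. The first policy
# has the pitfall (split-DNS plus a split-include ACL that covers the OpenDNS
# resolvers); the second is clean; the third does not attach the Umbrella profile.
SAMPLE_CONFIG = """\
access-list Split_Include_Bad standard permit 10.0.0.0 255.0.0.0
access-list Split_Include_Bad standard permit 208.67.0.0 255.255.0.0
access-list Split_Include_Good standard permit 10.0.0.0 255.0.0.0
group-policy OpenDNS_Split_Include_Bad internal
group-policy OpenDNS_Split_Include_Bad attributes
 dns-server value 198.51.100.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Include_Bad
 split-dns value corp.example.com
 webvpn
  anyconnect profiles value AnyConnect type user
  anyconnect profiles value OpenDNS type umbrella
!
group-policy OpenDNS_Split_Include_Good internal
group-policy OpenDNS_Split_Include_Good attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Include_Good
 split-dns value corp.example.com
 webvpn
  anyconnect profiles value OpenDNS type umbrella
!
group-policy NoUmbrella internal
group-policy NoUmbrella attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Include_Bad
 split-dns value corp.example.com
"""


def parse_standard_acls(config):
    """Map standard ACL name -> list of permitted networks."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) standard permit (.+)$", config, re.M):
        name, target = m.group(1), m.group(2).split()
        if target[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target[0] == "host":
            net = ipaddress.ip_network(target[1])
        else:                              # "network mask" form
            net = ipaddress.ip_network("%s/%s" % (target[0], target[1]), strict=False)
        acls.setdefault(name, []).append(net)
    return acls


def parse_group_policies(config):
    """Map group-policy name -> the attributes this audit needs. Relies on the
    show running-config indentation: attributes one space in, the webvpn
    sub-mode two spaces in; '!' or any column-0 command ends the block."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"group-policy (\S+) attributes$", raw)
            current = None
            if m:
                current = policies.setdefault(
                    m.group(1), {"umbrella": False, "split_dns": [], "policy": None, "acl": None})
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("split-tunnel-policy "):
            current["policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            current["acl"] = line.split()[-1]
        elif line.startswith("split-dns value "):
            current["split_dns"] = line.split()[2:]
        elif line.startswith("anyconnect profiles value ") and line.endswith(" type umbrella"):
            current["umbrella"] = True
    return policies


def audit(config):
    """Return [(policy, message)] for each policy that attaches the Umbrella
    profile, sets split-dns, uses tunnelspecified, and whose split-include
    ACL covers an OpenDNS resolver: the combination the page says to avoid."""
    acls = parse_standard_acls(config)
    findings = []
    for name, gp in parse_group_policies(config).items():
        if not (gp["umbrella"] and gp["split_dns"] and gp["policy"] == "tunnelspecified"):
            continue
        nets = acls.get(gp["acl"], [])
        hits = [str(r) for r in OPENDNS_RESOLVERS if any(r in n for n in nets)]
        if hits:
            findings.append((name, "split-include ACL %s covers OpenDNS resolver(s) %s "
                                   "while split-dns %s is set"
                             % (gp["acl"], ", ".join(hits), " ".join(gp["split_dns"]))))
    return findings


if __name__ == "__main__":
    for policy, msg in audit(SAMPLE_CONFIG):
        print("%s: %s" % (policy, msg))
```

Feed it the output of show running-config; a split-exclude policy that lists the resolvers is not reported, because in that case the proxied request leaves outside the tunnel as the text describes.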
There is currently no verification procedure available for this configuration.
To troubleshoot AnyConnect OpenDNS related issues, use the UmbrellaDiagnostic tool that is installed with the module:
For Windows: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\UmbrellaDiagnostic.exe
For Mac OS X: /opt/cisco/anyconnect/bin/UmbrellaDiagnostic