Introduction
This document describes how Cisco Security Connector interacts with Virtual Appliances (VAs).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella Secure Internet Gateway (SIG).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
When you use Virtual Appliances (VAs) for Internal Network or Active Directory visibility and granularity, Cisco Security Connector behavior changes. VAs act as DNS forwarders: they send all public DNS requests to Cisco Umbrella and forward internal DNS requests to the network's internal DNS servers.
Behavior
If an iPhone running the Cisco Security Connector enters a network with VAs set in DHCP's DNS settings, it enters "Behind VA Mode". The Cisco Security Connector completes these actions as long as it has unimpeded access to 208.67.222.222 and 208.67.220.220 via UDP 443:
- While in Behind VA Mode, the Cisco Security Connector forwards all DNS to the VAs.
- The Apple process still sends the DNS via the Cisco Security Connector to the VAs, so this works differently from Umbrella's Roaming Clients.
- Reporting in the Umbrella dashboard displays as the Internal Network IP identity instead of displaying as the mobile device.
- Mobile device-specific policies are not enforced until you roam onto a network without VAs.
If you have concerns that your device is not on the correct policy, and it is not connected to a Virtual Appliance, please complete the instructions found in the Umbrella documentation and contact Cisco Umbrella Support.