Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Client


Dear Experts,

Integrated Cyren web filtering is not yet prod. EMS customer with MDATP planning to deploy Cisco Umbrella DNS protection on endpoints to get non-productive and malware URLs blocked. I have a concern on how Umbrella Roaming client will coexist with the existing deployment of MDATP. Please see my thoughts and questions below:

Umbrella Roaming Client (URC) uses DNS to make a decision if the page is allowed. If it is allowed, the original unmodified IP address is returned to the client. If the page is not allowed, then an IP address within the range 146.112 / 16 is returned. This is Cisco's scrubbing farm, built of transparent proxies. It will display a block page.

My concern is that URC will make the DNS protocol invisible to other endpoint protection products (like MDATP). Does anyone have experience or thoughts with MDATP and Umbrella Roaming Client (URC) coexistence? Will the customer be losing out because MDATP is unable to see raw DNS requests? Are those requests even monitored to begin with? Here is a blog about coexistence of MDATP in a proxy environment: MDATP Monitoring network connection behind forward proxy - Public Preview (https://techcommunity.microsoft.com/t5/microsoft-defender-atp/mdatp-monitoring-network-connection-behind-forward-proxy-public/ba-p/758274)

### references – a few words about Umbrella Roaming Client (URC) ###

Umbrella Roaming Client – DNS filtering DNS proxy (local domains can be added to exception list)

After you install the Cisco Umbrella roaming client you'll notice that the IP address gets changed to localhost or 127.0.0.1, otherwise known as the loopback interface. This is normal and expected behavior.

The Umbrella roaming client runs as a local service which is used as a local resolver and DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol. Requests are then forwarded to Umbrella’s anycast IPs, with the replies returned to the host through the loopback interface. This essentially makes the Umbrella roaming client a DNS Proxy, which is why you see the DNS change to localhost/127.0.0.1. The DNSCrypt protocol makes all of your transactions secure.


Intelligent proxy feature

From DOC (https://docs.umbrella.com/deployment-umbrella/docs/manage-intelligent-proxy): intelligent proxy intercepts and proxies requests for malicious files embedded within certain so-called "grey" domains. Can work with or without SSL decryption. Cisco recommends SSL encryption.

From TESTING DOC (https://docs.umbrella.com/deployment-umbrella/docs/testing-the-intelligent-proxy): If the IP address of "domain.com" comes back with an IP address within the range 146.112 / 16 (for example, 146.112.0.0 / 255.255.0.0), then it's being directed through the intelligent proxy.
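The post describes two observable signs of URC on an endpoint: the configured resolver becomes loopback (127.0.0.1), and answers for blocked or "grey" names fall inside 146.112.0.0/16 instead of the origin IP. The following script is an added example (not part of the original post, and not Cisco or Microsoft code) that turns those two facts into a repeatable check an analyst can run on a host or feed with captured resolver answers. The sample names and addresses in `__main__` are constructed; 146.112.0.10 is used only as an arbitrary address inside the range the post cites, and 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an origin IP.

```python
import ipaddress
import socket

# Range cited in the post: answers inside it mean the request was redirected to
# Umbrella's intelligent proxy / block page instead of the origin host.
UMBRELLA_PROXY_NET = ipaddress.ip_network("146.112.0.0/16")


def classify_answer(addresses):
    """Classify the A/AAAA answers for one name.

    Returns "umbrella-proxy" if any answer is inside 146.112.0.0/16,
    "direct" if all answers are outside it, and "no-answer" if empty
    (NXDOMAIN / resolution failure).
    """
    if not addresses:
        return "no-answer"
    for addr in addresses:
        # IPv6 answers never match an IPv4 network, so they fall through to "direct".
        if ipaddress.ip_address(addr) in UMBRELLA_PROXY_NET:
            return "umbrella-proxy"
    return "direct"


def resolver_is_loopback(nameservers):
    """True when every configured nameserver is a loopback address,
    the pattern the post describes after the roaming client is installed."""
    return bool(nameservers) and all(
        ipaddress.ip_address(ns).is_loopback for ns in nameservers
    )


def parse_resolv_conf(text):
    """Pull nameserver entries out of resolv.conf-style text (Linux/macOS hosts).
    On Windows the equivalent list comes from Get-DnsClientServerAddress."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(names, resolve=None):
    """Resolve each name with the host's configured resolver and classify it.

    `resolve` is injectable so captured answers can be replayed offline;
    by default it performs a live lookup through the system resolver, which on
    a URC host is the local DNSCrypt forwarder on 127.0.0.1.
    """
    if resolve is None:
        def resolve(name):
            try:
                return socket.gethostbyname_ex(name)[2]
            except socket.gaierror:
                return []
    return {name: classify_answer(resolve(name)) for name in names}


if __name__ == "__main__":
    # Constructed sample of what a URC host might return; replace with live
    # names (or remove the resolve= argument) to query the real resolver.
    sample_answers = {
        "allowed.example": ["203.0.113.10"],  # origin IP returned unchanged
        "blocked.example": ["146.112.0.10"],  # constructed address inside 146.112.0.0/16
        "missing.example": [],                # NXDOMAIN
    }
    sample_resolv = "# constructed\nnameserver 127.0.0.1\nsearch corp.example\n"

    print("resolver is loopback:", resolver_is_loopback(parse_resolv_conf(sample_resolv)))
    for name, verdict in audit(sample_answers, resolve=lambda n: sample_answers.get(n, [])).items():
        print(f"{name:20s} {verdict}")
```

Run without the `resolve=` argument on a host with URC installed to see which names the roaming client is steering to 146.112.0.0/16; the verdicts give an investigator a way to explain why a connection in MDATP telemetry shows an Umbrella address rather than the origin server.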

2 Replies

@Sergg did you ever see what happened here?

@adamgwinn I did not find any info on whether this is supported, unsupported, or gives any complications. Besides, the customer decided against OpenDNS, so I did not have a chance to try and see what will happen live.