Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IT25
New Contributor

Cisco Umbrella with FortiClient VPN

We are trying to roll out Cisco Umbrella to our employees. However a subsection of our users need to always connect to FortiClient VPN to work. 

Config:

Our FortiGate that everyone is connecting to has Umbrella DNS servers set as its main DNS.

Laptops use what the Default ISP DNS server is when the user is home when umbrella is not installed.

 

Situation: 

  1. Users have no issues with FortiClient VPN over past year.
  2. We installed Cisco umbrella onto users laptops. No issue when not connected to VPN. When we ran an IPConfig /all the DNS server was 127.0.0.1
  3. When they connect to VPN, the VPN connects however, their wifi icon shows "No internet" and nothing loads. 
  4. When we disconnect VPN everything works again.
  5. I uninstalled Fortinet VPN Drivers and ran a repair on the FortiClient VPN. 
  6. Signed back into VPN and everything worked as normal with umbrella. IPconfig /all shows DNS as 127.0.0.1 for local wifi and VPN connection DNS server
  7. after about 2 or 3 days of this working fine. Users begin to say they lose internet when connecting to Forticlient VPN again.

My computer had this issue once but no issue since I ran the repair after uninstalling the drivers.. out of the other 5 users that we are testing with they all lost internet 2 or 3 days after doing the repair when connecting to the VPN with Umbrella. 

 

 

For the time being I just uninstalled Umbrella from all the computers and everything is working again. But I want to know if anyone has these two products running successfully together consistently. 

 

 

2 REPLIES 2
AdmiralSYN-Ackbar
New Contributor

I found it difficult and frustrating to run these together and experienced intermittent issues as well. Here are some things I looked at when I tried to troubleshoot this that you may want to try:

 

FortiClient EMS (if you have it) - modify DNS Cache Control settings. Modify "Prefer SSL VPN DNS" value (assuming you are using SSL and not IPSEC). You can also toggle the XML setting to prefer legacy VPN SSL adapter. Block IPv6 (if you do not need this) on VPN settings. Failing these, you can attempt to try IPSEC (if you're currently using SSL) or vice versa.

 

Umbrella - ensure that local LANs are defined. Turn on VPN Compatibility Mode.

 

I ultimately looked at DNSFilter (https://www.dnsfilter.com/) as a replacement for Cisco Umbrella to run in tandem with FortiClient. DNSFilter works similarly to Umbrella, but has a feature in which you can disable the DNS agent entirely if a client is on VPN. This can help to avoid some of the pain that you're currently experiencing.

 

Let me know if any of this helps, good luck!

OffroadingConvoy4

We are experiencing similar issues after migrating to FortiClient EMS. I've been thinking about replacing or getting rid of Umbrella entirely and just relying on EMS for filtering. Umbrella's pricing structure is very convoluted and seems to be about twice the cost of the Pro license from DNS Filter. Now that it's been another year since you posted, how have you liked it?

 

Labels
Top Kudoed Authors