Manage Internet Security

You can configure DNS and web security in Cisco Secure Access for end users. User devices must either have the Cisco Secure Client deployed with the Umbrella Roaming Security module, or use a deployed PAC file.

Prerequisites

Before you begin, navigate to Connect > End User Connectivity > Internet Security.

Visibility of User Identities in Policy Rules

Copy the PAC file URL

  1. Copy the Secure Access PAC File URL. For more information about PAC files, see Manage PAC Files.

Download the OrgInfo.json File

  1. Download the Secure Access OrgInfo.json file to the user devices where you have deployed the Cisco Secure Client. For more information, see Download the OrgInfo.json File.

Manage Internet Security Bypass

You can create destination lists that bypass Secure Access. Requests to those destinations use the local DNS resolvers, or go directly to the Internet instead of through the Secure Access web proxy. Traffic to bypassed destinations is therefore not inspected or logged by Secure Access.

Steer Traffic to Secure Access or Bypass Domains

  1. Add domains to your list of bypass domains. DNS queries for domains in the bypass list are not sent to the Cisco Secure Access DNS resolvers; they are sent to your internal DNS servers instead. Use the list for internal names that only your internal DNS can resolve. For more information, see Manage Domains.

Manage Cisco Secure Client Settings

You can configure settings for devices that have the Cisco Secure Client deployed with the Umbrella Roaming Security module.

Configure DNS and Web Security

Configure DNS and Web security settings for the Cisco Secure Client.

  1. For Cisco Secure Client Settings, enable the Web Security (port 80/443 traffic only) toggle button.

Note: The Secure Access DNS-layer security is always enabled on the Cisco Secure Client.

Configure Advanced Cisco Secure Client Settings

The Cisco Secure Client settings advanced panel contains several fields that provide additional control over user authentication, traffic bypass, and VPN compatibility.

User Identities

Enable the Cisco Secure Client to synchronize user and group identities with the Secure Access Active Directory (AD) connector. Policy rules can then match on the user identity associated with a device that has the Cisco Secure Client deployed.

  1. Enable the Use Active Directory for Access Policy toggle button.

Protect DNS Traffic Over IPv6

  1. Enable the Protect DNS over IPv6 toggle button. This redirects IPv6 DNS queries to the Secure Access resolvers so that IPv6 traffic gets the same DNS-layer protection as IPv4. For more information, see IPv4 and IPv6 DNS Protection Status.

Do Not Forward DNS Traffic to Secure Access

Stop forwarding DNS traffic to Secure Access in the following contexts:

  • Select Trusted Network Detection to stop forwarding DNS traffic from an endpoint to Secure Access while the endpoint is on a trusted network. This setting requires that Trusted Network Detection (TND) is enabled in the AnyConnect VPN profile deployed to the user devices.
  • Select DNS protected network to stop forwarding DNS traffic while the endpoint is on a network that is already protected by Secure Access.
    This option relies on the network's own protection. For the setting to take effect, register the network's public IP address in Secure Access and add the network to a rule with a higher priority than the rule for roaming devices. In addition, the local DNS server must egress to the Internet from the same registered network as the endpoint itself: a query forwarded by the local DNS server and a query sent directly from the computer to 208.67.222.222 must both arrive from that registered network.
  • Select Trusted Network Subdomains to stop redirecting DNS to Secure Access when the domain entered in the Subdomain field can be resolved on the local network and resolves to an RFC 1918 private IP address.
    • For Subdomain, enter a domain name that the Cisco Secure Client queries on the local DNS server to detect the trusted network. Use a name that exists only on your internal DNS, so that on untrusted networks it either fails to resolve or does not resolve to a private address.
      Note: This field is used only when Trusted Network Subdomains is enabled.
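The decision rule the Trusted Network Subdomains option describes (the probe name must resolve on the local resolver, and every answer must be an RFC 1918 address) is easy to get wrong, because "private" is broader than RFC 1918. The following is an added example that simulates that rule; it is not the Cisco Secure Client's code. The probe name tnd-probe.corp.example.com and the resolver answers are constructed for the example, and the client's real behaviour on multi-answer or IPv6 responses is an assumption here (the example treats anything outside the three RFC 1918 blocks as untrusted, which fails safe).

```python
import ipaddress

# RFC 1918 address space only. ipaddress.is_private is deliberately not used: it also
# matches loopback, link-local and documentation ranges, which the page's rule does not.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address at all (for example a CNAME left in the answer)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def bypass_dns_forwarding(subdomain: str, answers_by_name: dict) -> bool:
    """Return True when DNS forwarding to Secure Access would be disabled:
    the configured subdomain resolves on the local resolver and every answer
    is an RFC 1918 address. `answers_by_name` stands in for the local DNS
    server's responses (constructed for this example)."""
    answers = answers_by_name.get(subdomain.lower().rstrip("."))
    if not answers:
        return False  # NXDOMAIN or empty answer: not on the trusted network
    # Assumption: a single public answer is enough to keep forwarding on.
    return all(is_rfc1918(a) for a in answers)


# Constructed local-resolver responses for three situations.
PROBE = "tnd-probe.corp.example.com"
CORP_LAN = {PROBE: ["10.20.30.40"]}                 # internal DNS answers privately
COFFEE_SHOP = {PROBE: ["203.0.113.10"]}             # captive portal answers every name
SPLIT_ANSWER = {PROBE: ["10.20.30.40", "198.51.100.7"]}  # mixed private/public answers
HOME = {}                                           # name does not exist


if __name__ == "__main__":
    for label, answers in (("corp", CORP_LAN), ("coffee", COFFEE_SHOP),
                           ("split", SPLIT_ANSWER), ("home", HOME)):
        print(label, "bypass forwarding:", bypass_dns_forwarding(PROBE, answers))
```

The useful property to notice is the failure direction: a resolver that answers every name with a public address (a captive portal, or a hijacking resolver on an untrusted network) leaves forwarding to Secure Access switched on, which is the safe outcome.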

Do Not Forward Web Traffic to Secure Access

Note: The Trusted Network Detection and Trusted server options are supported only on user devices running version 5.1.3.62 or later of the Cisco Secure Client with the Umbrella Roaming Security module. For information about downloading the Cisco Secure Client software packages, see Cisco Secure Client Version 5.1.3.62.

Stop forwarding web traffic to Secure Access in the following contexts:

  • Select Trusted Network Detection to stop forwarding web traffic from an endpoint to Secure Access while the endpoint is on a trusted network. This setting requires that Trusted Network Detection (TND) is enabled in the AnyConnect VPN profile deployed to the user devices.
  • Select Your Trusted network to let endpoints detect your organization's trusted network, identified by the Trusted server and Trusted server SHA256 hash fields. When an endpoint detects the trusted network, its web traffic bypasses Secure Access and the endpoint relies on the network's own protections.
    • For Trusted server, enter the address of the trusted network server in the form <domain>:<port>. This server hosts the trusted server certificate; redirection to Secure Access is disabled while the endpoint is on the network where this server is reachable.
    • For Trusted server SHA256 hash, enter the SHA-256 hash of the trusted network server's certificate.
      The hash of the certificate the server actually presents must match this configured value. A server reachable at the same address that presents a different certificate is not treated as the trusted server, so the hash must be updated whenever that certificate is renewed.
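To fill in the Trusted server SHA256 hash field you need the fingerprint of the certificate the server presents, and after a renewal you need to confirm that the configured value still matches. The following is an added example, not Cisco's code, that computes and compares that fingerprint with the Python standard library. It assumes the field expects the conventional certificate fingerprint, the SHA-256 of the DER-encoded certificate (the value `openssl x509 -noout -fingerprint -sha256` prints); the PEM input used for the offline run is constructed placeholder bytes, not a real certificate, and fetch_leaf_cert_der is the only part that touches the network.

```python
import base64
import hashlib
import socket
import ssl


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate block to its DER bytes (base64 payload only)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes, colons: bool = False) -> str:
    """SHA-256 over the DER encoding, upper-case hex, optionally colon separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


def fingerprint_matches(configured_hash: str, der: bytes) -> bool:
    """Compare a configured hash with the presented certificate, tolerating
    colons, whitespace and case differences in the configured value."""
    wanted = configured_hash.replace(":", "").replace(" ", "").upper()
    return wanted == sha256_fingerprint(der)


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate a live trusted server presents.
    Chain verification is switched off on purpose: the point is to record the
    fingerprint of whatever the server serves, and that pin is what gets
    compared, not the chain. Do not reuse this context for anything else."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed placeholder standing in for DER certificate bytes (not a real certificate).
CONSTRUCTED_DER = b"\x30\x82\x00\x2f" + b"constructed placeholder, not a real X.509 certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print("value for the Trusted server SHA256 hash field:", sha256_fingerprint(der))
    print("colon form:", sha256_fingerprint(der, colons=True))
    # Against a real server (hypothetical host name) you would run:
    # live = fetch_leaf_cert_der("trusted.corp.example.com", 443)
    # print(fingerprint_matches("<configured hash>", live))
```

Run the live check from a machine on the trusted network itself; from outside, a different certificate (or no answer at all) is exactly the condition under which the endpoint should keep forwarding traffic to Secure Access.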

Third Party VPN Compatibility

  1. Enable the Third Party VPN Compatibility toggle button.
    This improves compatibility with third-party VPN clients. It applies to Windows 10 only; enable it when a third-party VPN client is installed, or when local DNS stops resolving resources while the roaming module is active.
