Cisco Umbrella and Netskope Interoperability

At activereach Ltd, we understand that there are multiple solutions to address various needs within a business for IT security. We strive to ensure various solutions can work together, giving you the visibility and flexibility you require.

One example here is Umbrella and Netskope. These two excellent solutions each have their own endpoint client and management interface.

However, if you wish to run both solutions, you MUST complete these steps before deployment! Without them the two clients will not work together, and the conflict could cause security issues within your infrastructure.

We have simplified this solution into a step-by-step guide. Please contact activereach Technical Support for assistance with it, as these changes are best made by an engineer who is familiar with the Netskope platform – and we are always happy to help our customers!

This solution is carried out within the Netskope tenant admin interface, and no changes are required within Umbrella.


  1. Add a profile containing the Umbrella IP addresses
  2. Edit the Traffic Steering Exceptions:
    – Add an exception for the previously created IP addresses
    – Add an exception for the Umbrella processes
  3. Enable the Perform SNI Check option


1. Add a profile containing the Umbrella IP addresses

Log in to the Netskope tenant admin interface.
Go to Policies and, under Profiles, click Network Location. Create a new profile (this guide calls it Umbrella Servers) containing the IP addresses below.

The required IP addresses can be found within these links:

https://docs.umbrella.com/deployment-umbrella/docs/testing-the-intelligent-proxy
https://www.opendns.com/data-center-locations/
https://support.umbrella.com/hc/en-us/articles/115001357688-What-are-the-Cisco-Umbrella-Block-Page-IP-Addresses-

They are consolidated here for your convenience:
(Accurate as of 04/05/2022)

  • 67.215.64.0/19
  • 146.112.0.0/16
  • 155.190.0.0/18
  • 185.60.84.0/22
  • 204.194.232.0/21
  • 208.67.216.0/21
  • 208.69.32.0/21

2. Edit the Traffic Steering Exceptions

There are 2 required entries:

  1. Add an exception for the previously created IP addresses
  2. Add an exception for the Umbrella processes

Log in to the Netskope tenant admin interface.

Go to Settings – Security Cloud Platform – Steering Configuration.

Edit the steering configuration that needs the new exceptions.

Click New Exception, and then from the list select Destination Locations.

Select the Umbrella Servers IP list created earlier, and ensure the ‘Treat like local IP address’ option is checked. Then click SAVE.

Add an exception for the Umbrella processes

Click New Exception, and this time select ‘Certificate Pinned Applications’.

In the dialog box, click where it says ‘Certificate Pinned App = None’ and a list will appear.
Click the + button.

Enter Cisco Umbrella as the Application Name and select ‘Windows’ for the Platform. Another entry for the Mac client can be added at a later stage if required.

In the definition, add the Cisco Umbrella processes as follows:

dnscrypt-proxy.exe,dnscryptproxy.exe,ercservice.exe,acumbrellaagent.exe,ERCInterface.exe,UmbrellaDiagnostic.exe

Click SAVE.

Enter an asterisk (*) for the domains, and complete the other settings as shown in the accompanying screenshot.

Click SAVE.

You will see your 2 new exceptions at the bottom of the list.

3. Finally, enable the Perform SNI Check option

Go to Settings – Security Cloud Platform – Netskope Client.

Click CLIENT CONFIGURATIONS.

Click on the tenant config that requires the change.

Under Advanced, enable the Perform SNI (Server Name Indication) Check option:

Click SAVE, and you are done.
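As an added check, not part of this guide or of either vendor's tooling, the following Python reproduces the two exceptions from steps 1 and 2 (the IP profile and the pinned-app process list exactly as listed above) so an engineer can see which endpoint connections they would keep out of Netskope steering, and confirm the profile's ranges do not overlap. The process-name matching rule (image file name only, case-insensitive) is an assumption about Netskope's behaviour, and the sample paths and destination IPs are constructed.

```python
import ipaddress

# Umbrella ranges exactly as listed in step 1 (the guide dates them 04/05/2022).
UMBRELLA_RANGES = [ipaddress.ip_network(c) for c in (
    "67.215.64.0/19", "146.112.0.0/16", "155.190.0.0/18", "185.60.84.0/22",
    "204.194.232.0/21", "208.67.216.0/21", "208.69.32.0/21")]

# Process names exactly as entered in the pinned-app definition in step 2.
UMBRELLA_PROCESSES = {n.lower() for n in (
    "dnscrypt-proxy.exe,dnscryptproxy.exe,ercservice.exe,"
    "acumbrellaagent.exe,ERCInterface.exe,UmbrellaDiagnostic.exe").split(",")}


def overlapping_ranges():
    # Profile sanity check: pairs of listed ranges that overlap (expected: none).
    return [(str(a), str(b)) for i, a in enumerate(UMBRELLA_RANGES)
            for b in UMBRELLA_RANGES[i + 1:] if a.overlaps(b)]


def is_umbrella_destination(ip):
    # Mirrors the Destination Locations exception built on the Umbrella Servers profile.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UMBRELLA_RANGES)


def is_umbrella_process(image_path):
    # Mirrors the Certificate Pinned Applications exception. Assumption: Netskope
    # compares the image file name only, case-insensitively.
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() in UMBRELLA_PROCESSES


def classify(process, dst_ip):
    # Which exception, if any, keeps a connection out of Netskope steering.
    if is_umbrella_destination(dst_ip):
        return "bypass:destination-location"
    if is_umbrella_process(process):
        return "bypass:pinned-app"
    return "steered"


# Constructed sample connections (image path, destination IP); paths are illustrative.
SAMPLE_CONNECTIONS = [
    (r"C:\example\Cisco\acumbrellaagent.exe", "208.67.222.222"),
    (r"C:\example\Cisco\ERCInterface.exe", "203.0.113.10"),
    (r"C:\example\chrome.exe", "146.112.61.104"),
    (r"C:\example\chrome.exe", "203.0.113.10"),
]


def audit(conns=SAMPLE_CONNECTIONS):
    # Returns (process, destination, verdict) for each connection.
    return [(proc, ip, classify(proc, ip)) for proc, ip in conns]
```

Call `audit()` with your own (process, destination) pairs taken from endpoint connection logs to confirm only Umbrella traffic is excluded from steering.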


End note

There are many types of deployment and scenarios for both Umbrella and Netskope that may not be covered by this guide. While we aim to provide a solution that will fit most deployments, we cannot guarantee that nothing has been overlooked with regard to customised larger setups. Please ensure you have discussed this in detail with your technical contacts.