Migrate from Cisco Umbrella to Cloud Secure Edge

Steps to complete a full migration to Cloud Secure Edge while concurrently running Cisco Umbrella and SonicWall

  • Updated on Jan 21, 2025
  • 5 minutes to read

Overview

The following solution guide offers the complete set of steps required to migrate from Cisco Umbrella’s Roaming Client to Cloud Secure Edge.

Set up requirements

  • Configured Cloud Secure Edge (CSE) with relevant users, roles, networks, and services. Follow our Getting Started Guide to determine which licenses and configurations are required for your org.

  • End user devices with Cisco Umbrella’s Roaming Client must be excluded from CSE’s Internet Threat Protection. Configure the Excluded Device Policy (under Internet Access > Internet Threat Protection) in CSE’s Command Center. Internet Threat Protection (ITP) cannot be used as long as Cisco Umbrella is installed.

  • NRPT enabled for your CSE organization if Windows devices are accessing your Service Tunnels (Settings > Configuration > Service Tunnel).

Once the above requirements have been completed, CSE apps can be deployed to end users within your organization.

Note: For each of the following scenarios, we recommend to first verify CSE services on a device that has only the CSE app installed (without Cisco Umbrella installed).

Replicate Cisco Umbrella DNS policies for remote access to internal resources in Cloud Secure Edge

1. Create a CSE Connector on your SonicWall firewall. If you do not have a SonicWall firewall, then install the Connector on Cloud Secure Edge infrastructure.

2. Configure remote access to these internal resources (a Secure Private Access license is required) in Cloud Secure Edge (CSE). Ensure that the remote access configuration functions.

3. Disable the Cisco Umbrella policies that you’re replicating.

Replicate Cisco Umbrella DNS policies for protecting your SaaS apps in Cloud Secure Edge using a self-hosted Access Tier

1. Create a CSE Connector on your SonicWall firewall. If you do not have a SonicWall firewall, then install the Connector on Cloud Secure Edge infrastructure.

2. Configure policies to protect your SaaS apps (Secure Private Access license is required) in Cloud Secure Edge. Ensure that the SaaS app protection policy functions.

3. Disable the Cisco Umbrella policies that you’re replicating.

Replicate Cisco Umbrella DNS policies for protecting your SaaS apps in Cloud Secure Edge using Global Edge Access Tiers

1. Configure policies to protect your SaaS apps (Secure Private Access license is required) in Cloud Secure Edge. Ensure that the SaaS app protection policy functions.

2. Disable the Cisco Umbrella policies that you’re replicating.

Replicate Cisco Umbrella Content Categories in Cloud Secure Edge

1. Configure CSE’s Internet Threat Protection (ITP) policies to block the same categories of malicious content (Secure Internet Access license is required). Ensure that the ITP policy functions.

2. Disable the Cisco Umbrella content category policies that you’re replicating.

1. Once Cloud Secure Edge is configured, end users can remove the Umbrella Roaming Client from their devices (or have it removed automatically). To do so, adhere to Cisco’s documentation:

Umbrella Roaming Client: Uninstalling – Cisco Umbrella

2. Once devices have uninstalled the Roaming Client and all Umbrella services, enable Cloud Secure Edge’s Internet Threat Protection policies (if these devices have an SIA license) by removing those devices from the Excluded Devices Policy list. At this point, end user devices are considered fully migrated.

3. When the entire organization has been fully migrated, then disable the NRPT rules from the Cloud Secure Edge services in the CSE Command Center.

4. As a final step, update your default DNS settings so that they no longer point to Cisco Umbrella’s DNS servers.