The following prerequisites must be met in order to use the Cisco Umbrella roaming client successfully. Ensure that prerequisites are met to avoid conflicts or potential problems.

Supported Operating Systems

  • Windows 10 with .NET 4.6.2 (x86 or x64)
  • Windows 11 with .NET 4.8 (x86 or x64)
  • macOS 11 or later (Intel or Apple chip)

Unsupported Operating Systems

  • Windows 7, 8, and 8.1
  • Windows Server (all versions)
  • Windows 10 Enterprise Multi-Session (including Azure Virtual Desktop)
  • Windows RT based ARM processors
  • macOS 10.15 or earlier

Network Access


The Umbrella roaming client uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you will need to add the following allow rules in your firewall.

53UDP208.67.222.222 /
2620:119:53::53 /
53TCP208.67.222.222 /
2620:119:53::53 /

In circumstances where third-party DNS servers are blocked, the Umbrella roaming client will transition to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.

Encryption (Optional)

The Umbrella roaming client optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall.

443UDP208.67.222.222 /
2620:119:53::53 /

The Umbrella roaming client automatically encrypts DNS queries when it senses that 443/UDP is open. 


The Umbrella roaming client uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:

  • Initial registration upon installation
  • Checking for new versions of the Umbrella roaming client
  • Reporting the status of the Umbrella roaming client to Umbrella
  • Checking for new internal domains (discussed below).

Windows Only: If you utilize an HTTP proxy that is configured at the user-level, make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the roaming client can reach the API.

PortProtocolDestination and
443TCP67.215.71.201,, and

In the table above, the IP addresses are AnyCast IP addresses and resolve to:


The Digicert domains resolve to various IP addresses based on CDN and are subject to change. These domains resolve to the following IPs: 



  • The Umbrella roaming client is not compatible with other DNS serving software, so it should not be installed on any machine serving DNS requests.
  • DNSCrypt must be uninstalled prior to installing the Umbrella roaming client. The installer will automatically detect installations of DNSCrypt and prompt the administrator to uninstall prior to proceeding with the installation. 
  • The Umbrella roaming client must be installed on the C:\ drive and does not support secondary or remote drive installations. 


IPv6 Support

Currently, the Umbrella roaming client only supports dual stack IPv4/IPv6 for the Mac OS and Windows. Stand alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: IPv6 Support.

Internal Domains

When using the Umbrella roaming client, all of your DNS lookups are sent directly from your computer to Umbrella global network resolvers. However, in order to ensure that the Umbrella roaming client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Internal Domains page. The Umbrella roaming client syncs with our API periodically to check for new internal domains. This is a critical part of the setup process, and this list should be populated before you deploy the Umbrella roaming client. For more information, see Domain Management.


Introduction < Prerequisites for the Umbrella Roaming Client > Manual Deployment