Prerequisites
To ensure that the Cisco Umbrella roaming client deploys and runs successfully, Umbrella requires that you meet the following prerequisites.
Table of Contents
Operating System
Cisco Umbrella supports all vendor-supported, generally available releases of an operating system unless otherwise noted.
Supported Operating Systems
- Windows 10 with .NET 4.6.2 (x86 or x64)
- Windows 11 with .NET 4.8 (x86 or x64)
- macOS 11 or later (Intel or Apple chip)
Unsupported Operating Systems
- Windows 7, 8, and 8.1
- Windows Server (all versions)
- Windows 10 Enterprise Multi-Session (including Azure Virtual Desktop)
- Windows RT based ARM processors
- macOS 10.15 or earlier
Windows Operating System
In Windows, you may observe network locations with a NCSI network connectivity indicator badge (yellow triangle). The NCSI network connectivity indicator may prevent Microsoft Outlook or certain Microsoft Office applications from fetching network content. To resolve this issue, you can configure a Microsoft GPO setting or registry key. For more information, see A Fix from Microsoft (Windows 10 Fall 2017 Creators Update).
Transport Layer Security Protocol
Umbrella no longer supports Transport Layer Security (TLS) 1.0 and TLS 1.1. To access the Umbrella dashboard, intelligent proxy, and block pages, ensure that your client operating system supports TLS 1.2. TLS 1.0 and TLS 1.1 contain security vulnerabilities, and do not support modern cryptographic algorithms.
TLS 1.2 Support for Windows
We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.
To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocol Features section on the page, confirm that Yes appears next to TLS 1.2.
The latest version of the Umbrella roaming client uses TLS 1.2. Ensure that you have a compatible version of .NET installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5). For more information, see Requirements for Using AnyConnect Roaming Module Below 4.8 MR2 (or . NET 4.6.1 and below) or AD Connector.
TLS 1.2 Support for macOS
All versions of the Umbrella roaming client for macOS support TLS 1.2. To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocol Features section on the page, confirm that Yes appears next to TLS 1.2.
Network Access
Host Names
The Umbrella roaming client uses hostnames for registration. All machines must have a hostname that is unique within your organization.
DNS
The Umbrella roaming client uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you must add the following allow rules in your firewall.
Port | Protocol | Destination |
---|---|---|
53 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
53 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
In circumstances where third-party DNS servers are blocked, the Umbrella roaming client transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.
Encryption (Optional)
The Umbrella roaming client optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall.
Port | Protocol | Destination |
---|---|---|
443 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
443 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
The Umbrella roaming client automatically encrypts DNS queries when it senses that 443/UDP is open.
External DNS Resolution
The Umbrella Roaming Client functions only on networks where external DNS resolution exists. The Umbrella Roaming Client can not function successfully if DNS connectivity is broken or blocked on the local network.
For the Roaming Client to enable protection, the external DNS names mentioned below must be resolvable by the local DNS server. This requires recursive DNS queries to be allowed on the local DNS server.
disthost.umbrella.com
api.opendns.com
disthost.opendns.com
crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com
In addition, the following domain must receive a response to a TXT record query.
debug.opendns.com
NXDOMAIN is accepted, however, timeouts may delay or prevent Umbrella protection on the network interface on which this domain query times out.
HTTP and HTTPS
The Umbrella roaming client uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:
- Initial registration upon installation
- Checking for new versions of the Umbrella roaming client
- Reporting the status of Umbrella roaming client to Umbrella
- Checking for new internal domains
Windows Only: If you utilize an HTTP proxy that is configured at the user-level, make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the roaming client can reach the API.
Port | Protocol | Destination |
---|---|---|
80 | TCP | crl3.digicert.com crl4.digicert.com ocsp.digicert.com |
443 | TCP | 146.112.255.101, 67.215.71.201, 67.215.92.210 146.112.255.152/29 (8 IPs) sync.hydra.opendns.com IPv6: 2620:0:cc1:115::210 IPv6: 2a04:e4c7:ffff::20/125 (8 IPs) |
In the table above, the IP addresses resolve to:
- disthost.umbrella.com
- api.opendns.com
- disthost.opendns.com
The Digicert domains resolve to various IP addresses based on CDN and are subject to change. These domains resolve to the following IPs:
- 192.229.211.108
- 192.229.221.95
- 152.195.38.76
- 192.16.49.85
Note: sync.hydra.opendns.com resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend adding this entire range as the IP address(es) for sync.hydra.opendns.com is Anycast and may change. These domains resolve to the following IPs:
- 146.112.63.3 to 146.112.63.9
- 146.112.63.11 to 146.112.63.13
Currently, the roaming client only supports connecting to the Umbrella cloud resources using IPv4. This will change as the services that the roaming client requires become available over IPv6.
Software
- The Umbrella roaming client is not compatible with other DNS serving software. You should not install the Umbrella roaming client on a machine serving DNS requests.
- Uninstall DNSCrypt before you install the Umbrella roaming client. The Umbrella roaming client installer automatically detects installations of DNSCrypt and prompts the administrator to uninstall before proceeding with the installation.
- You must install the Umbrella roaming client on the C:\ drive. The Umbrella roaming client does not support secondary or remote drive installations.
IPv6 Support
Currently, the Umbrella roaming client only supports dual-stack IPv4/IPv6 for macOS and Windows. Stand-alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: IPv6 Support.
Internal Domains
The Umbrella roaming client sends all of your DNS lookups directly from your computer to the Umbrella global network resolvers. Thus, to ensure that the Umbrella roaming client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Domain Management page. The Umbrella roaming client syncs with our API periodically to check for new internal domains. This is a critical part of the setup process. We recommend that you populate the list of internal domains before you deploy the Umbrella roaming client. For more information, see Domain Management.
Introduction < Prerequisites > Download and Install the Roaming Client
Updated 10 months ago