
Prerequisites

The following prerequisites must be met in order to use the Cisco Umbrella roaming client successfully. Ensure that prerequisites are met to avoid conflicts and potential problems.

Supported Operating Systems

  • Windows 10 with .NET 4.5
  • Windows 8 (includes 8.1) (64-bit) with .NET 4.5
  • Windows 7 (64-bit/32-bit) with .NET 3.5
  • Mac OS X 10.9 or newer

Unsupported Operating Systems

  • Windows Server (All versions)
  • Windows RT (Currently we do not support ARM processors)
  • Mac OS X 10.8 or older

Network Access

DNS

The Umbrella roaming client uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you must add the following allow rules in your firewall.

| Port | Protocol | Destination |
|------|----------|-------------|
| 53 | UDP | 208.67.222.222 / 208.67.220.220; 2620:119:53::53 / 2620:119:35::35 |
| 53 | TCP | 208.67.222.222 / 208.67.220.220; 2620:119:53::53 / 2620:119:35::35 |

In circumstances where third-party DNS servers are blocked, the Umbrella roaming client will transition to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.

Encryption (Optional)

The Umbrella roaming client optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall.

| Port | Protocol | Destination |
|------|----------|-------------|
| 443 | UDP | 208.67.222.222 / 208.67.220.220; 2620:119:53::53 / 2620:119:35::3 |

The Umbrella roaming client automatically encrypts DNS queries when it senses that 443/UDP is open.

HTTP and HTTPS

The Umbrella roaming client uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:

  • Initial registration upon installation
  • Checking for new versions of the Umbrella roaming client
  • Reporting the status of Umbrella roaming client to Umbrella
  • Checking for new internal domains

Windows Only: If you utilize an HTTP proxy that is configured at the user-level (normally using GPO), make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the roaming client can reach the API.

| Port | Protocol | Destination |
|------|----------|-------------|
| 80 | TCP | crl3.digicert.com and crl4.digicert.com |
| 443 | TCP | 146.112.255.101, 67.215.71.201, 67.215.92.210, 146.112.255.155, sync.hydra.opendns.com, crl3.digicert.com and crl4.digicert.com |

In the table above, the 146.112.255.101, 67.215.71.201, 67.215.92.210, and 146.112.255.155 IP addresses resolve to:

  • disthost.umbrella.com
  • api.opendns.com
  • disthost.opendns.com

The Digicert domains resolve to various IP addresses based on CDN and are subject to change. Currently, these domains resolve to the following IPs:

  • 72.21.91.29, 117.18.237.29
  • 93.184.220.29, 205.234.175.175

Note: sync.hydra.opendns.com resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend adding this entire range because the IP addresses for sync.hydra.opendns.com are Anycast and may change. Currently, the IP addresses this domain resolves to are:

146.112.63.3 to 146.112.63.9 and 146.112.63.11 to 146.112.63.13

Currently, the roaming client only supports connecting to the Umbrella cloud resources using IPv4. This will change as the services that the roaming client requires become available over IPv6.
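
The following added example (not part of the Umbrella documentation or client) audits a default-deny egress allowlist against the IP destinations in the tables above and reports every required flow that no rule covers. The rule format `(port, protocol, destination)` and the sample allowlist are constructed for illustration. The Digicert hostnames are not checked because their IP addresses change, and the optional 443/UDP check covers the IPv4 resolvers only.

```python
import ipaddress

# Destinations copied from the tables on this page.
RESOLVERS = ["208.67.222.222", "208.67.220.220", "2620:119:53::53", "2620:119:35::35"]
API_IPS = ["146.112.255.101", "67.215.71.201", "67.215.92.210", "146.112.255.155"]
SYNC_RANGE = "146.112.63.0/24"  # range recommended for sync.hydra.opendns.com

def required_flows(encrypted=False):
    """Return (port, protocol, destination) tuples the roaming client needs."""
    flows = [(53, proto, dst) for proto in ("udp", "tcp") for dst in RESOLVERS]
    flows += [(443, "tcp", dst) for dst in API_IPS + [SYNC_RANGE]]
    if encrypted:
        # Optional encrypted DNS on 443/UDP; IPv4 resolvers only in this example.
        flows += [(443, "udp", dst) for dst in RESOLVERS[:2]]
    return flows

def covers(rule, flow):
    """True if one allow rule permits the whole destination of a required flow."""
    if rule[:2] != flow[:2]:
        return False
    rule_net = ipaddress.ip_network(rule[2], strict=False)
    flow_net = ipaddress.ip_network(flow[2], strict=False)
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return rule_net.version == flow_net.version and flow_net.subnet_of(rule_net)

def missing_flows(allow_rules, encrypted=False):
    """List required flows that no rule in a default-deny allowlist covers."""
    return [f for f in required_flows(encrypted)
            if not any(covers(r, f) for r in allow_rules)]

# Constructed sample allowlist (hypothetical): DNS over UDP only, IPv4 only,
# and sync.hydra.opendns.com pinned to one address instead of the /24.
SAMPLE_RULES = [
    (53, "udp", "208.67.222.222"), (53, "udp", "208.67.220.220"),
    (443, "tcp", "146.112.255.0/24"), (443, "tcp", "67.215.71.201"),
    (443, "tcp", "67.215.92.210"), (443, "tcp", "146.112.63.3"),
]

if __name__ == "__main__":
    for port, proto, dst in missing_flows(SAMPLE_RULES, encrypted=True):
        print(f"not allowed: {port}/{proto} -> {dst}")
```

A rule that pins sync.hydra.opendns.com to a single address is reported as a gap, because it does not cover the recommended 146.112.63.0/24 range.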

Windows Operating System

When using the roaming client on Windows, some network locations may observe a yellow triangle NCSI network connectivity indicator badge. This may prevent Outlook or some Office applications from fetching network content. A setting from Microsoft is available to resolve this issue via GPO setting or registry key. For more information, see A Fix from Microsoft (Windows 10 Fall 2017 Creators Update).

Software

  • The Umbrella roaming client is not compatible with other DNS serving software, so it should not be installed on a machine serving DNS requests.
  • DNSCrypt must be uninstalled prior to installing the Umbrella roaming client. The installer will automatically detect installations of DNSCrypt and prompt the administrator to uninstall prior to proceeding with the installation.
  • The Umbrella roaming client must be installed on the C:\ drive and does not support secondary or remote drive installations.

IPv6 Support

Currently, the Umbrella roaming client only supports dual-stack IPv4/IPv6 on Mac OS and Windows. Standalone IPv6 is not supported on either operating system. For more information, see Umbrella Roaming Client: IPv6 Support.

Internal Domains

When using the Umbrella roaming client, all of your DNS lookups are sent directly from your computer to Umbrella global network resolvers. However, in order to ensure that the Umbrella roaming client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Internal Domains page. The Umbrella roaming client syncs with our API periodically to check for new internal domains. This is a critical part of the setup process, and this list should be populated before you deploy the Umbrella roaming client. For more information, see Appendix D – Internal Domains.
