The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    


The Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time—both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname (and optionally AD username) both on and off your network or VPN. The client may optionally be disabled on network to defer to on network settings.

The Roaming Security module can replace your existing Umbrella roaming client if you already have AnyConnect configured. The roaming module allows for full update control, and an option to disable automatically behind a full tunnel VPN connection.

For more information, watch Cisco Product Manager Adam Winn discuss the solution here.


The Roaming Security module requires a subscription to either Cisco Umbrella Roaming service or Cisco Umbrella services (DNS Security Essentials, DNS Security Advantage, or SIG Essentials).

The Roaming Security module is available in a limited roaming security only package which provides only basic DNS-layer security. Looking for the full Umbrella experience? Cisco Umbrella subscriptions provide IP Layer Enforcement, access to the intelligent proxy for URL blocks, content filtering, multiple policies, robust reporting, active directory integration, and more. The same Umbrella Roaming Security module is used regardless of the subscription.

The Roaming Security module profile (OrgInfo.json) associates each deployment with the corresponding service, and the corresponding protection features are enabled automatically.

Umbrella provides real-time visibility into all of the internet activity originating from the Roaming Security module. The level of granularity in policies and reports depends on the Umbrella subscription.

Refer to our package comparison page for detailed information about which features are included in each service level subscription.

Note: IP layer enforcement is not available for all Umbrella packages. To get the full functionality of Umbrella Roaming Security, rather than just DNS-layer security when off the network and single security policies with basic reports (by hostname), you must have the Insight or Platform Cisco​ Umbrella packages. For more information about these packages, please read this.

Introduction > The AnyConnect Plugin: Umbrella Roaming Security Client Administrator Guide

Updated about a year ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.