Prerequisites
To ensure that the Cisco Secure Client with the Umbrella Roaming Security module (formerly AnyConnect) deploys and runs successfully, Umbrella requires that you meet the following prerequisites:
Table of Contents
System Requirements
Cisco Umbrella supports all vendor-supported, generally available releases of an operating system unless otherwise noted.
- Version 5.1.0 and above
- Windows 10 x86 and x64
- Windows 11 x64 and ARM64
- ARM64 supported only in VPN client, DART, Secure Firewall Posture, Network Visibility Module, Umbrella Module, and ISE Posture
- macOS 12 or higher
Note:Azure VDI is not supported.
Transport Layer Security Protocol
Umbrella no longer supports Transport Layer Security (TLS) 1.0 and TLS 1.1. To access the Umbrella dashboard, intelligent proxy, and block pages, ensure that your client operating system supports TLS 1.2. TLS 1.0 and TLS 1.1 contain security vulnerabilities, and do not support modern cryptographic algorithms.
TLS 1.2 Support for Windows
We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.
To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocols Feature section on the page, confirm that Yes appears next to TLS 1.2.
The latest version of the Cisco Secure Client uses TLS 1.2. Ensure that you have a compatible version of .NET installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5). For more information, see Requirements for Using AnyConnect Roaming Module Below 4.8 MR2 (or . NET 4.6.1 and below) or AD Connector.
TLS 1.2 Support for macOS
The Cisco Secure Client for macOS support TLS 1.2. To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocols Feature section on the page, confirm that Yes appears next to TLS 1.2.
Network Requirements
Host Names
The Cisco Secure Client uses hostnames for registration. All machines must have a hostname that is unique within your organization.
DNS
The Cisco Secure Client uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you must add the following allow rules in your firewall.
Port | Protocol | Destination |
---|---|---|
53 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
53 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
In circumstances where third-party DNS servers are blocked, the client transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.
Encryption (Optional)
The Cisco Secure Client optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall.
Port | Protocol | Destination |
---|---|---|
443 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
443 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
The Cisco Secure Client automatically encrypts DNS queries when it senses that 443/UDP is open.
External DNS Resolution
The Cisco Secure Client functions only on networks where external DNS resolution exists. The client can not function successfully if DNS connectivity is broken or blocked on the local network.
For the client to enable protection, the external DNS names mentioned below must be resolvable by the local DNS server. This requires recursive DNS queries to be allowed on the local DNS server.
disthost.umbrella.com
api.opendns.com
disthost.opendns.com
crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com
In addition, the following domain must receive a response to a TXT record query.
debug.opendns.com
NXDOMAIN is accepted, however, timeouts may delay or prevent Umbrella protection on the network interface on which this domain query times out.
HTTP and HTTPS
The Cisco Secure Client uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:
- Initial registration upon installation
- Checking for new versions of the client
- Reporting the status of client to Umbrella
- Checking for new internal domains
Windows Only: If you utilize an HTTP proxy that is configured at the user-level, make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the client can reach the API.
Port | Protocol | Destination |
---|---|---|
80 | TCP | crl3.digicert.com crl4.digicert.com ocsp.digicert.com |
443 | TCP | 146.112.255.101, 67.215.71.201, 67.215.92.210 146.112.255.152/29 (8 IPs) sync.hydra.opendns.com IPv6: 2620:0:cc1:115::210 IPv6: 2a04:e4c7:ffff::20/125 (8 IPs) |
In the table above, the IP addresses resolve to:
- disthost.umbrella.com
- api.opendns.com
- disthost.opendns.com
The Digicert domains resolve to various IP addresses based on CDN and are subject to change. These domains resolve to the following IPs:
- 192.229.211.108
- 192.229.221.95
- 152.195.38.76
- 192.16.49.85
Note: sync.hydra.opendns.com resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend adding this entire range as the IP address(es) for sync.hydra.opendns.com is Anycast and may change. These domains resolve to the following IPs:
- 146.112.63.3 to 146.112.63.9
- 146.112.63.11 to 146.112.63.13
Note: For the Cisco Secure Client device registration process to be completed, the following destinations should be sent directly and bypassed from any kind of authentication, SSL inspection, or filtering:
- crl3.digicert.com
- crl4.digicert.com
- ocsp.digicert.com
Internal Domains
The Cisco Secure Client sends all of your DNS lookups directly from your computer to the Umbrella global network resolvers. Thus, to ensure that the client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Domain Management page. The client syncs with our API periodically to check for new internal domains. This is a critical part of the setup process. We recommend that you populate the list of internal domains before you deploy the client. For more information, see Domain Management.
Quick Start Guide < Prerequisites > Deploy Umbrella module in Cisco Secure Client
Updated about 1 month ago