Prerequisites
To ensure that the Cisco Umbrella Roaming Security module for AnyConnect deploys and runs successfully, Umbrella requires that you meet certain system and network requirements.
Table of Contents
System Requirements
Cisco Umbrella supports all vendor-maintained, generally available releases of an operating system unless otherwise noted.
Supported Operating Systems
- Roaming Security module for Cisco Security Connector 5.0 or later, or AnyConnect version 4.10 or later
- Windows 10 with .NET 4.6.2 (x86, x64, Arm*)
- Windows 11 with .NET 4.8 (x86, x64, Arm*)
- macOS 11 or later (Intel or Apple chip)
- TCP 443/80 proxy destinations ranges 146.112.0.0/16, 151.186.0.0/16, and 155.190.0.0/16
Note: Arm devices require Cisco Secure Client version 5.0.02075 or later.
Unsupported Operating Systems
- Windows 7, 8, and 8.1
- Windows Server (all versions)
- Windows 10 Enterprise Multi-Session
- Windows RT based ARM processors
- macOS 10.15 or earlier
For information about additional system requirements and licensing dependencies, see AnyConnect Secure Mobility Client Feature Guides.
Important
The Umbrella Roaming Security module for AnyConnect is compatible with both the full-featured Umbrella dashboard or a dashboard purchased as part of the Cisco Umbrella Roaming Package. The configuration and deployment instructions vary based on which dashboard you use. Review the instructions to configure the security module through the OrgInfo.json file, and verify the steps to deploy the Roaming Security module for AnyConnect clients.
Transport Layer Security Protocol
Umbrella no longer supports Transport Layer Security (TLS) 1.0 and TLS 1.1. To access the Umbrella dashboard, intelligent proxy, and block pages, ensure that your client operating system supports TLS 1.2. TLS 1.0 and TLS 1.1 contain security vulnerabilities, and do not support modern cryptographic algorithms.
TLS 1.2 Support in Windows
We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.
To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocols section on the page, confirm that Yes appears next to TLS 1.2.
The latest version of the Umbrella Roaming Security module for AnyConnect uses TLS 1.2. Ensure that you have a compatible .NET version installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5). For more information, see Requirements for Using AnyConnect Roaming Module Below 4.8 MR2 (or . NET 4.6.1 and below) or AD Connector.
TLS 1.2 Support in macOS
All versions of the Umbrella AnyConnect Roaming Security module for macOS support TLS 1.2. To verify that TLS 1.2 is enabled in your device, follow these steps:
- In your browser, enter the SSL test client URL in the search bar:
https://www.ssllabs.com/ssltest/viewMyClient.html
- In the Protocols section on the page, confirm that Yes appears next to TLS 1.2.
Network Access
Host Names
The Umbrella Roaming Security module for AnyConnect uses hostnames for registration. All machines must have a hostname that is unique within your organization.
DNS
The Umbrella Roaming Security module for AnyConnect uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you must add the following allow rules in your firewall.
Port | Protocol | Destination |
---|---|---|
53 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
53 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
In circumstances where third-party DNS servers are blocked, the Umbrella Roaming Security module transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.
Encryption (Optional)
The Umbrella Roaming Security module for AnyConnect optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall.
Port | Protocol | Destination |
---|---|---|
443 | UDP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
443 | TCP | 208.67.222.222 / 208.67.220.220 2620:119:53::53 / 2620:119:35::35 |
The Umbrella Roaming Security module for AnyConnect automatically encrypts DNS queries when it senses that 443/UDP is open.
External DNS Resolution
In normal circumstances, the Umbrella Roaming Security module functions only on networks where external DNS resolution exists. The Umbrella Roaming Security module for AnyConnect can not function successfully if DNS connectivity is broken or blocked on the local network.
For the Umbrella Roaming Security module for AnyConnect to enable protection, the external DNS names mentioned below must be resolvable by the local DNS server. This requires recursive DNS queries to be allowed on the local DNS server.
disthost.umbrella.com
api.opendns.com
disthost.opendns.com
crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com
In addition, the following domain must receive a response to a TXT record query.
debug.opendns.com
NXDOMAIN is accepted, however, timeouts may delay or prevent Umbrella protection on the network interface on which this domain query times out.
HTTP and HTTPS
The Umbrella Roaming Security module for AnyConnect uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:
- Initial registration upon installation
- Checking for new versions of the Umbrella Roaming Security module
- Reporting the status of Umbrella Roaming Security module to Umbrella
- Checking for new internal domains
Windows Only: If you utilize an HTTP proxy that is configured at the user-level (normally using GPO), make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure that the Umbrella Roaming Security module can reach the Umbrella API.
Port | Protocol | Destination |
---|---|---|
80 | TCP | crl3.digicert.com crl4.digicert.com ocsp.digicert.com |
443 | TCP | 146.112.255.101, 67.215.71.201, 67.215.92.210 146.112.255.152/29 (8 IPs) sync.hydra.opendns.com IPv6: 2620:0:cc1:115::210 IPv6: 2a04:e4c7:ffff::20/125 (8 IPs) |
In the table above, the IP addresses resolve to:
- disthost.umbrella.com
- api.opendns.com
- disthost.opendns.com
The Digicert domains resolve to various IP addresses based on CDN and are subject to change. These domains resolve to the following IPs:
- 192.229.211.108
- 192.229.221.95
- 152.195.38.76
- 192.16.49.85
Note: sync.hydra.opendns.com
resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend adding this entire range as the IP addresses for sync.hydra.opendns.com
are Anycast and may change. These domains resolve to the following IPs:
- 146.112.63.3 to 146.112.63.9
- 146.112.63.11 to 146.112.63.13
Currently, the Umbrella Roaming Security module for AnyConnect only supports connecting to the Umbrella cloud resources using IPv4. This will change as the services that the Umbrella Roaming Security module requires become available over IPv6.
Software
- The Umbrella Roaming Security module for AnyConnect is not compatible with other DNS serving software. You should not install the Umbrella Roaming Security module on a machine serving DNS requests.
- Uninstall DNSCrypt before your install the Umbrella roaming security module. The Umbrella Roaming Security module installer automatically detects installations of DNSCrypt and prompts the administrator to uninstall before proceeding with the installation.
- You must install the Umbrella roaming security module on the C:\ drive. The Umbrella Roaming Security module does not support secondary or remote drive installations.
IPv6 Support
Currently, the Umbrella Roaming Security module for AnyConnect only supports dual-stack IPv4/IPv6 for macOS and Windows. Stand-alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: IPv6 Support.
Internal Domains
The Umbrella Roaming Security module sends all of your DNS lookups directly from your computer to the Umbrella global network resolvers. Thus, in order to ensure that the Umbrella Roaming Security module directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Domain Management page. The Umbrella roaming security module syncs with the Umbrella API periodically to check for new internal domains. This is a critical part of the setup process. We recommend that you populate the list of internal domains before you deploy the Umbrella roaming security module. For more information, see Domain Management.
Quick Start Guide < Prerequisites > Before You Begin
Updated 12 months ago