Guides
ProductDeveloper
Guides
ProductDeveloper

Prerequisites

To deploy the Cisco Security for Chromebook to enable DoH protection, the following prerequisites must be met:

  • You must have Umbrella login credentials.
  • To push the Cisco Security for Chromebook client to all the Chromebook devices, you need a Google Workspace Admin account.
  • Cisco recommends that you sync Google Workspace Identities with Umbrella to apply Google Workspace user and organizational unit based policies. For information about integrating the Google Workspace Identity Service, see Integrate Google Workspace Identity Service.
  • You can synchronize using sync.hydra.opendns.com, deices.api.umbrellagov.com
  • Use dns.umbrellagov.com for the DoH URL
  • Synchronization is done using sync.hydra.opendns.com, devices.api.umbrellagov.com
  • The SAML gateway is gateway.id.swg.umbrellagov.com
  • Chrome OS 110 or later is required to enable DoH-based DNS layer protection on Chromebooks.
  • Chromebooks must not be in Kiosk mode.
  • For DNS layer protection, Port 53 UDP and 443 TCP must be allowed.
  • https://registration.polaris.qq.opendns.com, https://sync.hydra.opendns.com and https://doh.umbrella.com must be accessible.
  • Chromebooks must be connected and logged in.
  • Install Cisco Umbrella root certificate on your Chromebooks to avoid certificate errors when accessing an Umbrella block page. For more information, see  Install the Cisco Umbrella Root Certificate.
    For more information about how to push the Umbrella root certificate from Google admin console to all your Chromebook devices, see  Set up TLS (or SSL) inspection on Chrome devices.
  • In the Google Workspace Admin console, you must disallow the incognito window. From the Incognito mode menu, choose Disallow incognito mode. For more information, search for Incognito Mode in Chrome Enterprise and Education Help.
  • The following devices and operating systems are not supported:
    • Chrome browser on OS X, Windows, and Linux.
    • Devices running variations or third-party distributions of ChromeOS, such as Neverware CloudReady.
  • Network requirements
Port and
Protocol		Source / DestinationNotes
53 (UDP)dns.umbrellagov.comConfigured DNS
Resolvers should be
reachable.
443 (TCP)Registration.
polaris.qq.opendns.com
devices.api.umbrellagov.com		HTTPS. Used for
registration of the client.
443 (TCP)sync.hydra.opendns.com
devices.api.umbrellagov.com		HTTPS. Used to sync device
details and to fetch
configuration.
443 (TCP)dns.umbrellagov.comHTTPS. Used to resolve DNS requests.

Get Started > Prerequisites > Limitations

Updated about 1 month ago