Prerequisites

To ensure that the Cisco Umbrella Roaming Security module for AnyConnect deploys and runs successfully, Umbrella requires that you meet certain system and network requirements.

Table of Contents

• System Requirements
• Network Requirements
• Transport Layer Security Protocol
• Network Access
• Software
• Internal Domains

System Requirements

Cisco Umbrella supports all vendor-maintained, generally available releases of an operating system unless otherwise noted.

Supported Operating Systems

• Roaming Security module for Cisco Security Connector 5.0 or later, or AnyConnect version 4.10 or later
  • Windows 10 with .NET 4.6.2 (x86, x64, Arm*)
  • Windows 11 with .NET 4.8 (x86, x64, Arm*)
  • macOS 11 or later (Intel or Apple chip)
• TCP 443/80 proxy destinations ranges 146.112.0.0/16, 151.186.0.0/16, and 155.190.0.0/16

Note: Arm devices require Cisco Secure Client version 5.0.02075 or later.

Unsupported Operating Systems

• Windows 7, 8, and 8.1
• Windows Server (all versions)
• Windows 10 Enterprise Multi-Session
• Windows RT based ARM processors
• macOS 10.15 or earlier

For information about additional system requirements and licensing dependencies, see AnyConnect Secure Mobility Client Feature Guides.

👍

The Umbrella Roaming Security module for AnyConnect is compatible with both the full-featured Umbrella dashboard or a dashboard purchased as part of the Cisco Umbrella Roaming Package. The configuration and deployment instructions vary based on which dashboard you use. Review the instructions to configure the security module through the OrgInfo.json file, and verify the steps to deploy the Roaming Security module for AnyConnect clients.

Network Requirements

To connect efficiently to Umbrella's Secure Web Gateway (SWG), allow the following CIDRs in your firewalls with TCP on ports 80 and 443:

• 67.215.64.0/19
• 146.112.0.0/16
• 151.186.0.0/16
• 155.190.0.0/16
• 185.60.84.0/22
• 204.194.232.0/21
• 208.67.216.0/21
• 208.69.32.0/21

Bypass Domains for Web Traffic

We recommend that you bypass the following domains directly to allow all traffic with TCP on ports 80 and 443:

• ocsp.int-x3.letsencrypt.org
• isrg.trustid.ocsp.identrust.com
• *.cisco.com
• *.opendns.com
• *.umbrella.com

If you use SAML to deploy Users and Groups in an Umbrella Web policy, we recommend that you bypass the following domains directly to allow all traffic with TCP on ports 80 and 443:

• *.okta.com
• *.oktacdn.com
• *.pingidentity.com
• secure.aadcdn.microsoftonline-p.com

For more information about SAML, see Configure SAML Integrations.

SSL-VPN and External Domain Settings

When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.

Transport Layer Security Protocol

Umbrella no longer supports Transport Layer Security (TLS) 1.0 and TLS 1.1. To access the Umbrella dashboard, intelligent proxy, and block pages, ensure that your client operating system supports TLS 1.2. TLS 1.0 and TLS 1.1 contain security vulnerabilities, and do not support modern cryptographic algorithms.

TLS 1.2 Support in Windows

We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.

To verify that TLS 1.2 is enabled in your device, follow these steps:

1. In your browser, enter the SSL test client URL in the search bar:

   https://www.ssllabs.com/ssltest/viewMyClient.html
   

2. In the Protocols section on the page, confirm that Yes appears next to TLS 1.2.

The latest version of the Umbrella Roaming Security module for AnyConnect uses TLS 1.2. Ensure that you have a compatible version of .NET installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5). For more information, see Requirements for Using AnyConnect Roaming Module Below 4.8 MR2 (or . NET 4.6.1 and below) or AD Connector.

TLS 1.2 Support in macOS

All versions of the Umbrella roaming security module for macOS support TLS 1.2. To verify that TLS 1.2 is enabled in your device, follow these steps:

1. In your browser, enter the SSL test client URL in the search bar:

   https://www.ssllabs.com/ssltest/viewMyClient.html
   

2. In the Protocols section on the page, confirm that Yes appears next to TLS 1.2.

Network Access

Host Names

The Umbrella Roaming Security module for AnyConnect uses hostnames for registration. All machines must have a hostname that is unique within your organization.

DNS

The Umbrella Roaming Security module for AnyConnect uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you must add the following allow rules in your firewall.

In circumstances where third-party DNS servers are blocked, the Umbrella Roaming Security module transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.

Encryption

The Umbrella Roaming Security module for AnyConnect supports encryption of queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, add the following allow rule in your firewall.

The Umbrella Roaming Security module automatically encrypts DNS queries when it senses that 443/UDP is open.

External DNS Resolution

In normal circumstances, the Umbrella Roaming Security module functions only on networks where external DNS resolution exists. The Umbrella Roaming Security module for AnyConnect can not function successfully if DNS connectivity is broken or blocked on the local network.

For the Umbrella Roaming Security module for AnyConnect to enable protection, the external DNS names mentioned below must be resolvable by the local DNS server. This requires recursive DNS queries to be allowed on the local DNS server.

disthost.umbrella.com
api.opendns.com
disthost.opendns.com
crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com

In addition, the following domain must receive a response to a TXT record query.

debug.opendns.com

NXDOMAIN is accepted, however, timeouts may delay or prevent Umbrella protection on the network interface on which this domain query times out.

Secure Web Gateway and Encryption

The Umbrella Roaming Security module for AnyConnect supports encryption of web queries sent to Umbrella using port 443/TCP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, add the following allow rule in your firewall.

HTTP and HTTPS

The Umbrella Roaming Security module for AnyConnect uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with the Umbrella API for the following uses:

• Initial registration upon installation
• Checking for new versions of the Umbrella Roaming Security module
• Reporting the status of Umbrella Roaming Security module to Umbrella
• Checking for new internal domains

Windows Only: If you utilize an HTTP proxy that is configured at the user-level, make sure the "SYSTEM" user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the Umbrella Roaming Security module can reach the Umbrella API.

In the table above, the IP addresses resolve to:

• disthost.umbrella.com
• api.opendns.com
• disthost.opendns.com

The Digicert domains resolve to various IP addresses based on CDN and are subject to change. These domains resolve to the following IPs: 

• 192.229.211.108
• 192.229.221.95
• 152.195.38.76
• 192.16.49.85

Note: sync.hydra.opendns.com resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend that you add this entire range. The IP addresses for sync.hydra.opendns.com are Anycast and may change. These domains resolve to the following IPs:

• 146.112.63.3 to 146.112.63.9
• 146.112.63.11 to 146.112.63.13

Currently, the Umbrella Roaming Security module only supports connections to Umbrella using IPv4.

Software

• The Umbrella Roaming Security module for AnyConnect is not compatible with other DNS serving software. You should not install the Umbrella Roaming Security module on a machine serving DNS requests.
• Uninstall DNSCrypt before your install the Umbrella roaming security module. The Umbrella Roaming Security module installer automatically detects installations of DNSCrypt and prompts the administrator to uninstall before proceeding with the installation.
• You must install the Umbrella roaming security module on the C:\ drive. The Umbrella Roaming Security module does not support secondary or remote drive installations.

👍

IPv6 Support

Currently, the Umbrella Roaming Security module for AnyConnect only supports dual-stack IPv4/IPv6 for the Mac OS and Windows. Stand-alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: Support for Dual Stack IPv6 Network Configurations.

Internal Domains

The Umbrella Roaming Security module sends all of your DNS lookups directly from your computer to the Umbrella global network resolvers. Thus, to ensure that the Umbrella security module directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Deployments > Configurations > Internal Domains page. The Umbrella roaming security module syncs with our API periodically to check for new internal domains. This is a critical part of the setup process. We recommend that you populate the list of internal domains before you deploy the Umbrella Roaming Security module. For more information, see Domain Management.

---

Quick Start Guide < Prerequisites > Before You Begin