To enable DoH and SWG protection on Cisco Secure Chromebook client, the following prerequisites must be met:

  • You must have Umbrella login credentials.
  • You must have a Google Workspace admin account to push Cisco Security for Chromebook client to all the Chromebook devices.
  • We recommend that you synchronize Google Workspace identities with Umbrella to apply the Google Workspace user and organizational unit-based policies. For information about integrating the Google Workspace identities, see Integrate Google Workspace Identities.
  • Chrome OS 110 or later is required to enable DoH-based DNS layer protection on Chromebooks.
  • Chromebooks must not be in Kiosk mode.
  • For DNS layer protection, ports 53 UDP and 443 TCP must be allowed. For SWG layer protection, port 8888 (TCP) must be accessible to and
  • You must have access to,, and
  • Chromebooks must be connected and logged in.
  • Install Cisco Umbrella root certificate on your Chromebooks to avoid certificate errors when accessing an Umbrella block page. For more information on this installation, see Install the Cisco Umbrella Root Certificate.
    For more information about how to push the Umbrella root certificate from the Google admin console to all your Chromebook devices, see Set up TLS (or SSL) inspection on Chrome devices.
  • In the Google Workspace Admin console, you must disallow the incognito window. From the Incognito mode menu, choose Disallow incognito mode. For more information, see Incognito Mode in Chrome Enterprise and Education Help.
    For SWG, you can optionally configure the DNS servers on your network to forward DNS traffic to Cisco Umbrella. This configuration provides the most accurate selection of SWG Data Center locations. For more information, see Point your DNS to Cisco Umbrella.
  • Third-party web filtering or web proxy solutions may interfere with the SWG proxy setup of Umbrella Chromebook client. We recommend that you remove these solutions before deploying Cisco Security for Chromebook client.
  • The following devices and operating systems are not supported:
    • Chrome browser on OS X, Windows, and Linux.
    • Devices running variations or third-party distributions of ChromeOS, such as Neverware CloudReady.
  • Network requirements
ProtectionPort and
Source / DestinationNotes
DNS and SWG Layer53 (UDP)-Configured DNS
resolvers should be
DNS and SWG Layer443 (TCP)Registration.
HTTPS. Used for
registration of client.
DNS and SWG Layer443 (TCP)sync.hydra.opendns.comHTTPS. Used to synchronize device
details and to fetch
DNS and SWG Layer443 (TCP)doh.umbrella.comHTTPS. Used to resolve DNS requests.
SWG Layer8888 (TCP)
SWG Proxy IP address ranges.

Migration Scenarios > Prerequisites > Limitations