Guides
ProductDeveloperPartnerPersonal
Guides

Prerequisites

To ensure that the Cisco Umbrella module for Cisco Secure Client deploys and runs successfully, Umbrella requires that you meet the following prerequisites:

Table of Contents

System Requirements

Cisco Umbrella supports all vendor-supported, generally available releases of an operating system unless otherwise noted.

  • Version 5.1.0 and above
    • Windows 10 x86 and x64
    • Windows 11 x64 and ARM64
      • ARM64 supported only in VPN client, DART, Secure Firewall Posture, Network Visibility Module, Umbrella Module, and ISE Posture
    • macOS 12 or higher
  • Note:Azure VDI is not supported.
    • Unsupported Operating Systems

      • Windows 7, 8, and 8.1
      • Windows Server (all versions)
      • Windows 10 Enterprise Multi-Session (including Azure Virtual Desktop)
      • Windows RT based ARM processors
      • macOS 10.15 or earlier

Network Requirements

To connect efficiently to Umbrella's Secure Web Gateway (SWG), allow the following CIDRs in your firewalls with TCP on ports 80 and 443:

  • 67.215.64.0/19
  • 146.112.0.0/16
  • 151.186.0.0/16
  • 155.190.0.0/16
  • 185.60.84.0/22
  • 204.194.232.0/21
  • 208.67.216.0/21
  • 208.69.32.0/21

We recommend that you bypass the following domains directly to allow all traffic with TCP on ports 80 and 443:

  • isrg.trustid.ocsp.identrust.com
  • *.cisco.com
  • *.opendns.com
  • *.umbrella.com
  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.

Note: For the Cisco Secure Client device registration process to be completed, the following destinations should be sent directly and bypassed from any kind of authentication, SSL inspection, or filtering:

  • crl3.digicert.com
  • crl4.digicert.com
  • ocsp.digicert.com

Roaming Client Prerequisites

Roaming Client prerequisites must be met to use the Umbrella module for Cisco Secure Client. For more information on the full requirements, see Roaming Client Prerequisites.

Users of the Umbrella Roaming module must allow the following ports and destinations:

Umbrella DNS and SWG Requirements

  • See our core Umbrella Client Prerequisites.
  • To connect efficiently to Umbrella's Secure Internet Gateway – including Umbrella block pages for DNS, the following CIDRs should be allowed in your firewalls with TCP on ports 80 and 443:
  • 67.215.64.0/19
  • 146.112.0.0/16
  • 155.190.0.0/16
  • 185.60.84.0/22
  • 204.194.232.0/21
  • 208.67.216.0/21
  • 208.69.32.0/21

The following domains should be bypassed directly to allow all traffic with TCP on ports 80 and 443:

  • isrg.trustid.ocsp.identrust.com
  • .cisco.com
  • .opendns.com
  • .umbrella.com
  • www.msftconnecttest.com
  • connecttest.cisco.io

Users of the Secure Web Gateway feature are recommended to ensure access to their identity provider of choice is available direct:

Identity provider domains (IdP). For example:

  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.


Umbrella Roaming Security: Cisco Secure Client (formerly AnyConnect) < Prerequisites > Deploy Umbrella module in Cisco Secure Client