
Prerequisites

To ensure that the Cisco Umbrella Roaming Security module for AnyConnect deploys and runs successfully, Umbrella requires that you meet the following prerequisites:

System Requirements

Cisco Umbrella supports all vendor-supported, generally available releases of an operating system unless otherwise noted.

  • Version 5.1.0 and above
    • Windows 10 x86 and x64
    • Windows 11 x64 and ARM64
      • ARM64 supported only in VPN client, DART, Secure Firewall Posture, Network Visibility Module, Umbrella Module, and ISE Posture
    • macOS 11.x or higher

Network Requirements

To connect efficiently to Umbrella's Secure Web Gateway (SWG), allow the following CIDRs in your firewalls with TCP on ports 80 and 443:

  • 67.215.64.0/19
  • 146.112.0.0/16
  • 151.186.0.0/16
  • 155.190.0.0/16
  • 185.60.84.0/22
  • 204.194.232.0/21
  • 208.67.216.0/21
  • 208.69.32.0/21
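
One way to check a firewall's egress allowlist against the CIDR list above (an added example, not Cisco's code): it reports any required range that is missing or only partly covered on TCP 80 or 443. The `(cidr, port)` rule format, the function names, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# CIDRs and ports copied from the Network Requirements list above.
REQUIRED_CIDRS = [
    "67.215.64.0/19", "146.112.0.0/16", "151.186.0.0/16", "155.190.0.0/16",
    "185.60.84.0/22", "204.194.232.0/21", "208.67.216.0/21", "208.69.32.0/21",
]
REQUIRED_PORTS = (80, 443)


def uncovered(required, allowed):
    """Return the parts of `required` that no network in `allowed` covers."""
    remaining = [required]
    for rule in allowed:
        leftover = []
        for net in remaining:
            if net.subnet_of(rule):
                continue                      # fully covered by this rule
            if rule.subnet_of(net):
                # rule covers only part of net: keep the rest for later rules
                leftover.extend(net.address_exclude(rule))
            else:
                leftover.append(net)          # rule and net are disjoint
        remaining = leftover
    return sorted(ipaddress.collapse_addresses(remaining))


def audit_allowlist(rules):
    """rules: iterable of (cidr, port) TCP egress allow entries (IPv4 only).
    Returns {(required_cidr, port): [uncovered networks]} for every gap."""
    gaps = {}
    for port in REQUIRED_PORTS:
        allowed = [ipaddress.ip_network(c) for c, p in rules if p == port]
        for cidr in REQUIRED_CIDRS:
            missing = uncovered(ipaddress.ip_network(cidr), allowed)
            if missing:
                gaps[(cidr, port)] = [str(n) for n in missing]
    return gaps


# Constructed sample allowlist (hypothetical, not exported from a real firewall).
SAMPLE_RULES = [(c, p) for c in (
    "67.215.64.0/19", "155.190.0.0/16", "185.60.84.0/22", "204.194.232.0/21",
    "208.67.208.0/20",                     # supernet of 208.67.216.0/21
    "208.69.32.0/22", "208.69.36.0/22",    # two halves of 208.69.32.0/21
) for p in REQUIRED_PORTS] + [("146.112.0.0/17", 80), ("146.112.0.0/16", 443)]

if __name__ == "__main__":
    for (cidr, port), missing in audit_allowlist(SAMPLE_RULES).items():
        print(f"tcp/{port}: {cidr} not fully allowed, missing {missing}")
```
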

We recommend that you bypass the following domains directly to allow all traffic with TCP on ports 80 and 443:

  • isrg.trustid.ocsp.identrust.com
  • *.cisco.com
  • *.opendns.com
  • *.umbrella.com
  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.

Roaming Client Prerequisites

Roaming Client prerequisites must be met to use the Umbrella module for Cisco Secure Client. For more information on the full requirements, see Roaming Client Prerequisites.

Users of the Umbrella Roaming module must allow the following ports and destinations:

Umbrella DNS and SWG Requirements

  • See our core Umbrella Client Prerequisites.
  • To connect efficiently to Umbrella's Secure Internet Gateway, including Umbrella block pages for DNS, allow the following CIDRs in your firewalls with TCP on ports 80 and 443:
    • 67.215.64.0/19
    • 146.112.0.0/16
    • 155.190.0.0/16
    • 185.60.84.0/22
    • 204.194.232.0/21
    • 208.67.216.0/21
    • 208.69.32.0/21

The following domains should be bypassed directly to allow all traffic with TCP on ports 80 and 443:

  • isrg.trustid.ocsp.identrust.com
  • .cisco.com
  • .opendns.com
  • .umbrella.com
  • www.msftconnecttest.com

If you use the Secure Web Gateway feature, we recommend ensuring that your identity provider (IdP) of choice is reachable directly. Example identity provider domains:

  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.
