The following prerequisites must be met in order to use the Cisco Umbrella roaming client. Please read through this list and ensure that prerequisites are met to avoid conflicts or potential problems.
Supported Operating Systems
Unsupported Operating Systems
The Umbrella roaming client uses standard DNS ports 53/UDP and 53/TCP to communicate with Umbrella. If you explicitly block access to third-party DNS servers on your corporate or home network, you will need to add the following allow rules in your firewall:
|Port|Protocol|Destination|
|---|---|---|
|53|UDP|184.108.40.206 and 220.127.116.11|
|53|TCP|18.104.22.168 and 22.214.171.124|
In circumstances where third-party DNS servers are blocked, the Umbrella roaming client will transition to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.
The Umbrella roaming client optionally supports encryption of all queries sent to Umbrella using port 443/UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, you can add the following allow rule in your firewall:
|Port|Protocol|Destination|
|---|---|---|
|443|UDP|126.96.36.199 and 188.8.131.52|
The Umbrella roaming client automatically encrypts DNS queries when it senses that 443/UDP is open.
IP Layer Enforcement:
The IP Layer Enforcement feature of the roaming client requires additional network access. Please refer to this document for details: https://docs.umbrella.com/product/umbrella/6-adding-ip-layer-enforcement/.
Internet Protocol Security (IPsec) traffic must be allowed through firewalls. The following protocols and ports must be allowed:
- Protocol 50 (ESP)
- Protocol 51 (AH)
- UDP Port 500
- UDP Port 4500
IPsec uses IP protocol 50 for Encapsulating Security Payload (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 and Phase 2 negotiation. UDP port 4500 carries IKE and UDP-encapsulated ESP when NAT traversal (NAT-T) is in use, which is the normal case for a roaming client behind a home or hotspot NAT.
To restrict IPsec to only the Umbrella servers providing malicious IP blocking, allow ESP, AH, UDP port 500 and UDP port 4500 to these IP ranges only:
184.108.40.206/23 220.127.116.11/23 18.104.22.168/24 22.214.171.124/24 126.96.36.199/23 188.8.131.52/23 184.108.40.206/24 220.127.116.11/22 18.104.22.168/23
If you would like to simply allow access to all of the Umbrella ranges used:
22.214.171.124/19 126.96.36.199/21 188.8.131.52/21 184.108.40.206/21
Note: A full list of the exact IP addresses—not just the ranges—can be found in a text file attached to the bottom of the above linked article.
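Before tightening a rule from the broad Umbrella ranges to the narrower per-service list, it is worth confirming that every narrow prefix actually sits inside the broad ones and that the resulting rule admits nothing but ESP, AH and IKE. The following script is an added example, not Cisco's code; the prefixes in it are constructed documentation ranges, not Umbrella's published ones, and the nftables rule text it emits is one illustrative rendering. Substitute the exact list from the linked article before relying on it.

```python
"""Check destinations against the IPsec allow rules described above.

Added example, not Cisco's code. The prefixes below are constructed
placeholders (documentation ranges), not Umbrella's published ones:
substitute the exact list from the linked article before relying on it.
"""
import ipaddress
from typing import Iterable, List, Optional

# From the text: IP protocols 50/51 and UDP 500/4500 must be allowed.
IPSEC_PROTOCOLS = {50: "esp", 51: "ah"}
IKE_UDP_PORTS = {500, 4500}          # IKE, plus IKE/ESP NAT-T on 4500
UDP = 17

# Constructed placeholders (assumption): a narrow list that should sit
# inside the broad list, plus one stray prefix that does not.
NARROW_RANGES = ["198.51.100.64/26", "198.51.100.129/25", "203.0.113.0/24"]
BROAD_RANGES = ["198.51.100.0/24"]


def to_networks(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False accepts prefixes written with host bits set
    # (e.g. "198.51.100.129/25"), which is how this page lists them.
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def uncovered(narrow: Iterable[str], broad: Iterable[str]) -> List[str]:
    """Narrow prefixes that fall outside every broad prefix.

    Run this before tightening a rule from the broad ranges to the
    narrow ones: anything returned here would be cut off by the change.
    """
    broad_nets = to_networks(broad)
    return [str(n) for n in to_networks(narrow)
            if not any(n.subnet_of(b) for b in broad_nets)]


def ipsec_allowed(protocol: int, dst_ip: str, dst_port: Optional[int],
                  allowed: Iterable[str]) -> bool:
    """Would one outbound packet pass the IPsec allow rules?

    protocol: IP protocol number (50 ESP, 51 AH, 17 UDP).
    dst_port: UDP destination port; None for ESP/AH, which carry none.
    """
    ip = ipaddress.ip_address(dst_ip)
    if not any(ip in net for net in to_networks(allowed)):
        return False                      # not an Umbrella destination
    if protocol in IPSEC_PROTOCOLS:
        return True                       # raw ESP/AH, no port to check
    if protocol == UDP:
        return dst_port in IKE_UDP_PORTS  # IKE and NAT-T only
    return False                          # e.g. TCP is not part of IPsec


def render_nft_rules(allowed: Iterable[str]) -> List[str]:
    """Emit nftables-style rules that allow exactly the traffic above."""
    rules = []
    for net in to_networks(allowed):
        rules.append(f"ip daddr {net} ip protocol {{ esp, ah }} accept")
        rules.append(f"ip daddr {net} udp dport {{ 500, 4500 }} accept")
    return rules


if __name__ == "__main__":
    print("narrow prefixes outside the broad list:",
          uncovered(NARROW_RANGES, BROAD_RANGES))
    print("\n".join(render_nft_rules(BROAD_RANGES)))
```

With the placeholder data, `uncovered` reports the stray 203.0.113.0/24 prefix, which is the signal that the narrow list and the broad list on your firewall have drifted apart and one of them needs refreshing from the published list.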
HTTP and HTTPS
The Umbrella roaming client uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with our API for the following uses:
- Initial registration upon installation
- Checking for new versions of the Umbrella roaming client
- Reporting the status of the Umbrella roaming client to Umbrella
- Checking for new Internal domains (discussed later in this article)
Windows only: If you use an HTTP proxy that is configured at the user level (normally via GPO), you must make sure the "SYSTEM" account is also configured to use the proxy, since the roaming client runs as a service under that account rather than as the logged-on user.
Simply add the following rules to your firewall to ensure the roaming client can reach the API:
|Port|Protocol|Destination|
|---|---|---|
|80|TCP|ocsp.digicert.com, crl3.digicert.com and crl4.digicert.com|
|443|TCP|220.127.116.11, 18.104.22.168, sync.hydra.opendns.com, crl3.digicert.com and crl4.digicert.com|
|443|UDP|crl3.digicert.com and crl4.digicert.com (may be required)|
*Note: The 22.214.171.124, 126.96.36.199 IP addresses resolve to api.opendns.com, and disthost.opendns.com.
**Note: The DigiCert domains resolve to various IP addresses depending on the CDN and are therefore subject to change. At the time of writing, these domains resolve to the following IPs: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
***Note: sync.hydra.opendns.com resolves to multiple IP addresses, all within the 22.214.171.124/24 range. We recommend allowing this entire range, as the IP addresses for sync.hydra.opendns.com are anycast and may change. Currently, this domain resolves to the following addresses: 126.96.36.199 to 188.8.131.52 and 184.108.40.206 to 220.127.116.11
The Umbrella roaming client does not currently support IPv6 or dual stack IPv4/IPv6.
- The Umbrella roaming client is not compatible with other DNS server software, so it should not be installed on any machine that serves DNS requests.
- DNSCrypt must be uninstalled prior to installing the Umbrella roaming client. The installer will automatically detect installations of DNSCrypt and prompt the administrator to uninstall prior to proceeding with the installation.
Installation Directory: The Umbrella roaming client must be installed on the C:\ drive at this time and does not support secondary or remote drive installations.
When using the Umbrella roaming client, all of your DNS lookups are sent directly from your computer to the Umbrella global network's resolvers. To ensure the roaming client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the Internal Domains section of the dashboard (Settings > Internal Domains). The roaming client syncs with our API every 10 minutes to check for new internal domains. This is a critical part of the setup process, and the list should be populated before you deploy the roaming client.
To read more about internal domains, including in-depth technical details of how this works, see: https://support.umbrella.com/hc/en-us/articles/230905228-Umbrella-Roaming-Client-Deployment-Guide-Internal-Domains
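The decision the internal-domains list drives is a suffix match on the query name, which is why entries need to cover reverse zones for private address space as well as forward domains. The script below is an added example, not Cisco's implementation of the feature; it assumes that a listed domain also covers its subdomains, matched label by label, and uses constructed sample domains and addresses.

```python
"""Decide whether a query goes to internal DNS or to Umbrella.

Added example, not Cisco's implementation of the internal-domains
feature. It assumes (a) a listed domain also covers its subdomains,
matched label by label, and (b) the list is whatever the dashboard
last synced. Sample domains and addresses are constructed.
"""
import ipaddress
from typing import Iterable, Tuple

# Constructed sample of entries under Settings > Internal Domains.
# Include reverse zones for private space so PTR lookups stay internal.
INTERNAL_DOMAINS = ["corp.example.com", "example.local", "10.in-addr.arpa"]


def _labels(name: str) -> Tuple[str, ...]:
    """Normalise a DNS name: ignore case and a trailing root dot."""
    return tuple(name.rstrip(".").lower().split("."))


def is_internal(qname: str, internal_domains: Iterable[str]) -> bool:
    """True if qname equals, or is under, any listed internal domain."""
    q = _labels(qname)
    for dom in internal_domains:
        d = _labels(dom)
        # Label-wise suffix match: "corp.example.com" covers
        # "host.corp.example.com" but not "notcorp.example.com".
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolver_for(qname: str, internal_domains: Iterable[str]) -> str:
    """'internal' for the corporate DNS servers, 'umbrella' for Umbrella's resolvers."""
    return "internal" if is_internal(qname, internal_domains) else "umbrella"


if __name__ == "__main__":
    for name in ["fileserver.corp.example.com", "www.example.com",
                 ptr_name("10.4.5.6")]:
        print(f"{name:35} -> {resolver_for(name, INTERNAL_DOMAINS)}")
```

The reverse-zone case is the one most often missed: without `10.in-addr.arpa` (and the equivalent zones for 172.16/12 and 192.168/16) in the list, PTR lookups for private addresses leave the network and go to Umbrella, which cannot answer them.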