Unprotected and Unencrypted
When a Cisco Umbrella Roaming Client goes into Unprotected/Unencrypted mode, the tray icon (Windows) or menu bar icon (OS X) turns yellow. Click the icon and the status shows as both Unprotected and Unencrypted.
Details
As outlined in our Roaming Client Prerequisites article, in order to provide security and content filtering, the Umbrella Roaming Client must be able to communicate with Umbrella via one of the following ports for both UDP and TCP, in addition to the HTTP destinations in the Prerequisites article:
Port | Protocol | IPv4 | IPv6 |
53 | UDP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
53 | TCP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
443 | UDP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
443 | TCP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
The Umbrella Roaming Client will be unable to protect the computer if both of the following are true:
- The computer is behind a connection which does not allow third-party DNS requests.
- The computer is behind a connection which has a default deny outbound firewall policy.
The Umbrella Roaming Client will restore the DHCP-delegated DNS servers to your network connection properties, and keep testing until it can again contact our DNS servers and begin providing security and content filtering. However, while it cannot communicate with Umbrella DNS servers, neither policy enforcement nor reporting is available.
Testing
You can test to make sure this is the case by manually performing a DNS query against Umbrella DNS servers. If your network is not allowing you to query Umbrella DNS servers (and likely any other third-party DNS providers), it will look like this:
$ nslookup opendns.com 208.67.222.222
;; connection timed out; no servers could be reached
If you receive a successful response from this test and your Umbrella Roaming Client still reports "Unprotected/Unencrypted", please open a support ticket and provide the results of a Diagnostic Test. This is how a successful test appears:
$ nslookup opendns.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: opendns.com
Unencrypted Only
If your Umbrella Roaming Client reports that it is Unencrypted, it cannot communicate with us over port 443/UDP. We recommend allowing this port in your corporate or home firewall for security reasons, but the Umbrella Roaming Client still works when it cannot encrypt DNS queries. Refer to our Roaming Client Prerequisites article for more information.
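The nslookup test above only covers 53/UDP. The following added example (not Cisco's code or the client's own logic) goes further and probes every port/protocol row of the table, then maps the result to the state this article describes. It assumes the resolvers answer a plain DNS query on each listed port, so a port that accepts only encrypted traffic would show as blocked; the "Encrypted" label and all function names are this example's own.

```python
import socket
import struct

# IPv4 resolvers and port/protocol rows taken from the table in this article.
RESOLVERS = ["208.67.222.222", "208.67.220.220"]
PROBES = [(53, "udp"), (53, "tcp"), (443, "udp"), (443, "tcp")]

def build_query(name, qid=0x1234):
    """Minimal DNS A query: header (RD set, one question), QNAME, QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_answer(data, qid=0x1234):
    """True if data is a DNS response (QR bit set) that echoes our query ID."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == qid and bool(flags & 0x8000)

def probe(server, port, proto, name="opendns.com", timeout=3.0):
    """Send one query; a timeout or any socket error counts as blocked."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                return is_answer(s.recvfrom(4096)[0])
        with socket.create_connection((server, port), timeout=timeout) as s:
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(struct.pack("!H", len(query)) + query)
            return is_answer(s.recv(4096)[2:])
    except OSError:
        return False

def expected_state(results):
    """Map {(port, proto): reachable} to the state described in this article."""
    if not any(results.values()):
        return "Unprotected and Unencrypted"  # no listed port gets through
    if not results.get((443, "udp"), False):
        return "Unencrypted Only"             # protected, but 443/UDP is blocked
    return "Encrypted"                        # this example's label for the normal state

if __name__ == "__main__":
    results = {p: any(probe(r, *p) for r in RESOLVERS) for p in PROBES}
    for (port, proto), ok in results.items():
        print(f"{port}/{proto}: {'reachable' if ok else 'blocked'}")
    print("Expected client state:", expected_state(results))
```

Run it from the affected network; if it reports a reachable state while the client still shows Unprotected/Unencrypted, that is the case where the article asks for a support ticket with Diagnostic Test results.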
Want to learn more? Check out our tutorial: Roaming Client Troubleshooting