This article contains recommended firewall exclusions to ensure the Windows Network Connectivity Status Indicator test works properly when deploying Umbrella Secure Web Gateway.
This article primarily applies to AnyConnect based deployments of SIG. If the exclusions are not in place this may cause Windows to incorrectly display a "No Internet Access" or "Limited Connectivity" status.
This is primarily a cosmetic issue, in the sense that the client machine does still have full internet connectivity. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive may not even attempt to connect when this “No Internet Access” warning is displayed.
If Direct Internet Acess is not normally possible, we recommend to allow direct access (TCP port 80) to the IP addresses associated with these domains:
These tests may happen before the AnyConnect SWG module is available, and it cannot be guaranteed that this traffic is proxied by Umbrella. Therefore, direct internet access should be made available for these tests.
For other deployment methods, the following domains should be allowed in your web policies:
Adding these domains to the External domains list (found under Domain Management) will ensure the domains bypass Umbrella's Secure Web Gateway. External domains can be applied to both PAC file and the AnyConnect SWG module.