Overview
This article contains recommended firewall exclusions to ensure the Windows Network Connectivity Status Indicator test works properly when deploying Umbrella Secure Web Gateway.
This article primarily applies to AnyConnect-based deployments of SIG. If the exclusions are not in place, Windows may incorrectly display a "No Internet Access" or "Limited Connectivity" status.
Impact
This is primarily a cosmetic issue, in the sense that the client machine does still have full internet connectivity. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive may not even attempt to connect when this “No Internet Access” warning is displayed.
AnyConnect Recommendations
If direct internet access is not normally possible, we recommend allowing direct access (TCP port 80) to the IP addresses associated with these domains:
- www.msftconnecttest.com
- www.msftncsi.com
These tests may happen before the AnyConnect SWG module is available, and it cannot be guaranteed that this traffic is proxied by Umbrella. Therefore, direct internet access should be made available for these tests.
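To confirm that the firewall exclusion is effective, the following added example (not part of the original article or Cisco's tooling) opens a raw TCP port 80 connection to each domain's resolved IP address, bypassing any system proxy, and checks the probe response. The function name `Test-NcsiDirect` is hypothetical, and the probe paths and expected bodies are the Windows default NCSI values, which the article does not state.

```powershell
# Added example: verify direct TCP/80 reachability of the NCSI probe hosts.
# Probe paths and expected bodies are the Windows default NCSI values (assumption, not from the article).
$probes = @(
    @{ HostName = 'www.msftconnecttest.com'; Path = '/connecttest.txt'; Expect = 'Microsoft Connect Test' },
    @{ HostName = 'www.msftncsi.com';        Path = '/ncsi.txt';        Expect = 'Microsoft NCSI' }
)

function Test-NcsiDirect {
    param([string]$HostName, [string]$Path, [string]$Expect, [int]$TimeoutMs = 5000)
    $result = [ordered]@{ Host = $HostName; Address = $null; TcpOpen = $false; BodyMatches = $false; Note = '' }
    try {
        # Resolve locally and connect to the IP, so no proxy setting can carry the request.
        $ip = [System.Net.Dns]::GetHostAddresses($HostName) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if (-not $ip) { throw 'no IPv4 address returned' }
        $result.Address = $ip.ToString()

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ip, 80, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP 80 connect timed out' }
            $client.EndConnect($async)
            $result.TcpOpen = $true

            # Send the same plain-HTTP request the connectivity test relies on.
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $request = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
            $bytes = [Text.Encoding]::ASCII.GetBytes($request)
            $stream.Write($bytes, 0, $bytes.Length)

            $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
            $response = $reader.ReadToEnd()
            $head, $body = $response -split "`r`n`r`n", 2
            # A block page or captive portal answers on port 80 but not with the probe text.
            $result.BodyMatches = ($head -match '^HTTP/1\.[01] 200') -and ($body -like "*$Expect*")
            if (-not $result.BodyMatches) { $result.Note = 'unexpected response (intercepted or blocked?)' }
        } finally {
            $client.Close()
        }
    } catch {
        $result.Note = $_.Exception.Message
    }
    [pscustomobject]$result
}

foreach ($p in $probes) { Test-NcsiDirect @p }
```

`TcpOpen = False` points at a firewall rule still blocking port 80, while `TcpOpen = True` with `BodyMatches = False` suggests something in the path is answering in place of the probe host.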
Other Recommendations
For other deployment methods, the following domains should be allowed in your web policies:
- www.msftconnecttest.com
- www.msftncsi.com
Adding these domains to the External domains list (found under Domain Management) will ensure the domains bypass Umbrella's Secure Web Gateway. External domains can be applied to both the PAC file and the AnyConnect SWG module.