Network Requirements for Secure Access
This document describes the network configurations that support connections to the Secure Access cloud services and other Secure Access services and applications.
For user devices, applications, and network devices to interact with the Secure Access services, an administrator must allow connections from their organization's networks and devices to the Secure Access services. You may have to bypass domains for the Secure Access cloud services and identity provider (IdP) services on the Secure Access secure web gateway (SWG) and configure other device or network settings.
Table of Contents
- Secure Access DNS Resolvers
- Secure Access Encrypted DNS Queries
- Secure Access DNS – Block Pages
- Secure Access DNS and Web – Client Configuration Services
- Secure Access DNS and Web – Client Sync Services
- Secure Access DNS and Web – Client Certificate Revocation Services
- Cisco Secure Client and Captive Portal Detection
- Cisco Secure Client and Device Host Names
- TLS Protocol Requirements
- Secure Access Secure Web Gateway Services
- Secure Access Realtime DLP Secure ICAP
- Secure Access SaaS Tenants
- Secure Access SAML Gateway Services
- Secure Access SAML Identity Provider Domains
- Secure Access SAML Gateway Client Certificate Revocation Services
- Secure Access VPN Services
- Secure Access VPN Client Certificate Revocation Services
- Secure Access Zero Trust Client-Based Enrollment Services
- Secure Access Zero Trust Client-Based Proxy Services
- Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
- Secure Access Zero Trust Proxy Services – Unmanaged Devices
- Secure Access Resource Connectors
Secure Access DNS Resolvers
Required by applications or devices connecting to the Secure Access DNS resolvers, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).
IPv4 | IPv6 | Port/Protocol | Description |
---|---|---|---|
208.67.222.222 | 2620:119:35::35 | 53 TCP/UDP | Primary |
208.67.220.220 | 2620:119:53::53 | 53 TCP/UDP | Secondary |
208.67.222.220 | n/a | 53 TCP/UDP | Tertiary |
208.67.220.222 | n/a | 53 TCP/UDP | Quaternary |
208.67.221.76 | 2620:119:17::76 | 53 TCP/UDP | USA only Primary (For more information, see Best Practices.) |
208.67.223.76 | 2620:119:76::76 | 53 TCP/UDP | USA only Secondary (For more information, see Best Practices.) |
208.67.222.64 | 2620:119:53::64 | 53 TCP/UDP | DNS64 Primary (For more information, see Best Practices.) |
208.67.220.64 | 2620:119:53::64 | 53 TCP/UDP | DNS64 Secondary (For more information, see Best Practices.) |
Best Practices
You can use either IPv4 or IPv6 DNS addresses as your primary and secondary DNS servers. Enter both addresses; do not use the same IP address twice. If your router requires a third or fourth DNS server setting, you can use 208.67.220.222 and 208.67.222.220, or 2620:119:35::35 and 2620:119:53::53, as the third and fourth entries respectively.
DNS64 (RFC 6147) is meant for single-stack IPv6 networks. This is to help with IPv4 to IPv6 transitions. If you are using Secure Access DNS on devices without IPv4 access, these resolvers will synthesize records that can reach those destinations through a NAT64 gateway using the Well-Known Prefix. See details: https://datatracker.ietf.org/doc/html/rfc6147
North America (USA-only) DNS resolvers guarantee only that DNS queries are resolved by a USA-based Secure Access data center. Block pages use global Anycast and may go to any data center, including one located outside of the USA.
Several systems allow you to specify multiple DNS servers. We recommend that you only use the Cisco Secure Access servers and do not include any other DNS servers.
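The DNS64 behaviour described above can be checked without any network access, because the synthesis rule is purely arithmetic: the resolver embeds the IPv4 address from the A record in the low 32 bits of the RFC 6052 Well-Known Prefix 64:ff9b::/96. The following Python is an added example, not code from this page or from Cisco; it reproduces that mapping so an operator can tell a synthesized AAAA answer from a native one when auditing resolver output. The page's primary resolver address is used as the constructed sample input.

```python
import ipaddress
from typing import Optional

# RFC 6052 Well-Known Prefix used by DNS64/NAT64 (64:ff9b::/96).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str) -> str:
    """Return the IPv6 address a DNS64 resolver synthesizes for an A record.

    The IPv4 address is embedded in the low 32 bits of the Well-Known Prefix,
    as RFC 6052 section 2.1 specifies for a /96 prefix. Non-global IPv4
    addresses (RFC 1918, loopback, link-local, ...) must not be mapped with
    the WKP (RFC 6052 section 3.1), so they are rejected here.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{ipv4} is not a global IPv4 address; WKP synthesis refused")
    v6_int = int(WELL_KNOWN_PREFIX.network_address) | int(v4)
    return str(ipaddress.IPv6Address(v6_int))


def extract_ipv4(ipv6: str) -> Optional[str]:
    """Recover the embedded IPv4 address from a WKP-synthesized AAAA record,
    or return None when the address is not inside the Well-Known Prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in WELL_KNOWN_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def is_synthesized(ipv6: str) -> bool:
    """True when an AAAA answer was synthesized by DNS64 (WKP) rather than
    being a native IPv6 record; useful when auditing resolver behaviour."""
    return ipaddress.IPv6Address(ipv6) in WELL_KNOWN_PREFIX


if __name__ == "__main__":
    # Constructed sample: the page's primary IPv4 resolver as an A record answer.
    aaaa = synthesize_aaaa("208.67.222.222")
    print(aaaa, "->", extract_ipv4(aaaa))
```

A destination whose AAAA answer falls inside 64:ff9b::/96 is reachable only through a NAT64 gateway; a native AAAA answer (such as the resolver's own 2620:119:35::35) is not synthesized and needs no translation.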
Cisco Secure Client
The Cisco Secure Client Umbrella Roaming Security module uses standard DNS ports 53/UDP and 53/TCP to communicate with Secure Access. If you explicitly block access to third-party DNS servers on your corporate or home network, you must allow certain CIDRs on the ports and protocols in your firewall.
In circumstances where third-party DNS servers are blocked, the Cisco Secure Client Umbrella Roaming Security module transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.
Cisco Secure Client and External DNS Resolution
In normal circumstances, the Cisco Secure Client Umbrella Roaming Security module functions only on networks where external DNS resolution exists. The Cisco Secure Client Umbrella Roaming Security module cannot function if DNS connectivity is broken or blocked on the local network.
For the Cisco Secure Client Umbrella Roaming Security module to enable DNS-layer protection, the local DNS server must be able to resolve the following external DNS names. You must allow recursive DNS queries to the following domains on the local DNS server:
- disthost.umbrella.com
- api.opendns.com
- crl3.digicert.com
- crl4.digicert.com
- ocsp.digicert.com
- debug.opendns.com - This domain can receive a response to a TXT record query. The Cisco DNS resolvers must answer this DNS request.
Note: NXDOMAIN is accepted; however, timeouts may delay or prevent Secure Access DNS-layer security protection on the network interface where this domain query times out.
Secure Access Encrypted DNS Queries
Required by applications or devices connecting to the Secure Access DNS resolvers, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).
The Cisco Secure Client Umbrella Roaming Security module supports encrypting the DNS queries it sends to Secure Access on port 443 over TCP or UDP. If you want to ensure that encryption is enabled and your firewall uses a default-deny ruleset, allow the following CIDRs on the listed ports and protocols in your firewall.
Note: The Cisco Secure Client Umbrella Roaming Security module automatically encrypts DNS queries when it senses that 443/UDP is open.
IPv4 | IPv6 | Port/Protocol | Description |
---|---|---|---|
208.67.222.222 | 2620:119:35::35 | 443 TCP/UDP | Primary |
208.67.220.220 | 2620:119:53::53 | 443 TCP/UDP | Secondary |
Secure Access DNS – Block Pages
Required by applications or devices connecting to the Secure Access DNS-layer security, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).
We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access DNS Block Page services.
IP | Ports/Protocol |
---|---|
67.215.64.0/19 | 80/443 TCP |
146.112.0.0/16 | 80/443 TCP |
155.190.0.0/16 | 80/443 TCP |
185.60.84.0/22 | 80/443 TCP |
204.194.232.0/21 | 80/443 TCP |
208.67.216.0/21 | 80/443 TCP |
208.69.32.0/21 | 80/443 TCP |
Secure Access DNS and Web – Client Configuration Services
Required by applications or devices connecting to the Secure Access DNS-layer security, including the Secure Access Active Directory (AD) Connector and Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security and Web).
We recommend that you allow all traffic on port 443 over TCP for the Secure Access Client Configuration services.
Domains | Port/Protocol | Description |
---|---|---|
api.opendns.com | 443/TCP | Configuration |
The Cisco Secure Client Umbrella Roaming Security module uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with Secure Access for the following uses:
- Initial registration of the Cisco Secure Client Umbrella Roaming Security module upon installation.
- Checking for new versions of the Cisco Secure Client Umbrella Roaming Security module.
- Reporting the status of Cisco Secure Client Umbrella Roaming Security module to Secure Access.
- Checking for new internal domains.
IP Ranges | Ports | Protocol |
---|---|---|
146.112.0.0/16 | 80/443 | TCP |
155.190.0.0/16 | 80/443 | TCP |
Windows Only
If you utilize an HTTP proxy that is configured at the user level (normally using GPO), make sure the SYSTEM user is also configured to use the proxy.
Secure Access DNS and Web – Client Sync Services
Required by devices or applications that are protected by Secure Access DNS or Web security. Includes Cisco Secure Client deployments with the Umbrella Roaming Security module.
Domains | IP Ranges | Port/Protocol | Description |
---|---|---|---|
sync.hydra.opendns.com | 146.112.63.3 - 146.112.63.9, 146.112.63.11 - 146.112.63.13 | 443/TCP | Syncing data |
The sync.hydra.opendns.com domain resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend that you add this entire range. The IP addresses for sync.hydra.opendns.com are Anycast and may change.
Secure Access DNS and Web – Client Certificate Revocation Services
Required by devices or applications that are protected by Secure Access DNS or Web security. Includes the Secure Access Active Directory (AD) Connector and Cisco Secure Client deployments with the Umbrella Roaming Security module.
Domains | IP | Port/Protocol | Description |
---|---|---|---|
crl3.digicert.com | 72.21.91.29 | 80/TCP | CRL |
crl4.digicert.com | 117.18.237.29 | 80/TCP | CRL |
ocsp.digicert.com | 93.184.220.29 | 80/TCP | OCSP |
Cisco Secure Client and Captive Portal Detection
The Cisco Secure Client Umbrella Roaming Security module uses multiple techniques to detect captive portals or hotspots. Allow these domains on your firewall for the most accurate captive portal detection:
- connecttest.cisco.io
- www.msftconnecttest.com
Cisco Secure Client and Device Host Names
The Cisco Secure Client Umbrella Roaming Security module uses hostnames to register the device in Secure Access. All machines must have a hostname that is unique within your organization.
Transport Layer Security Protocol Requirements
This section describes the Transport Layer Security (TLS) protocol requirements for connecting to Secure Access.
Ensure that the operating systems of the devices in the organization support at a minimum TLS 1.2. The TLS 1.0 and TLS 1.1 protocols contain security vulnerabilities and do not support modern cryptographic algorithms.
TLS 1.2 Support in Windows
We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.
The latest version of the Cisco Secure Client Umbrella Roaming Security module uses TLS 1.2. Ensure that you have a compatible version of .NET installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5).
TLS 1.2 Support in macOS
The Cisco Secure Client Umbrella Roaming Security module for macOS uses TLS 1.2.
Secure Access Secure Web Gateway Services
Required by the Secure Access Network Tunnel and PAC file deployments, and Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules.
Egress IP Addresses for the Secure Web Gateway
All public web traffic through the SWG egresses from NAT as a Service (NATaaS) using public addresses from the shared ranges listed under Web Traffic and NAT as a Service.
Ingress IP Addresses for the Secure Web Gateway
To enable connections to the Secure Access Secure Web Gateway, allow the following CIDRs in your firewalls on ports 80 and 443 over TCP.
Asia
Asia Pacific (Hong Kong) | Asia Pacific (Osaka) | Asia Pacific (Singapore) | India (South) | India (West) | Indonesia (Jakarta) | Israel | Japan (Tokyo) | Middle East (UAE) |
---|---|---|---|---|---|---|---|---|
16.162.156.15 | 13.208.132.179 | 13.214.98.31 | 18.60.194.164 | 13.126.152.179 | 108.136.187.213 | 51.16.148.190 | 18.176.125.195 | 3.28.30.234 |
16.162.214.98 | 13.208.52.205 | 13.215.125.242 | 18.60.248.246 | 13.126.229.165 | 108.137.175.7 | 51.16.195.201 | 18.177.180.173 | 3.29.10.20 |
16.163.136.232 | 13.208.71.239 | 13.228.35.51 | 18.60.35.221 | 13.127.162.151 | 16.78.15.57 | 51.16.196.219 | 18.178.72.165 | 3.29.120.102 |
18.162.198.132 | 15.152.126.67 | 18.136.254.192 | 18.60.94.51 | 13.127.38.154 | 43.218.195.124 | 51.16.224.73 | 18.179.18.63 | 3.29.251.187 |
18.162.206.128 | 15.152.137.233 | 18.139.251.40 | 18.61.109.18 | 13.200.185.159 | 43.218.196.146 | 51.17.10.222 | 18.181.113.214 | 3.29.38.214 |
18.163.169.209 | 15.152.182.240 | 18.142.126.162 | 18.61.192.168 | 13.200.201.134 | 43.218.238.209 | 51.17.102.144 | 18.181.45.60 | 3.29.45.234 |
18.163.248.233 | 15.152.189.225 | 18.142.33.94 | 18.61.218.23 | 13.200.232.199 | 43.218.252.55 | 51.17.117.216 | 3.113.110.233 | 40.172.32.63 |
18.163.42.219 | 15.152.239.183 | 18.142.74.94 | 18.61.222.116 | 13.232.69.203 | 43.218.253.33 | 51.17.125.59 | 3.114.181.43 | 40.172.44.109 |
18.166.14.134 | 15.168.104.82 | 18.143.9.34 | 18.61.239.220 | 13.233.51.89 | 43.218.254.184 | 51.17.148.214 | 35.75.158.92 | 40.172.47.132 |
18.167.143.158 | 15.168.181.48 | 3.0.178.57 | 18.61.46.124 | 15.207.1.100 | 43.218.8.253 | 51.17.150.75 | 35.75.252.128 | 40.172.58.138 |
18.167.154.183 | 15.168.205.155 | 3.0.197.90 | 98.130.21.18 | 3.109.170.206 | 108.136.152.244 | 51.17.150.81 | 35.77.152.111 | 40.172.59.24 |
18.167.251.6 | 15.168.205.247 | 3.0.236.175 | 98.130.23.174 | 3.109.91.124 | 108.137.117.124 | 51.17.153.18 | 35.78.39.17 | 40.172.64.122 |
18.167.40.135 | 15.168.208.192 | 3.0.39.255 | 98.130.27.157 | 3.111.127.158 | 108.137.143.159 | 51.17.173.27 | 52.192.121.95 | 40.172.67.216 |
18.167.45.52 | 15.168.220.15 | 3.1.174.140 | 98.130.31.27 | 3.111.174.227 | 16.78.12.144 | 51.17.178.175 | 52.193.133.13 | 40.172.68.53 |
18.167.49.16 | 15.168.224.29 | 47.128.172.134 | 98.130.38.229 | 3.111.73.187 | 43.218.210.218 | 51.17.181.142 | 52.194.109.230 | 40.172.74.42 |
43.198.145.86 | 15.168.225.141 | 47.128.191.7 | 98.130.39.60 | 3.6.110.13 | 43.218.214.88 | 51.17.198.69 | 52.69.214.33 | 40.172.75.235 |
43.198.200.190 | 15.168.36.169 | 52.74.119.66 | 98.130.75.29 | 65.0.112.175 | 43.218.230.129 | 51.17.200.93 | 54.95.128.80 | 40.172.82.196 |
43.198.213.27 | 15.168.42.247 | 52.74.87.15 | 98.130.76.179 | 65.1.188.156 | 43.218.248.115 | 51.17.57.22 | 57.180.203.125 | 51.112.58.162 |
43.198.65.196 | 15.168.79.33 | 52.76.130.198 | 98.130.77.91 | 65.1.87.105 | 43.218.248.217 | 51.17.67.196 | 57.180.88.2 | 51.112.85.49 |
43.199.5.8 | 15.168.88.51 | 54.179.86.196 | 98.130.80.125 | 65.2.65.37 | 43.218.252.86 | 51.17.71.123 | 57.181.86.151 | 51.112.87.103 |
Australia
Sydney |
---|
13.211.119.9 |
13.238.112.208 |
13.238.122.162 |
13.238.158.129 |
13.239.130.15 |
3.104.178.82 |
3.105.203.162 |
3.24.10.19 |
3.24.192.45 |
52.63.52.169 |
52.63.79.187 |
52.64.149.5 |
52.64.188.53 |
52.65.120.79 |
54.153.137.67 |
54.253.200.7 |
54.253.204.43 |
54.253.254.54 |
54.66.46.188 |
54.79.82.178 |
Europe
Germany | Stockholm | Switzerland (Zurich) | United Kingdom |
---|---|---|---|
18.153.111.87 | 13.48.0.216 | 16.62.10.95 | 13.42.241.158 |
18.153.141.55 | 13.48.163.57 | 16.63.1.64 | 18.135.112.200 |
18.153.182.82 | 13.48.51.151 | 16.63.119.220 | 18.168.160.22 |
18.153.211.50 | 13.49.210.230 | 16.63.146.151 | 18.168.223.23 |
18.153.226.161 | 13.49.82.243 | 16.63.191.113 | 18.169.141.252 |
18.197.243.109 | 13.49.99.155 | 16.63.241.246 | 18.170.109.89 |
18.198.182.51 | 13.50.188.96 | 16.63.248.194 | 18.170.162.124 |
18.199.59.8 | 13.50.219.204 | 16.63.50.209 | 18.170.245.252 |
3.120.17.186 | 13.50.60.146 | 16.63.81.145 | 18.171.14.50 |
3.125.254.147 | 13.50.82.81 | 51.96.4.88 | 3.11.157.254 |
3.66.137.143 | 13.51.227.10 | 16.62.175.191 | 3.11.225.126 |
3.67.16.210 | 13.60.111.239 | 16.62.234.167 | 3.8.14.231 |
3.67.28.205 | 16.16.140.11 | 16.63.143.46 | 3.9.163.167 |
3.71.158.156 | 16.16.181.111 | 16.63.184.108 | 35.176.186.56 |
3.74.137.87 | 16.170.127.220 | 16.63.216.64 | 35.177.223.97 |
35.158.253.14 | 16.170.176.42 | 16.63.224.127 | 35.177.252.178 |
35.158.50.0 | 16.171.77.186 | 16.63.230.1 | 35.178.14.215 |
52.29.71.12 | 51.21.138.79 | 16.63.236.61 | 35.178.147.15 |
52.58.11.21 | 51.21.34.233 | 16.63.246.9 | 35.178.164.29 |
52.58.217.77 | 51.21.83.189 | 16.63.250.231 | 35.178.223.106 |
North America
Canada (Central) | US (Pacific Northwest) | US (Virginia) |
---|---|---|
15.156.225.124 | 100.20.55.128 | 18.207.48.91 |
15.157.147.102 | 34.210.182.194 | 3.208.132.58 |
15.157.151.0 | 34.211.133.49 | 3.220.27.92 |
15.157.153.35 | 35.163.230.204 | 3.224.76.22 |
3.98.225.135 | 35.167.192.160 | 3.229.59.4 |
3.98.254.97 | 35.82.37.34 | 3.229.98.228 |
3.99.84.120 | 44.226.181.121 | 34.199.204.168 |
3.99.95.71 | 44.227.223.79 | 34.234.106.45 |
35.183.163.199 | 44.227.59.253 | 35.171.156.209 |
52.60.79.39 | 44.228.41.46 | 44.205.38.30 |
15.157.113.2 | 44.231.2.184 | 44.206.168.122 |
15.157.126.225 | 44.232.163.156 | 44.214.98.67 |
15.157.40.249 | 52.10.7.185 | 44.217.43.177 |
3.96.39.0 | 52.24.201.181 | 44.221.120.37 |
3.98.227.70 | 52.35.186.20 | 44.221.97.202 |
3.99.107.229 | 52.36.167.192 | 52.5.115.214 |
3.99.3.196 | 52.43.252.155 | 52.86.227.76 |
3.99.93.31 | 54.185.253.229 | 54.160.164.245 |
35.183.143.180 | 54.68.79.94 | 54.221.27.20 |
99.79.90.118 | 54.69.85.241 | 54.227.68.243 |
South America
Brazil |
---|
15.229.180.59 |
15.229.226.215 |
15.229.94.133 |
177.71.157.58 |
177.71.172.241 |
18.228.146.29 |
18.228.72.211 |
18.229.42.145 |
18.230.128.190 |
18.230.248.68 |
18.231.63.251 |
52.67.132.185 |
52.67.148.235 |
52.67.210.165 |
52.67.90.227 |
54.207.19.93 |
54.207.22.2 |
54.232.194.234 |
54.94.213.6 |
54.94.232.220 |
The same regional ingress IP addresses for the Secure Access Secure Web Gateway, in YAML form for copying:

```yaml
# Regional Cisco Secure Access Secure Web Gateway Ingress IPs
regions:
  Asia Pacific (Hong Kong):
    ips:
      - 16.162.156.15
      - 16.162.214.98
      - 16.163.136.232
      - 18.162.198.132
      - 18.162.206.128
      - 18.163.169.209
      - 18.163.248.233
      - 18.163.42.219
      - 18.166.14.134
      - 18.167.143.158
      - 18.167.154.183
      - 18.167.251.6
      - 18.167.40.135
      - 18.167.45.52
      - 18.167.49.16
      - 43.198.145.86
      - 43.198.200.190
      - 43.198.213.27
      - 43.198.65.196
      - 43.199.5.8
  Asia Pacific (Osaka):
    ips:
      - 13.208.132.179
      - 13.208.52.205
      - 13.208.71.239
      - 15.152.126.67
      - 15.152.137.233
      - 15.152.182.240
      - 15.152.189.225
      - 15.152.239.183
      - 15.168.104.82
      - 15.168.181.48
      - 15.168.205.155
      - 15.168.205.247
      - 15.168.208.192
      - 15.168.220.15
      - 15.168.224.29
      - 15.168.225.141
      - 15.168.36.169
      - 15.168.42.247
      - 15.168.79.33
  Australia (Sydney):
    ips:
      - 13.211.119.9
      - 13.238.112.208
      - 13.238.122.162
      - 13.238.158.129
      - 13.239.130.15
      - 3.104.178.82
      - 3.105.203.162
      - 3.24.10.19
      - 3.24.192.45
      - 52.63.52.169
      - 52.63.79.187
      - 52.64.149.5
      - 52.64.188.53
      - 52.65.120.79
      - 54.153.137.67
      - 54.253.200.7
      - 54.253.204.43
      - 54.253.254.54
      - 54.66.46.188
      - 54.79.82.178
  Brazil:
    ips:
      - 15.229.180.59
      - 15.229.226.215
      - 15.229.94.133
      - 177.71.157.58
      - 177.71.172.241
      - 18.228.146.29
      - 18.228.72.211
      - 18.229.42.145
      - 18.230.128.190
      - 18.230.248.68
      - 18.231.63.251
      - 52.67.132.185
      - 52.67.148.235
      - 52.67.210.165
      - 52.67.90.227
      - 54.207.19.93
      - 54.207.22.2
      - 54.232.194.234
      - 54.94.213.6
      - 54.94.232.220
  Canada (Central):
    ips:
      - 15.156.225.124
      - 15.157.147.102
      - 15.157.151.0
      - 15.157.153.35
      - 3.98.225.135
      - 3.98.254.97
      - 3.99.84.120
      - 3.99.95.71
      - 35.183.163.199
      - 52.60.79.39
      - 15.157.113.2
      - 15.157.126.225
      - 15.157.40.249
      - 3.96.39.0
      - 3.98.227.70
      - 3.99.107.229
      - 3.99.3.196
      - 3.99.93.31
      - 35.183.143.180
      - 99.79.90.118
  Europe (Stockholm):
    ips:
      - 13.48.0.216
      - 13.48.163.57
      - 13.48.51.151
      - 13.49.210.230
      - 13.49.82.243
      - 13.49.99.155
      - 13.50.188.96
      - 13.50.219.204
      - 13.50.60.146
      - 13.50.82.81
      - 13.51.227.10
      - 13.60.111.239
      - 16.16.140.11
      - 16.16.181.111
      - 16.170.127.220
      - 16.170.176.42
      - 16.171.77.186
      - 51.21.138.79
      - 51.21.34.233
      - 51.21.83.189
  Germany:
    ips:
      - 18.153.111.87
      - 18.153.141.55
      - 18.153.182.82
      - 18.153.211.50
      - 18.153.226.161
      - 18.197.243.109
      - 18.198.182.51
      - 18.199.59.8
      - 3.120.17.186
      - 3.125.254.147
      - 3.66.137.143
      - 3.67.16.210
      - 3.67.28.205
      - 3.71.158.156
      - 3.74.137.87
      - 35.158.253.14
      - 35.158.50.0
      - 52.29.71.12
      - 52.58.11.21
      - 52.58.217.77
  India (South):
    ips:
      - 18.60.194.164
      - 18.60.248.246
      - 18.60.35.221
      - 18.60.94.51
      - 18.61.109.18
      - 18.61.192.168
      - 18.61.218.23
      - 18.61.222.116
      - 18.61.239.220
      - 18.61.46.124
      - 98.130.21.18
      - 98.130.23.174
      - 98.130.27.157
      - 98.130.31.27
      - 98.130.38.229
      - 98.130.39.60
      - 98.130.75.29
      - 98.130.76.179
      - 98.130.77.91
      - 98.130.80.125
  India (West):
    ips:
      - 13.126.152.179
      - 13.126.229.165
      - 13.127.162.151
      - 13.127.38.154
      - 13.200.185.159
      - 13.200.201.134
      - 13.200.232.199
      - 13.232.69.203
      - 13.233.51.89
      - 15.207.1.100
      - 3.109.170.206
      - 3.109.91.124
      - 3.111.127.158
      - 3.111.174.227
      - 3.111.73.187
      - 3.6.110.13
      - 65.0.112.175
      - 65.1.188.156
      - 65.1.87.105
      - 65.2.65.37
  Indonesia (Jakarta):
    ips:
      - 108.136.187.213
      - 108.137.175.7
      - 16.78.15.57
      - 43.218.195.124
      - 43.218.196.146
      - 43.218.238.209
      - 43.218.252.55
      - 43.218.253.33
      - 43.218.254.184
      - 43.218.8.253
      - 108.136.152.244
      - 108.137.117.124
      - 108.137.143.159
      - 16.78.12.144
      - 43.218.210.218
      - 43.218.214.88
      - 43.218.230.129
      - 43.218.248.115
      - 43.218.248.217
      - 43.218.252.86
  Israel:
    ips:
      - 51.16.148.190
      - 51.16.195.201
      - 51.16.196.219
      - 51.16.224.73
      - 51.17.10.222
      - 51.17.102.144
      - 51.17.117.216
      - 51.17.125.59
      - 51.17.148.214
      - 51.17.150.75
      - 51.17.150.81
      - 51.17.153.18
      - 51.17.173.27
      - 51.17.178.175
      - 51.17.181.142
      - 51.17.198.69
      - 51.17.200.93
      - 51.17.57.22
      - 51.17.67.196
      - 51.17.71.123
  Japan (Tokyo):
    ips:
      - 18.176.125.195
      - 18.177.180.173
      - 18.178.72.165
      - 18.179.18.63
      - 18.181.113.214
      - 18.181.45.60
      - 3.113.110.233
      - 3.114.181.43
      - 35.75.158.92
      - 35.75.252.128
      - 35.77.152.111
      - 35.78.39.17
      - 52.192.121.95
      - 52.193.133.13
      - 52.194.109.230
      - 52.69.214.33
      - 54.95.128.80
      - 57.180.203.125
      - 57.180.88.2
      - 57.181.86.151
  Middle East (UAE):
    ips:
      - 3.28.30.234
      - 3.29.10.20
      - 3.29.120.102
      - 3.29.251.187
      - 3.29.38.214
      - 3.29.45.234
      - 40.172.32.63
      - 40.172.44.109
      - 40.172.47.132
      - 40.172.58.138
      - 40.172.59.24
      - 40.172.64.122
      - 40.172.67.216
      - 40.172.68.53
      - 40.172.74.42
      - 40.172.75.235
      - 40.172.82.196
      - 51.112.58.162
      - 51.112.85.49
      - 51.112.87.103
  Singapore:
    ips:
      - 13.214.98.31
      - 13.215.125.242
      - 13.228.35.51
      - 18.136.254.192
      - 18.139.251.40
      - 18.142.126.162
      - 18.142.33.94
      - 18.142.74.94
      - 18.143.9.34
      - 3.0.178.57
      - 3.0.197.90
      - 3.0.236.175
      - 3.0.39.255
      - 3.1.174.140
      - 47.128.172.134
      - 47.128.191.7
      - 52.74.119.66
      - 52.74.87.15
      - 52.76.130.198
      - 54.179.86.196
  Switzerland (Zurich):
    ips:
      - 16.62.10.95
      - 16.63.1.64
      - 16.63.119.220
      - 16.63.146.151
      - 16.63.191.113
      - 16.63.241.246
      - 16.63.248.194
      - 16.63.50.209
      - 16.63.81.145
      - 51.96.4.88
      - 16.62.175.191
      - 16.62.234.167
      - 16.63.143.46
      - 16.63.184.108
      - 16.63.216.64
      - 16.63.224.127
      - 16.63.230.1
      - 16.63.236.61
      - 16.63.246.9
      - 16.63.250.231
  United Kingdom:
    ips:
      - 13.42.241.158
      - 18.135.112.200
      - 18.168.160.22
      - 18.168.223.23
      - 18.169.141.252
      - 18.170.109.89
      - 18.170.162.124
      - 18.170.245.252
      - 18.171.14.50
      - 3.11.157.254
      - 3.11.225.126
      - 3.8.14.231
      - 3.9.163.167
      - 35.176.186.56
      - 35.177.223.97
      - 35.177.252.178
      - 35.178.14.215
      - 35.178.147.15
      - 35.178.164.29
      - 35.178.223.106
  US (Pacific Northwest):
    ips:
      - 100.20.55.128
      - 34.210.182.194
      - 34.211.133.49
      - 35.163.230.204
      - 35.167.192.160
      - 35.82.37.34
      - 44.226.181.121
      - 44.227.223.79
      - 44.227.59.253
      - 44.228.41.46
      - 44.231.2.184
      - 44.232.163.156
      - 52.10.7.185
      - 52.24.201.181
      - 52.35.186.20
      - 52.36.167.192
      - 52.43.252.155
      - 54.185.253.229
      - 54.68.79.94
      - 54.69.85.241
  US (Virginia):
    ips:
      - 18.207.48.91
      - 3.208.132.58
      - 3.220.27.92
      - 3.224.76.22
      - 3.229.59.4
      - 3.229.98.228
      - 34.199.204.168
      - 34.234.106.45
      - 35.171.156.209
      - 44.205.38.30
      - 44.206.168.122
      - 44.214.98.67
      - 44.217.43.177
      - 44.221.120.37
      - 44.221.97.202
      - 52.5.115.214
      - 52.86.227.76
      - 54.160.164.245
      - 54.221.27.20
      - 54.227.68.243
```
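The block page ranges, the client sync address ranges and the SWG ingress addresses above are all written in different notations (CIDRs, hyphenated ranges and single hosts), which makes it easy to miss one when checking a firewall allowlist. The following Python is an added example, not code from this page or from Cisco: it normalizes every entry to CIDR form with the standard `ipaddress` module and reports which required entries no allowlist rule covers. The required entries are copied from this page; the allowlist is a constructed sample that deliberately omits one Hong Kong ingress address.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def parse_endpoint(text: str) -> List[Net]:
    """Turn one entry as written in the requirements tables into CIDR networks.

    Accepts a single address ("16.162.156.15"), a CIDR ("146.112.0.0/16") or a
    hyphenated range ("146.112.63.3 - 146.112.63.9"); a range is split into the
    minimal set of CIDRs that cover exactly those addresses.
    """
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(text, strict=False)]


def uncovered(required: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return the required entries (as CIDRs) that no allowlist rule covers.

    A required network counts as covered only when one allow rule contains it
    entirely, so a required /19 is not satisfied by an allow rule for a /24
    inside it.
    """
    allowed = [ipaddress.IPv4Network(a, strict=False) for a in allowlist]
    missing = []
    for entry in required:
        for net in parse_endpoint(entry):
            if not any(net.subnet_of(rule) for rule in allowed):
                missing.append(str(net))
    return missing


# Entries taken from this page: client sync ranges, one block page CIDR and
# two Asia Pacific (Hong Kong) SWG ingress addresses.
REQUIRED_ENDPOINTS = [
    "146.112.63.3 - 146.112.63.9",
    "146.112.63.11 - 146.112.63.13",
    "67.215.64.0/19",
    "16.162.156.15",
    "18.162.198.132",
]

# Constructed sample allowlist; it covers everything except 16.162.156.15.
ALLOWLIST = ["146.112.0.0/16", "67.215.64.0/19", "18.162.198.132/32"]


if __name__ == "__main__":
    for cidr in uncovered(REQUIRED_ENDPOINTS, ALLOWLIST):
        print("not covered by any allow rule:", cidr)
```

Because the sync addresses are Anycast and may change, running the check with the page's recommended 146.112.63.0/24 in the allowlist (rather than the individual hosts) is the safer configuration; the checker passes either way, but only the /24 survives an address change.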
Secure Access Realtime DLP Secure ICAP
If you use ICAP to integrate Secure Access Realtime DLP with your on-premises DLP, we recommend that you allow only the following IP addresses in your firewall, to prevent abuse of the API connection:
- 50.18.191.74
- 54.153.85.86
- 54.90.48.200
- 3.234.7.118
Secure Access SaaS Tenants
Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) and Umbrella Roaming Security modules, or Secure Access PAC file deployments.
The Cisco Secure Client uses HTTPS to communicate with the Secure Web Gateway proxy services.
Microsoft 365
Microsoft 365 traffic is sent directly to the Secure Access secure web gateway (SWG) for these deployment methods:
- VPN and Network Tunnels established on a network device
- Cisco Secure Client with the VPN and Umbrella Roaming Security modules
- Secure Access PAC file
To stop network traffic from connecting to the Secure Access SWG, add External Domain entries manually or route the traffic directly to the internet from your connecting devices.
If your organization's firewall rules block third-party applications, allow the following IP addresses:
- 52.73.52.135
- 52.71.142.118
- 52.40.204.69
- 52.35.119.173
- 52.27.150.153
Secure Access SAML Gateway Services
Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules and Secure Access integrations with SAML identity providers (IdPs).
You must deploy either a Network Tunnel or PAC file in your organization to connect user devices to the Secure Access Secure Web Gateway (SWG).
We recommend that you allow all traffic on port 443 over TCP for the Secure Access SAML Gateway services domains.
Unless noted, send id.sse.cisco.com requests to the SWG, not directly to the internet.
Domain | Port/Protocol | Description |
---|---|---|
saml.fg.id.sse.cisco.com | 443 TCP | Secure Access SAML Gateway |
*.fg.id.sse.cisco.com | 443 TCP | Secure Access SAML Gateway (multiple entity IDs) |
Active Directory Federation Service SAML Identity Provider
- If your organization integrates with SAML Active Directory Federation Service (AD FS) identity provider (IdP), we recommend that you bypass web traffic to *.id.sse.cisco.com on the Secure Access secure web gateway (SWG).
Secure Access SAML Identity Provider Domains
Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules, and Secure Access integrations with SAML identity providers (IdPs).
To enable connections to your SAML identity providers (IdPs), allow the following domains in your firewalls on ports 80 and 443 over TCP. Ensure that traffic to your SAML IdP is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.
Domain | Ports/Protocols |
---|---|
ocsp.int-x3.letsencrypt.org | 80/443 TCP |
isrg.trustid.ocsp.identrust.com | 80/443 TCP |
*.cisco.com | 80/443 TCP |
*.opendns.com | 80/443 TCP |
*.umbrella.com | 80/443 TCP |
*.sse.com | 80/443 TCP |
*.okta.com | 80/443 TCP |
*.pingidentity.com | 80/443 TCP |
secure.aadcdn.microsoftonline-p.com | 80/443 TCP |
Azure AD SAML Identity Provider
To exclude Azure AD SAML Identity Provider domains from Secure Access SSL Decryption, add the following domain names to your list of bypassed domains.
Domain | Port/Protocol |
---|---|
login.live.com | 80/443 TCP |
login.microsoftonline.com | 80/443 TCP |
msauth.net | 80/443 TCP |
msftauth.net | 80/443 TCP |
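The SAML IdP and Azure AD tables above mix wildcard entries (`*.okta.com`) with bare domains (`msauth.net`), and a bypass list that is matched by plain substring comparison can both miss legitimate IdP hosts (causing the authentication loop mentioned above) and match look-alike names that merely end in the same characters. The following Python is an added example, not code from this page or from Cisco, and the matching semantics are an assumption rather than a description of how Secure Access evaluates its bypass list: a `*.` entry matches any host at least one label below it, and a bare entry matches the apex and its subdomains, with comparison done on whole DNS labels.

```python
from typing import Iterable, Optional


def _normalize(hostname: str) -> str:
    # Hostnames are case-insensitive and a trailing dot denotes the DNS root.
    return hostname.strip().rstrip(".").lower()


def matches_bypass(hostname: str, entry: str) -> bool:
    """Decide whether a hostname falls under one bypass-list entry.

    Assumed semantics (not taken from the page): "*.example.com" matches any
    host at least one label below example.com, and a bare "example.com"
    matches the apex and every subdomain. Matching is on whole DNS labels, so
    "login.microsoftonline.com.evil.test" never matches the Microsoft entry
    and "notmsauth.net" never matches "msauth.net".
    """
    host = _normalize(hostname)
    pattern = _normalize(entry)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern or host.endswith("." + pattern)


def bypass_entry_for(hostname: str, entries: Iterable[str]) -> Optional[str]:
    """Return the first bypass entry that covers the hostname, or None when the
    request should go through the SWG."""
    for entry in entries:
        if matches_bypass(hostname, entry):
            return entry
    return None


# Bypass entries taken from the SAML IdP, AD FS and Azure AD sections of this page.
BYPASS_ENTRIES = [
    "*.okta.com",
    "*.pingidentity.com",
    "*.id.sse.cisco.com",
    "login.live.com",
    "login.microsoftonline.com",
    "msauth.net",
    "msftauth.net",
]


if __name__ == "__main__":
    # Constructed sample hostnames; the last two are look-alikes that must not match.
    for name in ["acme.okta.com", "aadcdn.msauth.net", "saml.fg.id.sse.cisco.com",
                 "login.microsoftonline.com.evil.test", "notmsauth.net"]:
        print(f"{name:40} -> {bypass_entry_for(name, BYPASS_ENTRIES)}")
```

If your SWG treats a bare entry as exact-match only, change the last line of `matches_bypass` to `return host == pattern`; the look-alike tests still hold either way, which is the property worth keeping.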
Secure Access SAML Gateway Client Certificate Revocation Services
Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules, and Secure Access integrations with SAML identity providers (IdPs).
We recommend that you allow all traffic on port 80 over TCP for the Secure Access SAML Gateway Client Certificate Revocation services domains.
Domains | Port/Protocol | Description |
---|---|---|
validation.identrust.com | 80/TCP | Validate SAML certificates |
Secure Access VPN Services
Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) module.
The Cisco Secure Client VPN module uses HTTPS to communicate with the Secure Access VPN client head end services. We recommend that you allow all traffic on port 443 over TCP or UDP, and ports 500/4500 over IPsec (UDP), for the Secure Access VPN domains.
Note: The Cisco Secure Client VPN module automatically uses TLS 443/UDP when it senses that 443/UDP is open.
Remote access virtual private network (VPN) head end services.
Domain | Port/Protocol |
---|---|
*.vpn.sse.cisco.com | 443 TLS (TCP/UDP) |
*.vpn.sse.cisco.com | 500/4500 IPsec (UDP) |
Secure Access VPN Client Certificate Revocation Services
Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) module.
The Cisco Secure Client VPN module uses HTTPS to communicate with the Secure Access VPN client certificate revocation services. We recommend that you allow all traffic on port 80 over TCP for the Secure Access VPN domains.
Domains | Port/Protocol | Description |
---|---|---|
*.vpn.sse.cisco.com | 80/TCP | Validate VPN certificates |
Secure Access Zero Trust Client-Based Enrollment Services
Required by Cisco Secure Client deployments with the Zero Trust module.
The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the Secure Access Zero Trust device enrollment services. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust domains.
Domain | Ports/Protocol |
---|---|
ztna.sse.cisco.com | 443 TCP |
acme.sse.cisco.com | 80/443 TCP |
devices.api.umbrella.com | 80/443 TCP |
sseposture-routing-commercial.k8s.5c10.org | 80/443 TCP |
sseposture-routing-commercial.posture.duosecurity.com | 80/443 TCP |
Secure Access Zero Trust Client-Based Proxy Services
Required by Cisco Secure Client deployments with the Zero Trust module.
The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the client-based Secure Access Zero Trust proxy services. We recommend that you allow all traffic on port 443 for the protocols listed below on the Secure Access Zero Trust domains.
Domain | Ports/Protocol |
---|---|
*.ztna.sse.cisco.com | 443/TCP |
*.zpc.sse.cisco.com | 443/TCP and UDP |
Known Network Restrictions for Zero Trust Clients
Cisco Secure Access Zero Trust supports any TCP or UDP client applications that do not rely on ICMP or DNS SRV discovery, with the following restrictions:
- The client application must initiate all TCP connections or UDP flows.
- Any protocol requiring a unique client IP address at the server, for example SMBv1, is not supported.
Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
Required by Cisco Secure Client deployments with the Zero Trust module.
The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the client-based Secure Access Zero Trust client certificate revocation services. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust Client Certificate Revocation services domains.
Domains | Port/Protocol |
---|---|
*.ztna.sse.cisco.com | 443 TCP |
Secure Access Zero Trust Proxy Services – Unmanaged Devices
Required by devices that are on an organization's network, connect to Secure Access with Zero Trust, and do not have the Cisco Secure Client deployed.
Unmanaged devices with Secure Access Zero Trust enabled use HTTPS to communicate with the Secure Access Zero Trust proxy services for unmanaged devices. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust proxy services domains.
Domains | Port/Protocol |
---|---|
*.ztna.sse.cisco.com | 443 TCP |
Secure Access Zero Trust Services and Connector Groups
Required by the Secure Access Zero Trust and Connector Groups deployments in an organization.
The following IP addresses are reserved for use by Secure Access services for Resource Connectors and must not be used elsewhere on your network.
IP Range |
---|
100.64.0.0/10 |
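Because 100.64.0.0/10 is the shared address space that many organizations already use for carrier-grade NAT, lab networks or container overlays, it is worth checking existing internal prefixes for collisions before deploying Resource Connectors. The following Python is an added example, not code from this page or from Cisco: it reports every internal prefix that overlaps the reserved range (including prefixes such as 100.100.8.0/22 that sit inside the /10 without starting at 100.64) and shows what remains usable when a larger prefix has the reserved range carved out. The internal prefix list is a constructed sample.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Range this page reserves for Secure Access Resource Connector services.
RESERVED = ipaddress.IPv4Network("100.64.0.0/10")


def reserved_conflicts(internal_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (prefix, overlapping part) for every internal prefix that
    collides with the reserved 100.64.0.0/10 range.

    Two CIDR blocks are either disjoint or nested, so the overlapping part is
    simply the smaller of the two.
    """
    conflicts = []
    for text in internal_prefixes:
        net = ipaddress.IPv4Network(text, strict=False)
        if net.overlaps(RESERVED):
            overlap = net if net.subnet_of(RESERVED) else RESERVED
            conflicts.append((str(net), str(overlap)))
    return conflicts


def usable_outside_reserved(prefix: str) -> List[str]:
    """Return the CIDRs of a prefix that remain usable once the reserved range
    is carved out: the prefix itself if it does not overlap, nothing if it lies
    entirely inside the reserved range, otherwise the remainder."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    if not net.overlaps(RESERVED):
        return [str(net)]
    if net.subnet_of(RESERVED):
        return []
    return [str(n) for n in sorted(net.address_exclude(RESERVED))]


# Constructed sample of an organization's routed internal prefixes.
INTERNAL_PREFIXES = [
    "10.0.0.0/8",
    "100.64.0.0/16",     # classic CGNAT block, collides
    "100.100.8.0/22",    # inside the /10 even though it does not start at 100.64
    "100.128.0.0/16",    # just past the end of the /10, no collision
    "192.168.0.0/16",
    "100.0.0.0/8",       # supernet that swallows the whole reserved range
]


if __name__ == "__main__":
    for prefix, overlap in reserved_conflicts(INTERNAL_PREFIXES):
        print(f"{prefix} conflicts with reserved range on {overlap}; usable remainder:",
              usable_outside_reserved(prefix))
```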