Network Requirements for Secure Access

This document describes the network configurations that support connections to the Secure Access cloud services and other Secure Access services and applications.

For user devices, applications, and network devices to interact with the Secure Access services, an administrator must allow connections from their organization's networks and devices to the Secure Access services. You may have to bypass domains for the Secure Access cloud services and identity provider (IdP) services on the Secure Access secure web gateway (SWG) and configure other device or network settings.

Secure Access DNS Resolvers

Required by applications or devices connecting to the Secure Access DNS resolvers, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).
IPv4             IPv6               Port/Protocol   Description
208.67.222.222   2620:119:35::35    53 TCP/UDP      Primary
208.67.220.220   2620:119:53::53    53 TCP/UDP      Secondary
208.67.222.220   n/a                53 TCP/UDP      Tertiary
208.67.220.222   n/a                53 TCP/UDP      Quaternary
208.67.221.76    2620:119:17::76    53 TCP/UDP      USA only Primary (For more information, see Best Practices.)
208.67.223.76    2620:119:76::76    53 TCP/UDP      USA only Secondary (For more information, see Best Practices.)
208.67.222.64    2620:119:53::64    53 TCP/UDP      DNS64 Primary (For more information, see Best Practices.)
208.67.220.64    2620:119:53::64    53 TCP/UDP      DNS64 Secondary (For more information, see Best Practices.)

Best Practices

You can use either IPv4 or IPv6 DNS addresses as your primary or secondary DNS server. You must use both numbers and not the same IP address twice. If your router requires a third or fourth DNS server setting, you can use 208.67.220.222 and 208.67.222.220 or 2620:119:35::35 and 2620:119:53::53 as the third and fourth entry respectively.

DNS64 (RFC 6147) is meant for IPv6-only (single-stack) networks and helps with the IPv4 to IPv6 transition. If you are using Secure Access DNS on devices without IPv4 access, these resolvers synthesize AAAA records so that IPv4-only destinations can be reached through a NAT64 gateway using the Well-Known Prefix. See details: https://datatracker.ietf.org/doc/html/rfc6147

North America (USA-only) DNS resolvers guarantee only that DNS queries are resolved by a USA-based Secure Access data center. Block pages use global Anycast and may go to any data center, including one located outside of the USA.

Several systems allow you to specify multiple DNS servers. We recommend that you only use the Cisco Secure Access servers and do not include any other DNS servers.

Cisco Secure Client

The Cisco Secure Client Umbrella Roaming Security module uses standard DNS ports 53/UDP and 53/TCP to communicate with Secure Access. If you explicitly block access to third-party DNS servers on your corporate or home network, you must allow certain CIDRs on the ports and protocols in your firewall.

In circumstances where third-party DNS servers are blocked, the Cisco Secure Client Umbrella Roaming Security module transitions to a state where it temporarily uses the DHCP-delegated DNS servers for resolution.

Cisco Secure Client and External DNS Resolution

In normal circumstances, the Cisco Secure Client Umbrella Roaming Security module functions only on networks where external DNS resolution exists. The module cannot function if DNS connectivity is broken or blocked on the local network.

For the Cisco Secure Client Umbrella Roaming Security module to enable DNS-layer protection, the following external DNS names must be resolvable through the local DNS server. Allow recursive DNS queries to the following domains on the local DNS server:

  • disthost.umbrella.com
  • api.opendns.com
  • crl3.digicert.com
  • crl4.digicert.com
  • ocsp.digicert.com
  • debug.opendns.com - This domain must return a response to a TXT record query, and the Cisco DNS resolvers must answer that request.
    Note: NXDOMAIN is accepted; however, timeouts may delay or prevent Secure Access DNS-layer security protection on the network interface where this domain query times out.
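As an added example that is not part of the Cisco documentation, the following Python script performs the debug.opendns.com TXT check described above and distinguishes the outcomes the note discusses: an answer, NXDOMAIN (accepted), and a timeout (the problematic case). It encodes the query in RFC 1035 wire format; the reply builder constructs a sample response so the parser can be exercised offline, and the TXT strings used with it are made up.

```python
"""Offline-testable version of the debug.opendns.com TXT check (added example, not Cisco tooling)."""
import secrets
import socket
import struct

DEBUG_NAME = "debug.opendns.com"
QTYPE_TXT = 16
RCODE_NXDOMAIN = 3


def build_txt_query(name: str, txid: int) -> bytes:
    """Encode a recursive DNS query for a TXT record in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_TXT, 1)


def build_txt_response(query: bytes, texts: list[str], rcode: int = 0) -> bytes:
    """Construct a resolver reply to `query` (sample data for offline tests; not a real resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = b"".join(bytes([len(t)]) + t.encode("ascii") for t in texts)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if texts else 0, 0, 0)
    answer = b""
    if texts:  # the answer name is a compression pointer to the question at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def _skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a domain name, which may end in a compression pointer."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def classify_response(packet: bytes, txid: int) -> tuple[str, list[str]]:
    """Return ('answer', texts), ('nxdomain', []), ('empty', []) or ('error', []) for a reply."""
    if len(packet) < 12:
        return "error", []
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", packet[:8])
    if rid != txid or not (flags & 0x8000):  # wrong transaction id, or not a response
        return "error", []
    if (flags & 0x000F) == RCODE_NXDOMAIN:
        return "nxdomain", []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4  # name, then QTYPE and QCLASS
    texts: list[str] = []
    for _ in range(ancount):
        offset = _skip_name(packet, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata, offset = packet[offset:offset + rdlength], offset + rdlength
        if rtype == QTYPE_TXT:  # TXT rdata is a sequence of <len><bytes> character-strings
            pos = 0
            while pos < len(rdata):
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return ("answer" if texts else "empty"), texts


def probe(resolver_ip: str, timeout: float = 2.0) -> tuple[str, list[str]]:
    """Query one resolver over 53/UDP; 'timeout' is the outcome the note above warns about."""
    txid = secrets.randbelow(65536)
    query = build_txt_query(DEBUG_NAME, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver_ip, 53))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", []
    return classify_response(reply, txid)


if __name__ == "__main__":
    print(probe("208.67.222.222"))  # the Secure Access primary resolver from the table above
```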

Secure Access Encrypted DNS Queries

Required by applications or devices connecting to the Secure Access DNS resolvers, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).

The Cisco Secure Client Umbrella Roaming Security module supports the encryption of DNS queries sent to Secure Access on port 443 over TCP or UDP. If you would like to ensure encryption is enabled, and use a default deny ruleset in your firewall, allow the following CIDRs on the ports and protocols in your firewall.

Note: The Cisco Secure Client Umbrella Roaming Security module automatically encrypts DNS queries when it senses that 443/UDP is open.

IPv4             IPv6               Port/Protocol   Description
208.67.222.222   2620:119:35::35    443 TCP/UDP     Primary
208.67.220.220   2620:119:53::53    443 TCP/UDP     Secondary

Secure Access DNS – Block Pages

Required by applications or devices connecting to the Secure Access DNS-layer security, including Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security).

We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access DNS Block Page services.

IP                 Ports/Protocol
67.215.64.0/19     80/443 TCP
146.112.0.0/16     80/443 TCP
155.190.0.0/16     80/443 TCP
185.60.84.0/22     80/443 TCP
204.194.232.0/21   80/443 TCP
208.67.216.0/21    80/443 TCP
208.69.32.0/21     80/443 TCP

Secure Access DNS and Web – Client Configuration Services

Required by applications or devices connecting to the Secure Access DNS-layer security, including the Secure Access Active Directory (AD) Connector and Cisco Secure Client deployments with the Umbrella Roaming Security module (DNS-layer security and Web).

We recommend that you allow all traffic on port 443 over TCP for the Secure Access Client Configuration services.

Domains           Port/Protocol   Description
api.opendns.com   443/TCP         Configuration

The Cisco Secure Client Umbrella Roaming Security module uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with Secure Access for the following uses:

  • Initial registration of the Cisco Secure Client Umbrella Roaming Security module upon installation.
  • Checking for new versions of the Cisco Secure Client Umbrella Roaming Security module.
  • Reporting the status of Cisco Secure Client Umbrella Roaming Security module to Secure Access.
  • Checking for new internal domains.

IP Ranges          Ports    Protocol
146.112.0.0/16     80/443   TCP
155.190.0.0/16     80/443   TCP

Windows Only

If you utilize an HTTP proxy that is configured at the user-level (normally using GPO), make sure the SYSTEM user is also configured to use the proxy.

Secure Access DNS and Web – Client Sync Services

Required by devices or applications that are protected by Secure Access DNS or Web security. Includes Cisco Secure Client deployments with the Umbrella Roaming Security module.

Domains                  IP Ranges                                                    Port/Protocol   Description
sync.hydra.opendns.com   146.112.63.3 - 146.112.63.9, 146.112.63.11 - 146.112.63.13   443/TCP         Syncing data

The sync.hydra.opendns.com domain resolves to multiple IP addresses, all within the 146.112.63.0/24 IP range. We recommend that you add this entire range. The IP addresses for sync.hydra.opendns.com are Anycast and may change.

Secure Access DNS and Web – Client Certificate Revocation Services

Required by devices or applications that are protected by Secure Access DNS or Web security. Includes the Secure Access Active Directory (AD) Connector and Cisco Secure Client deployments with the Umbrella Roaming Security module.

Domains             IP               Port/Protocol   Description
crl3.digicert.com   72.21.91.29      80/TCP          CRL
crl4.digicert.com   117.18.237.29    80/TCP          CRL
ocsp.digicert.com   93.184.220.29    80/TCP          OCSP

Cisco Secure Client and Captive Portal Detection

The Cisco Secure Client Umbrella Roaming Security module uses multiple techniques to detect captive portals or hotspots. Allow these domains on your firewall for the most accurate captive portal detection:

  • connecttest.cisco.io
  • www.msftconnecttest.com

Cisco Secure Client and Device Host Names

The Cisco Secure Client Umbrella Roaming Security module uses hostnames to register the device in Secure Access. All machines must have a hostname that is unique within your organization.

Transport Layer Security Protocol Requirements

This section describes the Transport Layer Security (TLS) protocol requirements for connecting to Secure Access.

Ensure that the operating systems of the devices in the organization support at a minimum TLS 1.2. The TLS 1.0 and TLS 1.1 protocols contain security vulnerabilities and do not support modern cryptographic algorithms.

TLS 1.2 Support in Windows

We recommend that you disable support for SSL, TLS 1.0, and TLS 1.1 in your Windows operating system. You can disable TLS 1.0 and TLS 1.1 in the Windows Registry. For more information, see Configuring Schannel protocols in the Windows Registry.

The latest version of the Cisco Secure Client Umbrella Roaming Security module uses TLS 1.2. Ensure that you have a compatible version of .NET installed with your Windows operating system. Native TLS 1.2 support requires .NET framework 4.6.2+. Prior versions of .NET require registry edits (4.x) or registry edits and manual hot fix patches (3.5).

TLS 1.2 Support in macOS

The Cisco Secure Client Umbrella Roaming Security module for macOS uses TLS 1.2.

Secure Access Secure Web Gateway Services

Required by the Secure Access Network Tunnel and PAC file deployments, and Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules.

Egress IP Addresses for the Secure Web Gateway

All public IP web traffic through the Secure Access secure web gateway (SWG) egresses from the NAT service (NATaaS) on these ranges:

  • 151.186.144.0/20
  • 151.186.176.0/20

Ingress IP Addresses for the Secure Web Gateway

To enable connections to the Secure Access Secure Web Gateway, allow the following CIDRs in your firewalls on ports 80 and 443 over TCP.


The regional ingress IP addresses for the Secure Access Secure Web Gateway, listed by region:
# Regional Cisco Secure Access Secure Web Gateway Ingress IPs
regions:
  Australia (Sydney):
    ips:
      - 13.211.119.9
      - 13.238.112.208
      - 13.238.122.162
      - 13.238.158.129
      - 13.239.130.15
      - 3.104.178.82
      - 3.105.203.162
      - 3.24.10.19
      - 3.24.192.45
      - 52.63.52.169
      - 52.63.79.187
      - 52.64.149.5
      - 52.64.188.53
      - 52.65.120.79
      - 54.153.137.67
      - 54.253.200.7
      - 54.253.204.43
      - 54.253.254.54
      - 54.66.46.188
      - 54.79.82.178
  Brazil:
    ips:
      - 15.229.180.59
      - 15.229.226.215
      - 15.229.94.133
      - 177.71.157.58
      - 177.71.172.241
      - 18.228.146.29
      - 18.228.72.211
      - 18.229.42.145
      - 18.230.128.190
      - 18.230.248.68
      - 18.231.63.251
      - 52.67.132.185
      - 52.67.148.235
      - 52.67.210.165
      - 52.67.90.227
      - 54.207.19.93
      - 54.207.22.2
      - 54.232.194.234
      - 54.94.213.6
      - 54.94.232.220
  Canada (Central):
    ips:
      - 15.156.225.124
      - 15.157.147.102
      - 15.157.151.0
      - 15.157.153.35
      - 3.98.225.135
      - 3.98.254.97
      - 3.99.84.120
      - 3.99.95.71
      - 35.183.163.199
      - 52.60.79.39
      - 15.157.113.2
      - 15.157.126.225
      - 15.157.40.249
      - 3.96.39.0
      - 3.98.227.70
      - 3.99.107.229
      - 3.99.3.196
      - 3.99.93.31
      - 35.183.143.180
      - 99.79.90.118
  Germany:
    ips:
      - 18.153.111.87
      - 18.153.141.55
      - 18.153.182.82
      - 18.153.211.50
      - 18.153.226.161
      - 18.197.243.109
      - 18.198.182.51
      - 18.199.59.8
      - 3.120.17.186
      - 3.125.254.147
      - 3.66.137.143
      - 3.67.16.210
      - 3.67.28.205
      - 3.71.158.156
      - 3.74.137.87
      - 35.158.253.14
      - 35.158.50.0
      - 52.29.71.12
      - 52.58.11.21
      - 52.58.217.77
  India (West):
    ips:
      - 13.126.152.179
      - 13.126.229.165
      - 13.127.162.151
      - 13.127.38.154
      - 13.200.185.159
      - 13.200.201.134
      - 13.200.232.199
      - 13.232.69.203
      - 13.233.51.89
      - 15.207.1.100
      - 3.109.170.206
      - 3.109.91.124
      - 3.111.127.158
      - 3.111.174.227
      - 3.111.73.187
      - 3.6.110.13
      - 65.0.112.175
      - 65.1.188.156
      - 65.1.87.105
      - 65.2.65.37
  Indonesia (Jakarta):
    ips:
      - 108.136.187.213
      - 108.137.175.7
      - 16.78.15.57
      - 43.218.195.124
      - 43.218.196.146
      - 43.218.238.209
      - 43.218.252.55
      - 43.218.253.33
      - 43.218.254.184
      - 43.218.8.253
      - 108.136.152.244
      - 108.137.117.124
      - 108.137.143.159
      - 16.78.12.144
      - 43.218.210.218
      - 43.218.214.88
      - 43.218.230.129
      - 43.218.248.115
      - 43.218.248.217
      - 43.218.252.86
  Israel:
    ips:
      - 51.16.148.190
      - 51.16.195.201
      - 51.16.196.219
      - 51.16.224.73
      - 51.17.10.222
      - 51.17.102.144
      - 51.17.117.216
      - 51.17.125.59
      - 51.17.148.214
      - 51.17.150.75
      - 51.17.150.81
      - 51.17.153.18
      - 51.17.173.27
      - 51.17.178.175
      - 51.17.181.142
      - 51.17.198.69
      - 51.17.200.93
      - 51.17.57.22
      - 51.17.67.196
      - 51.17.71.123
  Japan (Tokyo):
    ips:
      - 18.176.125.195
      - 18.177.180.173
      - 18.178.72.165
      - 18.179.18.63
      - 18.181.113.214
      - 18.181.45.60
      - 3.113.110.233
      - 3.114.181.43
      - 35.75.158.92
      - 35.75.252.128
      - 35.77.152.111
      - 35.78.39.17
      - 52.192.121.95
      - 52.193.133.13
      - 52.194.109.230
      - 52.69.214.33
      - 54.95.128.80
      - 57.180.203.125
      - 57.180.88.2
      - 57.181.86.151
  Singapore:
    ips:
      - 13.214.98.31
      - 13.215.125.242
      - 13.228.35.51
      - 18.136.254.192
      - 18.139.251.40
      - 18.142.126.162
      - 18.142.33.94
      - 18.142.74.94
      - 18.143.9.34
      - 3.0.178.57
      - 3.0.197.90
      - 3.0.236.175
      - 3.0.39.255
      - 3.1.174.140
      - 47.128.172.134
      - 47.128.191.7
      - 52.74.119.66
      - 52.74.87.15
      - 52.76.130.198
      - 54.179.86.196
  Switzerland (Zurich):
    ips:
      - 16.62.10.95
      - 16.63.1.64
      - 16.63.119.220
      - 16.63.146.151
      - 16.63.191.113
      - 16.63.241.246
      - 16.63.248.194
      - 16.63.50.209
      - 16.63.81.145
      - 51.96.4.88
      - 16.62.175.191
      - 16.62.234.167
      - 16.63.143.46
      - 16.63.184.108
      - 16.63.216.64
      - 16.63.224.127
      - 16.63.230.1
      - 16.63.236.61
      - 16.63.246.9
      - 16.63.250.231
  United Kingdom:
    ips:
      - 13.42.241.158
      - 18.135.112.200
      - 18.168.160.22
      - 18.168.223.23
      - 18.169.141.252
      - 18.170.109.89
      - 18.170.162.124
      - 18.170.245.252
      - 18.171.14.50
      - 3.11.157.254
      - 3.11.225.126
      - 3.8.14.231
      - 3.9.163.167
      - 35.176.186.56
      - 35.177.223.97
      - 35.177.252.178
      - 35.178.14.215
      - 35.178.147.15
      - 35.178.164.29
      - 35.178.223.106
  US (Pacific Northwest):
    ips:
      - 100.20.55.128
      - 34.210.182.194
      - 34.211.133.49
      - 35.163.230.204
      - 35.167.192.160
      - 35.82.37.34
      - 44.226.181.121
      - 44.227.223.79
      - 44.227.59.253
      - 44.228.41.46
      - 44.231.2.184
      - 44.232.163.156
      - 52.10.7.185
      - 52.24.201.181
      - 52.35.186.20
      - 52.36.167.192
      - 52.43.252.155
      - 54.185.253.229
      - 54.68.79.94
      - 54.69.85.241
  US (Virginia):
    ips:
      - 18.207.48.91
      - 3.208.132.58
      - 3.220.27.92
      - 3.224.76.22
      - 3.229.59.4
      - 3.229.98.228
      - 34.199.204.168
      - 34.234.106.45
      - 35.171.156.209
      - 44.205.38.30
      - 44.206.168.122
      - 44.214.98.67
      - 44.217.43.177
      - 44.221.120.37
      - 44.221.97.202
      - 52.5.115.214
      - 52.86.227.76
      - 54.160.164.245
      - 54.221.27.20
      - 54.227.68.243
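As an added example that is not part of the Cisco documentation, this Python script parses the regional list above (a constructed two-region subset is embedded), rejects malformed addresses, emits iptables rules allowing 80/443 TCP to the ingress addresses of the selected regions, and checks whether an address seen at your edge belongs to the NATaaS egress ranges listed earlier. The iptables chain name and the rule comment text are assumptions.

```python
"""SWG ingress allowlist builder (added example; not Cisco tooling)."""
import ipaddress

# Constructed subset of the regional list above; a real deployment would paste the full list.
SAMPLE_REGIONS = """\
# Regional Cisco Secure Access Secure Web Gateway Ingress IPs
regions:
  Australia (Sydney):
    ips:
      - 13.211.119.9
      - 13.238.112.208
  United Kingdom:
    ips:
      - 13.42.241.158
      - 18.135.112.200
      - 18.168.160.22
"""

# NATaaS egress ranges from the page: traffic leaving the SWG toward your public services uses these.
NATAAS_EGRESS = [ipaddress.ip_network("151.186.144.0/20"), ipaddress.ip_network("151.186.176.0/20")]


def parse_regions(text: str) -> dict[str, list[str]]:
    """Parse the two-level 'regions: / <Region>: / ips: / - addr' layout without a YAML library."""
    regions: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("regions:", "ips:"):
            continue
        if line.endswith(":"):
            current = line[:-1]
            regions[current] = []
        elif line.startswith("- "):
            if current is None:
                raise ValueError(f"address before any region: {line}")
            addr = ipaddress.ip_address(line[2:].strip())  # rejects typos such as an octet above 255
            regions[current].append(str(addr))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return regions


def allow_rules(regions: dict[str, list[str]], wanted: list[str], chain: str = "OUTPUT") -> list[str]:
    """Emit iptables rules permitting 80/443 TCP to the ingress addresses of the selected regions."""
    missing = [r for r in wanted if r not in regions]
    if missing:
        raise KeyError(f"unknown region(s): {missing}")
    rules = []
    for region in wanted:
        for addr in regions[region]:
            rules.append(f"iptables -A {chain} -d {addr} -p tcp -m multiport --dports 80,443 "
                         f"-m comment --comment 'SWG ingress {region}' -j ACCEPT")
    return rules


def is_swg_egress(addr: str) -> bool:
    """True if a source address belongs to the SWG NATaaS egress ranges (useful when reading edge logs)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NATAAS_EGRESS)


if __name__ == "__main__":
    for rule in allow_rules(parse_regions(SAMPLE_REGIONS), ["United Kingdom"]):
        print(rule)
```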

Secure Access SaaS Tenants

Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) and Umbrella Roaming Security modules, or Secure Access PAC file deployments.

The Cisco Secure Client uses HTTPS to communicate with the Secure Web Gateway proxy services.

Microsoft 365

Microsoft 365 traffic is sent directly to the Secure Access secure web gateway (SWG) for these deployment methods:

  • VPN and Network Tunnels established on a network device
  • Cisco Secure Client with the VPN and Umbrella Roaming Security modules
  • Secure Access PAC file

To stop network traffic from being sent to the Secure Access SWG, add External Domain entries manually or route the traffic directly to the internet from your connecting devices.

If your organization's firewall rules prevent any third-party applications, allow the following IP addresses:

  • 52.73.52.135
  • 52.71.142.118
  • 52.40.204.69
  • 52.35.119.173
  • 52.27.150.153

Secure Access SAML Gateway Services

Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules and Secure Access integrations with SAML identity providers (IdPs).

You must deploy either a Network Tunnel or PAC file in your organization to connect user devices to the Secure Access Secure Web Gateway (SWG).

We recommend that you allow all traffic on port 443 over TCP for the Secure Access SAML Gateway services domains.

Unless noted, send id.sse.cisco.com requests to the SWG, not directly to the internet.

Domain                     Port/Protocol   Description
saml.fg.id.sse.cisco.com   443 TCP         Secure Access SAML Gateway
*.fg.id.sse.cisco.com      443 TCP         Secure Access SAML Gateway (multiple entity IDs)

Active Directory Federation Service SAML Identity Provider

  • If your organization integrates with SAML Active Directory Federation Service (AD FS) identity provider (IdP), we recommend that you bypass web traffic to *.id.sse.cisco.com on the Secure Access secure web gateway (SWG).

Secure Access SAML Identity Provider Domains

Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules, and Secure Access integrations with SAML identity providers (IdPs).

To enable connections to your SAML identity providers (IdPs), allow the following domains in your firewalls on ports 80 and 443 over TCP. Ensure that traffic to your SAML IdP is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.

Domain                                Ports/Protocols
ocsp.int-x3.letsencrypt.org           80/443 TCP
isrg.trustid.ocsp.identrust.com       80/443 TCP
*.cisco.com                           80/443 TCP
*.opendns.com                         80/443 TCP
*.umbrella.com                        80/443 TCP
*.sse.com                             80/443 TCP
*.okta.com                            80/443 TCP
*.pingidentity.com                    80/443 TCP
secure.aadcdn.microsoftonline-p.com   80/443 TCP

Azure AD SAML Identity Provider

To exclude Azure AD SAML Identity Provider domains from Secure Access SSL Decryption, add the following domain names to your list of bypassed domains.

Domain                      Port/Protocol
login.live.com              80/443 TCP
login.microsoftonline.com   80/443 TCP
msauth.net                  80/443 TCP
msftauth.net                80/443 TCP

Secure Access SAML Gateway Client Certificate Revocation Services

Required by Cisco Secure Client deployments with the Umbrella Roaming Security or Zero Trust modules, and Secure Access integrations with SAML identity providers (IdPs).

We recommend that you allow all traffic on port 80 over TCP for the Secure Access SAML Gateway Client Certificate Revocation services domain.

Domains                    Port/Protocol   Description
validation.identrust.com   80/TCP          Validate SAML certificates

Secure Access VPN Services

Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) module.

The Cisco Secure Client VPN module uses HTTPS to communicate with the Secure Access VPN client head end services. We recommend that you allow all traffic on port 443 over TCP or UDP, and on ports 500 and 4500 over UDP (IPsec), for the Secure Access VPN domains.

Note: The Cisco Secure Client VPN module automatically uses TLS over 443/UDP when it senses that 443/UDP is open.

Remote access virtual private network (VPN) head end services.

Domain                Port/Protocol
*.vpn.sse.cisco.com   443 TLS (TCP/UDP)
*.vpn.sse.cisco.com   500/4500 IPsec (UDP)

Secure Access VPN Client Certificate Revocation Services

Required by Cisco Secure Client deployments with the Virtual Private Network (VPN) module.

The Cisco Secure Client VPN module uses HTTPS to communicate with the Secure Access VPN client certificate revocation services. We recommend that you allow all traffic on port 80 over TCP for the Secure Access VPN domains.

Domains               Port/Protocol   Description
*.vpn.sse.cisco.com   80/TCP          Validate VPN certificates

Secure Access Zero Trust Client-Based Enrollment Services

Required by Cisco Secure Client deployments with the Zero Trust module.

The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the Secure Access Zero Trust device enrollment services. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust domains.

Domain                                                  Ports/Protocol
ztna.sse.cisco.com                                      443 TCP
acme.sse.cisco.com                                      80/443 TCP
devices.api.umbrella.com                                80/443 TCP
sseposture-routing-commercial.k8s.5c10.org              80/443 TCP
sseposture-routing-commercial.posture.duosecurity.com   80/443 TCP

Secure Access Zero Trust Client-Based Proxy Services

Required by Cisco Secure Client deployments with the Zero Trust module.

The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the client-based Secure Access Zero Trust proxy services. We recommend that you allow all traffic on port 443 over the protocols listed for each Secure Access Zero Trust domain.

Domain                 Ports/Protocol
*.ztna.sse.cisco.com   443/TCP
*.zpc.sse.cisco.com    443/TCP and UDP

Known Network Restrictions for Zero Trust Clients

Cisco Secure Access Zero Trust supports any TCP or UDP client applications that do not rely on ICMP or DNS SRV discovery, with the following restrictions:

  • The client application must initiate all TCP connections or UDP flows.
  • Any protocol requiring a unique client IP address at the server, for example SMBv1, is not supported.

Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services

Required by Cisco Secure Client deployments with the Zero Trust module.

The Cisco Secure Client Zero Trust module uses HTTPS to communicate with the client-based Secure Access Zero Trust client certificate revocation services. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust Client Certificate Revocation services domains.

Domains                Port/Protocol
*.ztna.sse.cisco.com   443 TCP

Secure Access Zero Trust Proxy Services – Unmanaged Devices

Required by devices that are on an organization's network, connect to Secure Access with Zero Trust, and do not have the Cisco Secure Client deployed.

Unmanaged devices with Secure Access Zero Trust enabled use HTTPS to communicate with the Secure Access Zero Trust proxy services for unmanaged devices. We recommend that you allow all traffic on ports 80 and 443 over TCP for the Secure Access Zero Trust proxy services domains.

Domains                Port/Protocol
*.ztna.sse.cisco.com   443 TCP

Secure Access Zero Trust Services and Connector Groups

Required by the Secure Access Zero Trust and Connector Groups deployments in an organization.

The following IP addresses are reserved for use by Secure Access services for Resource Connectors and must not be used elsewhere on your network.

IP Range
100.64.0.0/10
