Prerequisites for Cisco Security for Chromebooks Client

To enable DoH and SWG protection on the Cisco Secure Chromebook client, these prerequisites are required:

  • You must have Cisco Security for Chromebooks Client.
  • You must have Secure Access login credentials.
  • A Google Workspace Admin account to push the Cisco Security for Chromebook client to all the Chromebook devices.
  • Recommended: Sync Google Workspace Identities with Secure Access to apply Google Workspace user and organizational unit based policies. For information, see Integrate Google Workspace Identities.
  • Chrome OS 110 or later (to enable DoH-based DNS layer protection on Chromebooks).
  • Chromebooks must not be in kiosk mode.
  • For DNS-layer protection, port 53 UDP and 443 TCP must be allowed.
  • For SWG-layer protection, port 8888 (TCP) must be accessible to 146.112.0.0/16 and 155.190.0.0/16.
  • You must have access to:
  • Chromebooks must be connected and logged in.
  • Install Cisco Secure Access root certificate on your Chromebooks to avoid certificate errors when accessing a Secure Access block page. For more information, see Install the Secure Access Root Certificate.
  • For more information about how to push the root certificate from Google admin console to all your Chromebook devices, see Set up TLS (or SSL) inspection on Chrome devices.
  • In the Google Workspace Admin console, the incognito window must be disallowed. From the Incognito mode menu, choose Disallow incognito mode. For more information, search for Incognito Mode in Chrome Enterprise and Education Help.
  • For SWG, you can configure the DNS servers on your network to forward DNS traffic to Secure Access. This configuration provides the most accurate selection of SWG Data Center locations. For more information, see Point your DNS to Cisco Secure Access.
  • Third-party web filtering or web proxy solutions may interfere with SWG proxy setup of the Cisco Security for Chromebook client. We recommend that you remove these solutions before deploying Cisco Security for Chromebook client.
  • The following devices and operating systems are not supported:
    • Chrome browser on OS X, Windows, and Linux
    • Devices running variations or third-party distributions of ChromeOS, such as Neverware CloudReady

Network requirements

ProtectionPort and ProtocolSource/DestinationNotes
DNS and SWG Layer53 (UDP)Configured DNS resolvers should be
reachable.
DNS and SWG Layer443 (TCP) Registration.Registration.
polaris.qq.opendns.com
Used for registration of the client.
DNS and SWG Layer443 (TCP) sync.hydra.opendns.comHTTPS. Used to sync device
details and to fetch configuration.
DNS and SWG Layer443 (TCP)doh.sse.cisco.comHTTPS. Used to resolve DNS requests.
SWG Layer8888 (TCP)146.112.0/0/16
155.190.0.0/16
155.190.0.0/16 SWG Proxy IP address ranges

About Cisco Security for Chromebooks < Prerequisites for Cisco Security for Chromebooks > Limitations for Cisco Security for Chromebooks Client