Umbrella Roaming Security Module Requirements

To ensure that the Cisco Secure Client Umbrella Roaming Security module deploys and runs successfully, a user device must meet certain system and network requirements.

Table of Contents

• System Requirements
• Network Requirements
• Transport Layer Security Protocol
• Network Access
• Roaming Security DNS Requirements
• Internal Domains

System Requirements

The Cisco Secure Client supports all vendor-maintained, generally available releases of an operating system unless otherwise noted.

Cisco Secure Client version 5.1.0 and higher is supported on:

• Windows 10 x86 and x64 devices
• Windows 11 x64 and ARM64 devices
  • ARM64 devices only support the Secure Client with the VPN module, DART, Secure Firewall posture, Network Visibility module, Umbrella module, and ISE posture.
• macOS 11.x or higher

For more information about the Cisco Secure Client, see Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5.1.

Network Requirements

Secure Access DNS Block Pages

• For more information, see Network Requirements for Secure Access: DNS Block Pages.

Secure Access and SAML Identity Provider Domains

• For more information, see Network Requirements for Secure Access: SAML Identity Provider Domains.

Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.

Transport Layer Security Protocol

• For more information, see Network Requirements for Secure Access: Transport Layer Security Protocol.

Network Access

Host Names

• The Cisco Secure Client Umbrella Roaming Security module uses hostnames for registration. All machines must have a hostname that is unique within your organization.

Secure Access DNS Resolvers

For more information, see Network Requirements for Secure Access: DNS Resolvers.

Encrypted DNS

• For more information, see Network Requirements for Secure Access: Encrypted DNS.

External DNS Resolution

• For more information, see Network Requirements for Secure Access: External DNS Resolution.

HTTP and HTTPS

The Cisco Secure Client Umbrella Roaming Security module uses HTTP (80/TCP) and HTTPS (443/TCP) to communicate with Secure Access for the following uses:

• Initial registration upon installation
• Checking for new versions of the Cisco Secure Client Umbrella (Roaming Security) module
• Reporting the status of Cisco Secure Client Umbrella (Roaming Security) module to Secure Access
• Checking for new internal domains

Windows Only: If you utilize an HTTP proxy that is configured at the user-level (normally using GPO), make sure the SYSTEM user is also configured to use the proxy. Otherwise, add the following rules to your firewall to ensure the Cisco Secure Client Umbrella (Roaming Security) module can reach Secure Access.

Secure Access DNS – Client Configuration Services

• For more information, see Network Requirements for Secure Access: Client Configuration Services.

Secure Access DNS – Client Sync Services

• For more information, see Network Requirements for Secure Access: Client Sync Services.

Secure Access DNS and Web – Client Certificate Revocation Services

For more information, see Network Requirements for Secure Access: Client Certificate Revocation Services.

Roaming Security DNS Requirements

• The Cisco Secure Client Umbrella Roaming Security module is not compatible with other DNS serving software. You should not install the Cisco Secure Client Umbrella module on a device that serves DNS requests.
• Uninstall DNSCrypt before your install the Cisco Secure Client Umbrella (Roaming Security) module. The Cisco Secure Client Umbrella (Roaming Security) module installer automatically detects installations of DNSCrypt and prompts the administrator to uninstall before proceeding with the installation.
• Install the Cisco Secure Client Umbrella Roaming Security module on the C:\ drive. The Cisco Secure Client Umbrella module does not support secondary or remote drive installations.
• The Cisco Secure Client Umbrella Roaming Security module only supports dual-stack IPv4/IPv6 for macOS and Windows. Standalone support for IPv6 for both macOs and Windows is not supported.

Internal Domains

The Cisco Secure Client sends all of your DNS lookups directly from your computer to the Secure Access global network resolvers. Thus, to ensure that Cisco Secure Client directs internal DNS requests to your internal DNS servers for resolution, you must add your local domain names to the internal domains list in Secure Access. The Cisco Secure Client's Umbrella module syncs with Secure Access periodically to check for new internal domains. This is a critical part of the setup process. We recommend that you populate the list of internal domains before you deploy the Umbrella (Roaming Security) module. For more information, see Domain Management.

Download the OrgInfo.json File < Umbrella Roaming Security Module Requirements > Install the Root Certificate for All Browsers