Introduction
This document describes how to prepare endpoints and applications for Umbrella services that require TLS 1.2.
TLS 1.2 Requirement Overview
As of March 31, 2020, Transport Layer Security (TLS) 1.0 and 1.1 are no longer supported by Umbrella servers and services. All endpoints must support TLS 1.2 to function properly with Umbrella.
Updates to TLS 1.0/1.1 Support
- Except for AnyConnect, the Umbrella Roaming Client, and the AD Connector, Umbrella ended support for TLS 1.0/1.1 in March 2020.
- Due to backend dependencies, certain dashboard and API services continued to accept TLS 1.0/1.1 connections until January 27, 2021. After this date, these services no longer accept TLS 1.0/1.1 connections.
- Devices unable to access the dashboard or APIs must be checked for TLS 1.2 support.
Protection for AnyConnect or Roaming Client Devices
Umbrella extended the deadline for AnyConnect and Roaming Client devices to January 27, 2021 to complete the upgrade to TLS 1.2. No further extensions exist. AnyConnect and Roaming Client devices that do not meet the TLS 1.2 requirement after January 27, 2021 no longer receive protection from Umbrella.
Secure Web Gateway Support
- Umbrella does not support HTTPS traffic using TLS 1.0 or 1.1 in the Secure Web Gateway product.
- Prior to January 27, 2021, Secure Web Gateway offered limited support for these protocols only when HTTPS Decryption was disabled.
- Configure all client operating systems to support TLS 1.2.
- Upgrade or modify non-browser applications as needed to ensure TLS 1.2 compatibility. Contact application vendors for guidance.
Umbrella Active Directory Connector Requirements
Umbrella does not support Active Directory connectors deployed on Windows operating systems that have reached end of life. AD connectors running on unsupported Windows versions (Windows Server 2008, Windows Server 2008 R2, or Windows 7) stop synchronizing with Umbrella and enter an error state as of January 27, 2021.
Umbrella Agents: Minimum Version Requirements
Windows Roaming Client or AnyConnect Module
macOS Roaming Client or AnyConnect Module
- Any version of Umbrella Roaming Client or AnyConnect roaming module supports TLS 1.2
- Supported macOS version: 10.9 or newer
Additional FAQ
What happens if endpoints are not updated by the deadline?
Endpoints unable to negotiate a TLS 1.2 connection cannot access Umbrella systems, including the dashboard, intelligent proxy services, and block pages.
For customers running the Umbrella Roaming Module in AnyConnect, the Umbrella Enterprise Roaming Client, or the Umbrella AD Connector, the client cannot connect to any Umbrella service. This results in the client not synchronizing configuration and status with the Umbrella dashboard.
Existing roaming clients stop activating and remain unprotected at the next service start. New clients that do not support TLS 1.2 cannot register with Umbrella. These clients fail open; DNS continues to resolve through the local network stack, but roaming client security services do not activate.
Devices attempting to access blocked sites or those routed through the Intelligent Proxy cannot connect. Devices using the roaming client cannot access Umbrella websites, block pages, or proxy services.
Does the registry key work for older versions?
Yes, for AnyConnect. Older AnyConnect roaming module versions continue to work once the registry edit that makes .NET prefer strong cryptography (the SchUseStrongCrypto value) is applied. Prior to the minimum versions listed, the roaming client initiated HTTPS connections without explicitly requesting TLS 1.2; if the installed .NET Framework supports TLS 1.2, it uses it by default. The registry value forces .NET to use strong cryptography, replicating the behavior built into newer client versions. Standalone roaming clients older than the latest release are not supported.
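As an added illustration (this is not Cisco's script, nor part of the original article), the following PowerShell first checks whether the installed .NET Framework is already 4.6.2 or newer, in which case TLS 1.2 is negotiated natively, and otherwise applies the strong-crypto value the answer above refers to. The value names (SchUseStrongCrypto, SystemDefaultTlsVersions), the registry key paths, and the Release number thresholds are Microsoft's documented ones; the function names and the script flow are assumptions of this example. Run it in an elevated session, and with -WhatIf first.

```powershell
#Requires -RunAsAdministrator

# Added example, not Cisco's code: apply the .NET "strong crypto" registry values
# that make older .NET Framework builds negotiate TLS 1.2, but only where needed.

# Microsoft's Release DWORD for .NET Framework 4.6.2 is 394802 (Windows 10 1607)
# or 394806 (other Windows versions); anything >= 394802 is 4.6.2 or newer and
# negotiates TLS 1.2 without registry changes.
$Net462MinimumRelease = 394802

function Get-NetFramework4Release {
    $ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # no .NET 4.5 or later on this machine
    return [int]$item.Release
}

# Keys the .NET runtime reads. v4.0.30319 is every 4.x runtime; v2.0.50727 is
# .NET 2.0/3.5, which additionally needs Microsoft's TLS 1.2 hotfix as the
# article notes. Wow6432Node covers 32-bit processes on 64-bit Windows.
$NetRuntimeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Set-NetStrongCrypto {
    # SchUseStrongCrypto=1 is the value the FAQ refers to. SystemDefaultTlsVersions=1
    # is Microsoft's companion value that defers to the OS protocol list; it is not
    # mentioned in the article and is included here as an assumption of this example.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $NetRuntimeKeys) {
        if (-not (Test-Path $key)) { continue }   # runtime or bitness not installed
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD = 1')) {
                New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

function Get-NetStrongCryptoState {
    # Empty columns mean the value is absent, i.e. the runtime default applies.
    foreach ($key in $NetRuntimeKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

$release = Get-NetFramework4Release
if ($release -ge $Net462MinimumRelease) {
    "Release $release is .NET Framework 4.6.2 or newer; TLS 1.2 is native, no key needed."
} else {
    "Release $release is older than 4.6.2 (or only 3.5 is present); applying strong-crypto values."
    Set-NetStrongCrypto
}
Get-NetStrongCryptoState | Format-Table -AutoSize
```

Restart the roaming client or AD Connector service after the values are written; the .NET runtime reads them at process start, not on the fly.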
Can I test TLS 1.2 only?
Yes. Disable TLS 1.0 and TLS 1.1 in the Windows Registry (under the SCHANNEL Protocols key) and confirm that the device still operates fully using only TLS 1.2.
Why deprecate TLS 1.0 and 1.1?
TLS 1.0 and 1.1 are outdated: they cannot negotiate modern cipher suites (for example, AEAD suites such as AES-GCM), and their handshake integrity relies on MD5- and SHA-1-based constructions. They contain known weaknesses that attackers can exploit. The Internet Engineering Task Force has deprecated both protocols (RFC 8996). The majority of encrypted Internet traffic uses TLS 1.2, which was introduced in 2008 (RFC 5246), more than ten years ago.
Why was March 31, 2020 selected?
The industry is deprecating TLS 1.0 and 1.1 in this timeframe. Google, Microsoft, Apple, and Mozilla have all announced that their browsers no longer support TLS 1.0 and 1.1 as of March 2020.
Can this impact users with up-to-date devices?
Impact is minimal. Most websites support TLS 1.2: according to Qualys SSL Labs, 95.2 percent of websites support it, and that share is expected to keep increasing as March 2020 approaches. A small number of websites that offer only TLS 1.0 or 1.1 cannot be reached, but overall user impact is minimal. For Windows machines, ensure that up-to-date devices also include a version of .NET that supports TLS 1.2.
After updating an endpoint for TLS 1.2, is further action required to re-enable Umbrella support?
In most cases, no further action is required. The client re-establishes communication with Umbrella systems using the secure TLS 1.2 protocol. For the Umbrella Enterprise Roaming Client or the Umbrella Roaming Client for AnyConnect, there can be a delay in restoration if the system was offline during a client software update. The client needs to download updates before service is fully restored.
How can I confirm endpoint support for TLS 1.2?
Windows Web Browser Support
- Access the Umbrella dashboard and related websites.
- Run the SSL Labs Browser Test (https://www.ssllabs.com/ssltest/viewMyClient.html). Confirm that a "Yes" appears next to TLS 1.2 in the Protocols section.
Windows .NET Framework Support
- Applies to Enterprise Roaming Client, AnyConnect Roaming Module, or AD Connector.
- .NET Framework 4.6.2 or newer negotiates TLS 1.2 natively.
- Earlier versions require registry edits (4.5 through 4.6.1) or registry edits plus Microsoft's manual hotfix patches (3.5).
- This information applies to Umbrella software running on .NET framework, including AD Connector and Roaming Client.
- Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 at the operating system level (the SCHANNEL protocol settings) by completing the instructions provided by Microsoft.
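To carry out the TLS 1.2-only test from the FAQ and the OS-level hardening in the last bullet above, here is an added PowerShell example (not Cisco's or Microsoft's code, and not part of the original article). It writes the SCHANNEL protocol keys Windows consults, reads them back, and then attempts a handshake pinned to a single protocol version so you can confirm that TLS 1.2 succeeds while TLS 1.0 and 1.1 fail. The key layout and the Enabled/DisabledByDefault semantics are Microsoft's; the function names, the -IncludeServer switch, and the ordering of the calls at the bottom are assumptions of this example. Run it in an elevated session, and reboot before trusting the handshake results.

```powershell
#Requires -RunAsAdministrator

# Added example, not Cisco's code: put a Windows endpoint into TLS 1.2-only
# mode via the SCHANNEL registry keys, read the state back, and test handshakes.
$SchannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Set-SchannelProtocol {
    # Enabled=0 blocks the protocol even when an application asks for it explicitly;
    # DisabledByDefault=1 only removes it from the default negotiation list.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [ValidateSet('Client', 'Server')][string]$Side = 'Client',
        [Parameter(Mandatory)][int]$Enabled,
        [Parameter(Mandatory)][int]$DisabledByDefault
    )
    $key = "$SchannelRoot\$Protocol\$Side"
    if ($PSCmdlet.ShouldProcess($key, "Enabled=$Enabled DisabledByDefault=$DisabledByDefault")) {
        New-Item -Path $key -Force | Out-Null   # also creates missing parent keys
        New-ItemProperty -Path $key -Name Enabled -Value $Enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value $DisabledByDefault -PropertyType DWord -Force | Out-Null
    }
}

function Set-Tls12Only {
    # Client side covers browsers, .NET and the roaming client on this machine.
    # -IncludeServer (an assumption of this example) also hardens local listeners.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$IncludeServer)
    $sides = @('Client'); if ($IncludeServer) { $sides += 'Server' }
    foreach ($side in $sides) {
        foreach ($proto in $LegacyProtocols) {
            Set-SchannelProtocol -Protocol $proto -Side $side -Enabled 0 -DisabledByDefault 1
        }
        # Older Windows builds ship with TLS 1.2 present but off by default; turn it on.
        Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -Enabled 1 -DisabledByDefault 0
    }
}

function Get-SchannelProtocolState {
    # Missing keys show as empty values, meaning "Windows default for this OS build".
    foreach ($proto in $LegacyProtocols + 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $v = Get-ItemProperty -Path "$SchannelRoot\$proto\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $v.Enabled
                DisabledByDefault = $v.DisabledByDefault
            }
        }
    }
}

function Test-TlsHandshake {
    # Opens a TCP connection and runs a handshake restricted to one protocol version.
    # After a reboot with TLS 1.2-only keys, Tls12 should succeed and Tls10/Tls11 fail.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        [pscustomobject]@{ HostName = $HostName; Requested = $Protocol; Negotiated = $ssl.SslProtocol; Success = $true; Error = $null }
    } catch {
        [pscustomobject]@{ HostName = $HostName; Requested = $Protocol; Negotiated = $null; Success = $false; Error = $_.Exception.GetBaseException().Message }
    } finally {
        $tcp.Dispose()
    }
}

# Preview the registry changes, apply them, and show the resulting state.
Set-Tls12Only -WhatIf
Set-Tls12Only
Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, run Test-TlsHandshake against the Umbrella dashboard host your deployment uses, once with -Protocol Tls12 and once with -Protocol Tls11: a successful TLS 1.2 result alongside a failed TLS 1.1 attempt is the expected TLS 1.2-only outcome. To roll back, write Enabled=1 and DisabledByDefault=0 for the protocol in question, or delete the keys to return to the OS default.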
For Apple Mac and other systems
- Perform the SSL Labs Browser Test (https://www.ssllabs.com/ssltest/viewMyClient.html). Confirm that a "Yes" appears next to TLS 1.2 in the Protocols section.