Introduction
This document describes the meaning of Unprotected and Unencrypted states in the Umbrella Roaming Client and how to troubleshoot them.
Unprotected and Unencrypted States
When the Umbrella Roaming Client is in Unprotected or Unencrypted mode, the tray icon (Windows) or menu bar (OS X) displays a yellow state. The status shows as both Unprotected and Unencrypted.
Communication Requirements
To provide security and content filtering, the Umbrella Roaming Client must communicate with Umbrella using both UDP and TCP on the ports and destinations listed below, in addition to the HTTP destinations listed in the Roaming Client Prerequisites article:

| Port | Protocol | IPv4 | IPv6 |
| --- | --- | --- | --- |
| 53 | UDP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
| 53 | TCP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
| 443 | UDP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |
| 443 | TCP | 208.67.222.222, 208.67.220.220 | 2620:119:53::53, 2620:119:35::35 |

The Umbrella Roaming Client is unable to protect the computer if both of these conditions exist:
- The computer is behind a connection that does not allow third-party DNS requests.
- The computer is behind a connection that has a default deny outbound firewall policy.
When these conditions are met, the Umbrella Roaming Client restores the DHCP-delegated DNS servers to the network connection properties and continues testing until it can contact Umbrella DNS servers and resume providing security and content filtering. During periods where communication with Umbrella DNS servers is not possible, policy enforcement and reporting are not available.
Testing Network Connectivity
To verify whether the network allows communication with Umbrella DNS servers, manually perform a DNS query. If the network blocks the query, the output is:
$ nslookup opendns.com 208.67.222.222
;; connection timed out; no servers could be reached
If the test succeeds but the Umbrella Roaming Client still reports "Unprotected/Unencrypted," open a support ticket and provide the results of a Diagnostic Test. A successful query appears as:
$ nslookup opendns.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: opendns.com
Unencrypted State Only
If the Umbrella Roaming Client displays Unencrypted, it cannot communicate over port 443/UDP. Allowing this port through your firewall is recommended for security, but the client continues to function without encrypted DNS queries. For further details, refer to the Roaming Client Prerequisites article.