Introduction
This document describes firewall exclusions for the Windows Network Connectivity Status Indicator (NCSI) test.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella Secure Web Gateway (SWG).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
This article contains recommended firewall exclusions to ensure the Windows Network Connectivity Status Indicator (NCSI) test works properly when deploying Umbrella Secure Web Gateway.
This article primarily applies to AnyConnect-based deployments of SIG. If the exclusions are not in place this can cause Windows to incorrectly display a "No Internet Access" or "Limited Connectivity" status.
Impact
This is primarily a cosmetic issue, in the sense that the client machine does still have full internet connectivity. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive cannot even attempt to connect when this “No Internet Access” warning is displayed.
AnyConnect Recommendations
If Direct Internet Acess is not normally possible, Cisco Umbrella recommends allowing direct access (TCP port 80) to the IP addresses associated with these domains:
These tests can happen before the AnyConnect SWG module is available, and it cannot be guaranteed that this traffic is proxied by Umbrella. Therefore, direct internet access can be made available for these tests.
Other Recommendations
For other deployment methods, allow these domains in your web policies:
Adding these domains to the External domains list (found under Domain Management) can ensure the domains bypass Umbrella's Secure Web Gateway. External domains can be applied to both PAC file and the AnyConnect SWG module.
Feedback