Skip to main content
Cisco Meraki Documentation

Secure Connect - Architecture of Clientless Remote Access

Architecture of Clientless Remote Access (ZTNA)  

Edit section


Clientless Remote Access is a turnkey as-a-service solution. As shown in the diagram above, the customer environment will establish connectivity to Secure Connect fabric. The Edge traffic will be acquired by Secure Connect fabric via Service Edge. Service edge works as a proxy and connects to secure connect services as well as authentication services. The Secure Connect fabric can route traffic to the application as the interconnection establishes. 

The following are the high-level responsibilities of each block. 

Customer Edge  

  • The client initiates a browser connection to the application-specific URL 

  •  This request gets resolved and redirected to the nearest Datacenter based upon AnyCast DNS 

Service Edge  

  • The Datacenter knows which service to reach out to from the connection request 

  • Connects to the nearest Umbrella cloud where the service is running and proxies the traffic coming from the browser 

Fabric Services  

  • The ZTNA Proxy changes the traffic source to an address within or (carrier grade NAT range) 

  •  A request is sent for authentication and posture check 

  • Once authenticated and authorized, it will redirect the request to the policy engine, where the decision is made to let the request in or not based on your set policies 

  • Once decided, it will be sent to our routing engine to deliver traffic to the application correctly 

Customer Environment  

  • The user has secured access to the application 

  • Was this article helpful?