Cisco Meraki Documentation

Secure Connect - Clientless ZTNA Prerequisites

Prerequisites 


The main prerequisites for clientless remote access to work properly are as follows.

  • Identity configuration 

  • Connectivity to the application hosting sites 

  • Routing requirements 

Let’s understand each in detail. 

Identity configuration: 

Clientless remote access relies on two key aspects: authentication and authorization. Identity configuration is therefore a necessary part of making clientless remote access work. See the Secure Connect documentation on setting up an identity provider in the Secure Connect dashboard.

Connecting application hosting sites to the Fabric: 

There are several possibilities depending on the environment and where the application is deployed.  

  1. If the application is hosted on-prem, a tunnel from that site to the Secure Connect cloud is needed. 

  • If the site is fronted by a Meraki device, AutoVPN is the fastest way to bring it up. 

  • If it is a non-Meraki device, you will need to set up a standard IPsec site-to-site tunnel.   

  2. If the application is hosted in the cloud, the choice depends on the cloud provider and the connector being used there.  

  • For AWS with a vMX, an AutoVPN tunnel is the way to go. 

  • For AWS, Azure, GCP, or any other cloud provider, a standard IPsec or SLVPN tunnel from the respective cloud provider's gateway or virtual firewall is appropriate. 

For details, see the Secure Connect documentation on connecting sites to the Fabric.

Routing requirements: 

  • Secure Connect proxy IP blocks (the addresses clientless ZTNA traffic toward your applications is sourced from, so the application side must be able to route back to them): 

    • 100.64.0.0/16
    • 100.127.0.0/16 

  • For Meraki routers (MX on-prem), the AutoVPN configuration should share the default route to the Secure Connect hub; that default route covers this routing requirement. 

  • The default route for a vMX in the cloud (AWS or Azure) generally goes to the internet via the AWS or Azure gateway. For clientless ZTNA to work, you must add static routes for both proxy blocks in the VPC or VNet route table that point at the vMX interface instead of the AWS or Azure gateway.   

  • Dynamic routing is not currently available for non-Meraki routers at the application hosting site. Therefore, for return traffic, the application-side router must have static routes to both proxy blocks through the backhaul tunnel. 
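The route-table requirement above is easy to get subtly wrong: the default route toward the internet gateway silently swallows any proxy block that is not explicitly covered, and a more-specific route carved out of a proxy block sends part of the return traffic the wrong way. The script below is an added example (not Meraki or AWS tooling) that checks a route table in the shape returned by `aws ec2 describe-route-tables` using longest-prefix matching, then prints the AWS CLI commands that would fix it. The route table, the IDs `rtb-0example`, `igw-0example` and `eni-0vmxexample`, and the VPC prefix `10.20.0.0/16` are constructed placeholders; the proxy blocks are the two listed on this page.

```python
"""Verify that an AWS route table steers the Secure Connect proxy blocks through the vMX.

Added example, not Meraki or AWS tooling.  SAMPLE_ROUTE_TABLE is a constructed
route table in the shape returned by `aws ec2 describe-route-tables`; every ID
in it is a placeholder.
"""
import ipaddress
import json

# Secure Connect proxy blocks from the prerequisites page.
PROXY_BLOCKS = ("100.64.0.0/16", "100.127.0.0/16")

# Constructed sample: default route to the internet gateway, the first proxy
# block already pointed at the vMX ENI, the second block not covered at all
# (so it falls through to the internet gateway).
SAMPLE_ROUTE_TABLE = json.loads("""
{
  "RouteTableId": "rtb-0example",
  "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    {"DestinationCidrBlock": "100.64.0.0/16", "NetworkInterfaceId": "eni-0vmxexample", "State": "active"}
  ]
}
""")

# Keys the EC2 API uses for a route's next hop, depending on the target type.
TARGET_KEYS = ("NetworkInterfaceId", "InstanceId", "NatGatewayId",
               "TransitGatewayId", "VpcPeeringConnectionId", "GatewayId")


def route_target(route):
    """Return the next hop of an AWS route, whichever target key is populated."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def active_ipv4_routes(route_table):
    """Yield (network, route) for every active IPv4 route in the table."""
    for r in route_table["Routes"]:
        if "DestinationCidrBlock" in r and r.get("State", "active") == "active":
            yield ipaddress.ip_network(r["DestinationCidrBlock"]), r


def longest_match(route_table, network):
    """Route the VPC would use for `network`: the longest prefix containing all of it."""
    best = None
    for dst, r in active_ipv4_routes(route_table):
        if network.subnet_of(dst) and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, r)
    return best[1] if best else None


def carve_outs(route_table, block, vmx_eni):
    """More-specific routes inside `block` whose next hop is not the vMX."""
    return [str(dst) for dst, r in active_ipv4_routes(route_table)
            if dst != block and dst.subnet_of(block) and route_target(r) != vmx_eni]


def check_proxy_routes(route_table, vmx_eni):
    """Return {proxy_block: None if correct, else a description of the problem}.

    A block is correct only if its longest match is the vMX ENI and no more
    specific route sends part of the block to another next hop.
    """
    findings = {}
    for cidr in PROXY_BLOCKS:
        block = ipaddress.ip_network(cidr)
        chosen = longest_match(route_table, block)
        if chosen is None:
            findings[cidr] = "no matching route; traffic is blackholed"
            continue
        target = route_target(chosen)
        if target != vmx_eni:
            findings[cidr] = f"routed via {target} ({chosen['DestinationCidrBlock']}), not the vMX"
            continue
        bypass = carve_outs(route_table, block, vmx_eni)
        findings[cidr] = f"more-specific routes bypass the vMX: {bypass}" if bypass else None
    return findings


def remediation_commands(route_table, vmx_eni):
    """AWS CLI commands that would make the table satisfy the proxy-block requirement."""
    table_id = route_table["RouteTableId"]
    existing = {str(dst) for dst, _ in active_ipv4_routes(route_table)}
    cmds = []
    for cidr, problem in check_proxy_routes(route_table, vmx_eni).items():
        if problem is None:
            continue
        block = ipaddress.ip_network(cidr)
        for dst in carve_outs(route_table, block, vmx_eni):
            cmds.append(f"aws ec2 delete-route --route-table-id {table_id} "
                        f"--destination-cidr-block {dst}")
        chosen = longest_match(route_table, block)
        if chosen is None or route_target(chosen) != vmx_eni:
            # create-route fails with RouteAlreadyExists if the exact prefix is present,
            # so switch to replace-route in that case.
            verb = "replace-route" if cidr in existing else "create-route"
            cmds.append(f"aws ec2 {verb} --route-table-id {table_id} "
                        f"--destination-cidr-block {cidr} --network-interface-id {vmx_eni}")
    return cmds


if __name__ == "__main__":
    for cidr, problem in check_proxy_routes(SAMPLE_ROUTE_TABLE, "eni-0vmxexample").items():
        print(f"{cidr}: {'OK' if problem is None else problem}")
    print("\n".join(remediation_commands(SAMPLE_ROUTE_TABLE, "eni-0vmxexample")))
```

Run against the constructed table, the script reports 100.64.0.0/16 as correct and 100.127.0.0/16 as "routed via igw-0example (0.0.0.0/0), not the vMX", and emits a single `aws ec2 create-route` for the missing block. The same check applies to Azure with `az network route-table route create --next-hop-type VirtualAppliance --next-hop-ip-address <vMX private IP>` as the remediation. Whichever cloud you use, the vMX interface must also be allowed to forward traffic it did not originate (in AWS, source/destination checking on the ENI must be disabled), or the injected routes will deliver packets the instance then drops.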
