Get Started - Securing Access to Private Applications and Networks

With these you will be able to:

• Secure Applications with granular access control so only authorized users can access them 
• Define and manage internal applications for the use in Access policies
• Provide least privileged access to users that are connecting from anywhere using a client or via a browser
• Only allow user devices that meet the device posture requirements of your organization 

What’s the difference between client based and clientless?

Client based access

With client based, as the DTLS terminates, the user is prompted for authentication, and once authorized the user’s traffic is directly routed through the Cloud Deliver Firewall (CDFW)  for finer-grained access control to private resources based upon contextual controls such as identity and posture.

CDFW policies apply when:

Source Traffic	Destination Traffic
	Application hosted in Private Cloud or  On Prem Data Center	Application hosted in Branch
Anyconnect VPN Client
Branch		Note: Meraki branches connected to the same cloud hub are secured by their local firewalls rather than CDFW.

Clientless Access

Clientless allows you to leverage a web browser for user authentication and application access without requiring users to install the Cisco Anyconnect Client on their devices. This feature addresses situations where it might not be feasible or desirable to install the Cisco Anyconnect client. For example, you might want to:

• Control user access to applications on devices with operating systems that are not currently supported by Cisco Anyconnect.
• Provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices)

Each user and device is verified and validated by a Browser Access Policy (BAP), before access is permitted to an app or resource. The verification is granular, per session. Users have the freedom to connect from anywhere with any policy-compliant device.