Cisco Secure Connect - Remote Access
Overview
Cisco Secure Connect enables remote users to access private applications from anywhere through the Secure Connect fabric using a Cisco Secure Client (formerly the Cisco AnyConnect client). Identity-based access control is possible using SAML authentication through the customer’s IdP. Endpoint Compliance, as known as Endpoint Posture, is also evaluated, enabling granular access control to private resources.
Prerequisites
|
Requirement |
Details |
|---|---|
| Private DNS server IP addresses | Servers used to resolve private application names |
| Corporate domain name | Domains that must be resolved to access private applications |
| Client IP address pools |
Each region specified must have a minimum of two locations each configured with private address pools. (Notice: we recommend to use contiguous private address pools to make it easy to summarize for routing and rule updates.) These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required, a second region is optional For a complete list of supported regions and data center locations check here. |
| Any subnets that require tunnel bypass | You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel |
Remote Access Setup
In order to begin, you'll first need to connect your Cisco Meraki and Cisco Umbrella accounts together for a seamless experience. For further instructions, see Cisco Secure Connect Onboarding.
Notice
If you are interested in the new Remote Access UI, please refer to this link for more details.
Getting Started
- Get started with navigate to Secure Connect -> CONNECTIONS -> Remote Access to begin the setup process
-
This "checklist" guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. These tasks can be done in any order, however, the steps below begins at the top of this checklist at Configure remote access service.
- Click Configure remote access service, it will direct you to the Umbrella dashboard with the hierarchy of Deployments -> Remote Access.
You can always use the upper right corner link RETURN TO SECURE CONNECT to swivel back.
Network Configuration
- When you click CONFIGURE shown in the step 3 figure, it will launch configure remote access service wizard and guide you through Network Configuration -> Traffic Steering -> Client Configuration -> Add Regions. The navigation menu at the top of each screen, indicates the step you are configuring.
- Add the IP address(es) of the DNS Server(s). Secure Client will use these servers to resolve applications accessed through the tunnel.
Add a Default Domain for DNS resolution and additional DNS Names (optional) in the respective fields and Click Next.
Traffic Steering
Traffic Steering, also known as split tunneling, enables you will be able to decide what traffic you want to encrypt and transit over the Secure Client connection (inside the tunnel), and which traffic (if any), you want to go directly to internet resources (outside the tunnel).
Leave this feature disabled by default to direct ALL traffic through Secure Connect services and Click Next. Users will not have access to local resources while connected.
- Toggle Traffic Steering ON to enable traffic steering
- Check Designate LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while connected.
- For Tunnel Mode, specify whether destination networks should be applied to Steer Traffic Inside the Secure Tunnel (split include) or Steer Traffic outside the Secure Tunnel (split exclude) of the secure tunnel. For example, when you choose Steer Traffic Inside the Secure Tunnel, the Destination you specify will be sent through the tunnel and the list under Exceptions will not. Vise versa for the Steer Traffic outside the Secure Tunnel, the Destination you specify will be sent outside of the tunnel and the Exceptions you list will still be sent inside tunnel. To be notified is that all exceptions must match the format used for the DESTINATION (CIDR or domain).
- Then click Add to add the list of desired networks.
5. Select DNS Mode.
- Default (Standard) Mode: All of the DNS queries move through the VPN tunnel. In the case of a negative response, the DNS queries can fall back to DNS servers which are configured on the physical adapter.
- Tunnel All DNS: Client sends all DNS traffic to the DNS servers which are defined under Private Network Configuration through VPN tunnel. If the domain query returns negative it will pass the request to a public resolver. Private and Public DNS queries will go over the VPN tunnel.
- Split DNS: Client sends a query thought the VPN. If domain query returns negative, then it falls back to the public resolver, sending new DNS request directly to public resolver. In case of fall back to public resolver the DNS query will bypass VPN tunnel.
Split DNS mode is only available when "Steer Traffic INSIDE the Secure Tunnel" is selected.
More on behaviour of DNS queries with Secure Client can be found here.
Client Configuration
For Client Configuration, you can leave it as default and click NEXT.
Otherwise, select the desired client options.
Add Regions
Select the Secure Connect data center locations where you client VPN tunnels will terminate. You can choose single or both regions based on your requirements. A location is added by entering an IP address range in the Remote Client IP Address Range field. Leave the space blank if you do not want to use that location, which may be the case if you are using Reserved IP.
There are a few things to note when configuring locations.
- A minimum of two locations must be added per region.
- The IP address ranges must be in the private address space defined in RFC1918.
- The IP address ranges you choose for your Remote Client IP Address Range must not overlapped with other address ranges in your internal network.
- Changing the Display Name is an optional step.
Provision
- Once you complete above steps and click PROVISION, which will re-direct you back to the checklist page and start provisioning on the backend.
Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboard and follows the format; <system generated id>.sc.ciscoplus.com.
Alternately, location-specific FQDNs are provided with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:
123d.pao1.sc.ciscoplus.com
123d.nyc1.sc.ciscoplus.com
123d.lax1.sc.ciscoplus.com
123d.ash1.sc.ciscoplus.com
The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.
Remote Access users may choose to connect to the auto-selecting URL or a specific location via the Secure Client dropdown. Note the drop downs will populate after first connecting to the service.
This may take up to five minutes to complete. It is ok to start the next section while waiting.
- You can verify Remote Access has been provisioned successfully under Deployments -> Remote Access in Umbrella dashboard. To make any changes or verify configuration select Settings at the top right corner of the page.
- To complete the whole experience of Remote Access. You need to configure your remote users, please check Configure and provision users to complete deployments.
- If IdP was configured prior to Remote Access, we would need to add users to Remote Access from the Settings page. In Umbrella dashboard navigate to Deployments > Remote Access. Click on Settings at the top right corner of the page and navigate to Assign Users & Groups. Select users or AD groups that will be allowed to use remote VPN access to connect to the network. For Meraki Auth IdP make sure RemoteAccess group is selected.
- Once its done, you can Click Deploy Secure Client to Users in the checklist page, download the Secure Client via the provided link and start your remote access journey (more details here).
Flexible Location Deployment (optional)
With flexible location deployment, you have the flexibility to choose whichever locations you want to deploy the remote access headend (a minimum requirement of two locations). If organization uses Reserved IPs, then you would enable VPN remote access only for data centers that have your Resrved IP address provisioned (more about Reserved IP address here).
For example, at the beginning, you choose Palo Alto and Los Angeles as the two locations provisioned with remote access.
If you want to make changes on location within the same region, click three dots icon on the top right corner of the Region section and click Edit. Then you can update or add locations in the new page, click Save once you are done with config.
Or, if you want to add another Region. Click ADD NEW on the top right corner of the Region section. In the next page, select the region you want to add and fill out required parameters. Once you are done, click SAVE to finish.
Endpoint Posture
Endpoint Posture, will verify any combination of the following requirements on the endpoint before allowing that endpoint to connect to the Secure Connect cloud.
- Certificate
- Operating System type and version
- Anti-Malware
- Firewall
- Disk encryption
Posture check utilizes the AnyConnect/Cisco Secure Client Secure Firewall Posture module (formally known as hostscan). Certificates on the client device need to be a 1 to 1 match to what is uploaded into the dashboard and should be placed in either the Trusted People, Trusted Publisher, Enterprise Trust, or Personal certificate stores (either local user or local machine as both are checked).
To enable Endpoint Posture for Client-based access, go to Secure Connect -> Endpoint Posture -> Client-based access , and click the pencil icon to edit each type of postures you want to enable.
- Certificate Requirements - The system will verify the endpoint has a specific certificate(s) before allowing it to connect to the network.
- Operating System Requirements - The system will verify the endpoint is running the specified operating systems (OS) and OS versions before allowing it to connect to the network. You can define timeframe for users to upgrade to required version as well.
- Anti-Malware Requirements - The system will verify the endpoint is running the specified anti-malware software before allowing it to connect to the network. Choose the operating system(s) and select the anti-malware software from the drop down.
Here is an example of when the admin choose Mac OS X, you can select multiple operating systems based on your needs. You can also define timeframe for users to upgrade to required version as well.
- Firewall Requirements - The system will verify the endpoint is running a local firewall application before allowing it to connect to the network. Choose the firewall software provider from the dropdown.
Here is an example of when the admin choose Windows, you can select multiple operating systems based on your needs.
- Disk Encryption Requirements - The system will verify the endpoint has disk encryption enabled before allowing it to connect to the network. Choose the disk encryption software provider from the dropdown.
Here is an example of when the admin choose Linux, you can select multiple operating systems based on your needs.
Once you are done, click Save changes to save the configurations.
Next Steps - Network and Policy Setup
After completing the Remote Access setup, the rest of checklist can be complete depending on your situation.
- Step 2 - Enable application connectivity
- Setup a Meraki Network
- Setup a Non-Meraki Network
- Be sure to select tunnel type of Private Access
- Add all internal networks (routes) behind the private tunnel as client prefixes to the tunnel
- Add routes to the IPSec termination device for all remote access client subnets provisioned previously
- Step 3 - Configure and provision users
- Step 4 - Apply policies
- Step 5 - Import policy (Optional)
- Step 6 - Create new firewall rule
Deploying Cisco Secure Client
The final step is to download and deploy the Cisco Secure Client to endpoints. There are two parts to the Cisco Secure Client download. The first is the is the software itself. The second is an XML file that contains the features and attribute values created during the setup process.
Navigate to Secure Connect > Remote Access and click Deploy Secure Client to Users.
New popup window will open. Download the Secure Client installation file and Secure Client Profile xml file via the provided links.
Before downloading Cisco Secure client you may want to check for system requirements.
More information on deploying Cisco Secure Client can be found here.
Note: You will be unable to download the Cisco Secure Client software from Cisco Software Central. This is due to how Secure Connect license is setup. If you need a difference version of the Cisco Secure Client that what is posted in the Secure Connect portal, then contact support.
Remote Access Log Export
This feature enables the ability to export Remote Access logs to a CSV or JSON file so that users can perform a manual analysis of connectivity logs for Remote Access users.
It located in the navigation Secure Connect -> CONNECTIONS -> Remote Access.
After completing the Remote Access setup, you can click Done button on the lower right corner to navigate to Remote Access Log Export page.
You can pick a Range from the dropdown or click View all RA logs to swivel to the Umbrella dashboard to see UI based Remote Access log information.
Once you pick the Range and click Generate.
You can select either csv or json as your export format. Then click Download button to download your log report. If you want to generate another report, click Reset and repeat above steps.
