Cisco+ Secure Connect enables remote users to access private applications from anywhere through the Cisco+ Secure Connect fabric using the Cisco Secure Client (formerly the Cisco AnyConnect client). Identity-based access control is possible using SAML authentication through the customer's IdP. Endpoint Compliance, also known as Endpoint Posture, is also evaluated, enabling granular access control to private resources.
| Prerequisite | Description |
|---|---|
| Private DNS server IP addresses | Servers used to resolve private application names |
| Corporate domain name | Domains that must be resolved to access private applications |
| Client IP address pools | North America and Europe have 4 data centers each. Each region specified must have a complete set (4) of private address pools. (Notice: we recommend using contiguous private address pools so they are easy to summarize for routing and rule updates.) These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required; a second region is optional. |
| Any subnets that require tunnel bypass | You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel |
Remote Access Setup
In order to begin, you'll first need to connect your Cisco Meraki and Cisco Umbrella accounts together for a seamless experience. For further instructions, see Cisco+ Secure Connect Onboarding.
- Get started by navigating to Secure Connect -> CONNECTIONS -> Remote Access to begin the setup process.
This "checklist" guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. These tasks can be done in any order; however, the steps below begin at the top of this checklist at Configure remote access service.
- Click Configure remote access service; it will direct you to the Umbrella dashboard, under the hierarchy Deployments -> Remote Access.
You can always use the upper right corner link RETURN TO SECURE CONNECT to swivel back.
- When you click CONFIGURE, shown in the step 3 figure, the Configure remote access service wizard launches and guides you through Network Configuration -> Traffic Steering -> Client Configuration -> Add Regions. The navigation menu at the top of each screen indicates the step you are configuring.
- Add the IP address(es) of the DNS Server(s). Secure Client will use these servers to resolve applications accessed through the tunnel.
Add a Default Domain for DNS resolution and additional DNS Names (optional) in the respective fields, then click Next.
Traffic Steering, also known as split tunneling, lets you decide which traffic you want to encrypt and transit over the Secure Client connection (inside the tunnel), and which traffic (if any) you want to go directly to internet resources (outside the tunnel).
Leave this feature disabled (the default) to direct ALL traffic through Secure Connect services, then click Next. Users will not have access to local resources while connected.
- Toggle Traffic Steering ON to enable traffic steering
- Check Designate LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while connected.
- For Tunnel Mode, specify whether the destination networks should be applied as Steer Traffic Inside the Secure Tunnel (split include) or Steer Traffic Outside the Secure Tunnel (split exclude). For example, when you choose Steer Traffic Inside the Secure Tunnel, the Destinations you specify will be sent through the tunnel and the list under Exceptions will not. Vice versa for Steer Traffic Outside the Secure Tunnel: the Destinations you specify will be sent outside of the tunnel and the Exceptions you list will still be sent inside the tunnel. Note that all exceptions must match the format used for the DESTINATION (CIDR or domain).
- Then click Add to add the list of desired networks.
Split DNS mode is only available when "Steer Traffic INSIDE the Secure Tunnel" is selected.
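To make the split include / split exclude semantics above concrete, here is an added Python model of the steering decision (this is illustrative code written for this page, not Cisco Secure Client logic; the real client's matching rules may differ). It takes the tunnel mode, the Destination list and the Exceptions list, enforces the rule that exceptions use the same format (CIDR or domain) as the destinations, and reports whether a given target goes inside or outside the tunnel. The sample destinations and targets are constructed.

```python
import ipaddress

def entry_kind(entry):
    """Classify a steering entry as 'cidr' or 'domain'."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    except ValueError:
        return "domain"

def validate_steering(destinations, exceptions):
    """Check the page's rule: exceptions must use the destinations' format.
    Returns the shared format ('cidr' or 'domain') or raises ValueError."""
    kinds = {entry_kind(d) for d in destinations}
    if len(kinds) != 1:
        raise ValueError("destinations must all be CIDRs or all be domains")
    dest_kind = kinds.pop()
    mismatched = [e for e in exceptions if entry_kind(e) != dest_kind]
    if mismatched:
        raise ValueError(f"exceptions not in {dest_kind} format: {mismatched}")
    return dest_kind

def matches(entry, target, kind):
    """True if target (an IP for 'cidr', a hostname for 'domain') falls under entry.
    Domain entries match the name itself and any subdomain (assumed semantics)."""
    if kind == "cidr":
        return ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False)
    entry = entry.lower().lstrip(".")
    target = target.lower().rstrip(".")
    return target == entry or target.endswith("." + entry)

def steer(mode, destinations, exceptions, target):
    """Decide 'inside' or 'outside' for one target.
    mode: 'include' = Steer Traffic Inside the Secure Tunnel (split include)
          'exclude' = Steer Traffic Outside the Secure Tunnel (split exclude)"""
    kind = validate_steering(destinations, exceptions)
    listed = any(matches(d, target, kind) for d in destinations)
    excepted = any(matches(e, target, kind) for e in exceptions)
    selected = listed and not excepted          # target is covered by the list, minus exceptions
    if mode == "include":
        return "inside" if selected else "outside"
    if mode == "exclude":
        return "outside" if selected else "inside"
    raise ValueError(f"unknown tunnel mode {mode!r}")

if __name__ == "__main__":
    # Constructed split-include plan: corporate 10/8 goes in the tunnel, except a guest /24.
    plan = ("include", ["10.0.0.0/8"], ["10.1.2.0/24"])
    for ip in ("10.0.0.5", "10.1.2.7", "8.8.8.8"):
        print(ip, "->", steer(*plan, ip))
```

With split include, anything not listed goes outside the tunnel; with split exclude, anything not listed goes inside, so an exception to an exclude list ends up back inside the tunnel.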
For Client Configuration, you can leave it as default and click NEXT.
Otherwise, select the desired client options.
Select the Cisco+ Secure Connect data center locations where your client VPN tunnels will terminate. You can choose a single region or both regions based on your requirements. A location is added by entering an IP address range in the Remote Client IP Address Range field. Leave the field blank if you do not want to use that location, which may be the case if you are using Reserved IP.
There are a few things to note when configuring locations.
- A minimum of two locations must be added per region.
- The IP address ranges must be in the private address space defined in RFC1918.
- The IP address ranges you choose for your Remote Client IP Address Range must not overlap with other address ranges in your internal network.
- Changing the Display Name is an optional step.
- Once you complete the above steps, click PROVISION. You will be redirected back to the checklist page and provisioning starts on the backend.
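Before entering Remote Client IP Address Ranges in the wizard, it is worth checking the candidate pools against the rules above (RFC1918 space, no overlap with internal subnets or with each other, at least two locations per region) and seeing how well they summarize for routing and firewall rules. The following is an added Python pre-check written for this page; it is not Cisco tooling. The pool and internal subnet values are constructed, and the minimum-locations parameter defaults to the two stated on the page.

```python
import ipaddress

# RFC1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_client_pools(pools, internal_subnets, min_locations=2):
    """Return a list of problems with the planned pools; an empty list means the plan passes.

    pools:            candidate Remote Client IP Address Ranges, one per location
    internal_subnets: subnets already in use on the corporate network
    """
    problems = []
    nets = [ipaddress.ip_network(p, strict=False) for p in pools]
    internal = [ipaddress.ip_network(s, strict=False) for s in internal_subnets]

    if len(nets) < min_locations:
        problems.append(f"only {len(nets)} location pool(s); at least {min_locations} required per region")

    for n in nets:
        if n.version != 4:
            problems.append(f"{n} is not IPv4; RFC1918 only covers IPv4 space")
            continue
        if not any(n.subnet_of(r) for r in RFC1918):
            problems.append(f"{n} is not in RFC1918 private address space")
        for s in internal:
            if s.version == 4 and n.overlaps(s):
                problems.append(f"{n} overlaps internal subnet {s}")

    # Pools must also be disjoint from one another.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"client pools {a} and {b} overlap each other")
    return problems

def summarize_pools(pools):
    """Collapse the pools into the fewest covering prefixes.
    Contiguous, aligned pools collapse to a single summary route; others do not."""
    nets = [ipaddress.ip_network(p, strict=False) for p in pools]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # Constructed plan: four contiguous /24s for one region, corporate LAN on 10.0.0.0/16.
    plan = ["10.200.0.0/24", "10.200.1.0/24", "10.200.2.0/24", "10.200.3.0/24"]
    internal = ["10.0.0.0/16", "192.168.0.0/16"]
    print("problems:", validate_client_pools(plan, internal))
    print("summary routes:", summarize_pools(plan))
```

Note that summarization only works when the pools are both contiguous and aligned on the summary boundary: `10.200.0.0/24` through `10.200.3.0/24` collapse to `10.200.0.0/22`, whereas `10.200.1.0/24` and `10.200.2.0/24` stay as two prefixes.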
Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboards and follows the format: <system generated id>.sc.ciscoplus.com.
Alternately, location-specific FQDNs are provided with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:
The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.
Remote Access users may choose to connect to the auto-selecting URL or to a specific location via the Secure Client drop-down. Note that the drop-downs populate only after first connecting to the service.
This may take up to five minutes to complete. It is ok to start the next section while waiting.
- You can verify Remote Access has been provisioned successfully under Deployments -> Remote Access in Umbrella dashboard.
- To complete the Remote Access experience, you need to configure your remote users; see Configure and provision users to complete the deployment. Once that is done, click Deploy Secure Client to Users on the checklist page, download the Secure Client via the provided link and start your remote access journey (more details here).
Flexible Location Deployment (optional)
With flexible location deployment, you can choose whichever locations you want to deploy the remote access headend to (a minimum of two locations is required). If your organization uses Reserved IPs, enable VPN remote access only for the data centers that have your Reserved IP address provisioned (more about Reserved IP addresses here).
For example, at the beginning, you choose Palo Alto and Los Angeles as the two locations provisioned with remote access.
If you want to change locations within the same region, click the three-dot icon in the top right corner of the Region section and click Edit. You can then update or add locations on the new page; click Save once you are done with the configuration.
Or, if you want to add another region, click ADD NEW in the top right corner of the Region section. On the next page, select the region you want to add and fill out the required parameters. Once you are done, click SAVE to finish.
Endpoint Posture (optional)
Endpoint Posture will verify any combination of the following requirements on the endpoint before allowing that endpoint to connect to the Cisco+ Secure Connect cloud.
- Operating System type and version
- Disk encryption
To enable Endpoint Posture for client-based access, go to Secure Connect -> Endpoint Posture -> Client-based access, and click the pencil icon to edit each type of posture you want to enable.
- Certificate Requirements - The system will verify the endpoint has a specific certificate(s) before allowing it to connect to the network.
- Operating System Requirements - The system will verify the endpoint is running the specified operating systems (OS) and OS versions before allowing it to connect to the network. You can also define a timeframe for users to upgrade to the required version.
- Anti-Malware Requirements - The system will verify the endpoint is running the specified anti-malware software before allowing it to connect to the network. Choose the operating system(s) and select the anti-malware software from the drop-down.
Here is an example where the admin chooses Mac OS X; you can select multiple operating systems based on your needs. You can also define a timeframe for users to upgrade to the required version.
- Firewall Requirements - The system will verify the endpoint is running a local firewall application before allowing it to connect to the network. Choose the firewall software provider from the dropdown.
Here is an example where the admin chooses Windows; you can select multiple operating systems based on your needs.
- Disk Encryption Requirements - The system will verify the endpoint has disk encryption enabled before allowing it to connect to the network. Choose the disk encryption software provider from the dropdown.
Here is an example where the admin chooses Linux; you can select multiple operating systems based on your needs.
Once you are done, click Save changes to save the configurations.
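To show how the posture checks above combine, here is an added Python model of a posture decision written for this page; it is not the Cisco+ Secure Connect posture engine and the policy structure is assumed, not the product's schema. It evaluates OS type and minimum version (with the optional upgrade timeframe treated as a grace period during which the endpoint is still admitted with a warning, an assumed interpretation), anti-malware, local firewall, disk encryption and certificate presence. The policy and endpoint reports are constructed sample data.

```python
from datetime import date

# Constructed posture policy (assumed structure). Product names are examples only.
POLICY = {
    "os": {  # permitted OS -> minimum version, optional upgrade grace deadline
        "windows": {"min_version": "10.0.19045", "upgrade_deadline": date(2024, 6, 30)},
        "macos": {"min_version": "13.0"},
    },
    "anti_malware": {"windows": {"Microsoft Defender"}, "macos": {"Cisco Secure Endpoint"}},
    "firewall": {"Windows Defender Firewall", "macOS Application Firewall"},
    "disk_encryption": True,
    "required_cert_issuers": {"CN=Corp Issuing CA"},
}

def parse_version(v):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def evaluate_posture(policy, endpoint, today):
    """Return (allowed, findings). Findings prefixed 'block:' deny access; 'warn:' do not."""
    findings = []
    os_name = endpoint["os"]
    os_req = policy["os"].get(os_name)

    if os_req is None:
        findings.append(f"block: operating system {os_name!r} is not permitted")
    elif parse_version(endpoint["os_version"]) < parse_version(os_req["min_version"]):
        deadline = os_req.get("upgrade_deadline")
        if deadline is not None and today <= deadline:
            # Inside the upgrade timeframe: admit, but flag it (assumed semantics).
            findings.append(f"warn: OS {endpoint['os_version']} below {os_req['min_version']}; upgrade by {deadline}")
        else:
            findings.append(f"block: OS {endpoint['os_version']} below required {os_req['min_version']}")

    allowed_am = policy["anti_malware"].get(os_name, set())
    if allowed_am and not (set(endpoint.get("anti_malware", ())) & allowed_am):
        findings.append("block: no approved anti-malware product running")

    if policy["firewall"] and endpoint.get("firewall") not in policy["firewall"]:
        findings.append("block: no approved local firewall running")

    if policy["disk_encryption"] and not endpoint.get("disk_encrypted", False):
        findings.append("block: disk encryption is not enabled")

    if policy["required_cert_issuers"] and not (
        set(endpoint.get("cert_issuers", ())) & policy["required_cert_issuers"]
    ):
        findings.append("block: required certificate not present on endpoint")

    allowed = not any(f.startswith("block:") for f in findings)
    return allowed, findings

if __name__ == "__main__":
    # Constructed endpoint report, as a posture agent might collect it.
    laptop = {
        "os": "windows", "os_version": "10.0.19041",
        "anti_malware": ["Microsoft Defender"], "firewall": "Windows Defender Firewall",
        "disk_encrypted": True, "cert_issuers": ["CN=Corp Issuing CA"],
    }
    for day in (date(2024, 5, 1), date(2024, 7, 1)):
        print(day, evaluate_posture(POLICY, laptop, day))
```

The version check is the part most often got wrong in home-grown posture logic: comparing `"10.0.9"` and `"10.0.19045"` as strings would rank the older build higher, which is why the example converts to integer tuples first.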
Next Steps - Network and Policy Setup
After completing the Remote Access setup, the rest of the checklist can be completed depending on your situation.
- Step 2 - Enable application connectivity
- Step 3 - Configure and provision users
- Step 4 - Apply policies
- Step 5 - Create new firewall rule
The final step is to download and deploy the Cisco Secure Client to endpoints. There are two parts to the Cisco Secure Client download. The first is the software itself. The second is an XML file that contains the features and attribute values created during the setup process.
Click Deploy Secure Client to Users, download the Secure Client via the provided link and click Close.
Before downloading the Cisco Secure Client you may want to check the system requirements.
More information on deploying Cisco Secure Client can be found here.
Note: You will be unable to download the Cisco Secure Client software from Cisco Software Central. This is due to how the Cisco+ Secure Connect license is set up. If you need a different version of the Cisco Secure Client than what is posted in the Cisco+ Secure Connect portal, contact support.