Cisco Meraki Documentation

Cisco Secure Connect - Client-based ZTNA

Overview

Client-based ZTNA offers secure private access to internal network resources for devices running Cisco Secure Client. ZTNA provides more granular control than a traditional remote access VPN because it operates higher up the network stack, with full visibility of the fully qualified domain name (FQDN) of your private application. This additional visibility, combined with per-application connections, provides greater security by limiting access to only the required network resources, in keeping with Zero Trust principles.

Client-based ZTNA works well with most modern applications that are client-initiated. Most web applications will work out of the box. Applications that can struggle with the reverse proxy architecture of ZTNA are server-initiated or client-to-client applications. For customers with private applications not supported by ZTNA, Cisco recommends using the traditional remote access VPN that is offered in Cisco Secure Connect. For a deeper dive on ZTNA architecture, please work with your Cisco Sales representative.



Prerequisites


Feature enablement: At launch, client-based ZTNA must be enabled by Secure Connect support. If you do not see the "client-based" access method slider on the application edit page, your organization is NOT enabled for client-based ZTNA. Open a ticket and request that your organization be enabled for client-based ZTNA.

SAML authentication configured: To enroll in Zero Trust Access, users must enroll and authenticate with SAML via Cisco Secure Client and the Zero Trust Module.

*Note: Meraki IDP is not supported for client-based ZTNA authentication.*

Users and groups provisioned: Users and groups must be synced with Secure Connect to authorize access to private resources via a Zero Trust Access policy.

Connection details for private applications: Private applications must be defined and enabled for client-based Zero Trust Access. Client-initiated applications are ideal for client-based ZTA.

Internal DNS server (some cases): For fully qualified domain name (FQDN) based applications, DNS resolution must occur. If your DNS is internal only, you must specify an internal DNS server.

Private Application

Private applications are defined in the Meraki dashboard under Secure Connect > Identities & Connections > Resources & Applications.


On the Resources & Applications page you can view and manage your current applications. To add a new application, click the "Add App" button.


On the Resource & Application create page, enter the name of the application. Add the address of the private application as an IP, CIDR, FQDN or wildcard FQDN, together with the associated protocol and port(s).
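As an added illustration (this is not Cisco's code and does not reproduce the dashboard's own enforcement logic), the Python below models how a private application definition of the kinds listed above (IP, CIDR, FQDN or wildcard FQDN, plus protocol and ports) decides whether a destination is covered, so that anything outside a defined application is not reachable. The application names, addresses and ports are constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class PrivateApp:
    name: str
    address: str    # IP, CIDR, FQDN or wildcard FQDN such as *.corp.example
    protocol: str   # "tcp" or "udp"
    ports: str      # "443" or a list/range such as "8080-8090,9000"

_FQDN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)

def parse_ports(spec: str) -> set[int]:
    """Expand '443' or '8080-8090,9000' into the set of ports it covers."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"bad port specification: {spec}")
        ports.update(range(start, end + 1))
    return ports

def address_matches(pattern: str, dest: str) -> bool:
    """Does a destination host (name or IP) fall inside one definition address?"""
    try:
        net = ipaddress.ip_network(pattern, strict=False)  # IP or CIDR definition
    except ValueError:
        if not _FQDN.match(pattern):
            raise ValueError(f"invalid application address: {pattern}")
        dest = dest.lower().rstrip(".")
        if pattern.startswith("*."):  # wildcard covers subdomains only, never the apex
            return dest.endswith(pattern[1:].lower())
        return dest == pattern.lower()
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False  # a hostname never matches an IP/CIDR definition

def authorizing_app(apps, dest: str, protocol: str, port: int):
    """Name of the first app whose address, protocol and ports cover the request, else None."""
    for app in apps:
        if (app.protocol.lower() == protocol.lower() and port in parse_ports(app.ports)
                and address_matches(app.address, dest)):
            return app.name
    return None

SAMPLE_APPS = [PrivateApp("intranet", "*.corp.example", "tcp", "443"),  # constructed samples
               PrivateApp("db-subnet", "10.20.0.0/16", "tcp", "5432-5433"),
               PrivateApp("jump-host", "10.30.1.5", "tcp", "22")]
```

FQDN and wildcard FQDN definitions only work when the name can be resolved, which is why the Internal DNS server prerequisite applies to them.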


Posture Profiles

Zero Trust Access Policy

Deploy Zero Trust Access Module

Enroll in Zero Trust Access