Cisco+ Secure Connect - Setting Up Client-based Remote Access
Overview
Cisco+ Secure Connect enables remote users to access private applications from anywhere through the Cisco+ Secure Connect fabric using the Cisco Secure Client (formerly the Cisco AnyConnect client). Identity-based access control is possible using SAML authentication through the customer's IdP. Endpoint Compliance, also known as Endpoint Posture, is also evaluated, enabling granular access control to private resources.
Prerequisites
Before you start setting up remote access, gather the following information.
Requirement | Details |
---|---|
Private DNS server IP addresses | Servers used to resolve private application names |
Corporate domain name | Domains that must be resolved to access private applications |
Client IP address pools | North America and Europe have 4 data centers each. Each region specified must have a complete set of 4 private address pools. (Note: we recommend using contiguous private address pools so they are easy to summarize for routing and rule updates.) These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required; a second region is optional. |
Any subnets that require tunnel bypass | You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel |
Datacenter gateway device | The physical or software device on the data center side of the VPN connection. Any IKEv2-compatible device is supported; however, configuration details will vary. |
Customer-premises equipment (CPE) device public IP* | The internet-routable IP address of the CPE external WAN interface |
Tunnel IKEv2 pre-shared key | The PSK is needed to configure the CPE device for the IPsec tunnel. |
*Public IP is only required for devices that do not support IKEv2 email identities.
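The client IP pool requirement above (a complete set of four non-overlapping pools per region, ideally contiguous so they summarize into one route for the IPsec termination device) is easy to get wrong by hand. The following is an added example, not part of the Cisco documentation, that checks a region's pools against the internal subnets and computes the summary route to advertise; the pool and subnet values are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values (not from the Cisco page): one region with its
# complete set of four client pools, chosen contiguous so they summarize.
REGION_POOLS = {
    "North America": [
        "10.200.0.0/22",
        "10.200.4.0/22",
        "10.200.8.0/22",
        "10.200.12.0/22",
    ],
}

# Constructed: subnets already in use on the internal customer network.
INTERNAL_SUBNETS = ["10.0.0.0/16", "10.100.0.0/16", "192.168.10.0/24"]

POOLS_PER_REGION = 4  # one pool per data center in the region


def check_region(pools: Iterable[str], internal: Iterable[str]) -> List[str]:
    """Return the problems found; an empty list means the pools pass."""
    problems = []
    # strict=True rejects pools whose host bits are set (e.g. 10.200.1.0/22)
    nets = [ipaddress.ip_network(p, strict=True) for p in pools]
    if len(nets) != POOLS_PER_REGION:
        problems.append(f"expected {POOLS_PER_REGION} pools, got {len(nets)}")
    internal_nets = [ipaddress.ip_network(s) for s in internal]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"pools overlap: {a} and {b}")
        for s in internal_nets:
            if a.overlaps(s):
                problems.append(f"pool {a} overlaps internal subnet {s}")
    return problems


def summary_routes(pools: Iterable[str]) -> List[str]:
    """Collapse the pools into the fewest prefixes to route to the client side."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for region, pools in REGION_POOLS.items():
        issues = check_region(pools, INTERNAL_SUBNETS)
        print(region, "OK" if not issues else issues)
        print("  summary routes:", summary_routes(pools))
```

If the pools are not contiguous, summary_routes returns more than one prefix, which is the extra routing and rule maintenance the note in the table warns about.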
Remote Access Setup
To begin, you first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience. For instructions, see Cisco+ Secure Connect Onboarding.
Getting Started
- Get started by navigating to Secure Connect -> CONNECTIONS -> Remote Access to begin the setup process.
- This "checklist" guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. These tasks can be done in any order; however, the steps below begin at the top of the checklist with Configure remote access service.
- Click Configure remote access service; it directs you to the Umbrella dashboard under Deployments -> Remote Access. You can always use the RETURN TO SECURE CONNECT link in the upper right corner to swivel back.
Network Configuration
- When you click CONFIGURE (shown in the step 3 figure), the Configure remote access service wizard launches and guides you through Network Configuration -> Traffic Steering -> Client Configuration -> Add Regions. The navigation menu at the top of each screen shows your progress.
- Add the IP address(es) of your internal DNS servers. Secure Client will use these servers to resolve applications accessed through the tunnel. Add a Default Domain for DNS resolution and additional DNS Names (optional) in the respective fields, then click Next.
Traffic Steering
Traffic Steering, also known as split tunneling, enables you to decide what traffic you want to encrypt and transit over the Secure Client connection (inside the tunnel), and which traffic (if any), you want to go directly to internet resources (outside the tunnel).
Leave this feature disabled (the default setting) to direct ALL traffic through Secure Connect services, then click Next. Users will not have access to local resources while connected.
- Toggle Traffic Steering ON to enable traffic steering.
- Check Designate LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while the tunnel is active.
- For Tunnel Mode, specify whether the destination networks that follow should be applied as Steer Traffic Inside the Secure Tunnel (split include) or Steer Traffic Outside the Secure Tunnel (split exclude). Then click Add to add the list of desired networks.
Split DNS mode is only available when "Steer Traffic INSIDE the Secure Tunnel" is selected.
Client Configuration
- For Client Configuration, you can leave the defaults and click NEXT.
- Or, if you need granular configuration for your deployment (optional):
- Choose whether to enable Auto-Connect on Start.
- Add a banner message under Post Authentication Banner, which is displayed to Secure Client users upon connection.
- Configure the Session Timeout to set the VPN session duration.
- Configure Administrator Settings to allow configuring Remote Desktop Protocol (RDP) for Windows and Linux devices.
Add Regions
For Add Regions, select the location of the data center through which your traffic is routed. You can choose one or both regions based on your own design.
Provision
Once you complete the above steps and click PROVISION, you are redirected back to the checklist page and provisioning starts on the backend.
Once provisioning is complete, an auto-selecting URL is provided that automatically selects the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboards and follows the format: <system generated id>.sc.ciscoplus.com.
Alternatively, location-specific FQDNs are provided with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:
123d.pao1.sc.ciscoplus.com
123d.nyc1.sc.ciscoplus.com
123d.lax1.sc.ciscoplus.com
123d.ash1.sc.ciscoplus.com
The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.
Remote Access users may choose to connect to the auto-selecting URL or to a specific location via the Secure Client dropdown. Note that the dropdowns populate after first connecting to the service.
Provisioning may take up to five minutes to complete. It is fine to start the next section while waiting.
You can verify that Remote Access has been provisioned successfully under Deployments -> Remote Access in the Umbrella dashboard.
To complete the Remote Access experience, you need to configure your remote users; see Configure and provision users to complete the deployment. Once that is done, click Deploy Secure Client to Users on the checklist page, download the Secure Client via the provided link, and start your remote access journey.
Endpoint Compliance (optional)
Endpoint Compliance, also known as Endpoint Posture, verifies any combination of the following requirements on the endpoint before allowing that endpoint to connect to the Cisco+ Secure Connect cloud:
- Certificate
- Operating System type and version
- Anti-Malware
- Firewall
- Disk encryption
To enable Endpoint Compliance, click Settings in the top right corner under Deployments -> Remote Access, and click Endpoint Compliance.
- Certificate Requirements - Enables a check for specific certificates on endpoints attempting to connect to the network.
- Operating System Requirements - Enables a check for specific operating systems and versions on endpoints attempting to connect to the network. You can also define a grace period for users to upgrade to the required version.
Clicking the down arrow lets you choose more specific Operating System options.
- Anti-Malware Requirements - Enables a check for specific anti-malware software on endpoints attempting to connect to the network; select your software from the dropdown.
Clicking the down arrow lets you choose more specific Anti-Malware software options.
- Firewall Requirements - Enables a check for a specific personal firewall on endpoints attempting to connect to the network. Choose your firewall software provider from the dropdown.
Clicking the down arrow lets you choose more specific Firewall options.
- Disk Encryption Requirements - Enables a disk encryption check on endpoints attempting to connect to the network. Choose your Disk Encryption software provider from the dropdown.
Clicking the down arrow lets you choose more specific Disk Encryption options.
Once you are done, click Save to save the configurations.
Setting up Network Connectivity and Policies
After completing the Remote Access setup, the rest of the checklist can be completed depending on your situation.
- Step 2 - Enable application connectivity
- Set up a Meraki Network
- Set up a Non-Meraki Network
- Be sure to select tunnel type of Private Access
- Add all internal networks (routes) behind the private tunnel as client prefixes to the tunnel
- Add routes to the IPSec termination device for all remote access client subnets provisioned previously
- Step 3 - Configure and provision users
- Step 4 - Apply policies
- Step 5 - Create new firewall rule
Deploying Cisco Secure Client
The final step is to download and deploy the Cisco Secure Client to endpoints. There are two parts to the Cisco Secure Client download. The first is the software itself. The second is an XML file that contains the features and attribute values created during the setup process.
Click Deploy Secure Client to Users, download the Secure Client via the provided link and click Close.
More information on deploying Cisco Secure Client can be found here.
Note: You will be unable to download the Cisco Secure Client software from Cisco Software Central. This is due to how the Cisco+ Secure Connect license is set up. If you need a different version of the Cisco Secure Client than the one posted in the Cisco+ Secure Connect portal, contact Meraki support through the Cisco+ Secure Connect dashboard.