Cisco+ Secure Connect - Setting Up Remote Access Service

Last updated
Save as PDF

2 Remote Access Traffic Steering.png

Prerequisites

Requirement	Details
Private DNS server IP addresses	Servers used to resolve private application names
Corporate domain name	Domains that must be resolved to access private applications
Client IP address pools	North America and Europe have 4 data centers each. Each region specified must have a complete set (4) private address pools. (Notice: we recommend to use contiguous private address pools to make it easy to summarize for routing and rule updates.) These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required, a second region is optional
Any subnets that require tunnel bypass	You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel
Datacenter gateway device	The physical or software device on the data center side of the VPN connection. Any IKEv2 compatible device is supported, however, configuration details will vary.
Customer-premises equipment (CPE) device Public IP*	The internet-routable IP address for the CPE external WAN interface
Tunnel IKEv2 pre-shared key	The PSK is needed configure the CPE device with the IPSec tunnel.

*public IP only required for devices that do not support IKEv2 email identities.

Remote Access Setup

In order to begin, you'll first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience. For further instructions, see Cisco+ Secure Connect Onboarding.

1. Get started with navigate to Secure Connect -> CONNECTIONS -> Remote Access to begin the setup process

This "checklist" guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. These tasks can be done in any order, however, the steps below begins at the top of this checklist at Configure remote access service.

1.Remote Access opening page.png

3. Click Configure remote access service, it will direct you to the Umbrella dashboard with the hierarchy of Deployments -> Remote Access.

You can always use the upper right corner link RETURN TO SECURE CONNECT to swivel back.

2. Remote Access Blank Page - UMB side.png

4. When you click CONFIGURE shown in the step 3 figure, it will launch configure remote access service wizard and guide you through Network Configuration -> Traffic Steering -> Client Configuration -> Add Regions.

The navigation menu at the top of each screen, indicates the step you are configuring.

3. Configure Remote Access - 0.png

5. Add the IP address(es) of the DNS Servers. Secure Client will use these servers to resolve applications accessed through the tunnel.

Add a Default Domain for DNS resolution and additional DNS Names (optional) in the respective fields and Click Next.

3. Configure Remote Access - 1.png

6. Traffic Steering, also known as split tunneling, enabled you will be able to decide what traffic you want to encrypt and transit over the Secure Client connection (inside the tunnel), and which traffic (if any), you want to go directly to internet resources (outside the tunnel).

Leave this feature disabled by default to direct ALL traffic through Secure Connect services and Click Next. Users will not have access to local resources while connected.

3. Configure Remote Access - 2.png

(Optional) Toggle Traffic Steering ON for granular configuration per your deployment needs:

3. Configure Remote Access - 5.png

a) Check Designate LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while connected.

b) For Tunnel Mode, specify whether destination networks to follow should be applied to Steer Traffic Inside the Secure Tunnel (split include) or Steer Traffic outside the Secure Tunnel (split exclude) of the secure tunnel. Then click Add to add the list of desired networks.

3. Configure Remote Access - 4.png

Split DNS mode is only available when "Steer Traffic INSIDE the Secure Tunnel" is selected.

7. For Client Configuration, you can leave it as default and click NEXT.

3. Configure Remote Access - 6.1.0.png

(Optional) Or if you need granular configuration per your deployment needs:

Choose to enable Auto-Connect on Start.
Add a banner message under Post Authentication Banner, which will be displayed to Secure Client users upon connection.
Configure the Session Timeout to set a session duration for VPN.
Configure Administrator Settings to allow configure Remote Desktop Protocol (RDP) for Windows and Linux devices.

3. Configure Remote Access - 6.1.png

3. Configure Remote Access - 6.2.png

8. For Add Regions, select the location of the data center through which your traffic is routed. You can choose single or both based on your own design.

3. Configure Remote Access - 7.png

3. Configure Remote Access - 7.2.png

Once you complete above steps and click PROVISION, it will re-direct you back to the checklist page and start provisioning on the backend.

3. Configure Remote Access - 8.png

Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboard and follows the format; <system generated id>.sc.ciscoplus.com.

Alternately, location-specific FQDNs are provided with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:

123d.pao1.sc.ciscoplus.com
123d.nyc1.sc.ciscoplus.com
123d.lax1.sc.ciscoplus.com
123d.ash1.sc.ciscoplus.com

The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.

Remote Access users may choose to connect to the auto-selecting URL or a specific location via the Secure Client dropdown. Note the drop downs will populate after first connecting to the service.

This may take up to five minutes to complete. It is ok to start the next section while waiting.

9. You can verify Remote Access has been provisioned successfully under Deployments -> Remote Access in Umbrella dashboard.

3. Configure Remote Access - 9.png

10. To complete the whole experience of Remote Access. You need to configure your remote users, please check Configure and provision users to complete deployments. Once its done, you can Click Deploy Secure Client to Users in the checklist page, download the Secure Client via the provided link and start your remote access journey.

4. Endpoint Compliance - 9.png

3. Configure Remote Access - 11.png

Endpoint Compliance (optional)

Once you completed Remote Access setup, click Settings in the top right corner under Deployments -> Remote Access, and click Endpoint Compliance. This feature will provide you enhanced security posture options. You can enable any or all per your own deployment.

4. Endpoint Compliance - 1.png

4. Endpoint Compliance - 3.png

Certificate Requirements - It enables specific certificates check for endpoints attempting to connect to the network.

4. Endpoint Compliance - 4.png

Operating System Requirements - It enables specific operating systems and its version check for endpoints attempting to connect to the network. You can define time for users to upgrade to required version as well.

4. Endpoint Compliance - 5.png

4. Endpoint Compliance - 5.1.png

Anti-Malware Requirements - It enables specific anti-malware software check for endpoints attempting to connect to the network, select your own software from the drop down.

4. Endpoint Compliance - 6.png

4. Endpoint Compliance - 6.1.png

Firewall Requirements - It enables specific personal firewall check for endpoints attempting to connect to the network. Choose your own firewall software provider from the dropdown.

4. Endpoint Compliance - 7.png

4. Endpoint Compliance - 7.1.png

Disk Encryption Requirements - It enables disk encryption check for endpoints attempting to connect to the network. Choose firewall your own Disk Encryption software provider from the dropdown.

4. Endpoint Compliance - 8.png

4. Endpoint Compliance - 8.1.png

Once you are done, click Save to save the configurations.

Next Steps

After completing the Remote Access setup, the rest of checklist can be complete depending on your situation.

4. Endpoint Compliance - 9.png

Step 2 - Enable application connectivity
- Setup a Meraki Network
- Setup a Non-Meraki Network
  - Be sure to select tunnel type of Private Access
  - Add all internal networks (routes) behind the private tunnel as client prefixes to the tunnel
  - Add routes to the IPSec termination device for all remote access client subnets provisioned previously
Step 3 - Configure and provision users
Step 4 - Apply policies
Step 5 - Create new firewall rule

Deploying Cisco Secure Client

The final step is to download and deploy the Cisco Secure Client to endpoints. There are two parts to the Cisco Secure Client download. The first is the is the software itself. The second is an XML file that contains the features and attribute values created during the setup process.

Click Deploy Secure Client to Users, download the Secure Client via the provided link and click Close.

3. Configure Remote Access - 10.png

More information on deploying Cisco Secure Client can be found here.

Note: You will be unable to download the Cisco Secure Client software from Cisco Software Central. This is due to how Cisco+ Secure Connect license is setup. If you need a difference version of the Cisco Secure Client that what is posted in the Cisco+ Secure Connect portal, then contact support.