Cisco Meraki

Cisco+ Secure Connect - Setting Up Client-based Remote Access

Overview

Cisco+ Secure Connect enables remote users to access private applications from anywhere through the Cisco+ Secure Connect fabric using the Cisco Secure Client (formerly the Cisco AnyConnect client). Identity-based access control is possible using SAML authentication through the customer's IdP. Endpoint Compliance, also known as Endpoint Posture, is also evaluated, enabling granular access control to private resources.

[Figure: Remote Access Traffic Steering]

Prerequisites  

Before you get started setting up remote access, you will want to gather the following information.

Requirement and details:

Private DNS server IP addresses: the servers used to resolve private application names.
Corporate domain name: the domains that must be resolved to access private applications.
Client IP address pools: North America and Europe have four data centers each, and each region you specify needs a complete set of four private address pools. We recommend contiguous private address pools so they are easy to summarize for routing and rule updates. These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required; a second region is optional.
Any subnets that require tunnel bypass: you may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel.
Datacenter gateway device: the physical or software device on the data center side of the VPN connection. Any IKEv2-compatible device is supported, but configuration details will vary.
Customer-premises equipment (CPE) device public IP*: the internet-routable IP address for the CPE external WAN interface.
Tunnel IKEv2 pre-shared key: the PSK is needed to configure the IPsec tunnel on the CPE device.

*A public IP is only required for devices that do not support IKEv2 email identities.
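The client pool constraints above (four pools per region, private space, no overlap with internal subnets, contiguous so they summarize to one route) are easy to get wrong before provisioning. The following script is an added example, not Cisco's code; it checks candidate pools against those constraints using constructed sample subnets that you would replace with your own.

```python
"""Validate Cisco+ Secure Connect client IP address pools before provisioning.

Added example (not Cisco's code). Checks that each region has four private
pools that overlap neither each other nor existing internal subnets, and
reports a single summary route per region when the pools are contiguous.
"""
import ipaddress

POOLS_PER_REGION = 4  # four data centers per region (North America, Europe)

# Constructed sample data for the demonstration; replace with your own.
EXISTING_INTERNAL_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.10.0/24"]
CANDIDATE_POOLS = {
    "north_america": ["10.200.0.0/24", "10.200.1.0/24", "10.200.2.0/24", "10.200.3.0/24"],
    "europe": ["10.200.4.0/24", "10.200.5.0/24", "10.200.6.0/24"],  # one pool short
}


def validate_pools(candidates, internal):
    """Return (problems, summaries): a list of human-readable problems and a
    dict region -> summary route, or None when the pools are not contiguous."""
    internal_nets = [ipaddress.ip_network(s, strict=True) for s in internal]
    problems, summaries, seen = [], {}, []
    for region, pools in candidates.items():
        nets = [ipaddress.ip_network(p, strict=True) for p in pools]
        if len(nets) != POOLS_PER_REGION:
            problems.append(f"{region}: expected {POOLS_PER_REGION} pools, got {len(nets)}")
        for net in nets:
            if not net.is_private:
                problems.append(f"{region}: {net} is not private address space")
            for site in internal_nets:
                if net.overlaps(site):
                    problems.append(f"{region}: {net} overlaps internal subnet {site}")
            # `seen` holds every pool already checked, across all regions.
            for other_region, other in seen:
                if net.overlaps(other):
                    problems.append(f"{region}: {net} overlaps {other} ({other_region})")
            seen.append((region, net))
        # Contiguous, aligned pools collapse to one supernet; otherwise None.
        collapsed = list(ipaddress.collapse_addresses(nets))
        summaries[region] = str(collapsed[0]) if len(collapsed) == 1 else None
    return problems, summaries


if __name__ == "__main__":
    found, routes = validate_pools(CANDIDATE_POOLS, EXISTING_INTERNAL_SUBNETS)
    for line in found:
        print("PROBLEM:", line)
    for region, route in routes.items():
        print(f"{region}: summary route {route or 'none (pools not contiguous)'}")
```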

Remote Access Setup  

In order to begin, you'll first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see Cisco+ Secure Connect Onboarding.

Getting Started

  1. Navigate to Secure Connect -> CONNECTIONS -> Remote Access to begin the setup process.
  2. This "checklist" guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. The tasks can be done in any order; the steps below begin at the top of the checklist with Configure remote access service.

[Figure: Remote Access opening page]

  3. Click Configure remote access service. It directs you to the Umbrella dashboard under Deployments -> Remote Access. You can always use the RETURN TO SECURE CONNECT link in the upper right corner to swivel back.

[Figure: Remote Access blank page (Umbrella side)]

Network Configuration

  4. When you click CONFIGURE, shown in the step 3 figure, the Configure Remote Access Service wizard launches and guides you through Network Configuration -> Traffic Steering -> Client Configuration -> Add Regions. The navigation menu at the top of each screen shows your progress.

[Figure: Configure Remote Access - 0]

  5. Add the IP address(es) of your internal DNS servers. Secure Client uses these servers to resolve applications accessed through the tunnel. Add a Default Domain for DNS resolution and, optionally, additional DNS Names in the respective fields, then click Next.

[Figure: Configure Remote Access - 1]

Traffic Steering

Traffic Steering, also known as split tunneling, enables you to decide what traffic you want to encrypt and transit over the Secure Client connection (inside the tunnel), and which traffic (if any), you want to go directly to internet resources (outside the tunnel). 

Leave this feature disabled (the default setting) to direct ALL traffic through Secure Connect services, then click Next. Users will not have access to local resources while connected.

[Figure: Configure Remote Access - 2]

  1. Toggle Traffic Steering ON to enable traffic steering.
  2. Check Designate LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while the tunnel is active.
  3. For Tunnel Mode, specify whether the destination networks you list should Steer Traffic Inside the Secure Tunnel (split include) or Steer Traffic Outside the Secure Tunnel (split exclude). Then click Add to add the list of desired networks.

[Figure: Configure Remote Access - 4]

Split DNS mode is only available when "Steer Traffic INSIDE the Secure Tunnel" is selected.
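To make the effect of the steering toggle, Tunnel Mode and LAN-access settings concrete before committing them, the following added example (not Cisco's code, and a simplified model of the client's routing decision) classifies sample destinations as inside or outside the tunnel, and encodes the Split DNS availability rule stated above.

```python
"""Model Secure Client traffic steering decisions for a given configuration.

Added example, not Cisco's code. It mirrors the page's settings (steering
toggle, Tunnel Mode include/exclude, local LAN access) as a simplified model
to show which destinations end up inside or outside the tunnel.
"""
import ipaddress


def steering_decision(dest, enabled, mode, networks, lan_access, local_lan=None):
    """Return 'inside' or 'outside' for destination address `dest`.

    mode: 'include' steers the listed networks inside the tunnel and everything
    else outside; 'exclude' steers the listed networks outside and everything
    else inside. `local_lan` is the client's local subnet (assumed known here)
    and only matters when lan_access is True."""
    addr = ipaddress.ip_address(dest)
    if not enabled:
        return "inside"  # default: ALL traffic through Secure Connect services
    if lan_access and local_lan and addr in ipaddress.ip_network(local_lan):
        return "outside"  # Designate LAN access outside secure tunnel
    listed = any(addr in ipaddress.ip_network(n) for n in networks)
    if mode == "include":
        return "inside" if listed else "outside"
    if mode == "exclude":
        return "outside" if listed else "inside"
    raise ValueError(f"unknown tunnel mode: {mode}")


def split_dns_allowed(enabled, mode):
    """Split DNS is only offered with 'Steer Traffic INSIDE the Secure Tunnel'."""
    return bool(enabled) and mode == "include"


if __name__ == "__main__":
    # Constructed sample: private apps live in 10.0.0.0/8, client LAN is 192.168.1.0/24.
    cfg = dict(enabled=True, mode="include", networks=["10.0.0.0/8"],
               lan_access=True, local_lan="192.168.1.0/24")
    for dest in ("10.20.30.40", "8.8.8.8", "192.168.1.20"):
        print(dest, "->", steering_decision(dest, **cfg))
    print("split DNS available:", split_dns_allowed(cfg["enabled"], cfg["mode"]))
```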

Client Configuration

  1. For Client Configuration, you can leave the defaults and click NEXT.

[Figure: Configure Remote Access - 6.1.0]

  2. Or, if you need granular configuration for your deployment (optional):
  • Choose to enable Auto-Connect on Start.
  • Add a banner message under Post Authentication Banner, which is displayed to Secure Client users upon connection.
  • Configure the Session Timeout to set the VPN session duration.
  • Configure Administrator Settings to configure Remote Desktop Protocol (RDP) access for Windows and Linux devices.

[Figure: Configure Remote Access - 6.1]

[Figure: Configure Remote Access - 6.2]

Add Regions

For Add Regions, select the location of the data center through which your traffic is routed. You can choose one or both regions based on your own design.

[Figure: Configure Remote Access - 7]

[Figure: Configure Remote Access - 7.1]

[Figure: Configure Remote Access - 7.2]

Provision

Once you complete the above steps and click PROVISION, you are redirected back to the checklist page and provisioning starts on the backend.

[Figure: Configure Remote Access - 8]

Once provisioning is complete, an auto-selecting URL is provided that automatically selects the data center closest to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboards and follows the format <system generated id>.sc.ciscoplus.com.

Alternatively, location-specific FQDNs are provided in the format <system generated id>.location.sc.ciscoplus.com. For example, with a system-generated id of 123d, the 4 FQDNs generated could be:

123d.pao1.sc.ciscoplus.com
123d.nyc1.sc.ciscoplus.com
123d.lax1.sc.ciscoplus.com
123d.ash1.sc.ciscoplus.com

The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.  

Remote Access users may choose to connect to the auto-selecting URL or to a specific location via the Secure Client drop-down. Note that the drop-downs populate only after first connecting to the service.

This may take up to five minutes to complete. It is OK to start the next section while waiting.

You can verify that Remote Access has been provisioned successfully under Deployments -> Remote Access in the Umbrella dashboard.

[Figure: Configure Remote Access - 9]

To complete the Remote Access experience, you need to configure your remote users; see Configure and provision users to complete the deployment. Once that is done, click Deploy Secure Client to Users on the checklist page, download the Secure Client via the provided link, and start your remote access journey.

[Figure: Endpoint Compliance - 9]

Endpoint Compliance (optional)

Endpoint Compliance, also known as Endpoint Posture, verifies any combination of the following requirements on the endpoint before allowing that endpoint to connect to the Cisco+ Secure Connect cloud:

  1. Certificate
  2. Operating System type and version
  3. Anti-Malware
  4. Firewall
  5. Disk encryption

To enable Endpoint Compliance, click Settings in the top right corner under Deployments -> Remote Access, then click Endpoint Compliance.

[Figure: Endpoint Compliance - 1]

[Figure: Endpoint Compliance - 3]

  1. Certificate Requirements - Enables a check for specific certificates on endpoints attempting to connect to the network.

[Figure: Endpoint Compliance - 4]

  2. Operating System Requirements - Enables a check for specific operating systems and versions on endpoints attempting to connect to the network. You can also define a period of time for users to upgrade to the required version.

[Figure: Endpoint Compliance - 5]

Clicking on the down arrow will allow you to choose more specific Operating System options.

[Figure: Endpoint Compliance - 5.1]

  3. Anti-Malware Requirements - Enables a check for specific anti-malware software on endpoints attempting to connect to the network. Select your software from the drop-down.

[Figure: Endpoint Compliance - 6]

Clicking on the down arrow will allow you to choose more specific Anti-Malware software options.

[Figure: Endpoint Compliance - 6.1]

  4. Firewall Requirements - Enables a check for a specific personal firewall on endpoints attempting to connect to the network. Choose your firewall software provider from the drop-down.

[Figure: Endpoint Compliance - 7]

Clicking on the down arrow will allow you to choose more specific Firewall options.

[Figure: Endpoint Compliance - 7.1]

  5. Disk Encryption Requirements - Enables a disk encryption check on endpoints attempting to connect to the network. Choose your disk encryption software provider from the drop-down.

[Figure: Endpoint Compliance - 8]

Clicking on the down arrow will allow you to choose more specific Disk Encryption options.

[Figure: Endpoint Compliance - 8.1]

Once you are done, click Save to save the configurations.

Setting up Network Connectivity and Policies

After completing the Remote Access setup, the remaining checklist items can be completed as your deployment requires.

[Figure: Endpoint Compliance - 9]

Deploying Cisco Secure Client

The final step is to download and deploy the Cisco Secure Client to endpoints. There are two parts to the Cisco Secure Client download. The first is the software itself. The second is an XML file that contains the features and attribute values created during the setup process.

Click Deploy Secure Client to Users, download the Secure Client via the provided link and click Close.

[Figure: Configure Remote Access - 10]

[Figure: Configure Remote Access - 11]

More information on deploying Cisco Secure Client can be found here.

Note: You will be unable to download the Cisco Secure Client software from Cisco Software Central. This is due to how the Cisco+ Secure Connect license is set up. If you need a different version of the Cisco Secure Client than the one posted in the Cisco+ Secure Connect portal, contact Meraki support through the Cisco+ Secure Connect dashboard.
