Remote Access Deployment
Remote Access Setup
Before you begin, first, you'll need to integrate your Cisco Meraki and Cisco Umbrella accounts together for a seamless experience and meet the prerequisites of remote access deployment. For further instructions, please check article Cisco Secure Connect Onboarding and Cisco Secure Connect - Remote Access.
Getting Started with Configure remote access service
1. Get started with navigate to Secure Connect -> Identities & Connections -> Remote Access to begin the setup process.
2. Once you are in the Remote Access page, a service wizard will guide you through Configure regions and DNS Servers. You will need to complete these two minimum requirements to get your Remote Access journey starts.
3. Configure regions will allow you to choose your locations under Asia Pacific, Europe and North America regions.
Select the Secure Connect data center Location where your client VPN tunnels will terminate. You can choose single or multiple regions based on your own architecture design.
A Location is added by entering an private IP address range in the Assigned IP pool field. Display Name is optional, if you are willing to use the default name, leave the space blank and the grey-out default name will be automatically populated once you click Save button.
There are a few things to be aware when configuring Locations.
- A minimum of two locations must be added per region.
- The IP address ranges must be in the private address space defined in RFC1918 in CIDR format.
- The largest and smallest supported IP range is x.x.x.x/16 and x.x.x.x/28.
- The IP address ranges you choose for your remote client must not be overlapped with any other address ranges in your internal network.
- Changing the Display Name is an optional step.
- Leave the Location space blank if you do not want to use that location or if you are using Reserved IP already. To learn more about Reserved IP, please check this link.
4. Add the IP address(es) of the DNS Server(s). Secure Client will use these servers to resolve applications accessed through the tunnel.
Add a Default domain for DNS resolution and additional DNS Names (optional) in the respective fields and Click Save.
5. After complete and save your configurations. The new page will show you that your selected Remote Access locations has been successfully provisioned. To make any changes or verify configuration, select each tab or click Configure Regions to edit regions/locations head-end.
There are a few items to be noted:
- FQDN - The unique FQDN sitting on the top left corner is used for remote users connecting to remote access VPN through Cisco Secure Client, it will find the remote user's nearest geographical location from your provisioned list.
Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboard and follows the format; <system generated id>.sc.ciscoplus.com.
Alternately, location-specific FQDNs are provided with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:
123d.pao1.sc.ciscoplus.com
123d.nyc1.sc.ciscoplus.com
123d.lax1.sc.ciscoplus.com
123d.ash1.sc.ciscoplus.com
The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.
Remote Access users may choose to connect to the auto-selecting URL or a specific location via the Secure Client dropdown. Note the drop downs will populate after first connecting to the service.
This may take up to five minutes to complete. It is ok to start the next section while waiting.
- Secure Client - Click Downloads button under Secure Client, you can download the latest version of Secure Client software in Windows, MacOS and Linus operating systems. You can also download XML file for your MDM solution.
Remote Access end device requires Umbrella Module to be active for DNS policy to take effect. Please check Deploy Umbrella module for configuration and installation steps.
- Task Wizard (Tasks to enable Remote Access) - You will see a task checklist wizard on the top of the Remote Access page.
- By default, it is collapsed
- You can always expand it to check what tasks left to be completed. As each task is completed, the progress bar advances.
Configure identity provider to provision users
Once you completed Configure remote access service, to complete the whole experience of Remote Access. You need to configure your remote users, which means integrate your IdP solution to Secure Connect. Please check Configure and provision users to complete deployments.
After you complete configurations on IdP integration, you will need to assign users to Remote Access. Navigate to Secure Connect > Remote Access page, click on User and Group Assignment tab, you can choose either assign by User Groups or by Users. Or you can simply turn on Enable remote access for all user groups (users) button, which means all future added user groups (users) will be automatically enabled with Remote Access when this option is enabled.
If the IdP configuration (Meraki Cloud Auth) was configured prior to Remote Access, we would need to go to User and Group Assignment tab to add users to Remote Access.
In Secure Connect dashboard navigate to Secure Connect > Remote Access, click on User and Group Assignment tab.
Select users or AD groups that will be allowed to use remote VPN access to connect to the network. For Meraki Auth IdP make sure RemoteAccess group is selected.
Next Step
Now, you have finished the basic deployment of Remote Access. Please refer to below articles if you plan to deploy more granular enforcements: