Skip to main content
Cisco Meraki Documentation

Remote Access Deployment

Remote Access Setup  

Before you begin, first, you'll need to integrate your Cisco Meraki and Cisco Umbrella accounts together for a seamless experience and meet the prerequisites of remote access deployment. For further instructions, please check article Cisco Secure Connect Onboarding and Cisco Secure Connect - Remote Access.

Getting Started with Configure remote access service

1. Get started with navigate to Secure Connect -> Identities & Connections -> Remote Access to begin the setup process.

1. Getting start navigation.png

2. Once you are in the Remote Access page, a service wizard will guide you through Configure regions and DNS Servers. You will need to complete these two minimum requirements to get your Remote Access journey starts.

2. Remote Access opening page.png

3. Configure regions will allow you to choose your locations under Asia PacificEurope and North America regions.

Select the Secure Connect data center Location where your client VPN tunnels will terminate. You can choose single or multiple regions based on your own architecture design.

A Location is added by entering an private IP address range in the Assigned IP pool field. Display Name is optional, if you are willing to use the default name, leave the space blank and the grey-out default name will be automatically populated once you click Save button.

There are a few things to be aware when configuring Locations.

  • A minimum of two locations must be added per region.   
  • The IP address ranges must be in the private address space defined in RFC1918 in CIDR format.
  • The largest and smallest supported IP range is x.x.x.x/16 and x.x.x.x/28.
  • The IP address ranges you choose for your remote client must not be overlapped with any other address ranges in your internal network. 
  • Changing the Display Name is an optional step.
  • Leave the Location space blank if you do not want to use that location or if you are using Reserved IP already. To learn more about Reserved IP, please check this link.

Asia DC.png

Europe DC.png

North America DC.png

4. Add the IP address(es) of the DNS Server(s)Secure Client will use these servers to resolve applications accessed through the tunnel.
Add a Default domain for DNS resolution and additional DNS Names (optional) in the respective fields and Click Save.

DNS Servers 1.png

5. After complete and save your configurations. The new page will show you that your selected Remote Access locations has been successfully provisioned. To make any changes or verify configuration, select each tab or click Configure Regions to edit regions/locations head-end.

RA landing page - Day N.png

There are a few items to be noted:

  • FQDN - The unique FQDN sitting on the top left corner is used for remote users connecting to remote access VPN through Cisco Secure Client, it will find the remote user's nearest geographical location from your provisioned list. 

5-1 FQDN.png

Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboard and follows the format; <system generated id>

Alternately, location-specific FQDNs are provided with the following format: <system generated id>  Using the above example, the 4 FQDNs generated could be:

The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.  

Remote Access users may choose to connect to the auto-selecting URL or a specific location via the Secure Client dropdown. Note the drop downs will populate after first connecting to the service. 

This may take up to five minutes to complete. It is ok to start the next section while waiting. 

  • Secure Client - Click Downloads button under Secure Client, you can download the latest version of Secure Client software in Windows, MacOS and Linus operating systems. You can also download XML file for your MDM solution.

5-2 Secure Client.png

  • Task Wizard (Tasks to enable Remote Access) - You will see a task checklist wizard on the top of the Remote Access page.
    • By default, it is collapsed5-3 Checklist- collapse.png
    • You can always expand it to check what tasks left to be completed. As each task is completed, the progress bar advances. 5-3 Checklist- expanded required.png5-3 Checklist- expanded.png

Configure identity provider to provision users

Once you completed Configure remote access service, to complete the whole experience of Remote Access. You need to configure your remote users, please check Configure and provision users to complete deployments.

5-3 Checklist- expanded required.png

If the IdP configuration (Meraki Cloud Auth) was configured prior to Remote Access, we would need to go to Umbrella dashboard add users to Remote Access from the Settings page. 
In Umbrella dashboard navigate to Deployments > Remote Access, click on Settings at the top right corner of the page and navigate to Assign Users & Groups.
Select users or AD groups that will be allowed to use remote VPN access to connect to the network. For Meraki Auth IdP make sure RemoteAccess group is selected.
Umbrella IdP.png

Next Step

Now, you have finished the basic deployment of Remote Access. Please refer to below articles if you plan to deploy more granular enforcements: