
Cisco Meraki Documentation

Meraki Secure SD-WAN Microsoft SSE Configuration Guide

Integrating Cisco Meraki Secure SD-WAN with Microsoft's SSE solution lets north-south traffic from SD-WAN branches, bound for the internet or for Software-as-a-Service (SaaS) applications, be routed through Microsoft's SSE solution for inspection.

This guide describes how to secure Cisco Meraki Secure SD-WAN networks with Microsoft's SSE solution, specifically for internet and SaaS application traffic. The integration has been tested and validated on Cisco Meraki version… together with the Microsoft's SSE solution cloud dashboard.

Microsoft Entra Internet Access and Microsoft Entra Private Access are the two components of Microsoft's SSE solution, Global Secure Access. Microsoft Entra Internet Access secures access to internet and SaaS apps, protecting users, devices, and data against internet-borne threats. This document covers the Internet Access use case.

There are several ways to connect remote networks to Global Secure Access. In short, you create an Internet Protocol Security (IPsec) tunnel between a core router, known as the customer premises equipment (CPE), at your remote network and the nearest Global Secure Access endpoint. All internet-bound traffic is routed through the remote network's core router and over that tunnel for security policy evaluation in the cloud. A key customer benefit is a seamless end-to-end SD-WAN and security deployment that does not require a client on individual devices. Customers also gain security capabilities such as universal tenant restrictions, compliant network check, and source IP restoration.

Prerequisites 

  • Microsoft’s SSE solution account  

  • Meraki MX/Z device (running MX19.1+ firmware) 

  • BGP routing over IPsec (IKEv2 required) 

  • TCP port 179 (BGP) permitted on your VPN firewall
     

Caveats 

  • This integration only applies to tunneling Microsoft 365 traffic 

  • Only NULL encryption is supported for the Phase 2 IPsec encryption setting. NULL ESP encryption authenticates and integrity-protects the tunnel but does not encrypt its payload, so confidentiality of the tunneled Microsoft 365 traffic rests on the applications' own transport encryption (TLS).

  • Configuration templates are not supported with this integration 

  • User FQDN (as the IKE identity) is not supported on Microsoft's SSE solution

  • Zone redundancy configured through Microsoft's SSE solution is not supported. To achieve zone redundancy, see the Redundant tunnel section

  • eBGP routes are redistributed into iBGP by default, which can lead to suboptimal routing for a remote AutoVPN peer.
     

Configuration of Microsoft’s SSE solution 

How to create remote networks - Global Secure Access | Microsoft Learn 

  1. Navigate to entra.microsoft.com and log in with your credentials.

  2. On the left pane, navigate to Global Secure Access > Connect > Remote networks.

  3. On the top left, click + Create remote network.

  4. Under the Basics tab, configure a remote network Name and select a Region. Select the region closest to your remote network. Then click Next: Connectivity.

  5. Under the Connectivity tab, click + Add a link.

5a. Under General - configure the following 

  • Name – Name of your Branch Site 
     

  • Device Type – Cisco Meraki 
     

  • IP address – Public IP of your Meraki SD-WAN device 
     

  • Local BGP Address – Microsoft BGP IP address (for eBGP peering, Meraki SD-WAN requires the local and peer BGP addresses to be within the same /30 subnet)
     

  • Peer BGP Address – Meraki SD-WAN BGP IP address (same /30 requirement as above; Local and Peer are named from Microsoft's side of the link)
     
    For this example the 10.0.0.0/30 IPsec subnet was chosen, with 10.0.0.1 as my Meraki BGP peering IP and 10.0.0.2 as my Microsoft Entra BGP peering IP.

  • Link ASN – Meraki SD-WAN AS number (this can be found on the routing page of your Meraki network)
     

  • Redundancy – Not Applicable 
     

  • Bandwidth Capacity – Choose based on your branch device/needs 

5b. Under Details - Configure the following 
 

  • Protocol – IKEv2 

  • IPsec/IKE policy – Custom 
     

Phase 1 settings 

  • Encryption – an IKEv2 cipher that matches the Meraki side (SHA 256 is a hash, not a cipher, and does not belong in this field)

  • IKEv2 Integrity – SHA 256 

  • DH group – DH 14 
     

Phase 2 settings 

  • IPsec encryption – NULL (see Caveats: the tunnel is integrity-protected, but IPsec does not encrypt its payload)

  • IPsec Integrity – SHA 256 

  • PFS group – Off 

  • Lifetime – 300 

5c. Under Security, configure the following:

  • Pre-shared key – configure a shared secret. Use a long, randomly generated value and keep it for the Meraki side of the tunnel; the PSK is what authenticates the two IKEv2 peers to each other.

5d. Save your configuration.

5e. After your configuration has been saved, the created link is listed under Connectivity. Click Next: Traffic profiles.

6. Under the Traffic profiles tab, select the checkbox for the Microsoft 365 traffic profile and click Next: Review + create.

7. Under the Review + create tab, review your settings and click Create remote network.
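As an added pre-flight check, not part of the Meraki guide and not Microsoft's code, the following Python script validates a remote-network link definition against the constraints in the steps above: IKEv2, NULL Phase 2 encryption, PFS off, both BGP addresses usable host addresses inside one /30 (the network and broadcast addresses of the /30 are rejected), a DH group of at least 14, and a pre-shared key of reasonable length. The dictionary keys, the SAMPLE_LINK values (public IP 203.0.113.10, ASN 65001, AES256 as the IKE cipher) and the 32-character PSK minimum are this example's own assumptions, not portal field names or Microsoft limits.

```python
"""Pre-flight check of a Global Secure Access remote-network link against the
constraints this guide lists.  Added example, not Meraki or Microsoft code: the
dictionary keys are this script's own names for the portal fields, and
SAMPLE_LINK is a constructed sample (public IP from TEST-NET-3, ASN 65001 and
the IKE cipher chosen for illustration)."""
import ipaddress
import secrets

# Values the guide requires for this integration.
REQUIRED = {
    "protocol": "IKEv2",           # IKEv2 is required
    "ipsec_encryption": "NULL",    # only NULL ESP encryption is supported
    "pfs_group": "Off",
}
MIN_PSK_LEN = 32                   # assumption: our own policy, not a portal limit


def check_bgp_peering(local_bgp: str, peer_bgp: str) -> list[str]:
    """Meraki requires both eBGP addresses to be distinct host addresses of the same /30."""
    issues = []
    try:
        local = ipaddress.IPv4Address(local_bgp)
        peer = ipaddress.IPv4Address(peer_bgp)
    except ValueError as exc:
        return [f"invalid BGP address: {exc}"]
    if local == peer:
        issues.append("local and peer BGP addresses are identical")
    net = ipaddress.IPv4Network(f"{local}/30", strict=False)
    if peer not in net:
        issues.append(f"peer {peer} is not in the same /30 ({net}) as local {local}")
    for label, addr in (("local", local), ("peer", peer)):
        if addr in (net.network_address, net.broadcast_address):
            issues.append(f"{label} BGP address {addr} is the network or broadcast address of {net}")
    return issues


def check_psk(psk: str) -> list[str]:
    """The PSK is what authenticates the two IKEv2 peers; reject short secrets."""
    if len(psk) < MIN_PSK_LEN:
        return [f"pre-shared key is {len(psk)} chars, want at least {MIN_PSK_LEN}"]
    return []


def generate_psk() -> str:
    """A random PSK from the OS CSPRNG (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def check_link(cfg: dict) -> list[str]:
    """Return every constraint the link definition violates (empty list = OK)."""
    issues = check_bgp_peering(cfg["local_bgp"], cfg["peer_bgp"])
    for key, want in REQUIRED.items():
        if str(cfg.get(key, "")).lower() != want.lower():
            issues.append(f"{key} must be {want}, got {cfg.get(key)!r}")
    # The IKE encryption field takes a cipher; a hash name here is a configuration mistake.
    if str(cfg.get("ike_encryption", "")).upper().startswith("SHA"):
        issues.append(f"ike_encryption {cfg['ike_encryption']!r} is a hash, not a cipher")
    if int(cfg.get("dh_group", 0)) < 14:
        issues.append(f"DH group {cfg.get('dh_group')} is below DH 14 (2048-bit MODP)")
    issues += check_psk(cfg.get("psk", ""))
    return issues


SAMPLE_LINK = {                      # constructed sample following the guide's example
    "name": "Branch-Site-1",
    "device_type": "Cisco Meraki",
    "ip_address": "203.0.113.10",    # constructed: Meraki public IP
    "local_bgp": "10.0.0.2",         # Microsoft side, as in the guide's example
    "peer_bgp": "10.0.0.1",          # Meraki side
    "link_asn": 65001,               # constructed private ASN
    "protocol": "IKEv2",
    "ike_encryption": "AES256",      # assumption: a cipher matching the Meraki side
    "ike_integrity": "SHA256",
    "dh_group": 14,
    "ipsec_encryption": "NULL",
    "ipsec_integrity": "SHA256",
    "pfs_group": "Off",
    "lifetime": 300,
    "psk": generate_psk(),
}

if __name__ == "__main__":
    for line in check_link(SAMPLE_LINK) or ["link configuration passes all checks"]:
        print(line)
```

Run it against your own link definition before clicking Create remote network; every string it returns is a setting the portal will accept but the Meraki side will fail to peer or negotiate with.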