Meraki Secure SD-WAN Microsoft SSE Configuration Guide
Microsoft’s SSE Meraki SD-WAN Configuration Guide
Integrating Cisco Meraki Secure SD-WAN with Microsoft's SSE solution lets north-south traffic from SD-WAN branches that is destined for the internet or Software-as-a-Service (SaaS) applications be routed through Microsoft's SSE solution for inspection.
This guide details how to secure Cisco Meraki Secure SD-WAN networks with Microsoft's SSE solution, specifically for internet and SaaS applications. The integration has been tested and validated for deployment on Cisco Meraki version… in conjunction with the Microsoft's SSE solution cloud dashboard.
Microsoft Entra Internet Access and Microsoft Entra Private Access are the two components of Microsoft's SSE solution, Global Secure Access. Microsoft Entra Internet Access secures access to internet and SaaS apps, protecting users, devices, and data against internet-borne threats. This document focuses on the Internet Access use case.
There are multiple ways to connect remote networks to Global Secure Access. In a nutshell, you create an Internet Protocol Security (IPsec) tunnel between a core router, known as the customer premises equipment (CPE), at your remote network and the nearest Global Secure Access endpoint. All internet-bound traffic is routed through the core router of the remote network for security policy evaluation in the cloud. A key customer benefit is the seamless deployment of a comprehensive end-to-end SD-WAN and security solution without installing a client on individual devices. In addition, customers benefit from enhanced security capabilities such as universal tenant restrictions, compliant network check, and source IP restoration.
Prerequisites
- Microsoft's SSE solution (Global Secure Access) account
- Meraki MX/Z device running MX19.1+ firmware
- BGP routing over IPsec (IKEv2 required)
- TCP port 179 (BGP) permitted on your VPN firewall
Caveats
- This integration only applies to tunneling Microsoft 365 traffic.
- Only NULL encryption is supported for the Phase 2 IPsec encryption setting. NULL ESP encryption provides no confidentiality on its own, so confirm which Phase 2 integrity algorithm the link negotiates: if it is not an AEAD (GCM) mode, the tunneled payload crosses the internet authenticated but unencrypted.
- Configuration templates are not supported with this integration.
- User FQDN is not supported on Microsoft's SSE solution.
- Zone redundancy configured via Microsoft's SSE solution is not supported. To achieve zone redundancy, see the Redundant tunnel section.
- eBGP routes are redistributed into iBGP by default, which could lead to sub-optimal routing for a remote AutoVPN peer.
Configuration of Microsoft’s SSE solution
How to create remote networks - Global Secure Access | Microsoft Learn
1. Navigate to entra.microsoft.com and sign in with your credentials.
2. In the left pane, navigate to Global Secure Access > Connect > Remote networks.
3. At the top left, click + Create remote network.
4. On the Basics tab, enter a remote network Name and select a Region. Select the region closest to your remote network, then click Next: Connectivity.
5. On the Connectivity tab, click + Add a link.
5a. Under General, configure the following:
5b. Under Details, configure the following:
Phase 1 settings
Phase 2 settings
5c. Under Security, configure the following:
5d. Save your configuration.
5e. After the configuration has been saved, the created link is listed under Connectivity as shown below:
Click Next: Traffic profiles.
6. On the Traffic profiles tab, select the checkbox for the Microsoft 365 traffic profile and click Next: Review + create.
7. On the Review + create tab, review your settings and click Create remote network.
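The same remote network and link can be created without the admin center by calling the Microsoft Graph networkaccess API, which is useful when a fleet of branches has to be onboarded repeatably. The script below is an added example written for this page; it is not code from the Meraki or Microsoft guide. The endpoint paths and property names reflect the beta Graph networkaccess API as the editor knows it and should be checked against the current Microsoft Graph reference before use; the branch name, region, IP addresses, and ASN are placeholders; the PATCH used to attach the Microsoft 365 traffic profile and the final connectivityConfiguration read-back are assumptions to verify. The Phase 1/Phase 2 values from the guide's tables are not reproduced here, so the default IKEv2 tunnel configuration is used.

```powershell
# Added example (not from the guide): create the remote network from steps 1-7 via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module and a role allowed to manage Global Secure Access.

# --- Placeholders to replace (assumed values, not from the guide) ---
$RemoteNetworkName = 'Branch-MX-01'
$Region            = 'eastUS'          # region closest to the branch (step 4)
$MxPublicIp        = '203.0.113.10'    # MX/Z WAN public IP (RFC 5737 documentation address)
$MxBgpIp           = '10.255.0.2'      # BGP address on the Meraki side
$MsBgpIp           = '10.255.0.1'      # BGP address for Microsoft's side; must not overlap your LAN
$MxAsn             = 65010             # private ASN configured on the MX for this peering
$PreSharedKey      = Read-Host -AsSecureString 'IKEv2 pre-shared key'   # prompt, never hard-code

Connect-MgGraph -Scopes 'NetworkAccess.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/networkaccess'

# Step 6 equivalent: locate the Microsoft 365 traffic forwarding profile.
$profiles    = Invoke-MgGraphRequest -Method GET -Uri "$base/forwardingProfiles"
$m365Profile = $profiles.value | Where-Object { $_.trafficForwardingType -eq 'm365' }
if (-not $m365Profile) { throw 'Microsoft 365 traffic forwarding profile not found in this tenant.' }

# Convert the secure string only at the moment it is sent.
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PreSharedKey)
$plainPsk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Steps 3-5 equivalent: remote network with one IKEv2 device link.
# redundancyTier is noRedundancy because the guide says zone redundancy is handled
# with a second Meraki tunnel, not in Microsoft's SSE solution.
# Assumption: localIpAddress is Microsoft's BGP address, peerIpAddress is the Meraki side.
$body = @{
    name        = $RemoteNetworkName
    region      = $Region
    deviceLinks = @(
        @{
            name                    = "$RemoteNetworkName-link1"
            ipAddress               = $MxPublicIp
            bandwidthCapacityInMbps = 'mbps250'
            deviceVendor            = 'ciscoMeraki'
            bgpConfiguration        = @{
                localIpAddress = $MsBgpIp
                peerIpAddress  = $MxBgpIp
                asn            = $MxAsn
            }
            redundancyConfiguration = @{
                zoneLocalIpAddress = $null
                redundancyTier     = 'noRedundancy'
            }
            tunnelConfiguration     = @{
                '@odata.type' = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default'
                preSharedKey  = $plainPsk
            }
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/connectivity/remoteNetworks" `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'
$plainPsk = $null   # drop the cleartext PSK from the session as soon as it has been sent

# Step 6 equivalent (assumed request shape): attach the Microsoft 365 traffic profile.
Invoke-MgGraphRequest -Method PATCH -Uri "$base/connectivity/remoteNetworks/$($created.id)" `
    -Body (@{ forwardingProfiles = @(@{ id = $m365Profile.id }) } | ConvertTo-Json -Depth 4) `
    -ContentType 'application/json'

# Read back Microsoft's tunnel endpoint and BGP peer details needed for the Meraki side
# (assumed endpoint; verify against the Graph reference).
Invoke-MgGraphRequest -Method GET `
    -Uri "$base/connectivity/remoteNetworks/$($created.id)/connectivityConfiguration"
```

The pre-shared key is prompted for and cleared after the request rather than stored in the script, and the read-back at the end returns the Microsoft-side endpoint address, ASN, and BGP address that the Meraki side-to-site VPN peer must be configured with; the BGP session itself still depends on TCP 179 being permitted on the VPN firewall, as listed in the prerequisites.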