|Private DNS server IP addresses||Servers used to resolve private application names|
|Corporate domain name||Domains that must be resolved to access private applications|
|Client IP address pools||North America and Europe have 4 data centers each. Each region you enable must have a complete set of 4 contiguous private address pools, one per data center. These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required; a second region is optional|
|Any subnets that require tunnel bypass||You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel|
|Datacenter gateway device||The physical or software device on the data center side of the VPN connection. Any IKEv2-compatible device is supported; however, configuration details vary by device.|
|Customer-premises equipment (CPE) device Public IP*||The internet-routable IP address for the CPE external WAN interface|
|Tunnel IKEv2 pre-shared key||The PSK is needed to configure the IPsec tunnel on the CPE device.|
*A public IP is only required for devices that do not support IKEv2 email identities.
To begin, you first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience. For further instructions, see Cisco+ Secure Connect Onboarding.
Remote Access Setup (Get Started)
- From the main homepage, click Get Started with Secure Connect, then click Set up Remote Access
Figure 1: Get Started with Secure Connect Pop-Up
Alternatively, navigate to Secure Connect -> Configure -> Remote Access Setup to begin the setup process.
- This checklist guides you through the main remote access configuration tasks. As each task is completed, the progress bar advances. The tasks can be done in any order; however, the steps below begin at the top of the checklist with Set Up Remote Access Service.
Figure 2: Remote Access Get Started Checklist
Purpose: set up the network configuration, traffic steering, AnyConnect settings, and data center regions.
- Click Set Up Remote Access Service. For further details see: Remote Access Service Setup
When you launch the Configure Remote Access Service wizard, it guides you through network, traffic steering, VPN client, and data center configuration.
The navigation menu at the top of each screen indicates the step you are configuring (see Figure 1).
Figure 1: Navigation menu for Remote Access Service configuration
Private Network Configuration
Figure 2: Network Configuration Details for Remote Access Service
- Add the IP address(es) of the DNS servers. AnyConnect clients use these servers to resolve the names of applications accessed through the tunnel.
- Add a default domain for DNS resolution and additional DNS names (optional) in the respective fields.
- Click Next
Traffic Selection (Optional)
Figure 3: Traffic Steering Configuration
When this feature, also known as split tunneling, is enabled, you decide which traffic is encrypted and carried over the AnyConnect connection (inside the tunnel) and which traffic, if any, goes directly to internet resources (outside the tunnel). With split tunneling you are effectively configuring access control lists (ACLs) in which the matching hosts or subnets are defined. For more details, see About Traffic Selection.
Leave this feature disabled to direct ALL traffic through Secure Connect services; users will not have access to local resources while connected.
- Select Enable Traffic Steering and configure the settings that follow per your deployment needs
a) (Optional) Check Designate Local LAN access outside secure tunnel if access to local resources, e.g. local printers, is required while connected
b) For Tunnel Mode, specify whether the destination networks you list should be directed inside (split include) or outside (split exclude) of the secure tunnel. Then click Add New to add the list of desired networks.
c) For DNS Mode, choose one of the following:
Default DNS - DNS resolution is subject to how the host operating system handles DNS queries over multiple interfaces (e.g. the physical interface and the tunnel interface). For example, Windows 10 supports a feature called smart multi-homed name resolution, which sends DNS requests across all available adapters and uses the fastest response.
Tunnel all DNS - all DNS queries are resolved over the encrypted AnyConnect connection only; names that cannot be resolved this way remain unresolved.
Split DNS - DNS names matching the configured "DNS Names" are resolved over the encrypted AnyConnect connection; names that do not match are resolved via the local physical interface.
Split DNS mode is only available when "Steer traffic INSIDE the secure tunnel" is selected.
- Click Next
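The following is an added example, not Cisco's code, that models the Traffic Steering and DNS Mode semantics described above so a draft policy can be checked before it is deployed. The policy values and addresses are constructed samples, and LOCAL_LAN is an assumed stand-in for the subnet of the client's physical adapter.

```python
"""Model of the AnyConnect traffic steering and DNS mode settings above.

Added example, not Cisco's code. Given a draft Traffic Steering policy
(tunnel mode, network list, DNS mode, DNS names, local LAN access) it
answers two questions a reviewer asks before deploying it: does a
destination IP go inside or outside the tunnel, and which path does a
DNS lookup take. Policy and addresses are constructed samples.
"""
import ipaddress

# Constructed sample policy mirroring the wizard fields.
POLICY = {
    "tunnel_mode": "include",   # "include" steers listed nets INSIDE, "exclude" OUTSIDE
    "networks": ["10.0.0.0/8", "192.168.50.0/24"],
    "dns_mode": "split",        # "default", "tunnel_all" or "split"
    "dns_names": ["corp.example.com"],
    "local_lan_access": True,   # "Designate Local LAN access outside secure tunnel"
}
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed client LAN


def validate(policy):
    """Reject the one combination the wizard does not allow."""
    if policy["dns_mode"] == "split" and policy["tunnel_mode"] != "include":
        raise ValueError("Split DNS requires steering traffic INSIDE the tunnel")


def steer(dst, policy):
    """Return 'tunnel' or 'direct' for a destination IP address."""
    validate(policy)
    ip = ipaddress.ip_address(dst)
    if policy["local_lan_access"] and ip in LOCAL_LAN:
        return "direct"             # local printers etc. stay outside
    listed = any(ip in ipaddress.ip_network(n) for n in policy["networks"])
    if policy["tunnel_mode"] == "include":
        return "tunnel" if listed else "direct"   # split include
    return "direct" if listed else "tunnel"       # split exclude


def dns_path(name, policy):
    """Return 'tunnel', 'physical' or 'os_decides' for a DNS query."""
    validate(policy)
    if policy["dns_mode"] == "tunnel_all":
        return "tunnel"             # a name the tunnel cannot resolve stays unresolved
    if policy["dns_mode"] == "default":
        return "os_decides"         # e.g. Windows smart multi-homed resolution
    fqdn = name.lower().rstrip(".")
    matched = any(fqdn == d or fqdn.endswith("." + d) for d in policy["dns_names"])
    return "tunnel" if matched else "physical"
```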
Figure 4: VPN Client Configuration
- (Optional) Choose to enable Auto-Connect on Start
- Add a banner message that will be displayed to AnyConnect users upon connection
- Configure the session timeout
- (Optional) Configure settings to allow Remote Desktop Protocol (RDP) for Windows and Linux devices
- Click Next
Figure 6: Data Center Configuration
Once provisioning is complete, an auto-selecting URL is provided that automatically selects the data center closest to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboards and follows the format: <system generated id>.sc.ciscoplus.com.
Alternatively, location-specific URLs are provided in the format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:
The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.
Remote Access users may choose to connect to the auto-selecting URL or to a specific location via the AnyConnect drop-down. Note that the drop-downs populate after first connecting to the service.
Figure 7: AnyConnect connection selection options
- Select the regions in which to deploy the remote access service and enter the IP address ranges for each location
- Verify the IP address ranges are correct
- Click Provision to deploy and configure the cloud resources that will serve AnyConnect clients.
This may take up to five minutes to complete. It is ok to start the next section while waiting.
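Before clicking Provision, the client pools entered for each region can be checked against the rules from the setup table (4 contiguous private pools per region, no overlap with internal subnets). This is an added example, not Cisco's code; the internal subnets and candidate pools are constructed samples.

```python
"""Pre-flight check for Secure Connect remote access client IP pools.

Added example, not Cisco's code. It encodes the pool rules from the setup
table: each enabled region needs 4 contiguous private pools (one per data
center), none of which may overlap a subnet already in use on the internal
network (the same subnets later added as client prefixes on the private
tunnel). All addresses below are constructed samples.
"""
import ipaddress

POOLS_PER_REGION = 4

# Constructed sample: existing internal subnets behind the data center.
INTERNAL_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.50.0/24"]

# Constructed sample: candidate client pools per region, one per data center.
CANDIDATE_POOLS = {
    "North America": ["10.200.0.0/24", "10.200.1.0/24",
                      "10.200.2.0/24", "10.200.3.0/24"],
    "Europe": ["10.201.0.0/24", "10.201.1.0/24",
               "10.1.5.0/24", "10.201.3.0/24"],   # two deliberate mistakes
}


def check_region(region, pools, internal):
    """Return a list of problems for one region (empty means it passes)."""
    problems = []
    nets = sorted(ipaddress.ip_network(p, strict=True) for p in pools)
    internal_nets = [ipaddress.ip_network(s) for s in internal]
    if len(nets) != POOLS_PER_REGION:
        problems.append(f"{region}: expected {POOLS_PER_REGION} pools, got {len(nets)}")
    for n in nets:
        if not n.is_private:
            problems.append(f"{region}: {n} is not a private address range")
        for i in internal_nets:
            if n.overlaps(i):
                problems.append(f"{region}: pool {n} overlaps internal subnet {i}")
    # Contiguous means each pool starts right after the previous one ends;
    # this also rules out pools that overlap each other.
    for prev, cur in zip(nets, nets[1:]):
        if int(cur.network_address) != int(prev.broadcast_address) + 1:
            problems.append(f"{region}: {prev} and {cur} are not contiguous")
    return problems


def check_all(candidates=CANDIDATE_POOLS, internal=INTERNAL_SUBNETS):
    """Validate every region; returns {region: [problems]}."""
    return {r: check_region(r, p, internal) for r, p in candidates.items()}
```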
Remote Access Service Provisioning is complete!
- In the upper right-hand corner of the screen, click Return to Cisco Plus Secure Connect
Figure 8: Return To Secure Connect link
Tunnel, SAML, and Users & Groups Provisioning
After completing the remote access setup, steps 2-4 may already be complete, depending on your situation. Figure 8 shows steps 2-4 completed. If steps 2-4 are not complete, refer to the following reference docs.
Figure 8: Setup wizard step 4 Assign Users & Groups
Complete Steps 2-4
- Step 2: Set up a Secure Access Tunnel
- Be sure to select tunnel type of Private Access
- Add all internal networks (routes) behind the private tunnel as client prefixes to the tunnel
- Add routes to the IPSec termination device for all remote access client subnets provisioned previously
- Step 3: Configure SAML in Umbrella
- Step 4: Provision Users & Groups
Assign Users & Groups to Remote Access
- From the setup wizard, click Assign Users & Groups to Remote Access Service. This opens the User & Group authorization page.
Figure 9: Assign Users and Groups
- Select the required users and/or groups and click Save.
- Return to Secure Connect in the upper right of the page.
- You return to the Secure Connect dashboard, which should show the wizard complete as shown in the figure below.
Figure 10: Complete Remote Access Wizard
- If required, download the AnyConnect client via the provided link, then click Done.