Cisco Secure Connect - Client-based ZTNA

ShawnHu
Meraki Employee

In addition to the existing Remote Access and Browser-based ZTNA deployments (scenarios covered in the Cisco Secure Connect Instant Demo), we are introducing Client-based ZTNA to Meraki Launchpad🚀 for Cisco and partner sellers to demonstrate.

Feature Summary:

Zero Trust Network Access (ZTNA) is a turnkey-as-a-service solution that provides granular Zero Trust based access to network resources. Cisco Secure Client with the ZTA module, or the Cisco Zero Trust Access mobile apps (Apple iOS & Samsung Android 14+), enables endpoints for secure private access using Client-based ZTNA. More reading in the Community post: Client-based ZTNA

Demo Story:
Bill S. (bills@merakitraining.net) from the Finance department needs to access the internal private application with FQDN 'finance.merakitraining.net'. Instead of using a remote access VPN, Meraki Launchpad IT has decided to implement ZTNA, which offers more granular control over access to only the required network resources. The team opted for Client-based ZTNA, as it is well suited for most modern, client-initiated applications. Bill's client device is not part of this demo, but as you can see below, the device has been enrolled with the Cisco Secure Client ZTA module and Bill's identity is associated with it.

Now, let's demonstrate how this Client-based ZTNA is implemented and managed.

Demo Flow (~15 mins):

  1. As Cisco employees or partners, access the Meraki Launchpad🚀 demo org via https://cs.co/mlp.
  2. Navigate to the Secure Connect > Users page and verify that Bill is part of the Finance Meraki Training group.

  3. Review the Finance Home private application on the Secure Connect > Resources and Applications page. Highlight that only Client-based is enabled under the Access methods section for this application.

  4. Review the Secure Connect > Zero Trust Access settings to confirm that the Finance group has allow permission to access the appropriate resources and applications. Defining access policies by user group is a scalable way to manage your network. However, you can also configure policies at the individual user level.

  5. Now, you might be interested in how the Meraki Launchpad IT team gains visibility into Bill's access. First, navigate to Secure Connect > Security Activity to open the Umbrella dashboard. Once there, select Reporting > Core Reports > Activity Search on the Umbrella side.

  6. Select Client-based ZTA to filter the activity logs, and you will see that Bill accesses the application every few hours.

To conclude, with Cisco Secure Connect Client-based ZTNA, Bill, who is part of the Finance group, can now efficiently access the internal finance application anytime, from anywhere, from ZTNA-trusted devices. Also, the Meraki Launchpad IT team minimizes the attack surface by reducing unnecessary network access.

Resources:

Meraki Learning: Introducing Cisco Secure Connect

Meraki doc: Cisco Secure Connect - ZTNA Architecture Start

Meraki doc: Cisco Secure Connect - Client-based ZTNA

Meraki doc: Cisco Secure Connect - Zero Trust Access Policies


ShawnHu
Meraki Employee

Various users and clients are involved in different Secure Connect use cases, and we have automation in place to continuously generate these access activities. Here is a quick list.

Users                       Group     Use Cases              UMB Reporting
upayup@merakitraining.net   Doctors   Browser-based ZTA      Activity Search
bills@merakitraining.net    Finance   Client-based ZTA       Activity Search
iheal@merakitraining.net    Doctors   Remote Access/VPN      Remote Access Logs
iheal@merakitraining.net    Doctors   Data Loss Prevention   Data Loss Prevention

PhilipDAth
Kind of a big deal

Let's say you go into the office and now finance.merakitraining.net is internally accessible.

How does it decide when to proxy it through Umbrella versus letting it route normally?

Currently, the client-based ZTNA will always intercept traffic for destinations identified as client-based ZTNA traffic. There is no concept of a Trusted Network in client-based ZTNA yet.