Meraki

ShawnHu · ‎Aug 20 2024

In addition to the the existing Remote Access and Browser-based ZTNA deployments(scenarios covered in Cisco Secure Connect Instant Demo), we are introducing the Client-based ZTNA to Meraki Launchpad🚀 for Cisco and partner sellers to demonstrate.

Feature Summary:

Zero Trust Network Access (ZTNA) is a turnkey-as-a-service solution that provides granular Zero Trust based access to network resources. Cisco Secure Client with the ZTA module or Cisco Zero Trust Access mobile apps (Apple iOS & Samsung Android 14+) enables endpoints for secure private access using Client-based ZTNA. More reading in Community post: Client-based ZTNA.

Demo Story:
Bill S. (bills@merakitraining.net) from the Finance department needs to access the internal private application with FQDN 'finance.merakitraing.net.' Instead of using a remote access VPN, Meraki Launchpad IT has decided to implement ZTNA, which offers more granular control over access to only the required network resources. The team opted for Client-based ZTNA, as it is well-suited for most modern, client-initiated applications. Bill's client device is not part of this demo, but as you can see below the device has been enrolled with Cisco Secure Client ZTA module and Bill's identity is associated.

Now, let's demonstrate how this Client-based ZTNA is implemented and managed.

Demo Flow (~15mins):

As Cisco employees or partners, access Meraki Launchpad🚀 demo org via https://cs.co/mlp.
Navigate to Secure Connect > Users page and verify Bill is part of the Finance Meraki Training group.
Review the Finance Home private application on Secure Connect > Resources and Applications page. Highlight that only Client-based is enabled under Access methods section for this application.
Review the Secure Connect > Zero Trust Access settings to confirm that the group Finance has the allow permission to access the appropriate resources and applications. Defining access policies by user group is a scalable way to manage your network. However, you can also configure policies at the individual user level.
Now, you might be interested in how Meraki Launchpad IT team gains the visibility into Bill's access? First, navigate to Secure Connect > Security Activity to access the Umbrella dashboard. Once there, continue by selecting Reporting > Core Reports > Activity Search on the Umbrella side.
Select Client-based ZTA to filter the activity logs, and you will find Bill accesses the application every few hours.

To conclude, with Cisco Secure Connect Client-based ZTNA, now Bill who is part of Finance group can efficiently access the internal finance application anytime from anywhere with their ZTNA trusted devices. Also, Meraki Launchpad IT team minimizes the attack surface by reducing unnecessary network access.

Resources:

Meraki Learning: Introducing Cisco Secure Connect

Meraki doc: Cisco Secure Connect - ZTNA Architecture Start

Meraki doc: Cisco Secure Connect - Client-based ZTNA

Meraki doc: Cisco Secure Connect - Zero Trust Access Policies

ShawnHu · ‎Aug 20 2024

Various users and clients are involved in different Secure Connect use cases, and we have automation in place to continuously generate these access activities. Here is a quick list.

Users	Group	Use Cases	UMB Reporting
upayup@merakitraining.net	Doctors	Browser-based ZTA	Activity Search
bills@merakitraining.net	Finance	Client-based ZTA	Activity Search
iheal@merakitraining.net	Doctors	Remote Access/VPN	Remote Access Logs
iheal@merakitraining.net	Doctors	Data Loss Prevention	Data Loss Prevention

PhilipDAth · ‎Aug 21 2024

Lets say you go into the office and now finance.merakitraining.net is internally accessible.

How does it decide when to proxy it through Umbrella versus letting it route normally?

Gary_Geihsler1 · ‎Aug 21 2024

Currently the client-based ZTNA will always intercept traffic for destinations identified as client-based ZTNA traffic. There is no concept of Trusted Network in client-ZTNA yet.