https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436835#M67 <P>Lets say you go into the office and now finance.merakitraining.net is internally accessible.</P><P>How does it decide when to proxy it through Umbrella versus letting it route normally?</P> Wed, 21 Aug 2024 10:06:57 GMT Philip D'Ath 2024-08-21T10:06:57Z https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436833#M65 <P>In addition to the the existing Remote Access and Browser-based ZTNA deployments(scenarios covered in <A href="https://dcloud2-sjc.cisco.com/content/instantdemo/cisco-secure-connect-instant-demo-v2?returnPathTitleKey=content-view" target="_blank" rel="noopener nofollow noreferrer">Cisco Secure Connect Instant Demo</A>), we are introducing the <STRONG>Client-based ZTNA</STRONG> to <A href="https://cs.co/mlp" target="_blank" rel="noopener nofollow noreferrer">Meraki Launchpad<SPAN class="lia-unicode-emoji" title=":rocket:"><span class="lia-unicode-emoji" title=":rocket:">🚀</span></SPAN></A> for <U>Cisco and partner sellers</U> to demonstrate. </P><P><STRONG>Feature Summary:</STRONG></P><P>Zero Trust Network Access (ZTNA) is a turnkey-as-a-service solution that provides granular Zero Trust based access to network resources. Cisco Secure Client with the ZTA module or Cisco Zero Trust Access mobile apps (Apple iOS &amp; Samsung Android 14+) enables endpoints for secure private access using Client-based ZTNA. More reading in <A href="https://community.meraki.com/t5/Secure-Connect-Resource-Hub/Client-based-ZTNA/ta-p/243904" target="_blank">Community post: Client-based ZTNA</A>. </P><P><STRONG>Demo Story:</STRONG><BR />Bill S. (bills@merakitraining.net) from the Finance department needs to access the internal private application with FQDN 'finance.merakitraing.net.' Instead of using a remote access VPN, Meraki Launchpad IT has decided to implement ZTNA, which offers more granular control over access to only the required network resources. The team opted for Client-based ZTNA, as it is well-suited for most modern, client-initiated applications. Bill's client device is not part of this demo, but as you can see below the device has been enrolled with Cisco Secure Client ZTA module and Bill's identity is associated.</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ZTNA-enroll-0.png" style="width: 400px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266129i28C0CAE5B6DFF392/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ZTNA-enroll.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266136i3B5F23AD37E0012D/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P><EM>Now, let's demonstrate how this Client-based ZTNA is implemented and managed.</EM></P><P><STRONG>Demo Flow (~15mins):</STRONG></P><OL><LI>As Cisco employees or partners, access <STRONG>Meraki Launchpad<SPAN class="lia-unicode-emoji" title=":rocket:"><span class="lia-unicode-emoji" title=":rocket:">🚀</span></SPAN></STRONG> demo org via <A href="https://cs.co/mlp" target="_blank" rel="noopener nofollow noreferrer">https://cs.co/mlp</A>.</LI><LI>Navigate to <A href="https://n398.meraki.com/o/d029Cc/manage/organization/secure_connect/directory_users?from=secure_connect+users" target="_blank" rel="noopener nofollow noreferrer"><STRONG>Secure Connect &gt; Users</STRONG></A> page and verify Bill is part of the <STRONG>Finance Meraki Training</STRONG> group.<SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShawnHu_1-1724284033399.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266126iA10E17B0FEE3BC93/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></LI><LI>Review the <STRONG>Finance Home</STRONG> private application on <A href="https://n398.meraki.com/o/d029Cc/manage/organization/secure_connect/applications/private_resources?from=secure_connect+resources_applications" target="_blank" rel="noopener nofollow noreferrer">Secure Connect &gt; Resources and Applications</A> page. Highlight that only <STRONG>Client-based</STRONG> is enabled under <STRONG>Access methods</STRONG> section for this application. <SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShawnHu_2-1724284247997.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266127iD6494259AA48B896/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShawnHu_4-1724284619759.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266131iBD412137686EE5BE/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></LI><LI>Review the <A href="https://n398.meraki.com/o/d029Cc/manage/organization/secure_connect/browser_access_policy?from=secure_connect+zero_trust_access" target="_self" rel="nofollow noopener noreferrer">Secure Connect &gt; Zero Trust Access</A> settings to confirm that the group <STRONG>Finance</STRONG> has the allow permission to access the appropriate resources and applications. Defining access policies by user group is a scalable way to manage your network. However, you can also configure policies at the individual user level.<DIV class=""> </DIV><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ZTA-Policies.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266133iA0219D393764C84E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P></LI><LI>Now, you might be interested in how Meraki Launchpad IT team gains the visibility into Bill's access? First, navigate to <STRONG>Secure Connect &gt; Security Activity </STRONG>to access the Umbrella dashboard. Once there, continue by selecting <STRONG>Reporting &gt; Core Reports &gt; Activity Search</STRONG> on the Umbrella side.<SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShawnHu_5-1724285355020.png" style="width: 400px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266130i38E1944791B125C9/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></LI><LI>Select <STRONG>Client-based ZTA</STRONG> to filter the activity logs, and you will find Bill accesses the application every few hours.<SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShawnHu_6-1724285452230.png" style="width: 999px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/266135iDFD48FB978EF2573/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></LI></OL><P>To conclude, with Cisco Secure Connect Client-based ZTNA, now Bill who is part of Finance group can efficiently access the internal finance application anytime from anywhere with their ZTNA trusted devices. Also, Meraki Launchpad IT team minimizes the attack surface by reducing unnecessary network access. </P><P><STRONG>Resources</STRONG>:</P><P><A href="https://learning.meraki.net/#/online-courses/90fdc9ab-061d-43bd-8deb-608646ac1734" target="_blank" rel="noopener nofollow noreferrer">Meraki Learning: Introducing Cisco Secure Connect</A></P><P><A href="https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco_Secure_Connect_-_ZTNA_Architecture_Start" target="_blank" rel="noopener nofollow noreferrer">Meraki doc: Cisco Secure Connect - ZTNA Architecture Start</A></P><P><A href="https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco_Secure_Connect_-_ZTNA_Architecture_Start/Cisco_Secure_Connect_-_Client-based_ZTNA" target="_blank" rel="noopener nofollow noreferrer">Meraki doc: Cisco Secure Connect - Client-based ZTNA</A></P><P><A href="https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco_Secure_Connect_-_ZTNA_Architecture_Start/Cisco_Secure_Connect_-_Zero_Trust_Access_Policies" target="_blank" rel="noopener nofollow noreferrer">Meraki doc: Cisco Secure Connect - Zero Trust Access Policies</A></P> Wed, 21 Aug 2024 04:01:45 GMT https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436833#M65 xiaoyhu 2024-08-21T04:01:45Z https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436834#M66 <P>Various users and clients are involved in different Secure Connect use cases, and we have automation in place to continuously generate these access activities. Here is a quick list. </P><TABLE border="1" width="64.94276677100144%"><TBODY><TR><TD width="25%" height="22px">Users</TD><TD width="25%" height="22px">Group</TD><TD width="12.5%" height="22px">Use Cases</TD><TD width="12.5%">UMB Reporting</TD></TR><TR><TD width="25%" height="42px"><SPAN>upayup@merakitraining.net</SPAN></TD><TD width="25%" height="42px">Doctors</TD><TD width="12.5%" height="42px">Browser-based ZTA</TD><TD width="12.5%">Activity Search</TD></TR><TR><TD width="25%" height="42px"><SPAN>bills@merakitraining.net<BR /></SPAN></TD><TD width="25%" height="42px">Finance</TD><TD width="12.5%" height="42px">Client-based ZTA</TD><TD width="12.5%">Activity Search</TD></TR><TR><TD width="25%" height="62px"><SPAN>iheal@merakitraining.net</SPAN></TD><TD width="25%" height="62px">Doctors</TD><TD width="12.5%" height="62px">Remote Access/VPN </TD><TD width="12.5%">Remote Access Logs</TD></TR><TR><TD><SPAN>iheal@merakitraining.net<BR /></SPAN></TD><TD>Doctors</TD><TD>Data Loss Prevention</TD><TD>Data Loss Prevention</TD></TR></TBODY></TABLE> Wed, 21 Aug 2024 04:38:31 GMT https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436834#M66 xiaoyhu 2024-08-21T04:38:31Z https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436835#M67 <P>Lets say you go into the office and now finance.merakitraining.net is internally accessible.</P><P>How does it decide when to proxy it through Umbrella versus letting it route normally?</P> Wed, 21 Aug 2024 10:06:57 GMT https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436835#M67 Philip D'Ath 2024-08-21T10:06:57Z https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436836#M68 <P>Currently the client-based ZTNA will always intercept traffic for destinations identified as client-based ZTNA traffic. There is no concept of Trusted Network in client-ZTNA yet. </P> Wed, 21 Aug 2024 13:34:15 GMT https://community.cisco.com/t5/networking-demo/cisco-secure-connect-client-based-ztna/m-p/5436836#M68 ggeihsle 2024-08-21T13:34:15Z