Overview
 
   Cisco Secure Connect is a unified, turnkey solution with a blueprint for SASE made easy. It converges SD-WAN and SSE to enable operational consistency across premises to cloud in one powerful Meraki® dashboard, streamlining management across networking and security. Designed to be simple, complete, and unified, Secure Connect powers hybrid work across branch and remote, delivering greater network resiliency and seamless user experiences, everywhere.
 
    
    Q.  What is SASE? 
   
 
    
    A.  SASE (Secure Access Service Edge) is a key enabler of any organization’s hybrid work strategy. SASE combines networking and security functions in the cloud with campus, branch, remote worker, and contractor (B2B) connectivity to deliver a secure, seamless user experience anywhere users work. But deploying SASE can be complicated. Connecting existing branch SD-WAN appliances and the myriad of user endpoints to a secure cloud-based fabric requires planning, integration, and configuration. 
   
 
   
     Key components under SASE are SD-WAN, including routing, and Security Service Edge (SSE), including Zero-Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and remote access as a service. 
   
 
    
    Q.  What is Zero Trust Access (ZTA)? 
   
 
    
    A.  Zero Trust Access (ZTA) is a model that establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. Secure Connect helps ensure that users are validated based on identity, posture, and context before they connect to corporate applications. Users will only have access to the applications specified as a requirement to do their job. 
   
 
    
    Q.  What is Cisco Secure Connect? 
   
 
    
    A.  Cisco Secure Connect is a unified, turnkey SASE solution that radically simplifies the way companies can securely access applications and resources hosted anywhere – across multiple public and private clouds – from any location at any time. Easy to deploy, use, and manage through a unified cloud dashboard, it significantly reduces organizations’ operational complexities to deliver greater agility, speed, and scalability. 
   
 
   
     Secure Connect securely connects users anywhere (in the branch or remote) to any application (in the private data center, public cloud, or SaaS) with a single subscription. The solution integrates client-based and browser-based remote worker access, native Cisco Meraki SD-WAN connectivity, and comprehensive cloud-based security capabilities with ZTA. 
   
 
   
     Secure Connect delivers these main components for a complete SASE solution: 
   
 
   ●      Remote worker connectivity with ZTA and endpoint posture verification as part of our Complete package.
 
   ●      Unified SASE dashboard for management, configuration, troubleshooting, and visibility into both the SD-WAN and SSE components of SASE.
 
   ●      Simple, seamless support for Meraki SD-WAN for secure branch connectivity.
 
   ●      Cisco’s best-in-class cloud-based security powered by Cisco Umbrella® and Cisco Secure Access, all configured and managed through a unified dashboard ‒ the most comprehensive, powerful, and yet simple unified SASE solution in the market.
 
    
    Q.  What is the difference between Secure Connect and other similar solutions in the market? 
   
 
    
    A.  Secure Connect offers customers a distinct advantage over other options in the market, due to these key differentiators: 
   
 
   ●      Secure Connect is a unified turnkey solution for internet access, private access, and secure SD-WAN connectivity for both branch and remote workers. It is managed from a unified dashboard and consumed as a single subscription.
 
   ●      Secure Connect is designed with modernized and future-ready architecture that unifies security and networking to enable a consistent experience across different technologies, with rich security, interconnectivity, and visibility.
 
   ●      Secure Connect is built on proven Cisco® components, with cloud security powered by Umbrella SIG. 
 
   ●      Secure Connect offers deep integrations with the Meraki SD-WAN, creating a unified SASE experience by extending the fabric all the way to the cloud with just a few clicks, providing high reliability and a next-generation policy engine to centralize management across the organization, and distributing security policy enforcement to optimize the end-user experience.
 
   ●      Secure Connect provides flexibility with use-case packages that allow customers to adopt two (2) unique use cases:
 
   ◦    The Foundation package includes Umbrella SIG capabilities that provide secure internet-access connectivity for branch and roaming users; Secure Connect Fabric Interconnect that provides private application access for branch users; a unified dashboard that provides streamlined operations management visibility and control for security and network policies; and unified support that provides seamless support for your SASE needs. The Foundation package also includes 10 free-trial (nonproduction) licenses for hosted remote access as a service, providing private application access for remote users. This package is designed for users who work only in an office setting.
 
   ◦    The Complete package includes everything in the Foundation package, but also includes production-level support, client-based remote-access (VPN) capabilities, and both Client-Based and Browser-Based Zero Trust Access capabilities, providing a zero-trust security model for users. This package is designed for hybrid users who not only work in the office but also work remotely.
 
    
    Q.  What problems and pain points does Secure Connect solve for our customers? 
   
 
    
    A.  Secure Connect helps: 
   
 
   ●      Customers who seek to unify the networking and security components of SASE into one solution for operational efficiency and better end-user experience.
 
   ●      Customers with a hybrid-work model where the same employee works both from home and in the office.
 
   ●      Customers with a network transformation project to improve the security of their branch users.
 
   ●      Lean IT customers who are challenged to minimize audits and risk across remote and corporate (site) users.
 
   ●      Customers who have a single network and security team or depend on network-led SASE decisions.
 
   ●      Customers looking to minimize capital and operation deployment time for remote access.
 
   ●      Customers who seek to improve their security posture with end-to-end control and visibility of their policy and security across SD-WAN and the cloud.
 
    
    Q.  What are the key differentiators between Secure Connect and competing SASE as-a-service offers? 
   
 
    
    A.  Our key differentiation is delivering a turnkey unified SASE solution inclusive of SD-WAN operations and security policies through a single management interface. Even companies that offer both SD-WAN and SSE solutions are struggling to deliver a unified platform that accelerates the time to value of SASE outcomes by creating a streamlined interface and a SASE fabric that automatically adds SASE value as new components are expanded. 
   
 
   
     Other key differentiators: 
   
 
   ●      Secure Connect is a unified offer for internet access, private access, and secure SD-WAN connectivity for both branch and remote workers managed from a unified dashboard and consumed as a single subscription.
 
   ●      Secure Connect’s modernized and future-ready architecture unifies security and networking to enable a consistent experience across different technologies, with rich security, interconnectivity, and visibility.
 
   ●      Secure Connect is built on proven Cisco components that secure 100 percent of the Fortune 100, and on Cisco’s global experience connecting and securing users around the world.
 
   Technical
 
   General
 
    
    Q.  In which regions does Secure Connect have data centers? What services are available where? 
   
 
    
    
    Q.  How many sites and users are supported through Secure Connect? 
   
 
    
    A.  Secure Connect can support 5000 sites and 50,000 users. For customers that have more than 500 sites and 10,000 users, please reach out to your Secure Connect product team for qualification: secure-connect-pm@cisco.com. 
   
  
    
    Q.  What is the difference between Secure Connect and the Cisco Umbrella Meraki SD-WAN Connector? 
   
 
    
    A.  The Cisco Umbrella Meraki SD-WAN Connector is for secure internet access from the branch site. It extends the Meraki SD-WAN fabric all the way to the Umbrella cloud. The connector can be enabled once a customer has Meraki SD-WAN and Umbrella SIG. There is a 250 Mbps limitation to each deployed connector, and a limitation to the number of connectors a customer can deploy. Outside of Secure Connect, the two solutions (Meraki SD-WAN and Umbrella SIG) are managed through two separate dashboards. 
   
 
   
     Secure Connect focuses on delivering a unified SASE experience that centralizes management of security and networking in the Meraki dashboard. It enables secure internet access with enhanced performance and additional use cases such as remote access; ZTNA; interconnections between users, sites, and applications; and unified technical support. 
   
 
   
     Customers can choose the SASE use cases they want to adopt through Secure Connect Complete, or can simply choose the secure internet access use case through Secure Connect Foundation. A unified SASE experience is gained in both cases. 
   
 
    
    Q.  What does the new Secure Connect Foundation package mean if we are an existing SIGraki/SD-WAN connector customer? 
   
 
    
    A.  Most customers using the existing integration between Meraki’s MX and Umbrella SIG will be able to get a no-cost upgrade to the new Foundation license. Any customer who purchased SIG not as part of an EA, and without any add-ons (Reserve IP, RBI, Multi-Org) should be able to enjoy the upgrade. Customers with add-ons and/or under an EA will be able to get the upgrade later. 
   
 
    
    Q.  What user device endpoints are required for remote users to connect (laptops, cellphones, etc.)? 
   
 
    
    A.  Endpoint software is available for Microsoft Windows 7, 8, 10, and 11; macOS 10.8 and later; and Linux, as well as mobile versions for Apple iOS, Android, and Google Chrome OS. 
   
 
    
    Q.  We already have Cisco SD-WAN, powered by Meraki. How do we add Secure Connect? 
   
 
    
    A.  Deployment of Cisco SD-WAN powered by Meraki within Secure Connect is simple and quick. In fact, once you subscribe to this offer, connecting your existing SD-WAN to the Secure Connect fabric is just a few clicks away. 
   
 
   
     There are different types of connections available to Secure Connect, based on region. Learn more on how to connect sites to Secure Connect here. 
   
     Depending on the data center, some, or all, of Secure Connect’s capabilities are available. 
   
 
   
     You can learn more about the available capabilities per data center here. 
   
 
    Q.  Does Secure Connect support split tunneling / traffic steering? 
   
 
    
    A.  Yes, traffic steering is supported for both Meraki SD-WAN networks and remote workers. For remote access, traffic steering in Secure Connect behaves exactly as it does with remote access on adaptive security appliances (ASAs). Tunnel modes include tunnel all traffic, steer inside, and steer outside the tunnel. 
   
 
    
    Q.  Does Secure Connect have troubleshooting tools? 
   
 
    
    A.  Yes, the troubleshooting tools are Activity Search in the Umbrella dashboard and MX Live tools. 
     
   Zero-Trust Network Access (ZTNA)
 
    
    Q.  What ZTNA capabilities are included with Secure Connect? 
   
 
    
    A.  Secure Connect clientless ZTNA use cases include secure connectivity from unmanaged devices of remote workers or B2B contractors to private applications. End users can securely access applications using only their browser through clientless ZTNA, where Cisco supplies certificates and domain names for quick admin configs, making setup a snap. 
   
 
   
     Alternatively, IT administrators can get similar outcomes with a client (Cisco Secure Client, formerly Cisco AnyConnect®) installed on the user’s device, enabling granular access between users and applications with posture checks. 
   
 
   
     Secure Connect Client ZTNA offers a feature-rich solution powered by Cisco Secure Access, providing a seamless end-user experience that connects users to private applications using any port and any protocol. Client ZTNA has QUIC support with MASQUE proxy. Access is instant and “just works,” delivering better remote worker experiences and stronger security. Administrators can reduce the attack surface, enforce least privilege controls, enable posture validation, and eliminate security gaps in a distributed environment. 
   
 
    
    Q.  Which protocols are supported for clientless ZTNA? 
   
 
    
    A.  Currently, HTTP and HTTPS are supported for the clientless ZTNA solution. 
   
 
    
    Q.  Can we bring our own MFA for clientless ZTNA? 
   
 
    
    A.  The Secure Connect ZTNA capability supports all MFA solutions that are used as part of a customer’s SAML authentication. Customers can bring their own MFA. 
   
 
    
    Q.  What posture capabilities are supported by Secure Connect? 
   
 
    
    A.  For our client-based remote access as-a-service capabilities, the machine certificate, OS (operating system), firewall, disk encryption, and anti-malware for each endpoint are checked. The posture policy verdict is either “block” or “allow”; “quarantine” is not supported. 
   
 
   
     For our clientless ZTNA solution, the IT administrator can create posture profiles based on OS type and version, browser type and version, and geolocation. 
   
 
    
    Q.  Is it possible to do the posture through our own Cisco ISE infrastructure? If yes, how? 
   
 
    
    A.  Posture checking through Cisco ISE is not supported. 
   
 
   Cisco Catalyst SD-WAN integration
 
    
    Q.  What is the scope of the Cisco Catalyst® SD-WAN (Viptela®) integration? 
   
 
    
    A.  Cisco Catalyst SD-WAN customers will be able to enjoy the key use cases that Secure Connect offers as a turnkey SASE solution. This includes: 
   
 
   ●      Securing branches and corporate locations to public and private applications.
 
   ●      Securely connecting remote workers to private and public applications, including:
 
   ◦    Client connectivity with zero-trust outcomes, enabling identity-based policies to private applications.
 
   ◦    Clientless, browser-based connectivity.
 
   
     The first stage of the integration will focus on connectivity between Cisco Catalyst SD-WAN devices and Secure Connect. It will continue leveraging the automation in place between SIG and Cisco Catalyst SD-WAN, and will add private access to it, with dynamic routing for an easy setup. 
   
 
    
    Q.  How is this different from the existing integration between Cisco Umbrella SIG and Viptela? 
   
 
    
    A.  There are multiple differences between the Umbrella SIG/Catalyst SD-WAN integration and Secure Connect: 
   
 
   
     In terms of use cases, Cisco Umbrella SIG offers secure internet access to branch users and roaming (SWG) support for remote users. This use case is also a part of Secure Connect. Further, we add client-based remote access that enables identity-based access to private applications and secure internet access for all ports and protocols through Secure Connect, and clientless access to HTTP/HTTPS applications. 
   
 
   
     Secure Connect with Cisco Catalyst SD-WAN gives a unified management and policy control for integration of private applications or resources behind the Viptela service hub. Further, this enables interconnect capability where remote access users can securely access Cisco Catalyst SD-WAN resources integrating with Secure Connect. 
   
 
    
    Q.  Which dashboard is used for management for Cisco Catalyst SD-WAN (Viptela)? 
   
 
    
    A.  Secure Connect is managed through the Meraki dashboard, with some cross-launches into the Cisco Umbrella dashboard for specific tasks. The Meraki and Umbrella dashboards are tightly coupled, with single sign-on and RBAC synchronized between the two for a seamless experience. Any configuration for Cisco SD-WAN (including tunnel setup, BGP configuration, etc.) is still done through Cisco vManage. 
   
 
    
    Q.  Is the Cisco Catalyst SD-WAN integration supported by both Secure Connect Foundation package and Complete package? 
   
 
    
    A.  Yes, for a mixed organization; for example, if a customer has Cisco Meraki and Catalyst SD-WAN, or if a customer needs both secure internet access and secure private access. 
   
 
   
     If the use case is only Cisco Catalyst SD-WAN for secure internet access, leveraging the SIG integration might provide a better experience to customers. 
   
 
   Support
 
    
    Q.  What is the Secure Connect troubleshooting support model? 
   
 
    
    
    Q.  How does Secure Connect support onboarding services? 
   
 
    
    A.  Enhanced and premium support SKUs are available for seamless onboarding services. Please contact your Cisco sales representative if you are interested. 
   
 
   Pricing and packaging
 
    
    Q.  What package options are available for Secure Connect? 
   
 
    
    A.  Secure Connect is offered in two packages that make it easy for customers to choose the right level of protection and coverage for their organizational needs: Secure Connect Foundation and Secure Connect Complete. 
   
 
    
    Secure Connect Foundation package 
   
 
   
     The Secure Connect Foundation package includes Umbrella SIG capabilities, which provide secure internet access connectivity for branch and roaming users; Secure Connect fabric interconnect, which provides private application access for branch users; a unified dashboard, which provides streamlined operations management visibility and control for security and network policies; and unified support, which provides seamless support for your SASE needs. The Foundation package also includes ten free-trial (nonproduction) licenses for hosted remote access as a service, which provides private application access for remote users. 
   
 
   Table 1.        Secure Connect Foundation package
 
    
     
      
       
| Functionality | Foundation package: Essentials | Foundation package: Advantage |
| --- | --- | --- |
| Security | | |
| Secure web gateway | ✓ | ✓ |
| URL filtering | ✓ | ✓ |
| Secure malware analytics | ✓ | ✓ |
| Sandbox submissions | 500 | Unlimited |
| Cloud-access security broker | ✓ | ✓ |
| Cloud malware detection | For up to 2 applications | Unlimited |
| DNS-layer security | ✓ | ✓ |
| L3 cloud-delivered firewall | ✓ | ✓ |
| L4 cloud-delivered firewall | ✓ | ✓ |
| L7 cloud-delivered firewall | | ✓ |
| IPS firewall | | ✓ |
| Unified SASE | | |
| Unified security policy | ✓ | ✓ |
| 24x7 unified support | ✓ | ✓ |
| Unified dashboard | ✓ | ✓ |
| Turnkey experience | ✓ | ✓ |
| Fabric interconnect (CNHE: cloud native head end) | ✓ | ✓ |
| Remote access | | |
| VPN access | 10 free users* | 10 free users* |
| Client-based Zero Trust Access | | |
| Browser-based Zero Trust Access | | |
| Granular user, application-based access policy | * | * |
| SAML authentication | * | * |
| Posture and contextual access control | * | * |
| Reporting | * | * |
 
      
    
 
     
    
    * Six-month trial-only nonproduction licenses 
   
 
    
    Secure Connect Complete package 
   
 
   
     The Secure Connect Complete package includes production-level support, client-based remote-access-as-a-service capabilities, and clientless/client ZTNA capabilities, which provide a zero-trust security model for users. 
   
 
   Table 2.        Secure Connect Complete package
 
    
     
      
       
| Functionality | Complete package: Essentials | Complete package: Advantage |
| --- | --- | --- |
| Security | | |
| Secure web gateway | ✓ | ✓ |
| URL filtering | ✓ | ✓ |
| Secure malware analytics | ✓ | ✓ |
| Sandbox submissions | 500 | Unlimited |
| Cloud-access security broker | ✓ | ✓ |
| Cloud malware detection | For up to 2 applications | Unlimited |
| DNS-layer security | ✓ | ✓ |
| L3 cloud-delivered firewall | ✓ | ✓ |
| L4 cloud-delivered firewall | ✓ | ✓ |
| L7 cloud-delivered firewall | | ✓ |
| IPS firewall | | ✓ |
| Unified SASE | | |
| Unified security policy | ✓ | ✓ |
| 24x7 unified support | ✓ | ✓ |
| Unified dashboard | ✓ | ✓ |
| Turnkey experience | ✓ | ✓ |
| Fabric interconnect (CNHE: cloud native head end) | ✓ | ✓ |
| Remote access | | |
| VPN access | ✓ | ✓ |
| Client-Based Zero Trust Access | For up to 10 applications | ✓ |
| Browser-Based Zero Trust Access | For up to 10 applications | ✓ |
| Granular user, application-based access policy | ✓ | ✓ |
| SAML authentication | ✓ | ✓ |
| Posture and contextual access control | ✓ | ✓ |
| Reporting | ✓ | ✓ |
 
      
    
 
     
    
    Q.  Where is Secure Connect currently available? 
   
 
    
    A.  This offer is available in certain geographic regions, depending on the package offering. 
   
 
   
     The Foundation package is globally available, with the following exceptions: China, Cuba, Iran, North Korea, Russia, Sudan, and Syria. 
   
 
   
     The Complete package is globally available, with the following exceptions: China, Cuba, Iran, North Korea, Russia, Sudan, and Syria. 
   
 
   
     For more details, please refer to this doc. 
   
 
    Q.  How do I purchase Secure Connect? 
   
 
    
    A.  To purchase a Secure Connect subscription, contact your Cisco account manager or a Cisco partner. 
   
 
    
    Q.  What is the pricing structure for Secure Connect? 
   
 
    
    A.  Secure Connect is licensed on a subscription basis with two use-case packages, each package having two tiers: 
   
 
    
    Foundation package – Focused on Secure Internet Access for branch and roaming users 
   
 
   ●      Essentials tier –  Secure connectivity 
 
   ●      Advantage tier – Data protection and advanced security
 
    
    Complete package – Focused on hybrid users who need Secure Internet Access, Zero Trust Access, and Remote Access (VPN) 
   
 
   ●    Essentials tier – Secure connectivity 
 
   ●    Advantage tier – Data protection and advanced security
 
   
     Subscriptions are available for standard term lengths of 12, 36, and 60 months. Secure Connect is licensed per seat. A seat is defined as an internet-connected user who may have access to the service. Seat counts are independent of the number of devices or endpoints protected. Contact your Cisco account manager or a Cisco partner for pricing. 
   
 
    
    Q.  Is Remote Browser Isolation (RBI) included in Secure Connect? How can we add on RBI? 
   
 
    
    A.  Remote Browser Isolation (RBI) is not currently available in Secure Connect, nor can it be purchased a la carte for use with Secure Connect at this time. The following current Cisco Umbrella packages are not eligible to be replaced through a modified subscription with Secure Connect: Cisco Umbrella RBI, Cisco Umbrella through any Enterprise Agreement (EA), or Cisco Umbrella Premium support, or if there are more than 36 months remaining on an existing Cisco Umbrella subscription. 
   
 
    
    Q.  Is reserved IP included in Secure Connect? How can we add reserved IP? 
   
 
    
    A.  Reserved IP is available as an add-on service for Secure Connect Complete and Foundation. 
   
 
    
    Q.  Why are data-center pairs important? 
   
 
    
    A.  Data-center pairs for IPsec tunnels provide backup, or failover service, if one data center is unavailable. Customers can use data centers that are not paired but will have to manage failover manually. 
   
 
    
    Q.  Which data centers support reserved IP? 
   
 
    
    
    Q.  Does Reserved IP have Anycast support? 
   
 
    
    A.  Devices that use the Umbrella Roaming Client module will connect to the nearest Data Centers. However, this can be problematic if the nearest Data Center does not have a Reserved IP address assigned to it. In mid-2024, Reserved IP introduced a feature called Ingress Control, which redirects clients to data centers where the customer has a reserved IP assigned to them. Ingress Control is not enabled by default but can be enabled upon request. If you have any questions or need assistance, please reach out to your Cisco partner or account manager. 
   
 
    
    Q.  Are customers allowed to upgrade/move from the Secure Connect Foundation package to the Secure Connect Complete package? 
   
 
    
    A.  Secure Connect Foundation Essentials customers can upgrade to a Complete Essentials or Advantage package. Secure Connect Foundation Advantage customers can only migrate to a Complete Advantage package.