Overview
Leading the way in simplicity, Cisco+ Secure Connect is a unified, turnkey solution with a blueprint for SASE made easy that helps build greater network resiliency and secure hybrid work; delivers a seamless, unified experience; and provides a simple path to SASE. Cisco+ Secure Connect delivers seamless, secure connectivity with a consistent operating model extending across premises to the cloud, to make management easy in a single dashboard and provide greater visibility and control. Converged on one powerful platform, Cisco+ Secure Connect harmonizes networking and security in concert to unify experiences, remove complexity around SASE, and help customers achieve network peace of mind.
Q. What is SASE?
A. SASE (secure access service edge) is a key enabler of any organization’s hybrid work strategy. SASE combines networking and security functions in the cloud with campus, branch, remote worker, and contractor (B2B) connectivity to deliver a secure, seamless user experience anywhere users work. But deploying SASE can be complicated. Connecting existing branch SD-WAN appliances and the myriad of user endpoints to a secure cloud-based fabric requires planning, integration, and configuration.
Key components under SASE include SD-WAN inclusive of routing, and Security Service Edge (SSE) inclusive of Zero-Trust Network Access (ZTNA), Cloud-Access Security Broker (CASB), Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and remote access as a service.
Q. What is zero-trust network access (ZTNA)?
A. Zero-Trust Network Access (ZTNA) is a model that establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. Cisco+ Secure Connect ensures that users are validated based on identity, posture, and context before they connect to corporate applications. Users will only have access to the applications specified as a requirement to do their job.
Q. What is Cisco+ Secure Connect?
A. Cisco+ Secure Connect is a unified, turnkey SASE solution that radically simplifies the way companies can securely access applications and resources hosted anywhere – across multiple public and private clouds – from any location at any time. Easy to deploy, use, and manage through a unified cloud dashboard, it significantly reduces organizations’ operational complexities to deliver greater agility, speed, and scalability.
Cisco+ Secure Connect securely connects users anywhere (in the branch or remote), to any application (in the private data center, public cloud, or SaaS) with a single subscription. The solution integrates client-based and clientless remote worker access, native Cisco Meraki® SD-WAN connectivity, and comprehensive cloud-based security capabilities with Zero-Trust Network Access (ZTNA).
Cisco+ Secure Connect delivers these main components for a complete SASE solution:
● Remote worker connectivity with ZTNA and endpoint posture verification as part of our complete package.
● Unified SASE dashboard for management, configuration, troubleshooting, and visibility into both the SD-WAN and SSE components of SASE.
● Simple, seamless support for Meraki SD-WAN for secure branch connectivity.
● Cisco’s best-in-class, cloud-based security powered by Cisco Umbrella® and, in the future, Cisco® Secure Access, all configured and managed through a unified dashboard – the most comprehensive, powerful, and yet simple unified SASE solution in the market.
Q. What is the difference between Cisco+ Secure Connect and other similar solutions in the market?
A. Cisco+ Secure Connect offers customers a distinct advantage over other options in the market, due to these key differentiators:
● Cisco+ Secure Connect is a unified, turnkey solution for internet access, private access, and secure SD-WAN connectivity for both branch and remote workers. It is managed from a unified dashboard and consumed as a single subscription.
● Cisco+ Secure Connect is designed with modernized and future-ready architecture that unifies security and networking to enable a consistent experience across different technologies, with rich security, interconnectivity, and visibility.
● Cisco+ Secure Connect is built on proven Cisco® components, with cloud security powered by Umbrella SIG.
● Cisco+ Secure Connect offers deep integrations with the Meraki SD-WAN, creating a unified SASE experience by extending the fabric to the cloud with just a few clicks, providing high reliability and a next-generation policy engine to centralize management across the organization, and distributing security policy enforcement optimizing the end-user experience.
● Cisco+ Secure Connect provides flexibility with use-case packages that allow customers to digest two unique use cases:
◦ The Foundation package includes Umbrella SIG capabilities, providing secure internet access connectivity for branch and roaming users; Cisco+ Secure Connect fabric interconnects, providing private application access for branch users; a unified dashboard, providing streamlined operations management visibility and control for security and network policies; and unified support, providing seamless support for your SASE needs. The Foundation package also includes ten free-trial (nonproduction) licenses for hosted remote access as a service, which provides private application access for remote users. This package is designed for users who only work in an office setting.
◦ The Complete package includes production-level support client-based remote access as a service capabilities and clientless ZTNA capabilities providing a zero-trust security model for users. This package is designed for hybrid users who not only work in the office but also work remotely.
Q. What problems and pain points does Cisco+ Secure Connect solve for our customers?
A. Cisco+ Secure Connect helps customers who want to:
● Unify the networking and security components of SASE into one solution for simplified, operational efficiency and better end-user experience.
● Adopt a hybrid work model where the same employee works both from home and in the office.
● Implement a network transformation project to secure branch users optimally.
● Support lean IT teams that are challenged to minimize audits and risk across remote and corporate (site) users.
● Increase the efficiency of a single network and security team, leaning on network-led SASE decisions.
● Minimize capital and operation deployment time in delivering remote access to users.
● Improve the network’s security posture and resiliency with end-to-end control and visibility for policy and security across SD-WAN and the cloud.
Q. What are the key differentiators between Cisco+ Secure Connect and competing SASE aaS offers?
A. Our key differentiation is delivering a turnkey, unified SASE solution inclusive of SD-WAN operations and security policies through a single interface that converges and streamlines the management of networking and security on one platform. Other vendors in the market that offer both SD-WAN and SSE solutions are struggling to deliver a unified platform that accelerates the time to value of SASE outcomes by creating a streamlined interface and a SASE fabric that automatically adds SASE value as new components are expanded.
Other key differentiators:
● This is a unified solution for internet access, private access, and secure SD-WAN connectivity for both branch and remote workers managed from a unified dashboard and consumed as a single subscription.
● The solution provides a modernized and future-ready architecture that unifies security and networking to enable a consistent experience across different technologies, with rich security, interconnectivity, and visibility.
● The solution is built on proven, industry-leading Cisco components that secure 100 percent of the Fortune 100, and on our global experience connecting and securing users around the world.
Technical
Q. In which regions does Cisco+ Secure Connect have data centers? What services are available where?
Q. How many sites and users are supported through Cisco+ Secure Connect?
A. Cisco+ Secure Connect can support up to 5000 sites and 50,000 users.
Q. What is the difference between Cisco+ Secure Connect and the Cisco Umbrella Meraki SD-WAN Connector?
A. The Cisco Umbrella Meraki SD-WAN Connector is for secure internet access from the branch site. It extends the Meraki SD-WAN fabric all the way to the Umbrella cloud. The connector can be enabled once a customer has Meraki SD-WAN and Umbrella SIG. There is a 250 Mbps limitation to each deployed connector, and a limitation to the number of connectors a customer can deploy. Outside of Cisco+ Secure Connect, the two solutions (Meraki SD-WAN and Umbrella SIG) are managed through two separate dashboards.
Cisco+ Secure Connect focuses on delivering a unified SASE experience that centralizes management of security and networking in the Meraki dashboard. It enables secure internet access with enhanced performance and additional use cases such as remote access; ZTNA; interconnections between users, sites, and applications; and unified technical support.
Customers can choose the SASE use cases they want to adopt through Cisco+ Secure Connect Complete, or can simply choose the secure internet access use case through Cisco+ Secure Connect Foundation. A unified SASE experience is gained in both cases.
Q. What does the new Cisco+ Secure Connect Foundation package mean for existing Cisco SIG/Meraki/SD-WAN connector customers?
A. Most customers using the existing integration between Meraki’s MX and Umbrella SIG will be able to get a no-cost upgrade to the new Foundation license. Any customer who purchased SIG not as part of an Enterprise Agreement (EA), and without any add-ons (reserve IP, RBI, or multi-organization), should be able to have the upgrade. Customers with add-ons and/or under an EA will be able to get the upgrade in the future. If you are interested in upgrading your solution, please contact your Cisco sales representative.
Q. What user device endpoints are required for remote users to connect (laptops, cellphones, etc.)?
A. Endpoint software is available for Microsoft Windows 7, 8, 10, and 11, MacOS 10.8 and later, and Linux, as well as mobile versions for Apple iOS, Android, and Google Chrome OS.
Q. We already have Cisco SD-WAN, powered by Meraki. How do we add Cisco+ Secure Connect?
A. Deployment of Cisco SD-WAN powered by Meraki within Cisco+ Secure Connect is simple and quick. In fact, once you subscribe to this offer, connecting your existing SD-WAN to the Cisco+ Secure Connect fabric is just a few clicks away.
Q. Does Cisco+ Secure Connect support split tunneling/traffic steering?
A. Yes, traffic steering is supported for both Meraki SD-WAN networks and remote workers. For remote access, traffic steering in Cisco+ Secure Connect behaves exactly as it does with remote access on Adaptive Security Appliances (ASAs). Tunnel modes include tunnel all traffic, steer inside, and steer outside the tunnel.
Q. Does Cisco+ Secure Connect integrate and work with Cisco SecureX? If so, how?
A. Cisco+ Secure Connect integrates with Cisco SecureX for security monitoring and controls. Proxy and DNS events are recorded and discoverable, giving users insights into events ranging from malicious file analysis to blocked malicious domains, as well as into the traffic allowed to benign destinations.
Zero-Trust Network Access (ZTNA)
Q. What Zero-Trust Network Access (ZTNA) capabilities are included with Cisco+ Secure Connect?
A. ZTNA use cases include secure connectivity from unmanaged devices of remote workers or B2B contractors, to private applications. End users can securely access applications using only their browser through clientless ZTNA, where Cisco supplies certificates and domain names for quick admin configs, making setup a snap.
Alternatively, IT administrators can get similar outcomes with a client (Cisco Secure Client, formerly Cisco AnyConnect®) installed on the user’s device, enabling granular access between users and applications with posture checks.
Q. Which protocols are supported for clientless ZTNA?
A. Currently HTTP and HTTPS are supported for the clientless ZTNA solution.
Q. Can we bring our own MFA for clientless ZTNA?
A. The Cisco+ Secure Connect ZTNA capability supports all MFA solutions that are used as part of a customer’s SAML authentication. Customers can bring their own MFA.
Q. What posture capabilities are supported by Cisco+ Secure Connect?
A. For our client-based remote access as a service capabilities, the machine certificate, OS (operating system), firewall, disk encryption, and anti-malware for each endpoint are checked. The posture policy verdict is either “block” or “allow”; “quarantine” is not supported. For our clientless ZTNA solution, the IT administrator can create posture profiles based on OS type and version, browser type and version, and geolocation.
Q. Is it possible to do the posture through our own Cisco ISE infrastructure? If yes, how?
A. Posture checking through Cisco ISE is not supported.
Cisco Catalyst SD-WAN integration
Q. What is the scope of the Cisco Catalyst® SD-WAN (Viptela®) integration?
A. Cisco Catalyst SD-WAN customers will be able to enjoy the key use cases that Cisco+ Secure Connect offers as a turnkey SASE solution. This includes:
● Securing branches and corporate locations to public and private applications.
● Securely connecting remote workers to private and public applications, including
◦ Client connectivity with zero trust outcomes, enabling identity-based policies to private applications.
◦ Clientless, browser-based connectivity.
The first stage of the integration will focus on connectivity between Cisco Catalyst SD-WAN devices and Cisco+ Secure Connect. It will continue leveraging the automation in place between SIG and Cisco Catalyst SD-WAN, and will add private access to it, with dynamic routing for an easy set up.
Q. How is this different from the existing integration between Cisco Umbrella SIG and Viptela?
A. There are multiple differences between the Umbrella SIG/Catalyst SD-WAN integration and Cisco+ Secure Connect:
● In terms of use cases, Cisco Umbrella SIG offers secure internet access to branch users and roaming (SWG) support for remote users. This use case is also a part of Cisco+ Secure Connect. Further, we add client-based remote access that enables identity-based access to private applications and secure internet access for all ports and protocols through Cisco+ Secure Connect, and clientless access to HTTP/HTTPS applications.
● Cisco+ Secure Connect with Cisco Catalyst SD-WAN gives a unified management and policy control for integration of private applications or resources behind the Viptela service hub. Further, this enables interconnect capability where remote access users can securely access Cisco Catalyst SD-WAN resources integrating with Cisco+ Secure Connect.
Q. Which dashboard is used for management for Cisco Catalyst SD-WAN (Viptela)?
A. Cisco+ Secure Connect is managed through the Meraki dashboard, with some cross-launches into the Cisco Umbrella dashboard for specific tasks. The Meraki and Umbrella dashboards are tightly coupled, with single sign-on and RBAC synchronized between the two for a seamless experience. Any configuration for Cisco SD-WAN (including tunnel setup, BGP configuration, etc.) is still being done through Cisco vManage.
Q. Is the Cisco Catalyst SD-WAN integration supported by both Cisco+ Secure Connect Foundation package and Complete package?
A. Yes, for a mixed organization; for example, if a customer has Cisco Meraki and Catalyst SD-WAN, or if a customer needs both secure internet access and secure private access.
If the use case is only Cisco Catalyst SD-WAN for secure internet access, leveraging the SIG integration might provide a better experience to customers.
Support
Q. What is the Cisco+ Secure Connect trouble-shooting support model?
Q. How does Cisco+ Secure Connect support onboarding services?
A. We understand that Cisco+ Secure Connect is a new product and customers are looking for confidence in using the solution. We will provide free onboarding support in FY23 for all customers regardless of size. Starting in FY24, however, we will roll out enhanced and premium support SKUs to replace the free onboarding that is available today. The new SKUs will be introduced in Q1 of FY24.
Pricing and packaging
Q. What package options are available for Cisco+ Secure Connect?
A. Cisco+ Secure Connect is offered in two packages that make it easy for customers to choose the right level of protection and coverage for their organizational needs: Cisco+ Secure Connect Foundation and Cisco+ Secure Connect Complete.
Cisco+ Secure Connect Foundation package
The Cisco+ Secure Connect Foundation package includes Umbrella SIG capabilities, which provide secure internet access connectivity for branch and roaming users; Cisco+ Secure Connect fabric interconnects, which provide private application access for branch users; a unified dashboard, which provides streamlined operations management visibility and control for security and network policies; and unified support, which provides seamless support for your SASE needs. The Foundation package also includes ten free-trial (nonproduction) licenses for hosted remote access as a service, which provides private application access for remote users.
Table 1. Cisco+ Secure Connect Foundation package
| Functionality | Cisco+ Secure Connect Foundation package: Essentials | Cisco+ Secure Connect Foundation package: Advantage |
| --- | --- | --- |
| Security | | |
| Secure web gateway | ✓ | ✓ |
| URL filtering | ✓ | ✓ |
| Secure malware analytics: | ✓ | ✓ |
| Sandbox submissions | 500 | Unlimited |
| Cloud-access security broker | ✓ | ✓ |
| Cloud malware detection | For up to 2 applications | Unlimited |
| DNS-layer security | ✓ | ✓ |
| L3 cloud-delivered firewall | ✓ | ✓ |
| L4 cloud-delivered firewall | ✓ | ✓ |
| L7 cloud-delivered firewall | | ✓ |
| IPS firewall | | ✓ |
| Unified SASE | | |
| Unified security policy | ✓ | ✓ |
| White-glove onboarding (ending in FY24) | ✓ | ✓ |
| 24x7 unified support | ✓ | ✓ |
| Unified dashboard | ✓ | ✓ |
| Turnkey experience | ✓ | ✓ |
| Fabric interconnect (CNHE: cloud native head end) | ✓ | ✓ |
| Remote access | | |
| Client-based access | 10 free users* | 10 free users* |
| Clientless browser-based access | | |
| Granular user, application-based access policy | * | * |
| SAML authentication | * | * |
| Built-in IdP | * | * |
| Posture and contextual access control | * | * |
| Reporting | * | * |
* Six-month trial-only nonproduction licenses
Cisco+ Secure Connect Complete package
The Cisco+ Secure Connect Complete package includes production-level support client-based remote access as a service capabilities and clientless ZTNA capabilities, which provide a zero-trust security model for users.
Table 2. Cisco+ Secure Connect Complete package
| Functionality | Cisco+ Secure Connect Complete package: Essentials | Cisco+ Secure Connect Complete package: Advantage |
| --- | --- | --- |
| Security | | |
| Secure web gateway | ✓ | ✓ |
| URL filtering | ✓ | ✓ |
| Secure malware analytics: | ✓ | ✓ |
| Sandbox submissions | 500 | Unlimited |
| Cloud-access security broker | ✓ | ✓ |
| Cloud malware detection | For up to 2 applications | Unlimited |
| DNS-layer security | ✓ | ✓ |
| L3 cloud-delivered firewall | ✓ | ✓ |
| L4 cloud-delivered firewall | ✓ | ✓ |
| L7 cloud-delivered firewall | | ✓ |
| IPS firewall | | ✓ |
| Unified SASE | | |
| Unified security policy | ✓ | ✓ |
| White-glove onboarding (ending in FY24) | ✓ | ✓ |
| 24x7 unified support | ✓ | ✓ |
| Unified dashboard | ✓ | ✓ |
| Turnkey experience | ✓ | ✓ |
| Fabric interconnect (CNHE: cloud native head end) | ✓ | ✓ |
| Remote access | | |
| Client-based access | ✓ | ✓ |
| Clientless browser-based access | For up to 10 applications | Unlimited |
| Granular user, application-based access policy | ✓ | ✓ |
| SAML authentication | ✓ | ✓ |
| Built-in IdP | ✓ | ✓ |
| Posture and contextual access control | ✓ | ✓ |
| Reporting | ✓ | ✓ |
Q. Where is Cisco+ Secure Connect currently available?
A. This offer is available in certain geographic regions depending on the package offering, as follows:
● The Foundation package is offered in all countries except for: China, Cuba, Iran, North Korea, Russia, Sudan, and Syria.
● The Complete package is currently available in: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, United States.
Q. How do I purchase Cisco+ Secure Connect?
A. To purchase a Cisco+ Secure Connect subscription, contact your Cisco account manager or a Cisco+ partner.
Q. What is the pricing structure for Cisco+ Secure Connect?
A. Cisco+ Secure Connect is licensed on a subscription basis with two packages, each having two tiers, Essentials and Advantage:
Cisco+ Secure Connect Foundation package – focused on secure internet access for branch and roaming users.
● Essentials – secure connectivity
● Advantage – data protection and advanced security
Cisco+ Secure Connect Complete package – focused on hybrid users that need secure Internet access, ZTNA, and remote access as a service
● Essentials – secure connectivity
● Advantage – data protection and advanced security
Subscriptions are available for standard-term lengths of 12, 36, and 60 months. Cisco+ Secure Connect is licensed per seat. A seat is defined as an internet-connected user who may have access to the service. Seat counts are independent of the number of devices or endpoints protected. Contact your Cisco account manager or a Cisco+ partner for pricing.
Q. Is Remote Browser Isolation (RBI) included in Cisco+ Secure Connect? How can we add on RBI?
A. Remote Browser Isolation (RBI) is not currently available in Cisco+ Secure Connect, nor can it be purchased a la carte for use with Cisco+ Secure Connect at this time. The following current Cisco Umbrella packages are not eligible to be replaced through a modified subscription with Cisco+ Secure Connect: Cisco Umbrella RBI, Cisco Umbrella through any Enterprise Agreement (EA), or Cisco Umbrella Premium support, or if there are more than 36 months remaining on an existing Cisco Umbrella subscription.
Q. Is reserved IP included in Cisco+ Secure Connect? How can we add reserved IP?
A. Reserved IP is an add-on package that is not available in Cisco+ Secure Connect at this time. However, it is planned for introduction in Q1 of FY24.
Q. Are customers allowed to upgrade/move from the Cisco+ Secure Connect Foundation package to the Cisco+ Secure Connect Complete package?
A. Cisco+ Secure Connect Foundation Essentials customers can upgrade to a Complete Essentials or Advantage package. Cisco+ Secure Connect Foundation Advantage customers can only migrate to a Complete Advantage package.