Cisco Secure Access Playbook
This playbook is designed to provide you with use case education, customer requirements, and actions you'll need to take to help your customers navigate their Cisco product adoption.


How to coach for success with Cisco Secure Access
Help your customers get started with initial Cisco Secure Access onboarding steps, then learn how to tap into advanced features to further configure, customize, and secure their network.
To help your customer activate their Cisco Secure Access subscription, guide them to sign into the Security Provisioning and Administration portal, select their region, and change the default enterprise name. Assist in creating a Cisco Security Cloud Sign On account, if they are not able to log in. Use the claim code from their welcome email to activate the subscription and help invite additional admins. Ensure the provisioning user receives the confirmation email and refer your customer to the user guide for detailed instructions.
To assist a customer with onboarding their Cisco Secure Access account, guide them to log into the Secure Access dashboard using Cisco Security Cloud Sign On. Assist in creating a user account with the appropriate access level. Help them access the ThousandEyes portal via the welcome email link and reset the password, if needed. Finally, aid in generating a token to integrate Experience Insights between Secure Access and ThousandEyes.
To assist a customer with Secure Internet Access, guide them through the initial configuration process, including installing the root certificate, registering their public IP address, and provisioning users and groups with Active Directory. Once they have set up these initial configurations, help them implement Secure Internet Access with their chosen implementation method, then assist in setting up rules and policies, and ensure they have integrated ThousandEyes Experience Insights.
To assist a customer with Secure Private Access, guide them through the initial configuration process, including configuring private resources and groups, provisioning users and groups with Active Directory, and setting up SAML integrations. Once they have set up these initial configurations, help them implement Secure Private Access with their chosen implementation method, then assist in setting up rules and policies, and ensure they have integrated ThousandEyes Experience Insights.
Customers enter the Secure Access journey when they meet the following corresponding entry criteria:
Customers enter the Secure Internet Access journey when they meet the following corresponding entry criteria:
Customers enter the Secure Private Access journey when they meet the following corresponding entry criteria:
Customers are eligible for these journeys when they have purchased:
Eligibility Rule | Hierarchy Component | Rule Description |
---|---|---|
Rule 1 | License | Must have at least one license (SIA ADVANTAGE, SIA ESSENTIALS, SPA ADVANTAGE, SPA ESSENTIALS, User Protection Suite - Essential, User Protection Suite - Advantage) |

Eligibility Scenarios |
---|
If Rule 1 is TRUE, then your customer is ELIGIBLE |
Guidance on helping your customer adopt Cisco Secure Access
In this stage, the customer will:
- Sign into the Provisioning Administration Portal
- Claim the new subscription in the Portal, using the claim code provided in the Secure Access Welcome email
- Invite additional admins
The customer will exit this stage when they have:
- Created their Secure Access Organization ID
Tips for Partner
Ensure your customer is:
- Able to successfully log into the Security Provisioning and Administration portal. If they do not have a Cisco Security Cloud Sign On account, ensure they create one.
- Selecting the correct region and changing the default enterprise name when prompted
- Using their Secure Access service contract linked to their CCO ID (a prerequisite for submitting a Secure Access case, such as for provisioning issues)
Provisioning
Preheader: Take these steps today to maximize your investment
Trigger: Greenfield customers who have not created an organization ID
Goal: Walk customer through the provisioning process
In this stage, the customer will:
- Log into their Secure Access Dashboard
- Invite new users to create a new account
- Log into the ThousandEyes Portal
- Generate a token and start the Experience Insights Integration
The customer will exit this stage when they have:
- Created at least two non-Cisco admins
Tips for Partner
Ensure your customer is:
- Adding additional admins to prevent lockout
- Logging into their ThousandEyes portal
  - If the ThousandEyes activation link has expired, complete a password reset.
  - If they are not able to locate the welcome email, contact our TAC team. Note that the ticket tech must be selected as Secure Access with the subtech selected as Experience Insights.
- Logging into their Secure Access dashboard at least five times each month
- Subscribed to the Secure Access Status page
Login Configurations
Preheader: Follow these steps to configure your Secure Access solution seamlessly.
Trigger: Customer has an organization ID, but has not added at least two non-Cisco admins
Goal: Ensure customer has logged into their dashboard, added users, and started their ThousandEyes integration
Guidance on helping your customer adopt Secure Internet Access
In this stage, the customer will:
- Download and install the Secure Access root certificate
- Register the public IP address and redirect DNS traffic to the public Secure Access DNS resolvers
The customer will exit this stage when they have:
- Sent DNS requests to Cisco Secure Access
Tips for Partner
Ensure your customer is:
- Visiting the official Secure Access test page. The page will load successfully if Secure Access is functioning and protecting the customer machine.
- Navigating to Activity Search in their dashboard to confirm test traffic is recorded and default policy applications are applied (i.e. Block)
Basic Configurations
Preheader: Follow these best practices to complete your Cisco Secure Access configuration
Trigger: Customer has added at least two non-Cisco admins, but has not started sending DNS requests
Goal: Guide active SIA customer through the initial configuration process, while additionally providing an activity report on their usage
In this stage, the customer will:
- Configure at least one of the following Secure Internet Access implementation methods (Roaming Clients, Remote Access VPN, IPsec Tunnels, Network Protection)
The customer will exit this stage when they have:
- Configured at least one of the four Secure Internet Access implementation methods
Tips for Partner
Roaming Clients and Network Protection implementation methods:
- Ensure the customer has added all local domains to the traffic steering list, so that they bypass Secure Access, before adding any clients or Virtual Appliances.
RAVPN implementation method:
- Ensure the customer is using the IKEv2 protocol and a split tunnel for optimal performance.
- Ensure the DART tool is installed to enable diagnostics and troubleshooting from TAC.
IPsec implementation method:
- To protect against a loss of connectivity, ensure the customer has set up redundant tunnel headends for a network tunnel group.
- Ensure customer has updated their local routing to send traffic to the secondary headend when the primary is unreachable.
Network Protection implementation method:
- Ensure customer deploys VAs on separate physical hypervisor hosts. Note that if a hypervisor hosting a VA becomes unavailable, the second VA will continue serving DNS requests without interruption.
Implementation Methods
Preheader: Select the best implementation method to secure your inbound and outbound traffic
Trigger: Customer has started sending DNS requests and provisioned users or groups with Active Directory, but has not completed any of the Secure Internet Access implementation methods
Goal: Guide customer through the four Secure Internet Access implementation methods
In this stage, the customer will:
- Set up their Secure Internet Access rules and web profile components
- Determine Secure Internet Access policy prioritization
- Connect their Identity Provider to Secure Access to provision users and groups
- Set up SAML integrations to improve user visibility
- Configure Cisco Experience Insights
The customer will exit this stage when they have:
- Successfully configured their ThousandEyes token integration
Tips for Partner:
- For baseline protection, policies work out-of-the-box
- Tenant controls are available only in allowed rules
- Geo-location destinations are only available in blocked rules
- Some security features are not applicable to blocked rules
- Ensure your customer is aware that enabling SAML Authentication in the default rule applies only to the IPsec Tunnel and PAC file traffic-forwarding methods
- Ensure your customer is checking the Experience Insights dashboard regularly for usage and performance insights
Rules and Policies
Preheader: Create and manage rules to allow access to your traffic securely.
Trigger: Customer has configured at least one of the four Secure Internet Access implementation methods
Goal: Ensure customer utilizes rules and policies to effectively manage traffic, configures SAML integrations for user visibility with IPsec Tunnel and PAC file deployments, and successfully sets up the Experience Insights integration
Guidance on helping your customer adopt Secure Private Access
In this stage, the customer will:
- Configure private resources individually or as groups
- Provision users and groups by connecting Active Directory to Secure Access
- Set up SAML integrations for ZTNA user enrollment
The customer will exit this stage when they have:
- Configured private resources or groups and have provisioned users with Active Directory
Tips for Partner:
- If the customer is going to specify resource addresses using domain names (FQDNs), ensure they have added at least one internal DNS server that can route traffic to their resource.
- Ensure your customer is identifying the Active Directory groups of interest with selective sync. Users and computers belonging to these groups synchronize to Cisco Secure Access.
Basic Configurations
Preheader: Follow these best practices to complete your Cisco Secure Access configuration
Trigger: Customer has added at least two non-Cisco admins, but has not configured private resources nor provisioned users or groups with Active Directory
Goal: Guide active SPA customer through the initial configuration process, while additionally providing an activity report on their usage
In this stage, the customer will:
- Connect private applications to Cisco Secure Access
- Select and configure the private application access method of their choosing (Remote Access VPN, ZTNA, IPsec Tunnels)
The customer will exit this stage when they have:
- Configured at least one of the three Secure Private Access implementation methods
Tips for Partner
RAVPN implementation method:
- Use the IKEv2 protocol and a split tunnel for optimal performance.
- Make sure the DART tool is installed to enable diagnostics and troubleshooting from TAC.
ZTNA implementation method:
- For redundancy, i.e. to avoid service interruptions during connector upgrades, you should deploy at least two connectors in each group.
- There are certain applications that are not supported by ZTNA.
- Ensure users understand that application connectors only support ZTNA.
IPsec implementation method:
- To protect against a loss of connectivity, ensure the customer has set up redundant tunnel headends for a network tunnel group. They will need to update their local routing to send traffic to the secondary headend when the primary is unreachable.
Implementation Methods
Preheader: Select the best implementation method to secure your applications and network
Trigger: Customer has configured private resources or groups and has provisioned users with Active Directory
Goal: Ensure customer has successfully connected private applications to Cisco Secure Access and configured one of the three different Secure Private Access implementation methods
In this stage, the customer will:
- Set up their Secure Private Access rules and web profile components
- Determine Secure Private Access policy prioritization
- Configure Cisco Experience Insights
The customer will exit this stage when they have:
- Successfully configured their ThousandEyes token integration
Tips for Partner:
- By default, all traffic is blocked. It is necessary to add an additional rule to allow traffic.
- Ensure customer is aware that they can test applications from the dashboard with Test Private Resource Reachability
- Check Experience Insights dashboard regularly for usage and performance insights
Rules and Policies
Preheader: Create and manage rules to allow access to your private applications securely
Trigger: Customer has configured at least one of the three Secure Private Access implementation methods
Goal: Ensure customer utilizes rules and policies to effectively manage traffic and successfully sets up the Experience Insights integration