Chapter 9: Enterprise Deployment: Architecture, Rollout, and Best Practices

Learning Objectives

Pre-Reading Check — Planning and Prerequisites

1. Cisco guidance says Secure Access policies should be built primarily around what?

Raw IP subnets and VLAN numbers Identity — users and groups Physical switch port assignments MAC address allow-lists

2. Which of the three connectivity mechanisms connects outbound over TLS from inside the private network and never exposes apps to the internet?

Cisco Secure Client Network Tunnel Group (IPsec IKEv2) Resource Connector PAC file

3. Why is validating identity attributes before writing policies so important?

It reduces the Secure Access subscription cost A prerequisite gap found mid-migration forces an emergency rollback It is required to enable the mermaid dashboard SAML cannot be configured after policies exist

4. What does "split-DNS" ensure in a Secure Access design?

Private FQDNs route through Secure Access/ZTNA while public FQDNs resolve normally All DNS queries are dropped until TLS decryption is enabled DNS is split evenly across two ISPs for load balancing Only IPv6 queries reach Cisco's resolvers

5. When upgrading from Umbrella, what mistake creates an unlinked org that breaks policy migration and logging?

Uploading the SAML metadata twice Choosing "Create New Instance" instead of an upgrade target Enabling SCIM selective sync Distributing the root certificate via Group Policy

1. Planning and Prerequisites

Before you touch any traffic, you have to get the foundations right. Rushing this stage is the number one cause of failed rollouts, because a missing identity attribute or an undersized firewall discovered mid-migration forces exactly the kind of emergency rollback you are trying to avoid.

Key Points

Discovery of users, sites, and apps

Discovery is an inventory exercise — you cannot design policies around users and applications you have not catalogued. Enumerate users and groups (department, role, device type, posture) because Cisco insists policies be identity-centric; map your sites and network topologies so the pilot represents your real mix of office LAN, home broadband, and 4G/5G; and catalogue internal applications by FQDN/internal IP and criticality, since low-risk widely-used apps become ZTNA pilot targets and business-critical apps come last. If migrating from Umbrella, discovery also includes a policy cleanup in the source system to reduce policy-translation errors.

Connectivity design (client, tunnels, connectors)

MechanismWhat it isBest forKey technical facts
Cisco Secure Client Unified endpoint agent with VPN + ZTNA/roaming modules Roaming laptops and managed endpoints needing internet + private-app access Version 5.1.17+ on Win/macOS/Linux; ZTA endpoints should have TPM 2.0; deployed at scale via SCCM/Intune/Jamf
Network Tunnel Groups (NTGs) IPsec IKEv2 site-to-site tunnels to Cisco's cloud Branch/site traffic and devices that can't run a client (IoT, legacy) Carry private-app/ZTNA, VPN, DNS, and inspection traffic; defined with endpoints, regions, auth, encryption, traffic selectors
Resource Connectors Small connector VMs/appliances deployed inside the private network Publishing internal apps (web, APIs, SSH/RDP) for ZTNA Connect outbound over TLS and proxy user traffic — apps are never exposed directly to the internet

Alongside these, plan your traffic steering for web traffic: the Secure Client roaming module, PAC files, proxy chaining, or network-based steering via SD-WAN/router tunnels (route-based VPN plus an extended ACL for DNS/web on TCP/UDP 53, 80, 443, driven by policy-based routing).

Animation 1 — Connectivity fan-in: three mechanisms converging on the Secure Access cloud
Secure Access DNS · SWG · FWaaS CASB/DLP · ZTNA Roaming laptop Secure Client (VPN+ZTNA) Branch / site IPsec IKEv2 tunnel (NTG) Resource Connector Outbound TLS (apps hidden)

Identity and certificate prerequisites

Confirm account-level prerequisites: an active subscription with portal + Security Cloud Control admin rights. If upgrading, verify Secure Access was created as an upgrade target, not a separate "Create New Instance" org.

Figure 9.1: Three connectivity mechanisms converging on the Secure Access cloud

flowchart LR subgraph Endpoints["Users & Devices"] LAP["Roaming laptop
(managed endpoint)"] BR["Branch / site
(IoT, legacy systems)"] end subgraph Cloud["Cisco Secure Access Cloud (SSE)"] SSE["DNS Defense · SWG · FWaaS
CASB/DLP · ZTNA"] end subgraph Private["Private Network"] RC["Resource Connector VM"] APP["Internal apps
(web, API, SSH/RDP)"] end LAP -->|"Cisco Secure Client
(VPN + ZTNA module)"| SSE BR -->|"IPsec IKEv2 tunnel
(Network Tunnel Group)"| SSE SSE -->|"Outbound TLS
(app never exposed)"| RC RC --> APP
Key Takeaway: Discovery and prerequisites are the load-bearing foundation. Inventory your users, sites, and apps; choose the right mix of client, tunnels, and connectors; and validate identity attributes and certificates before a single policy depends on them.
Post-Reading Check — Planning and Prerequisites

1. Cisco guidance says Secure Access policies should be built primarily around what?

Raw IP subnets and VLAN numbers Identity — users and groups Physical switch port assignments MAC address allow-lists

2. Which of the three connectivity mechanisms connects outbound over TLS from inside the private network and never exposes apps to the internet?

Cisco Secure Client Network Tunnel Group (IPsec IKEv2) Resource Connector PAC file

3. Why is validating identity attributes before writing policies so important?

It reduces the Secure Access subscription cost A prerequisite gap found mid-migration forces an emergency rollback It is required to enable the mermaid dashboard SAML cannot be configured after policies exist

4. What does "split-DNS" ensure in a Secure Access design?

Private FQDNs route through Secure Access/ZTNA while public FQDNs resolve normally All DNS queries are dropped until TLS decryption is enabled DNS is split evenly across two ISPs for load balancing Only IPv6 queries reach Cisco's resolvers

5. When upgrading from Umbrella, what mistake creates an unlinked org that breaks policy migration and logging?

Uploading the SAML metadata twice Choosing "Create New Instance" instead of an upgrade target Enabling SCIM selective sync Distributing the root certificate via Group Policy
Pre-Reading Check — Phased Rollout

1. What is the correct ordering of the phased rollout sequence?

VPN cutover → ZTNA → SIA → DNS → Prep Prep → DNS Defense → Secure Internet Access → ZTNA → VPN cutover DNS → VPN cutover → ZTNA → SIA → Prep Prep → ZTNA → VPN cutover → DNS → SIA

2. What pilot size does Cisco recommend, and what matters most about it?

10–20 users; they should all be IT admins 50–200 representative users spanning departments, OS versions, and network topologies 1,000+ users to get statistical significance A single power user who can self-troubleshoot

3. Why is DNS Defense the ideal "quick win" first phase?

It requires no identity integration at all It keeps the same traffic flow while adding protection, without redesigning the network It is the only phase that can be done big-bang safely It automatically retires the VPN

4. When the Umbrella Upgrade Manager shows "Upgrade Success," what has it actually confirmed?

That all production traffic is validated and safe to redirect Only that the policy copy completed — not that traffic is validated That the legacy VPN has been decommissioned That TLS decryption is now enforced

5. What pattern governs the final VPN-to-ZTNA cutover?

Big-bang cutover once ZTNA is configured Dual-run, then decommission — VPN kept as fallback until ZTNA is proven stable Decommission VPN first, then build ZTNA Run both indefinitely with no cutover

2. Phased Rollout

The heart of an enterprise deployment is a controlled, phased sequence. Cisco frames the journey as a four-to-five-phase model in which each phase is validated with pilots before the next begins. The unifying rule across every phase is the same: never do a "big-bang" cutover.

Key Points

PhaseNameGoalKey activities
Phase 0Preparation & migration planningGet foundations right before touching trafficValidate subscription/org linkage; clean up source policies; integrate/validate IdP+SCIM; define pilots and rollback
Phase 1DNS-layer security (DNS Defense)Block threats at the DNS layerPoint DNS to Secure Access resolvers; security-only rules; pilot-redirect DNS; validate attribution and logs
Phase 2Secure Internet Access (SWG + FWaaS)Deep inspection of web/cloud trafficSteer web traffic (client/PAC/SD-WAN); Internet Access Rules; monitor/log-only, then harden
Phase 3ZTNA (Secure Private Access)Per-app, identity-based private accessDeploy Resource Connectors; define internal destinations; write ZTA policies; pilot low-risk apps, VPN as fallback
Phase 4VPN cutoverRetire legacy VPNDual-run; expand ZTNA coverage; disable VPN per cohort after stable logs; decommission concentrators
Animation 2 — The five-phase rollout timeline advancing phase by phase
0Prepplan 1DNSquick win 2SIASWG+FW 3ZTNAprivate 4VPNcutover Each phase gated by a validated pilot — never big-bang

Pilot group and DNS-first quick win

Every phase starts with a pilot of 50–200 representative users — large enough to surface real problems, small enough to roll back cleanly — spanning departments, OS versions, office/remote mix, and network topologies. Every pilot needs an explicit rollback plan defined before you start: how to revert DNS, disable agents/tunnels, who approves rollback, and what logs to collect.

DNS Defense is the ideal first phase. It keeps the same traffic flow (DNS to cloud resolvers) while adding malware protection, DLP, and AI-assisted detection — without redesigning the network. Steps: (1) point DNS to Secure Access; (2) integrate identities so DNS policies are identity-aware; (3) pilot-redirect DNS for a small group and compare logs. Start conservative: security-only categories first, with separate stricter rules for guests, IoT, and unmanaged devices.

A critical migration nuance: DNS Defense migration from Umbrella is a guided migration via the Upgrade Manager, not a single cutover. "Upgrade Success" confirms only the policy copy, not that traffic is validated. Umbrella and Secure Access can run in parallel (dual-run), so you migrate at your own pace.

Layering SWG, firewall, and ZTNA

Phase 2 — Secure Internet Access. DNS blocks only at the domain level. SIA adds a Secure Web Gateway (URL filtering, TLS decryption, file inspection), a cloud firewall (L3/L4, geo), and CASB/DLP. Start with monitor/log-only policies, identify top cloud apps via reporting, then harden. Keep bypass lists ready for apps that break under TLS decryption.

Phase 3 — ZTNA. Users receive per-app, identity-based access instead of network-level VPN, reducing lateral movement. Steps: deploy Resource Connectors, add internal destinations (FQDNs/IPs), and write ZTA policies with device posture, location, and risk conditions. Pilot on low-risk widely-used apps and keep VPN as a fallback.

Figure 9.2: The five-phase rollout sequence, each gated by a validated pilot

flowchart LR P0["Phase 0
Preparation &
migration planning"] P1["Phase 1
DNS-layer security
(DNS Defense)"] P2["Phase 2
Secure Internet Access
(SWG + FWaaS)"] P3["Phase 3
ZTNA
(Secure Private Access)"] P4["Phase 4
VPN cutover"] P0 --> P1 --> P2 --> P3 --> P4 P1 -.->|"validate pilot
before expanding"| P1 P2 -.->|"monitor/log-only
then harden"| P2 P3 -.->|"keep VPN
as fallback"| P3 P4 -.->|"dual-run then
decommission"| P4

VPN-to-ZTNA cutover strategy

Only after DNS Defense, SIA, and SPA are all stable do you plan the VPN cutover, following a dual-run, then decommission pattern: (1) dual-run with legacy VPN as edge-case fallback; (2) progressively expand private apps, connectors, and ZTNA-only cohorts; (3) final cutover when ZTNA covers all critical apps and logs are stable — disable VPN per cohort, monitor, then decommission concentrators.

Animation 3 — VPN-to-ZTNA dual-run cutover with a rollback gate
Dual-run: VPN available while ZTNA pilots Progressive expansion: apps, connectors, cohorts Logs stable?all critical apps OK? Yes Disable VPN per cohort;decommission concentrators No Rollback gate:re-enable VPN fallback

Worked example — an 8-month enterprise rollout:

TimeframeActivity
Months 1–2Upgrade Umbrella to Secure Access DNS Defense for ~10% of users; validate identity, logging, policy behavior
Months 3–4Deploy SIA via SD-WAN tunnels for three pilot branches; run SWG in monitor mode, then enforce gradually
Months 5–6Deploy Resource Connectors in two data centers; publish key internal apps via SPA; pilot ZTNA for 100 users
Months 7–8Expand SPA coverage; gradually disable VPN for pilot cohorts; once stable, decommission legacy VPN concentrators

Figure 9.3: VPN-to-ZTNA dual-run-then-decommission cutover

flowchart TD A["Dual-run: legacy VPN available
while ZTNA reaches pilot groups"] --> B["Progressive expansion:
add private apps, extend Resource
Connectors, grow ZTNA-only cohorts"] B --> C{"ZTNA covers all critical apps
AND logs show stable,
error-free access?"} C -->|"No"| B C -->|"Yes"| D["Disable VPN for a pilot cohort;
monitor for defined period"] D --> E{"Stable across broader
segments?"} E -->|"No — issues found"| F["Re-enable VPN fallback;
execute rollback plan"] F --> B E -->|"Yes"| G["Repeat until VPN usage minimal;
decommission concentrators"]
Key Takeaway: Follow the sequence Prep → DNS → Secure Internet Access → ZTNA/Private Access → VPN cutover. Each phase reuses the same platform and identities, starts with a 50–200-user representative pilot and a rollback plan, and expands only after logs confirm correct behavior. Never do a big-bang cutover.
Post-Reading Check — Phased Rollout

1. What is the correct ordering of the phased rollout sequence?

VPN cutover → ZTNA → SIA → DNS → Prep Prep → DNS Defense → Secure Internet Access → ZTNA → VPN cutover DNS → VPN cutover → ZTNA → SIA → Prep Prep → ZTNA → VPN cutover → DNS → SIA

2. What pilot size does Cisco recommend, and what matters most about it?

10–20 users; they should all be IT admins 50–200 representative users spanning departments, OS versions, and network topologies 1,000+ users to get statistical significance A single power user who can self-troubleshoot

3. Why is DNS Defense the ideal "quick win" first phase?

It requires no identity integration at all It keeps the same traffic flow while adding protection, without redesigning the network It is the only phase that can be done big-bang safely It automatically retires the VPN

4. When the Umbrella Upgrade Manager shows "Upgrade Success," what has it actually confirmed?

That all production traffic is validated and safe to redirect Only that the policy copy completed — not that traffic is validated That the legacy VPN has been decommissioned That TLS decryption is now enforced

5. What pattern governs the final VPN-to-ZTNA cutover?

Big-bang cutover once ZTNA is configured Dual-run, then decommission — VPN kept as fallback until ZTNA is proven stable Decommission VPN first, then build ZTNA Run both indefinitely with no cutover
Pre-Reading Check — Operational Best Practices

1. In Cisco's layered policy model, what should the default rule for unknown/unauthenticated users be?

Allow all, then log for later review Block or highly restrict — never fall through to a permissive rule Grant the same access as authenticated developers Redirect them to a captive portal with full internet access

2. How should IoT and other devices that can't run the Secure Client be matched in policy?

By SAML assertion of the device's user By network identifiers — IP ranges, VLANs, or Security Group Tags — held to strict controls They cannot be governed by any policy By the endpoint's TPM 2.0 attestation only

3. What is the recommended change-management approach when enabling new enforcement?

Switch straight to block mode to save time Start in monitor/log-only mode, validate business impact, then harden Make config changes during the Upgrade Manager's active window Skip Help Desk preparation to reduce overhead

4. Since Cisco's SSE cloud scales elastically, what sizing responsibility remains with the customer?

None — Cisco sizes every component Edge devices and connectors — tunnel throughput, connector capacity, and redundancy for peak load Only the number of SAML assertions per second Only the DNS resolver cache size

5. An internal app becomes unreachable and some private names leak to public resolvers. Which pitfall is this?

TLS decryption breaking apps Broken split-DNS A disconnected org Overly strict firewall rules

3. Operational Best Practices

A good rollout plan gets you into production; disciplined operations keep you there. This section covers the policy, monitoring, and change-management practices that separate smooth deployments from ticket storms — and the pitfalls that cause most of them.

Key Points

Policy design and least privilege

Cisco recommends a layered policy model for Internet Access Rules: a global baseline (block malicious domains/IPs and high-risk categories for all users), role-based rules (Developers reach repos/cloud consoles; Finance reaches ERP/finance SaaS), and exception policies (narrow allow-rules built with objects/resource groups, not broad category exemptions). Two rules of thumb make this least-privilege by default: strong defaults (unknown/unauthenticated = block or highly restrict) and non-client traffic uses network identifiers (IP ranges, VLANs, or SGTs). Make policies context-aware by combining identity with device posture, OS, and location.

Analogy: Think of least-privilege policy as a building's keycard system. Everyone can enter the lobby (the global baseline lets safe traffic through), but a Finance keycard only opens Finance floors and a Developer keycard only opens the lab. A visitor with no recognized card gets the most restricted access of all — never the master key.

Monitoring and change management

Monitoring spans DNS, web, firewall, and private-app layers — feed these into your SIEM: DNS Defense logs (threat blocks, unexpected NXDOMAIN), SWG/firewall logs (blocked URLs, file types, malware, denied L3/L4), and SPA/ZTNA logs (access per destination and Resource Connector health/capacity).

Cisco's recurring change-management best practices: communicate and train pilot users; prepare the Help Desk with runbooks and TAC identifiers; start in monitor/log-only mode, then harden; freeze config during migration windows; and keep rollback ready — expand only after policies validate and metrics are stable.

Sizing and redundancy

Cisco's SSE cloud scales elastically, but your edge devices and connectors must be sized for peak load: tunnel capacity (IPsec encryption throughput and session counts), connector throughput (multiple connectors per critical site across availability zones), redundant NTGs (multiple tunnel groups to different regions with BGP/static priorities/HA pairs), and client-side redundancy (multiple gateways/regions for failover).

Common pitfalls and troubleshooting

PitfallSymptomRemedy
Big-bang cutoverWidespread outages, mass Help Desk ticketsNever redirect all users at once; validate with pilots and expand incrementally
Trusting "Upgrade Success"Rules appear copied, but traffic misbehavesThe message confirms policy copy only; validate behavior with a pilot first
Disconnected orgRules/traffic don't appear in the expected dashboardCreate Secure Access as an upgrade target, not a "New Instance"
TLS decryption breaks appsApp errors after enabling SWGAdd problematic apps to a bypass list
Overly strict firewall rulesLegitimate services blockedTune policy; use log-only rules first for visibility
Missing/incorrect identityDenied private access for valid usersCheck ZTA policies, group membership, directory sync, AD Connector status
Broken split-DNSInternal apps unreachable, or private names leakVerify private FQDNs route through Secure Access/ZTNA and public FQDNs resolve normally
Connector overload / SPOFLatency or outages on private-app accessSize and monitor connectors; deploy redundant connectors across zones

The general troubleshooting workflow is to validate configuration first, then behavior: confirm policies migrated, connectors/tunnels are healthy, and directory/SSO works — then confirm apps are reachable, bad destinations blocked, identity mapping correct, and performance acceptable. Do not advance to the next phase until behavior is validated.

Key Takeaway: Operate on least-privilege policy with strong defaults, monitor every layer into your SIEM, and treat change management as a discipline — communicate, prepare the Help Desk, start in log-only mode, freeze config during migration, and keep rollback ready. Most failures trace back to a short list of avoidable pitfalls.
Post-Reading Check — Operational Best Practices

1. In Cisco's layered policy model, what should the default rule for unknown/unauthenticated users be?

Allow all, then log for later review Block or highly restrict — never fall through to a permissive rule Grant the same access as authenticated developers Redirect them to a captive portal with full internet access

2. How should IoT and other devices that can't run the Secure Client be matched in policy?

By SAML assertion of the device's user By network identifiers — IP ranges, VLANs, or Security Group Tags — held to strict controls They cannot be governed by any policy By the endpoint's TPM 2.0 attestation only

3. What is the recommended change-management approach when enabling new enforcement?

Switch straight to block mode to save time Start in monitor/log-only mode, validate business impact, then harden Make config changes during the Upgrade Manager's active window Skip Help Desk preparation to reduce overhead

4. Since Cisco's SSE cloud scales elastically, what sizing responsibility remains with the customer?

None — Cisco sizes every component Edge devices and connectors — tunnel throughput, connector capacity, and redundancy for peak load Only the number of SAML assertions per second Only the DNS resolver cache size

5. An internal app becomes unreachable and some private names leak to public resolvers. Which pitfall is this?

TLS decryption breaking apps Broken split-DNS A disconnected org Overly strict firewall rules

Your Progress

Answer Explanations