Cisco Secure Client is a next-generation unified security agent.
Cisco Secure Client integrates the security modules of all Cisco Security solutions into a single client, making their deployment and administration easier with modern cloud management. It represents a new generation of endpoint security agent that integrates various security functions in one universal solution. As the successor to the successful AnyConnect client, Secure Client retains all the popular features and adds new integration options with other Cisco security technologies. The Secure Client itself is provided free of charge as a unified framework, with individual security modules activated based on purchased licenses for the relevant Cisco security technologies. This unification allows organizations to implement a comprehensive security approach while simplifying deployment and management, only paying for the modules that they actually need.
Licensing model and module access
The Cisco Secure Client itself is provided free of charge as a framework.
The modules are activated based on purchased licenses for the respective technologies:
- With an Umbrella license, you gain access to the Umbrella Roaming Security module
- With an AnyConnect license (now a term for VPN functionality), you gain a VPN module
- With a Secure Endpoint license, you gain access to the Secure Endpoint module
- With an ISE license, you gain access to the ISE Posture module
- Etc.
Two license levels are available for VPN functionality (AnyConnect):
- Advantage (Plus) – basic VPN functionality
- Premier (Apex) – extended functionality including NVM and advanced features
With all the modules acquired, you have access to a central cloud management solution for easy administration across all technologies.
Key features and functions
VPN functionality (requires AnyConnect license): Provides flexible options for securely connecting to your corporate network, including automatic connection, reconnection, and disconnection of VPN sessions. Supports various VPN technologies including SSL (AnyConnect) and IPsec with IKEv2.
Secure Endpoint module (requires a Secure Endpoint license): Full integration with Cisco Secure Endpoint (formerly AMP for Endpoints) provides advanced protection against malware, ransomware, and other threats. This module extends endpoint protection to VPN-connected devices.
Network Visibility Module (NVM) (part of AnyConnect Premier): A key module for Cisco XDR that provides the continuous collection of endpoint telemetry on network traffic, applications, and user behavior for on- and offsite devices. This unique “endpoint viewpoint” enables the XDR platform to detect sophisticated threats that would otherwise remain hidden, including communications on public networks outside the corporate perimeter. With NVM, XDR gains the comprehensive visibility that is necessary to effectively protect remote workers.
Zero Trust Access module (ZTA): Secure Client includes the Zero Trust Access module (available for Secure Client 5.1.3.62 and later), which is supported by Cisco Secure Access. The ZTA module significantly reduces the attack surface by “hiding” applications and expanding the possibilities of secure network access based on thorough user and device verification. Unlike traditional VPN access, ZTA does not consider any user or device trustworthy without authentication. Once verified, users are granted limited access and are subject to continuous re-evaluation.
Umbrella Roaming Security module (requires an Umbrella license): Provides DNS-layer protection even when the VPN is not active. With an Umbrella subscription, the module also provides an intelligent proxy for more comprehensive protection.
ISE Posture module (requires an ISE license): Allows assessing the status of an endpoint and verifying its compliance with the organization’s security requirements. Endpoints that do not meet the mandatory requirements are marked as non-compliant and may be denied access.
Network Access Manager: Client software that provides a secure Layer 2 network in accordance with set policies. Detects and selects the optimal Layer 2 access network and performs device authentication.
Secure Firewall Posture (formerly HostScan): Collects information about the endpoint (e.g., OS, antivirus, software) and uses policy evaluation to control which devices can establish remote connections.
ThousandEyes: As an optional component of the Secure Client (licensed separately), the ThousandEyes Endpoint Agent is used to collect network and application layer performance data when users access specific sites on monitored networks. Improves customers’ ability to gain a comprehensive view of the health of their applications, enabling them to make better-informed decisions and resolve issues faster.
Cloud Management module: XDR Client Management and standalone Cisco Secure Client Cloud Management enable administrators to create cloud-managed Cisco Secure Client deployments. This configuration offers the option to download a lightweight installer, containing only the information necessary to connect the endpoint to the cloud, or a full installer. In both cases, administrators distribute installation files to endpoints using their preferred software distribution method. Cloud Management provides a simple interface for customizing and generating a network installer, creating and managing custom profiles, and leveraging visibility into clients deployed over the cloud.
How Cisco Secure Client works
Cisco Secure Client works as a unified agent installed on the endpoint device. Depending on the licenses purchased, it activates the relevant modules and functionality:
- Secure network access: Authenticates user and device identity, ensures compliance with security requirements and provides secure VPN connection or wireless network access.
- Endpoint protection: Monitors and protects devices from malware and other threats through integration with Secure Endpoint.
- Network visibility and XDR integration: The NVM module collects and sends telemetry on network traffic, applications, and user behavior directly to the XDR platform for threat detection and security analysis, including from devices outside the corporate network.
- Roaming protection: Provides a continuous DNS layer of security even when the user is not connected to the corporate network.
Posture Assessment: Checks that the device meets the organization’s security requirements before it is allowed access to network resources.
Customer Benefits Implementing Cisco Secure Client brings a number of benefits to organisations
Lower total cost of ownership (TCO)
One client providing multiple security services reduces the cost of acquiring, deploying, and managing separate solutions.
Flexible "pay only for what you need" model
Organizations only buy licenses for the modules that they will actually use, while benefiting from a single centrally-managed agent.
Context-aware security
A comprehensive approach that takes into account user identity, device status, location, and other factors for optimal security decisions.
Better user experience
A single agent means fewer software components to install and manage, improving user satisfaction.
Advanced threat detection
By combining the NVM module with the XDR platform, it provides deep insight into network communications and enables the identification of sophisticated threats, especially to remote workers.
Central cloud management
Ability to centrally manage all the security modules from one console.
The road to Zero Network Access
Secure Client is an important element in the implementation of Zero Trust architecture, which requires continuous authentication and access management.
Technical aspects and implementation details
For VPN functionality (AnyConnect), the Cisco Secure Client is available at two main license levels:
Advantage (Plus): Basic license including VPN functionality for PC and mobile devices, basic endpoint context collection, IEEE 802.1X Windows supplicant, FIPS compliance, VPN compliance and Posture for Secure Firewall, and unified compliance and posture agent for ISE.
Premier (Apex): Extended license including all the Advantage features in addition to Suite B encryption (highly secure cryptographic algorithms for IKEv2 VPN clients), Network Visibility Module for XDR integration, ASA Multicontext-mode for remote access, SAML authentication, Management VPN Tunnel, and other premium features.
Cisco Secure Client supports a wide range of platforms and operating systems, including:
- Windows 11 (64-bit)
- Windows 10 (32-bit and 64-bit)
- Windows for ARM64 processors
- macOS 12, 11.2, 10.15, and 10.14 (all 64-bit)
- Linux distributions such as Red Hat, Ubuntu, and SUSE
- Mobile operating systems (iOS and Android)
Specific hardware is required for the Zero Trust Access Module, such as TPM 2.0 for Windows devices and Secure Enclave for macOS devices.
Cisco Secure Client
This represents a significant step forward in protecting endpoints and securing access to corporate resources. With our innovative approach where the basic framework is provided free of charge and individual modules are activated based on purchased licenses for the respective technologies, Secure Client offers maximum flexibility and efficiency. By consolidating multiple security technologies into a single agent with unified management, our solution enables organizations to simplify management, reduce costs, and strengthen their overall security posture. Through the integration of the Network Visibility Module with the Cisco XDR platform, it provides a unique view of endpoint network communications, which is critical for detecting and stopping advanced sophisticated threats, especially for remote workers. Cisco Secure Client is an ideal choice for organizations looking for a comprehensive, easy-to-manage, and cost-effective solution for endpoint protection and secure network access with customers only paying for the modules that they actually need.