Guides
Secure Access Help Center

Virtual Appliance Introduction

Secure Access Virtual Appliances (VAs) are lightweight virtual machines that are compatible with VMWare ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and Amazon Web Services cloud platforms. When utilized as conditional DNS forwarders on your network, Secure Access VAs record the internal IP address information of DNS requests for usage in reports, security enforcement, and category filtering policies. Additionally, VAs encrypt and authenticate DNS data for enhanced security.

VAs also enable Active Directory (AD) integration, which expands on the VAs’ functionality to include AD identity information in addition to internal IP address visibility and DNS encryption.

How Secure Access Virtual Appliances Work

VAs act as conditional DNS forwarders in your network, intelligently forwarding public DNS queries to Cisco Secure Access global network, and local DNS queries to your existing local DNS servers and forwarders. Every public DNS query sent to Secure Access is encrypted, authenticated, and includes the client's internal IP address.

VAs do not cache DNS records. Caching occurs on the Secure Access resolvers. When an Secure Access VA responds with records to an endpoint's DNS query, any Time-to-Live (TTL) values in the response are equal to the TTLs as set by the authoritative DNS nameserver minus any time a record set has been in the Secure Access resolver cache.

Benefits of Virtual Appliances

Granular Identity Information
If you’re already pointing DNS to Secure Access, or plan to, all the DNS traffic visible in your Secure Access reports come from a single Network identity. The VAs provide internal IP visibility, allowing you to track down malicious or inappropriate traffic within your network to a specific IP address.

Without Virtual Appliances
Security and DNS traffic-related investigations cannot be traced back to an individual computer or IP address.

890

With Virtual Appliances
VAs record the internal IP address of every DNS request. Security and DNS traffic-related investigations allow you to associate traffic to an individual, internal IP address.

890

With AD integration (added as a supplementary feature)
The VAs also record the AD user, group, or computer, depending on Secure Access's policies.

185

Granular Policy Management
Set different policies for "bring your own device" (BYOD) corporate networks, guest Wi-Fi, server-only networks, and more, by specifying the internal IP or IP range. Granular policy control makes it easy to filter unwanted content and malicious traffic on a per-network basis.

1090

No Endpoint Software
No client-side software required. No OS image to reconfigure.

Lightweight Footprint
A VA only requires a minimum of one virtual CPU core and 512MB to process millions of DNS queries per day.

Active Directory Integration
VAs enable AD integration, which provides user, group, or computer name granularity in both reports and policies. For more information, see Active Directory Integration with the Virtual Appliances.

Introduction > Prerequisites

Updated 7 months ago