2.9 SASE Integration Design
| Field |
Value |
| Document Title |
SASE Integration Design |
| Section Number |
2.9 |
| Version |
1.0 |
| Last Updated |
December 30, 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
2.9.1 SASE Architecture Overview
SASE Strategy
Secure Access Service Edge (SASE) converges network and security functions into a unified cloud-delivered service. Abhavtech.com's SASE strategy leverages Cisco's integrated approach combining SD-WAN with cloud-delivered security services.
SASE Component Stack
| Layer |
Component |
Provider |
Function |
| Identity |
Cisco Duo |
Cisco |
MFA, Zero Trust Access |
| Network |
SD-WAN |
Cisco |
Connectivity, Routing |
| Security |
Umbrella SIG |
Cisco |
Web Security, DNS Security |
| Access |
Cisco Secure Access |
Cisco |
ZTNA, VPN Replacement |
| Visibility |
ThousandEyes |
Cisco |
Digital Experience Monitoring |
SASE Architecture Diagram
SASE ARCHITECTURE - ABHAVTECH
+==============================================================================+
| |
| USERS SASE CLOUD |
| +--------+ +------------------+ |
| | Office |----------------------->| | |
| | Users | SD-WAN Tunnels | CISCO UMBRELLA | |
| +--------+ | Secure Internet | |
| | Gateway (SIG) | |
| +--------+ | | |
| | Remote |----------------------->| - DNS Security |----> INTERNET |
| | Users | ZTNA / SWG | - Web Security | |
| +--------+ | - CASB |----> SaaS APPS |
| | - DLP | |
| +--------+ | - Malware Prot. | |
| | Branch |----------------------->| |----> PRIVATE |
| | Sites | IPsec Tunnels +------------------+ APPS |
| +--------+ |
| |
| CONTROL PLANE |
| +------------------------------------------------------------------+ |
| | | |
| | +----------+ +----------+ +----------+ +----------+ | |
| | | SD-WAN | | Umbrella | | Duo | | Thousand | | |
| | | Manager | | Dashboard| | Admin | | Eyes | | |
| | +----------+ +----------+ +----------+ +----------+ | |
| | | |
| +------------------------------------------------------------------+ |
| |
+==============================================================================+
2.9.2 Cisco Umbrella SIG Integration
SIG Deployment Model
| Deployment Type |
Sites |
Use Case |
Tunnel Type |
| Full SIG |
Branches without UTD |
Complete web security |
IPsec |
| DNS Only |
All sites |
DNS-layer protection |
DNS redirect |
| Selective SIG |
High-risk users |
Additional inspection |
Per-user policy |
Umbrella Data Centers
| Region |
Data Center |
Sites Served |
Latency Target |
| India |
Mumbai |
Mumbai, Chennai, Bangalore, Delhi, Noida |
<20ms |
| EMEA |
London |
London |
<15ms |
| EMEA |
Frankfurt |
Frankfurt |
<15ms |
| Americas |
Ashburn |
New Jersey |
<15ms |
| Americas |
Dallas |
Dallas |
<20ms |
SIG Tunnel Configuration
!======================================================================
! UMBRELLA SIG TUNNEL CONFIGURATION - BRANCH SITES
!======================================================================
!
! IKEv2 Proposal
crypto ikev2 proposal UMBRELLA-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy UMBRELLA-POLICY
proposal UMBRELLA-PROPOSAL
!
! IKEv2 Profile
crypto ikev2 profile UMBRELLA-PROFILE
match identity remote fqdn domain umbrella.com
identity local fqdn bangalore.abhavtech.com
authentication remote pre-share key <umbrella-psk>
authentication local pre-share key <local-psk>
dpd 10 3 on-demand
!
! IPsec Transform Set
crypto ipsec transform-set UMBRELLA-TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
! IPsec Profile
crypto ipsec profile UMBRELLA-IPSEC
set transform-set UMBRELLA-TS
set ikev2-profile UMBRELLA-PROFILE
!
! SIG Tunnel Interface
interface Tunnel200
description UMBRELLA-SIG-PRIMARY
ip unnumbered Loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination sig.umbrella.com
tunnel protection ipsec profile UMBRELLA-IPSEC
!
! Policy-Based Routing for SIG
ip access-list extended SIG-TRAFFIC
10 permit tcp any any eq 80
20 permit tcp any any eq 443
30 permit tcp any any eq 8080
!
route-map SIG-REDIRECT permit 10
match ip address SIG-TRAFFIC
set interface Tunnel200
!
interface GigabitEthernet0/0/1
ip policy route-map SIG-REDIRECT
Umbrella Policy Configuration
| Policy |
Scope |
Action |
Destinations |
| Block Malware |
All users |
Block |
Known malware domains |
| Block Phishing |
All users |
Block |
Phishing sites |
| Block Adult Content |
Guest VPN |
Block |
Adult categories |
| Allow Business Apps |
Corporate VPN |
Allow |
Whitelisted SaaS |
| Inspect SSL |
High-risk |
Decrypt |
Non-sensitive traffic |
| Log All |
All users |
Log |
All traffic |
2.9.3 Zero Trust Network Access (ZTNA)
ZTNA Architecture
ZTNA ARCHITECTURE
+==============================================================================+
| |
| REMOTE USER PRIVATE APPLICATIONS |
| +--------+ +------------------+ |
| | | | DC Applications | |
| | Laptop | | - SAP | |
| | + Duo | | - Oracle EBS | |
| | + AnyC | | - Internal Web | |
| +---+----+ +--------+---------+ |
| | ^ |
| | | |
| v | |
| +---+----+ +----------+ +----------+----------+ |
| | Duo |---->| Identity |---->| ZTNA | |
| | MFA | | Verify | | Connector | |
| +--------+ +----------+ | (On-Premises) | |
| | +--------------------+ |
| | |
| v |
| +--------+ +----------+ |
| | Secure |---->| App | ZTNA PRINCIPLES: |
| | Access | | Broker | - Never trust, always verify |
| | Cloud | | (Cloud) | - Least privilege access |
| +--------+ +----------+ - Continuous validation |
| - Application-level access |
| - No network-level access |
| |
+==============================================================================+
ZTNA Policy Matrix
| User Group |
Application |
Device Posture |
MFA Required |
Access Level |
| Employees |
Internal Apps |
Managed + Compliant |
Yes |
Full |
| Employees |
SaaS Apps |
Any |
Yes |
Full |
| Contractors |
Project Apps |
Managed |
Yes |
Limited |
| Contractors |
SaaS Apps |
Any |
Yes |
Read-only |
| Guests |
Guest Portal |
Any |
No |
Internet only |
| IT Admins |
All |
Managed + Compliant |
Yes + Hardware |
Full |
Duo Integration Configuration
!======================================================================
! DUO INTEGRATION FOR ZTNA
!======================================================================
!
! Duo Authentication Proxy Configuration (on-premises)
! /etc/duoauthproxy/authproxy.cfg
!
[main]
debug=false
log_dir=/var/log/duo
[ad_client]
host=dc1.abhavtech.com
service_account_username=duo_svc
service_account_password=<encrypted>
search_dn=DC=abhavtech,DC=com
[radius_server_auto]
ikey=<integration_key>
skey=<secret_key>
api_host=api-xxxxx.duosecurity.com
radius_ip_1=10.254.1.20
radius_secret_1=<radius_secret>
client=ad_client
port=1812
failmode=safe
2.9.4 CASB Integration
Cloud Access Security Broker
| Function |
Implementation |
Coverage |
| Visibility |
API integration |
M365, Salesforce, Box |
| Compliance |
DLP policies |
PCI, GDPR, HIPAA |
| Threat Protection |
Malware scanning |
File uploads |
| Data Security |
Encryption enforcement |
Sensitive data |
CASB Policy Examples
+==============================================================================+
| CASB POLICY CONFIGURATION |
+==============================================================================+
| |
| POLICY: Block External Sharing |
| +------------------------------------------------------------------+ |
| | Application: Microsoft 365, Box, Google Drive | |
| | Action: Block sharing with external domains | |
| | Exceptions: Approved partner domains | |
| | Alert: Yes, to Security team | |
| +------------------------------------------------------------------+ |
| |
| POLICY: DLP - Credit Card Detection |
| +------------------------------------------------------------------+ |
| | Pattern: Credit card numbers (Visa, MC, Amex) | |
| | Action: Block upload, quarantine file | |
| | Applications: All sanctioned SaaS | |
| | Alert: Yes, to Compliance team | |
| +------------------------------------------------------------------+ |
| |
| POLICY: Malware Prevention |
| +------------------------------------------------------------------+ |
| | Trigger: File upload/download | |
| | Action: Scan with AMP, block if malicious | |
| | Applications: Box, OneDrive, Dropbox | |
| +------------------------------------------------------------------+ |
| |
+==============================================================================+
2.9.5 Remote Access VPN Migration
VPN to ZTNA Migration Path
| Phase |
Timeline |
Users |
Access Method |
| Current |
Now |
2,500 |
AnyConnect VPN |
| Phase 1 |
Month 1-3 |
IT Staff (100) |
ZTNA Pilot |
| Phase 2 |
Month 4-6 |
Remote Workers (500) |
ZTNA + VPN |
| Phase 3 |
Month 7-12 |
All Users (2,500) |
ZTNA Primary |
| Final |
Month 12+ |
All Users |
ZTNA Only |
Migration Criteria
| Criterion |
VPN |
ZTNA |
Decision |
| Application Compatibility |
All |
Web/API apps |
App assessment |
| Legacy Apps |
Supported |
Requires connector |
Plan connector |
| Performance |
Variable |
Optimized |
ZTNA preferred |
| Security |
Network access |
App-level |
ZTNA preferred |
| User Experience |
Client required |
Browser-based |
ZTNA preferred |
2.9.6 Digital Experience Monitoring
ThousandEyes Integration
THOUSANDEYES INTEGRATION
+==============================================================================+
| |
| MONITORING POINTS |
| +------------------------------------------------------------------+ |
| | | |
| | ENTERPRISE AGENTS CLOUD AGENTS ENDPOINT AGENTS | |
| | (WAN Edge integrated) (ThousandEyes (User devices) | |
| | cloud) | |
| | - Mumbai DC - Global PoPs - Laptops | |
| | - Chennai DR - SaaS monitoring - Mobile | |
| | - London | |
| | - Frankfurt | |
| | - New Jersey | |
| | - Dallas | |
| | | |
| +------------------------------------------------------------------+ |
| |
| MONITORING TARGETS: |
| - SaaS Applications (M365, Salesforce, Zoom) |
| - Internal Applications (SAP, Oracle) |
| - Internet paths (hop-by-hop visibility) |
| - DNS resolution |
| - BGP routing |
| |
+==============================================================================+
ThousandEyes Test Configuration
| Test Type |
Target |
Frequency |
Alert Threshold |
| HTTP Server |
M365 |
2 min |
Latency >500ms |
| Network |
Salesforce |
2 min |
Loss >2% |
| DNS Server |
Internal DNS |
1 min |
Resolution >100ms |
| Voice |
Zoom |
1 min |
MOS <3.5 |
| Page Load |
SAP Fiori |
5 min |
Load >5s |
2.9.7 SASE Monitoring and Operations
Unified Dashboard
| Metric |
Source |
Threshold |
Action |
| SIG Tunnel Status |
Umbrella |
Down |
Auto-failover |
| DNS Block Rate |
Umbrella |
>10% |
Investigate |
| ZTNA Auth Failures |
Duo |
>5/min |
Alert Security |
| DEM Score |
ThousandEyes |
<7 |
Investigate path |
| Policy Violations |
CASB |
Any |
Alert + Log |
Operational Runbook
| Event |
Detection |
Response |
Escalation |
| SIG tunnel down |
vManage alert |
Failover to backup |
L2 if >15 min |
| High block rate |
Umbrella dashboard |
Review blocks |
Security team |
| ZTNA service degraded |
ThousandEyes |
Check connector |
L2 support |
| DLP violation |
CASB alert |
Quarantine + investigate |
Compliance |
Document Control
| Version |
Date |
Author |
Changes |
| 1.0 |
December 30, 2025 |
Network Architecture Team |
Initial release |
This document is part of the Abhavtech.com SD-WAN Documentation Suite
Confidential - Internal Use Only