# Getting Started with ThousandEyes and Cisco Secure Access

This guide explains how to integrate ThousandEyes with Cisco Secure Access so you can monitor endpoint, application, and network performance in one workflow.

## Understanding the Integration

Hybrid work requires a modern security model, and Security Service Edge (SSE) is a key part of that model. SSE brings together cloud-delivered security functions to protect critical resources and support employees, contractors, and partners working from any location. Cisco Secure Access is a cloud-delivered, zero-trust SSE solution that helps secure access to SaaS applications, private applications, and the internet across private data centers and cloud environments. This approach helps you simplify the user experience and improve IT efficiency while protecting users, devices, and data against sophisticated and evolving threats, including AI-driven attacks and identity-based attacks.

Experience Insights in Cisco Secure Access uses ThousandEyes data to help your IT and security teams troubleshoot user experience issues faster. After onboarding is complete, your team gains endpoint visibility in Cisco Secure Access while continuing to use ThousandEyes for detailed test and agent workflows.

## Prerequisites

Before you start:

* Make sure you have an active ThousandEyes user with the **Organization Admin** role. For role details, see [Built-in Roles and Permissions](https://docs.thousandeyes.com/product-documentation/user-management/authorization/rb-access-control/built-in-roles-and-permissions).
  * ThousandEyes provides secure OAuth 2.0 integrations with Cisco Secure Access. For background information, see [OAuth Overview](https://docs.thousandeyes.com/product-documentation/user-management/authorization/oauth-overview).
* Use a dedicated service account for this integration so onboarding is not tied to one person.
* Verify the integration user belongs to the account group you plan to use. For account group details, see [What Is an Account Group?](https://docs.thousandeyes.com/product-documentation/user-management/authorization/account-groups/what-is-an-account-group).
* Make sure you have an active Cisco Secure Access account with administrator permissions.

## Licensing and Onboarding Flows

Cisco Secure Access includes an Embedded ThousandEyes Endpoint Agent license entitlement with:

* One dynamic test per Endpoint Agent.
* One scheduled test to monitor the connection path between the endpoint and Cisco Secure Access.
* Four-day retention for telemetry collected by these tests.

For complete license behavior and upgrade paths, see [Endpoint Agent Licensing](https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/endpoint-agent-licensing).

### Onboarding Flow

After you purchase Cisco Secure Access, provisioning for ThousandEyes starts automatically:

* **New ThousandEyes organizations:** A new ThousandEyes organization is created and embedded licenses are provisioned. After the ThousandEyes organization has been provisioned, an email notification containing login instructions is sent to the designated organization administrator. By default, the ThousandEyes organization administrator is the same contact as the Cisco Secure Access administrator.
* **Existing ThousandEyes organizations:** Embedded licenses are provisioned into your existing organization.

By default, ThousandEyes organizations are provisioned in US regions. If your organization requires EU data residency, contact <support@thousandeyes.com> to request migration.

### Troubleshooting Provisioning

After ThousandEyes provisions your organization, ThousandEyes sends an email with login instructions to your designated organization administrator. By default, the ThousandEyes organization administrator is the same contact as your Cisco Secure Access administrator.

If that email does not arrive within 72 hours of Cisco Secure Access activation, or if embedded licenses do not appear in your ThousandEyes organization, open a case with Cisco TAC so the team can investigate and resolve the provisioning issue.

## Configuring the ThousandEyes Integration in Cisco Secure Access

1. In Cisco Secure Access, go to **Experience Insights** and select **Begin onboarding**.

![](/files/ZN9cPiDlny3zBtV3gQOo)

2. Select **Integrate** to launch the ThousandEyes authorization flow.
3. Sign in to the ThousandEyes platform with an **Organization Admin** account.
4. Approve the requested permissions for the integration.
5. Wait for the onboarding wizard to show a successful integration state, then select **Next**.
6. Choose your integration method:
   * **Default account group integration** creates two default tests within the default account group. Only Endpoint Agent data associated with this specific account group is imported and integrated with Cisco Secure Access.
   * **Multiple account groups integration** creates two default tests across all account groups. Endpoint Agent data from all account groups is imported and integrated with Cisco Secure Access.
7. Select the default test target that best matches your endpoint traffic model (for example, Zero Trust Access, RAVPN, or SWG Roaming Module).

![](/files/zrlCcFVfVh8uWEylrGSw)

8. Select your primary collaboration application (**Webex**, **Zoom**, **Microsoft Teams**, or **None**).

![](/files/OEPjpQzWWjJDpXDZAQCv)

9. Deploy Endpoint Agents in the selected account group so Experience Insights can ingest endpoint data.

## Installing and Registering the Endpoint Agent

The ThousandEyes Endpoint Agent is delivered as a Cisco Secure Client module and is not installed by default.

### Installation

For production rollouts, deploy the module through your endpoint management workflow (for example, Microsoft Intune) to keep configuration consistent across devices.

If you use Cisco Secure Client Cloud Management, you can deploy the ThousandEyes module to registered endpoints by applying policy from Cloud Management.

### Activation

When Cisco Secure Client starts an active ZTA, Roaming Module, or VPN session, the Endpoint Agent attempts to register automatically.

If the first registration attempt fails, the agent retries every 10 minutes in this order:

1. ZTA
2. Roaming Module
3. VPN

License consumption priority at initial registration is:

1. Advantage
2. Essentials
3. Embedded (included with Cisco Secure Access)

You can manually reassign licenses after installation. For details, see [Managing Endpoint Agent Licenses](https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/endpoint-agent-licensing#managing-endpoint-agent-licenses).

![](/files/ZI1bXwSzqK29VWpLM3d0)

## Managing Endpoint Agents

After agents are deployed and registered, use status automation and tags to keep operations scalable.

### Status Management

Use automatic status management settings in **Endpoint Experience > Agent Settings** to manage inactive endpoints and recover licenses. For details, see [Manage Endpoint Agent Settings](https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/managing/manage-endpoint-agent-settings#auto-manage-the-status-for-endpoint-agents).

### Creating Tags

You can organize agents using tags based on attributes such as location, department, or operating system. Tags also streamline agent selection for test assignments, simplifying filtering and reporting for large-scale deployments. For more information, see [Tags overview](https://docs.thousandeyes.com/product-documentation/tags/tags-overview).

## Viewing Test Data

After integration and registration, Cisco Secure Access and ThousandEyes both provide views into endpoint performance.

The two default tests are created automatically in ThousandEyes based on the selections made in steps 7 and 8 of the onboarding process.

In ThousandEyes, verify tests under **Endpoint Experience > Test Settings** and review results in:

![](/files/yOPSuRkXqhgHGLCC0e6u)

* **Endpoint Experience > Agent Views** for endpoint-specific telemetry.

![](/files/pZwQXqwZmMh7wDnglsVO)

* **Endpoint Experience > Views** for test-centric and path-centric analysis.

![](/files/SOLQYJGS6g5GQbbAdhiI)

In addition to scheduled and dynamic tests, Endpoint Agents continuously collect local telemetry such as DNS latency, packet loss, gateway metrics, and wireless signal quality.

For details, see:

* [Endpoint Agent Views](https://docs.thousandeyes.com/product-documentation/end-user-monitoring/viewing-data/agent-views)
* [Endpoint Agent Scheduled Tests View](https://docs.thousandeyes.com/product-documentation/end-user-monitoring/viewing-data/endpoint-agent-scheduled-tests-view)
* [Data Collected by Endpoint Agent](https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/data-collected-by-endpoint-agent)

## Building Dashboards

Use dashboards to visualize health trends, isolate issues faster, and share operational visibility with other teams.

![](/files/qFtEl24dC3O4wgO6htkG)

You can build dashboards manually or start from a template. For dashboard setup guidance, see [Getting Started with Dashboards](https://docs.thousandeyes.com/product-documentation/getting-started/getting-started-with-dashboards).


