thank you everybody for uh coming to our webinar today my name is Juan I'm going to be the host for the [Music] presentation uh some information before we actually start the all the technical aspects of the webinar in your in your chat window if you click on it there is a Q&A button please use it throughout the entire webinar do not hold on to your questions until the end if you have any just uh send it in the Q&A section we have a team of Specialists that are eager to receive your questions and if you use the Q&A section it's easier on our end to pick up a question and just submit an answer for you the chat option is also available but try to stick to the Q&A for the questions this is going to be the agenda for the presentation I'm going to do a quick introduction on secure access then uh we're going to look at the packages mainly the differences between those uh talk about where secure access fits in your network um a brief explanation of the difference between secure private access and secure internet access this webinar is focused on secure internet access so going forward we'll talk about that um uh feature only we'll talk about the secure internet access components how to create a rule all things you have to configure and then finally we'll have a demo at the end for you okay see Co um security service edge it's a key enabler of any organization's hybrid work strategy with the with the evolution especially post pandemic um everybody is working from home so it is crucial to have a security features you know in place to protect your traffic um whether the sessions involve applications in private data centers software as a service locations peer-to-peer connectivity internet as a service or internet sites security service edge acts as a security intermediary or a man in the middle we want to see your traffic whether it's public or private traffic we want to police it make sure it's safe and we're able to identify malicious activity that's how the solution basically Works uh when it comes to the packages the this this there is a web version for this um the the data sheet of the secure access will give you a complete uh chart with all the differences between the packages this uh picture that I have right here is just uh is outline the main differences between the packages the chart is actually bigger and uh we'll provide a link for you to visit the the data sheet and it has a complete list of all the features if you go for the secure access Advantage option you have a few Advanced features like layer 7 Cloud deliver firewall IPS protection DLP among other features so we'll make sure you get this link and we recommend you go visit and make sure you see the whole picture so where does this solution fit in your environment we are a security uh facilitator through the cloud this solution is cloud-based and we use a collection of Technologies um it aims to be seamless and transparent for the end user we want to run Security in the back end without um intervention for the end user uh the technologies that we use if you're familiar with umbrella uh we use S swg is very similar component we can use casby zero trust network access firewall Services also the ability to establish a Remote Access VPN session to the cloud and other Technologies the scope is to protect both your public traffic and your private traffic now I'll lay out the main differences between the secure private access and secure internet access the secure private access focuses on a zero trust principle we want to make sure that all the traffic that is uh attempting to go to your private resources is policed and is sanitized and is clear the secure internet access is similar to how umbrella works if you're familiar with umbrella is uh is very similar we place ourselves in the Middle with a crypt your traffic and we make sure when you send traffic to the internet that is safe and is sanitized and when the traffic comes back we also inspect it and make sure it is free of malware and other threats that's the main differences between the two flows or products this is a uh a diagram or a flow that will describe or that describes how the secure internet access works on the left hand side we have potential sources or where your traffic is basically coming from uh we can install the endpoint software on end devices the Roman security module again is the same as if you're familiar with umbrella is the same thing um with secure access we have the ability to establish a VPN session to the cloud using secure client any connect if you use a full tunnel mode we will see both your corporate and non corporate traffic and also if you if you wish not to install the client and you have a physical site and a an IQ it to capable device you can also configure an IP sectel to the cloud the big bubble in the middle this is where we sit after the traffic ingresses in our Cloud uh it under goes several security procedures like decryption the cloud firewall and then the set of policy rules DLP among others uh lastly when you go out to the internet we provide internet as a service or not as a service and then we let you go out to the internet makeing sure your traffic is sanitized and safe not all the traffic will have to go through hours solution and we have the ability to exclude traffic from the Roman security module or if you are using the a a layer 3 IP SEC device uh through pbrr or policy based routing that's also the method uh for doing exclusions when the Trophy goes to the cloud the next slide will have a layout of the secure private access flow although this webinar is focused in Secure internet access I'm going to give you snip of what the other part of the solution looks like uh soon we'll have webinars on these other part as well and we'll be a good to see you there if you're doing secure private access this is for corporate applications on the left hand side again we have the potential sources we have a new module for Cisco secure client that is called zitti or zero trust access it works similar to the umbrella module but it redirects production traffic private traffic uh we can also receive your traffic from remote access session from an end user Roman and U if you have an IPC device again uh you conf figure an IPC tunel connected to our cloud and all the devices or assets behind it will be routed through the tunnel and a new method also is to be able to expose corporate resources in a secure manner using a clientless access method this is called zero trust network access uh planless mode Insider Cloud the traffic under go several security procedures again we do decryption we have the firewall and the set of rules that will police your traffic Advanced features like posture and IPS and S reauthentication can also be enabled when you go out of the cloud we send your traffic to where your corporate resources are we have the option to send the traffic as it is on add it or also provide a source IP for specific scenarios such as the ZTA module client or client so this is the main differences between the flows the rest of the slides will be focused on secure internet access these are the components of a secure internet access rules these are basically the elements that will make a rule you have to have a rule name a rule priority which is similar to a sequence number on an access list um you have to choose where the traffic will come from or the sources and then your destinations where the traffic is going to you can figure on action you can either block or allow the traffic among a few other options and a new component that is uh the web profile this is where we configure uh specific security features such as decryption for example I'm going to guide you through uh we're going to break down a little bit more the rest of the components uh when we talk about sources again this is where the traffic could potentially come from this can be seen as where um yeah the traffic comes from you can use active directory groups and users or if you have configured an ipct tunnel you can call the ipct tunnel and the networks behind it as uh as the source of the traffic and also raming devices and or internal networks for destinations similar to Umbrella you can create a set of destination lists and not domains or IPS you can create a list of uh content categories and you can define a list of applications once you have these items or objects ready you can call them in your secure internet access rule as uh the destinations for the rule action the most common will be allow or block although the secure internet access rule works by default as a everything is allowed by default mode most of the rules that we recommend configuring will be uh blocked since everything again is allowed by default you also have the option to configure a warrant page this will still Grant access to the end user to a specific website you have the option to add a banner or something that have to acknowledge before getting to the Final Destination and the isolation is a way for us to render the web page in the cloud for you to make sure it's uh safe which're is going to give you a sanitized version of a website basically if you go with the isolation R and finally the web profile uh you can configure parameters such as assl decryption authentication the there is a collection of security settings that are enabled with the web profile uh like thread categories file inspection file block and save search the user notification is um what we call an umbrella the block page all those parameters can be configured in the web profile the secure internet access rules um the purpose is to police the traffic that is going to the internet the traffic to internet destinations is allowed Always by default uh so the best practice is to create rules focus on things that you want to restrict as another best practice you know plan your rules to get your expected results and once you start assembling your rules um you can recycle components you have already created the rules can be modified it can be rearranged um um you can just drag and drop the rules we we'll see that in the demo and this uh last few slides will give you your first um experience in what the dashboard looks like this is a new dashboard the left hand side is an interactive menu if you hover over you'll see a menu spanding items dynamically so to configure a secure access rule you hover over secure and then on policy click on secure on access policy and then uh you click on the add rule button here you can create a private access rule or an internet rule the rest of the slides will have pictures of what the internet access rule looks like during the creation of the rule we have a two steps um a two sections basically the top part is the summary of the rule this is always going to be present whether you're in the first part of the rule or in the second part of the rule in Step number one this is where you provide a rule name on the step number two this is a drop-down menu that will show you all your existing rules and it works for you to place this rule you're creating on a specific sequence number and list of rules on step number three this is the action of the rule the majority we recommend to create um selecting blockin because all this your internet access um Works under everything that's allowed by default uh optionally you can do war or isolate on step number four this is where you call your identities or your sources or where the traffic is going to come from Step number five you call all your destinations and when you're satisfied you click on next and we'll move to the second part of the creation of the rule the summary will always be visable at the top and the only settings you can configure on the second part of the rule is the the security settings okay here we are uh at the top we can still see the summary of the rule it gives us a summary of what the settings are uh in the rule that we're creating you can still modify the rule name and it sequence number in the list um at the bottom in this dropdown menu you can call your web profile you've created previously once you select it all this items at the bottom will it's it's going to give you a breakdown of everything that is configured inside your uh web profile the only option that is enabled here is decryption if you enable additional options in the web profile you'll see them here uh and these are all the items that you can configure thread categories file type blocking the end user notifications or the block page SLE settings among others once you're satisfied with the configuration of the rule you can click on Save and the screenshot at the bottom is what a rule is going to look like um we'll see in the demo what all your what the secure access policy looks like it's a collection of all your internet and your private rules um at the top of each rule there is a well a summary section and I talk about whether you're in the first part of the creation of the rule or the second one you always have the summary at the top and it gives you details of how the rule is uh is going with the current configuration if you edit the access rule after saving it you can change the action if you configure a rule to block the traffic um you can edit certain elements inside of it like select more uh destinations or sources but the action itself can not be changed you'll have to uh delete it and recuit a new rule and change the action the secure access policy displays various Columns of data um we'll say this in the demo the all the columns that you see here at the top like the rule name access section sources destinations this is all the details that you can see and the list of your rules and and um this is all for the presentation I think we're ready for the demo the Internet by using Cisco secure internet access it will be required to configure certain elements and components to create a secure internet access rule in your dashboard in this video I will cover the following topics will register an IP SE tunnel in your dashboard and then we will configure the I tunnel the device that I have ready is a virtual ASA after that we'll create an internal Network and we bind it to the IPC tunnel which is configure we will have to configure some policy components like content categories and destination lists we can configure security categories to block security threats the web profile is a very important piece of the configuration this is where we enable SSL decryption finally with all the components ready we will configure a secure internet access rule in the second part of the demo we're going to focus on protection for offprem devices or users I'll show you where to download Cisco secure client and also how to install it on your end devices we will enable the proxy or web security for Rin devices after that we will modify the rule that we created on the first part of the demo finally I'll show you how to review everything we've done in activity search by looking at the logs let's get started first thing you need to do is open your favorite browser and navigate to dashboard. s. cisco.com once you log in this is the landing page we need to create first a tunnel group this is where we tell the cloud where your IPC traffic is going to come from to do that we need to go over connect and then network connections here we need to go to the second tab Network tunnel groups at the bottom you're going to see your existing IPC tunnels if you have any on the right hand side click on the add blue button to add a new tunnel group you're going to be presented with a four steps Wizard and we need to start filling out the information that is necessary first let's just add a tunnel group name I want to go with this name under the region select the closest location to your IPC device want to go with Canada and under the third drop down menu these are the list of devices that are officially supported and devices we have documentation for if your device is not listed you can choose other and continue with the setup if you open the help page and on the left hand side navigate to supported IP SEC parameters you're going to see a chart of all the protocols that are supported by secure access all the settings that are in bold Font Are the recommended settings additionally on the left side if you expand the network tunnel configuration these are the devices that are listed in the dashboard you're going to have a step-by-step guide that is going to to help you configure in the tunnel in any of these devices let's go back to the dashboard for now I will use a virtual ASA so I'm going to choose the ASA clicking next to go to the next step here we configure the tunnel ID and the passphrase for the ik identity we support email address as well as the public IP address of your IP SE device I'm going to go with the email address the identity that I'm going to use for the email address is this and then copy my pre-share key and paste it in the middle and the bottom box the preure key should be between 16 and 64 characters long it must include an uppercase letter lowercase letter at least one number and it should not include any special characters once youly apply the required configuration clicking next routing in this box you need to add the IP addresses or networks that you want to route through the tunnel in my case my lab I just have the 182 1622 Network so that's what I'm going to add as you add more tunnels to your dashboard we are able to rout traffic between spokes the secure access cloud is going to act like a hub for all your sites we know how to route the traffic based on the networks you associate with every tal group or IPS device that's how we figure out the routing once you add the networks that are behind this particular tunnel click and save so we can go to the next step the last step is actually a a summary of all the configuration we've added we get the primary and secondary tunnel ID we get the primary and secondary IP addresses and then the pre-share key or the pass phase I'm going to save the configuration of the primary tunnel because that's the one I'm going to use you can also download this information in a CSV file so you can keep it handy somewhere if you are satisfied click on done to finish we go back to the list of tunnels and the newly created tunnel is at the bottom it's currently in disconnected State now now we're going to go ahead and configure the tunnel in my virtual ASA the topology that we are going to use for this demo is this one over here from top to bottom the cloud is uh connecting the entire topology to the internet the ISP router has the role of the ISP the ASA is my Edge device this is the device where the tunnel is going to be configured uh my corporate network is one to 168 22024 and this domain controller will be used to send web traffic so we can test the policy once everything is configured let's go ahead and add the tunnel or configure it in the ASA I already have a a script with all the commands that I'm going to need for the tunnel for Simplicity I'm just going to copy everything and paste it I'm going to begin with with the IP SEC configuration looks like the tunel group already existed that's fine next I'm going to add the vti or tunel interface okay this is all the IPA configuration that is necessary it is also required to send the traffic through the tunnel using a rout map or a policy based rout the 22 network is the only one that is going to Traverse the tunnel so I need to figure out a way to select that Network only and push it through the tunnel this is the access list has the source traffic my 22 Network and the destination is any because it's meant to grab all the traffic that is going to the internet the access list is named pbrr this line matches that access list it's called pbrr and the next hop IP is the adjacent IP address to my to interface I got the 99.1 local the adjacent is 99.2 the last step is place this route map inside my inside interface so I'm going to get there and then just call the route map and we are done with the tunnel config let's see if the tunnel is up okay the tunel is been it's up and active right now and it's been up for 59 seconds awesome we are done with the tunnel configuration I'm going to put this ASA aside and continue with the configuration on the dashboard the next step is to create configuration elements that are necessary to build a secure access rule I'm going to create an internal Network and bind it to the IP secton I just created in order to do that we go over resources and internal Network this is the list of your internal networks uh click on add on the right hand side in the popup just provide a name to your internal Network and in the ipv4 address box write down the IP address of your network drop down menu it's where you choose your subnet mask and click on the right side on the network tunnel group and this drop down menu is where you'll find the IP tunnel we just registered under tunnel Crypts now we can click on Save and this is an object that exists in the configuration now it can be used as an identity the next step is to configure destination elements for secure internet access rule to do that we go to resources and then under destination select internet and size resources here we can configure a destination lists application lists content category lists and tenant control options in order to add a destination list just click on add on the right side provide a name to your destination list and enter a few domains that you want to police with this secure internet access rule I'm going to add bit torrent and also the video game store steam this is enough for me I'm going to save the changes the next set of settings we're going to configure is the content categories here in this list you can see all the content categories you have configure if you have any in order to add one just click on add on the right hand side provide a name if you want to loone or create a new content based on existing content categories you can do that with this drop down menu otherwise this these are all the contents that we can add inside a Content category list I'm just going to add gambling give it simple and I'm going to save the changes next we're going to configure security settings now uh let's go to secure and the last column under settings select thread categories if you have any configure you'll see them on the list otherwise just click on add in the top right corner to configure a new one the first thing you need to do is add a name and this drop down menu allows you to create one based of an existing uh set of thread settings here I'm just going to select malware commanding control callbacks and fishing attacks and then save it the last element that we need is a web profile uh we go to secure in the middle column on the profiles select web profiles if you have any configure they'll show up here in the list you can add one by clicking add in the top right corner add a name to your new profile and save it oops okay now that it's saved I can start making changes the only setting we're going to configure is the decryption that is the first setting to right side click on edit you enable decryption at the Top If you want to exclude traffic from the decryption process you can exclude categories applications and all domains by creating a do not decrypt list I'm just going to enable decryption without any exceptions so I'm going to live it like that I'll show you where to create one of this list later save it the rest of the settings are outside of the scope of this demo here you can configure saml under security and acceptable use controls we can call the set of thread categories we've created here on the far right side on the first line click and edit we have a drop down menu at the top these are the settings I configured previously security settings I'm just calling malware commanding control callbacks fishing and crypt Mining and the last piece of the profile is the end user notification this is the block page this is what the end user is going to see when they hit a website you decide to block when you're done close in order to exempt traffic from the decryption process you need to configure a do not decrypt list you do that in security in the far right column there's an option that says do not decrypt list the process is similar to adding a destination list it's just that you have a few more elements like content categories applications and domains now we're done we have all the elements that we need to create a secure access policy let's go let's hover over secure and then go to access policy this is the list of all your policies if you have any configured some policies are for internet traffic some other are for private traffic spok to spoke Communication in this demo the private access rules are outside of the scope so we're going to focus on the creation of an internet access rule cing at Rule and then internet access rule this is a summary of how the rule is been configured so far we haven't added anything so it's all empty let's just first add a role name I'm going to call it J CEST secure internet access this drop down menu allows you to put the r in a specific sequence number in the list of rules I'm going to put it in the first sequence number under Act this is what the rule is going to do you can set it to allow traffic block traffic warrant or isolate I'm going to select block for now under the from box you select your sources you can click on this icon to get a Search Assistant you have a search bar at the top or you can browse through all the configuration elements at the bottom I'm going to use a keyword that is going to help me find the T I've created previously browse through the tunnels and I find the internal Network that I linked to the IP tunnel I'm going to use this as a source of the traffic the toolbx is for the destinations and it's the same principle you click on the box and you get this list of elements you can browse through to find your configuration components or you can click on the icon in the right side so you get the Search Assistant use any keyword to find your configuration elements I'm going to use that browse through destination list I should find my destination list here there it is and I'm going to go back and go to content categories now and find the set of content I created previously and click UND done in the summary you can see that it started to update information click on next the summary page tells me I'm in Step number two of two so I'm almost done with the config we have source and also the destinations all we're missing is security controls we scroll down we can rename the rule still if you want to on the right hand side expand the security settings this drop down menu can be used to call your web profile once you do that you can see all the elements inside the web profile the only setting we change was the decryption because this secure internet access rule is Block in the traffic some elements like thre categories file inspection and such do not apply for this type of rule you can enforce these only if you have an allow Rule and I'm done with the configuration click on save you go back to the list if you hover over these icons in the first rule you get information about the rule itself if you click on any of them you get this step on the right side that gives you a summary of everything you can also get it by clicking in the r name then you can open up the settings this is just to take a quick look look at what the configuration of the rule looks like there's an edit shortcut at the bottom in case you need to edit and also you can delete it from here Additionally the ellipses will give you a set of options that you can use okay we're ready to test traffic before we do that however it is crucial that all the devices that are going to be protected by secure access have the secure access root certificate installed you can get this certificate by going to secure go to the last column on the right side and then certificates just expand this bubble and here's the download link the certificate is used to perform decryption as well as deliver the block page to the users when necessary I'm going to bring the domain controller that is currently sitting behind the ASA so we can start testing traffic the first thing I'm going to do is make sure the root certificate is installed in this server and there it is perfect first I'm going to go to a website that can give me my public IP address if everything works I should get a secure access public IP address and that is indeed what's occuring that is a secure access public IP if I go to the pad log I can see the side it says verified by Cisco I'm going to click on more information and show you the certificate I Can See the s decryption kicked in because this is a Cisco secure access certificate excellent I'm going to test the websites that I decided to block I'm going to go to bit Toren first I should get the block page okay you can see this is the block page it says say secure access S is blocked next website is the steam store it is also blocked and I'm going to test a site that falls under the category of gambling tria.com okay here says that I'm been blocked due to content filtering excellent this is how you create a secure internet access rule with an IP SEC tunnel I hope you enjoyed this demo and we're going to transition to the second part which is the protection for offprem clients with the remote security module let's begin by opening your favorite browser and naviga into dashboard. ss. cisco.com after you log in this is the landing page we can get the client by going to connect and end user connectivity once we're here in the top right corner there is a button to download the client if you click there you're going to be presented with several options for different os's and there there's also the Json file at the bottom this Json file is also necessary to deploy the client you also need to download it I've already downloaded the client and transferred it to a testing computer I've extracted the zip file and I have all the content here first I need to make sure that the secure access root certificate is also installed in this testing computer here it is excellent and close this these are all the contents of the zip file that you can download from the dashboard you need to place the Jon file inside the profiles folder and then the umbrella folder if this file is here when you install the Roman security module the installation is going to pick up the Json file automatically going toall Cisco secure client any connect first whether you use any connect or another vendor for VPN this MSI has some dependencies that are necessary for the umbrella module to work let me make sure it is installed there it is and list of software and go back to my folder and now I'll install the Roman security module again this is going to pick up the Json file if you have this folder structure me refresh this page and I have both components let's go to the start menu and find the client there it is this is is the final result the green check mark indicates it's working properly we go to the gear and then the umbrella tab we can see in the first block of information the DNS protection is enabled also the Roman security module can see the computer name and your active directory account let's make sure the client name matches the computer name it does excellent the second block of information is the actual proxy for to secure a web Gateway right now it's disabled I have to go to the dashboard and configure it let's go ahead and do that the section of the dashboard where you can see your clients is under resources Roman devices this is the list of roaming computers and this G Freeman PC the computer I just installed if you click on the name you have some information about the client in this right side tab if you want to enable the web security protection you can do so by clicking on this ellipses and this option in the middle allows me to turn it on for this client optionally if you want to conduct a PC you can select multiple clients and in this web security button you can enable it for all the clients that are selected before I turn this on let me show you where the the global setting is you need to go to connect and user connectivity let's go to the internet and security tab scroll down and open up the innocent web security this togle enables a proxy and it only forwards or intercepts traffic and P top 80 and 443 all the traffic that is produced in this ports will be sent to the cloud for analysis the section right here internet and security bypass you can register domains here and any domain that you register here is not going to be policed by secure access I'm going to make sure this is bypass from the proxy and we'll test this later all the domains that are listed here under in Internet Security will be bypassed from secure access devices configure with pack files and also the any connect or Roman security module CLI there is a shortcut here to go back to the list of roaman computers I'm going to use it to continue with the demo I'm going to enable the proxy just for this one client using the elipses method it's already enabled what we need to do now is modify the rule that we've created previously and add this new identity as a source device let's go to secure and then access policy the rule with configure previously is number one so when I click on the ellipses and then edit scroll down to the sources just click ins size the box at the top you can also performance search uh using this bar at the top I'm going to try to find the computer here okay it finds two things with this name an active directory account this dashboard is AD integrated and also the Roman computer I just installed I don't need to modify the destinations so I'm going to click on next and then save my settings you can see that I have multiple sources I have Gordon Freeman account the network tied to the tunnel and also the roaming PC okay let's go back to the client and do some testing in the Roman security module we can to the proxy is is still disabled it will be enabled over time the next time the client syncs with the cloud in order to speed up the process I'm going to restart the service you shouldn't need to do this in production I'm going to do it just for the demo this is the process that we need to stop the first process any you connect VPN agent governs the other two process I'm going to quit the agent from the system tray let me maximize this okay right now processes are stopped if I start the first one the other two will also get started there you go s swg or the proxy is also enabled let me start a client again go back to the gear and then the umbrella tap under secure web Gateway we can see that the license is valid and now it says protected and under HTTP and https request you can see the counter going up it's actually tested I'm going to open Firefox let's go to the same website that tells me my public IP address and I should see a secure access IP address excellent verify the certificate if I show you the certificate is the same certificate we saw on the first part of the demo great let's try the website that should be bypassed from secure access rogers.com the way I know it's not going through the proxy is by looking at the certificate the digit certificate kicks in this is not been decrypted that's how you exclude traffic from secure access and let's check the websites that should be blocked okay bitor is blocked effectively let's see Steam this is also blocked great let's go back to the dashboard and see all the activity we done in the logs we go over Monitor and then activity search once it loads you can use this search bar at the top I'm going to call the Roman computer these are DNS records if you scroll to the right side you can see additional information you can filter out by traffic that is blocked only let's switch to web traffic because those were DNS queries nothing was found the computer got blocked at DNS so I didn't even get a chance to produce web traffic that's why we don't see anything under web if you click on the ellipses and any of these lines go to full details we see more granular information there are two potential identities to enforce a policy for this traffic we have the computer name and the active directory account the ad account is what was used to enforce the block we can also see the name of the rule that is police in this traffic and this is how you protect the traffic for devices that are offprint hope you like this demo found it entertaining thank you for coming in today see you next time okay thank you everybody that was the end of the demo it showcase how to configure a secure internet access rule to protect your traffic when going to the internet um resources for secure access we have our duck page dos. ss. cisco.com and the service status portal um this is where you can see if all our components are up and running or if we're experiencing you know any issues with any of our Solutions um the secure access data shet is the link in the middle and the release notes so your up to date with all the features that are released we can use this uh few minutes that we have left to continue to answer your questions so if you have any feel free to use the Q&A section thank you so much Juan for providing this great content for us we are so grateful for your time today with us and as mentioned this does conclude the webinar content itself however we do have a few minutes remaining together so please be sure to submit any final questions into the Q&A box and we will be happy to get those answered and if you don't have any questions please feel free to stay on and review any submitted questions as they could be of interest to yourself and as mentioned in the chat please be on the lookout for the webinar promotion for secure private access in the near future we hope to see you at that session as well and lastly as you exit today's session you will receive a survey we do request that you provide us your feedback it should take only a minute or so and we do welcome any and all feedback it helps us to continue to improve and receive the input from things that you would like to see in the future thank you again and as mentioned we will stay on for the next few moments together for review of any final questions that you may have thank you e e e e e e e e e e e thanks again for join joining us today we hope that you found this session informative and valuable again as mentioned please be sure to provide your feedback via survey upon exiting the session and if you do have a question that was unable to be addressed we will follow up with you directly via email to make sure that your question can be answered we hope to see you at a future session thank you for your time and have a fantastic rest of your Wednesday take care