{"pageModel":{"attributes":{"id":"","name":"119976.dita","viewName":"DitaDetail"},"elements":{"ditaContent":{"name":"DITAContent","value":"<article id=\"comparison-of-client-based-and-browser-based-zero-trust-access-connections\" class=\"topic concept\">\r\n<h1 class=\"title topictitle1\">Comparison of Client-Based and Browser-Based Zero Trust Access Connections</h1>\r\n<div class=\"body conbody\">\r\n<p class=\"p\">You can configure users to connect to private resources using Zero Trust Access.</p>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">About Client-Based Connections</h2>\r\n<ul class=\"ul\">\r\n<li class=\"li\">The Cisco Secure Client is installed on the end-user device.</li>\r\n<li class=\"li\">Users can access resources using any protocol.</li>\r\n<li class=\"li\">Users access using the internal resource address you specify in the Private Resource.</li>\r\n<li class=\"li\">The client-based posture profile offers more options for controlling endpoint (device) requirements than the browser-based posture profile offers.</li>\r\n<li class=\"li\">You can block access to specified subdomains when the resource address for client-based connections is configured as a wildcard FQDN. For more information, see  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/120834.dita\" title=\"\">Using Wildcards to Configure Traffic Steering for Private Destinations</a>.</li>\r\n<li class=\"li\">If traffic is blocked, the user sees a Block page if all requirements are met. For more information, see  <a data-scope=\"local\" target=\"\" href=\"docs/csa/olh/118806\" title=\"\">Block pages for Private Resources</a>.</li>\r\n</ul>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">About Browser-Based Connections</h2>\r\n<ul class=\"ul\">\r\n<li class=\"li\">Access does not require a client installed on the user endpoint device.</li>\r\n<li class=\"li\">Use this option to allow access from devices with an operating system that the client does not support.</li>\r\n<li class=\"li\">You can enable this option for private resources to allow connections from users who do not have managed devices, such as contractors, vendors, and others with bring-your-own (BYOD) devices, and from devices that do not have a client. You do not need to install anything on such devices.</li>\r\n<li class=\"li\">Access is solely from the browser.</li>\r\n<li class=\"li\">Users access private resources using a dummy URL that does not expose your actual resource address. Secure Access redirects browser-based traffic to the actual resource if access rules allow the traffic.</li>\r\n<li class=\"li\">You can specify endpoint (device) requirements for these connections, but fewer than in the client-based posture profile.</li>\r\n<li class=\"li\">If traffic is blocked, the user sees only a standard browser error. This prevents bad actors from obtaining information about your resources.</li>\r\n<li class=\"li\">Users who have the client installed can always access a resource using the clientless browser-based URL if your access rules allow them access.</li>\r\n<li class=\"li\">The Browser-Based Connection (BAP) session timer limits any BAP session to a maximum of thirty minutes.</li>\r\n</ul>\r\n</section>\r\n</div>\r\n</article>\r\n","ditaVal":"","format":"html"},"bookTitle":{"value":""},"shortDescription":{"value":""}}},"parameters":{"appId":"SecureAccess","topicAlias":"comparison-of-client-based-and-browser-based-zero-trust-connections"}}