Cisco Security

Login

Cisco Secure Access for Government Help

Cisco Secure Access for Government Help
- Welcome to Cisco Secure Access for Government
  - Sign into Secure Access with Security Cloud Sign On
  - Find Your Organization ID
  - Determine Your Current Package
  - Contact Cisco Secure Access Support
- Secure Access Single Sign-On Authentication
  - Configure Single Sign-On Authentication
  - Troubleshoot Single Sign On Authentication
- Get Started
  - Begin Secure Access Onboarding Workflow
  - Step 1 – Configure Network Connections
  - Step 2 – Configure Access to Resources
  - Step 3 - Configure End User Connectivity
  - Step 4 – Configure Endpoints and Network Sources
  - Secure Access Overview Dashboard
    - Get Started Workflow
    - Connectivity
    - Data Transfer
    - Security
    - Users and Groups
    - Private Resources
- Quickstarts
  - Quickstart – Cisco Secure Client with Zero Trust Access
  - Quickstart – Cisco Secure Client with Virtual Private Network
  - Quickstart – Cisco Secure Client with Internet Security
  - Quickstart – Browser with SAML Authentication
  - Quickstart – Bring Your Own Device with Zero Trust
- Secure Access Integration with Protective DNS
  - Procedure for Integrating Secure Access with Protective DNS
- Limitations and Range Limits
- Network Requirements for Secure Access
  - Secure Access DNS Resolvers
    - Best Practices
    - Cisco Secure Client
    - Cisco Secure Client and External DNS Resolution
  - Secure Access Encrypted DNS Queries
  - Secure Access DNS, Web, and Block Pages
  - Secure Access DNS and Web – Client Configuration Services
    - Windows Only
  - Secure Access DNS and Web – Client Sync Services
  - Secure Access DNS and Web – Client Certificate Revocation Services
  - Cisco Secure Client and Captive Portal Detection
  - Cisco Secure Client and Device Hostnames
  - Transport Layer Security Protocol Requirements
  - Secure Access Secure Web Gateway Services
    - Ingress IP Addresses for the Secure Web Gateway
  - Secure Access SaaS Tenants
  - Secure Access SAML Gateway Services
  - Secure Access SAML Identity Provider Domains
  - Secure Access SAML Gateway Client Certificate Revocation Services
  - Secure Access VPN Services
  - Secure Access VPN Client Certificate Revocation Services
  - Secure Access Zero Trust Client-Based Enrollment Services
  - Secure Access Zero Trust Client-Based Proxy Services
  - Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
  - Secure Access Zero Trust Proxy Services – Unmanaged Devices
- Manage Network Connections
  - IPsec Network Tunnels
  - Network Connection Method
    - Network Tunnels (Deployed in Network Tunnel Groups)
- Manage Network Tunnel Groups
  - Device Compatibility and Network Tunnels
    - IPsec Tunnel Requirements
    - Supported Devices for Setting Up IPsec Tunnels
  - Add a Network Tunnel Group
    - Guidelines for Network Tunnel Groups
    - Procedure
      - Configure Tunnel on Network Device
      - Verify Tunnel Traffic in Secure Access
  - Delete a Network Tunnel Group
    - Procedure
  - Edit a Network Tunnel Group
    - Procedure
  - View Network Tunnel Group Details
    - Prerequisites
    - Procedure
  - Supported IPsec Parameters
- Network Tunnel Configuration
  - Establish a Tunnel
    - Maximum Transmission Unit (MTU) Size
    - Tunnel Size
    - Client Reachable Prefixes
    - Throughput and Multiple Tunnels
  - Configure Tunnels with Cisco ISR
    - Licensing and Hardware
    - Network Access
    - Configure Tunnels in Secure Access
    - Configure ISR (G2, 4K) or CSR
  - Test Your Configuration
  - Manually Trigger the Tunnel
  - Verify Tunnel Status
  - Configure Tunnels with Cisco Secure Firewall
    - Configure Firepower Policy-based VPN
      - Configure Tunnels in Secure Access
      - Add Network Object
      - Add Traffic Selector ACL
      - Configure Site-to-Site VPN
      - Configure NAT Policy
      - Configure Access Policy
    - Configure Firepower VTI, PBR, and Per Tunnel Identity
      - Configure Tunnels in Secure Access
      - Configure Site-to-Site VPN
      - Configure Policy-based Routing
      - Configure Access Policy
    - Troubleshooting
      - Enable Logging for Debugging
  - Configure Tunnels with Meraki MX
    - Caveats and Considerations
    - Supported Use Cases and Requirements
      - Remote Access VPN and ZTA
      - Branch-to-Branch through Secure Access
      - Secure Internet Access with Non-Meraki VPN
    - Step 1: Add a Network Tunnel Group in Secure Access
    - Step 2: Configure a Tunnel in Meraki MX
    - Verification and Troubleshooting
    - Optional Configurations
  - Configure Tunnels with Cisco Adaptive Security Appliance
    - Licensing and Hardware
    - Network Access
    - Configure Tunnels in Secure Access
    - Configure ASA
    - Test and Verify
  - Configure Tunnels with Catalyst SD-WAN cEdge and vEdge
    - Configure Tunnel in Secure Access
    - Configure Cisco Catalyst SD-WAN Templates
      - Define the Feature Template
      - Add the IPsec Interface Template
    - Configure Static Routes
    - Verify Tunnel Status
- Secure Access Regions
- Provision Users and Groups from Active Directory
  - Prerequisites for AD Connectors
  - Connect Multiple Active Directory Domains
  - Change the Connector Account Password
  - Manage AD Components
    - Add AD Components in Secure Access
      - Verify Auditing of Logon Events on Domain Controllers
      - Download the Windows Configuration Script for Domain Controllers
      - Run the Windows Configuration Script for the Domain Controllers
      - Add a Domain Controller in Secure Access
      - Add a Domain in Secure Access
    - Manage Sites for AD Components
    - View AD Components in Secure Access
    - Delete AD Components
      - Delete an AD Component
      - Remove All AD Components
  - Manage AD Connectors
    - Configure Authentication for AD Connectors and VAs
      - How to Set Up Your API Credentials
        
        Step 1 – Create the Key Admin API Key Credentials
        
        Step 2 – Add the Key Admin API Key Credentials
      - Refresh Client API Key and Secret
      - Reset Client API Key
    - Configure Updates on AD Connectors
    - Connect Active Directory to Secure Access
      - Step 1 – Download the Active Directory Connector
      - Step 2 - Install the Active Directory Connector
    - (Optional) Specify AD Groups in Selective Sync File
      - Rename Selective Sync File After Upgrading to AD Connector v1.14.4
      - Create AD Groups in a Selective Sync File
    - Deploy LDIF Files for AD Connector
      - Step 1 – Download the Active Directory Connector
      - Step 2 – Install the Cisco AD Connector
      - Step 3 – Deploy the LDIF Source Files
      - Troubleshooting
    - Change the Connector Account Password
  - AD Connector Communication Flow and Troubleshooting
    - Communication Flow
    - Troubleshooting
  - Connect Active Directory to Secure Access
    - Step 1 – Choose a Provisioning Method
    - Step 2 – Register a Domain Controller or Domain in Secure Access
      - Register a Domain Controller
      - Register a Domain
    - Step 3 – Download the Cisco AD Connector from Secure Access
    - Step 4 - Install the Cisco AD Connector
    - Best Practices for Synchronizing Active Directory Groups and Organizational Units
  - AD Integration with Virtual Appliances
    - Prerequisites for AD Connectors and VAs
    - Prepare Your AD Environment
      - About the AD Connector and Logon Events
      - Prerequisites
      - Integrate AD with Domain Controllers
        
        Support for Multiple AD Domains and AD Forests
        
        Verify Auditing of Logon Events on Domain Controllers
        
        Download the Windows Configuration Script for Domain Controllers
        
        Run the Windows Configuration Script for the Domain Controllers
        
        Add a Domain Controller in Secure Access
        
        View the Registered AD Components in Secure Access
    - Connect Active Directory to VAs
      - How to Configure the Setup of the AD Connector
      - (Optional) Specify AD Groups in Selective Sync File
      - Procedure
      - Step 2 – Download the Active Directory Connector
      - Step 3 - Install the Active Directory Connector
      - Change Connector Account Password
      - Configure Updates to AD Connectors
    - Multiple AD Domains with Secure Access Sites
      - Active Directory Sites and Secure Access Sites
      - Use Secure Access Sites
- Manage End-User Connectivity
  - DNS Servers
  - Traffic Steering for Cisco Secure Client Connections
  - Virtual Private Networks Settings and Profiles
  - Internet Security
- Manage Users, Groups, and Endpoint Devices
  - View User Details
    - User Details
  - View Group Details
    - Group Details
  - View Organizational Units
  - Provision Token for Identity Provider
    - Procedure
    - Configure Identity Providers
  - Unenroll Devices for Client-Based Zero Trust Access
    - Reenroll the User Device on the Secure Client
    - Procedure
  - Disconnect Remote Access VPN Sessions
  - Import Users and Groups from CSV File
    - Prerequisites
    - Procedure
    - View Provisioned Users and Groups in Secure Access
  - Provision Users and Groups from Okta
    - Prerequisites
    - Limitations
    - Supported Features
    - Import the ObjectGUID Attribute from Okta to Secure Access
    - Configure the Cisco Secure Access App
      - Step 1 – Add the App to Okta
      - Step 2 – Add the Secure Access SCIM Token to the App
      - Step 3 – Configure the Required User Options
      - Step 4 – (Optional) Add a New Attribute and Create the User Profile Mapping
      - Step 5 – Assign Users and Groups in the App
      - Step 6 – View Logs in the App
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
  - Provision Users and Groups from Azure
    - Prerequisites
    - Limitations
    - Configure the Cisco User Management for Secure Access App
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
- Configure Integrations with SAML Identity Providers
  - Use Cases
    - Secure Internet Access—Networks and Network Tunnels
    - Zero Trust Access with the Cisco Secure Client
    - Zero Trust Access with an Unmanaged Device
  - Configure Identity Providers for SAML Authentication
  - Prerequisites for SAML Authentication
    - Secure Access Service Provider Metadata
    - Requirements
      - Enable SAML and HTTPS Inspection in the Security Profile
  - Configure Okta for SAML
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Configure the Identity Provider's SAML Metadata
      - Step 3a – Download the Secure Access Service Provider XML File
      - Step 3b – Add Secure Access Service Provider Metadata to Okta
      - Step 3c – Add the Okta SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure AD FS for SAML
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Upload the Identity Provider's SAML Metadata XML File
      - Step 3b – Add the Identity Provider's SAML Metadata
      - Configure Active Directory Federation Services
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Duo Security for SAML
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Upload the Identity Provider's SAML Metadata XML File
      - Step 3b – Add the Identity Provider's SAML Metadata
      - Configure the Duo Security Single Sign-On Application
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Ping Identity for SAML
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Upload the Identity Provider's SAML Metadata XML File
      - Step 3b – Add the Identity Provider's SAML Metadata
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure OpenAM for SAML
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Upload the Identity Provider's SAML Metadata XML File
      - Step 3b – Add the Identity Provider's SAML Metadata
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Microsoft Entra ID for SAML
    - Bypass Domains from SSL Decryption
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider XML File
      - Step 3b – Add Secure Access Service Provider Metadata to Microsoft Entra ID
      - Step 3c – Add the Azure SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - SAML Certificate Renewal Options
    - Known Limitations
    - Automatic Configuration Through the Fixed Metadata URL
    - Manual Import of the Secure Access Signing Certificate
  - Test SAML Identity Provider Integration
    - Procedure
  - Delete SAML Identity Provider Integration
    - Procedure
- Manage Virtual Private Networks
  - Add an IP Pool
    - Add an IP Pool
    - Add a RADIUS Group (optional)
  - Manage VPN Profiles
  - Add VPN Profiles
    - Step 1 – General Settings
    - Step 2 – Authentication, Authorization, and Accounting
      - SAML
        
        SAML Metadata XML Configuration
        
        Manual Configuration
      - RADIUS
      - Certificate
    - Step 3 – Traffic Steering (Split Tunnel)
    - Step 4 – Cisco Secure Client Configuration
  - Add a RADIUS Group
  - Manage IP Pools
- Traffic Steering for Zero Trust Access Client-Based Connections
  - Best Practices
  - Using Wildcards to Configure Traffic Steering for Private Destinations
- Manage Internet Security
  - Manage Internet Security Bypass
    - Steer Traffic to Secure Access or Bypass Domains
  - Manage Cisco Secure Client Settings
    - Configure DNS and Web Security
    - Configure Advanced Cisco Secure Client Settings
      - User Identities
      - Do Not Forward DNS Traffic to Secure Access
      - Do Not Forward Web Traffic to Secure Access
      - Third Party VPN Compatibility
- Manage PAC Files
  - What is a PAC file?
  - Deploy the Secure Access PAC File for Windows
    - Procedure
      - Copy the Secure Access PAC File URL
      - Deploy the Secure Access PAC File URL for Chrome and Edge Browsers
      - Deploy the Secure Access PAC File URL for Firefox
  - Deploy the Secure Access PAC File for macOS
    - Procedure
      - Copy the Secure Access PAC File URL
      - Deploy the Secure Access PAC File URL to Chrome
      - Deploy the Secure Access PAC File URL to Firefox
      - Deploy the Secure Access PAC File URL to Safari
  - Customize the Secure Access PAC File
    - Procedure
      - Copy the Secure Access PAC File
      - Download the Secure Access PAC File
      - Edit the PAC File
- Manage Registered Networks
  - Add Network Resources
    - Prerequisites
    - Procedure
      - Step 1 – Select the Network
      - Step 2 – Configure the Network Resource
      - Step 3 – Change the DNS Settings on Your Relevant Network Device
      - Step 4 – Apply a Policy Rule to the Network Resource
      - Step 5 – Test Your Network
  - Point Your DNS to Cisco Secure Access
    - Cisco Secure Access DNS Resolvers – IP addresses
    - Procedure
      - Step 1 – Identify Where Your Public DNS Server Addresses are Configured
      - Step 2 – Log Into the Server or Router Where DNS is Configured
      - Step 3 – Change Your DNS Server Addresses
      - Step 4 – Test Your New DNS Settings
  - Clear Your DNS Cache
    - Clear Your DNS Cache on Computers and Servers
      - Windows 7 and Earlier
      - Windows 8 and Newer
      - OS X 10.4 TIGER
      - OS X 10.5 and 10.6 LEOPARD
      - OS X 10.7 and 10.8 Lion
      - OS X 10.9 and 10.10
      - Linux
      - Ubuntu Linux
    - Clear Your DNS Cache on Browsers
      - Internet Explorer 8 and Newer – Windows
      - Mozilla Firefox – Windows
      - Apple Safari – macOS
      - Apple Safari – macOS
      - Google Chrome – Windows
      - Google Chrome – macOS
  - Update a Network Resource
  - Delete a Network Resource
- Manage Internal Networks
  - Add Internal Network Resources
  - Update an Internal Network Resource
  - Delete an Internal Network Resource
- Manage Destination Lists
  - Add a Destination List
  - Upload Destinations From a File
  - Edit a Destination List
  - Download Destinations to a CSV File
  - Control Access to Custom URLs
    - Block a URL
      - URL Normalization
      - URL Normalization for Destination Lists
      - Troubleshooting Unblocked URLs
      - Reporting for Blocked URLs
    - Examples
    - Troubleshooting
  - Wildcards in Destination Lists
  - Add Punycode Domain Name to Destination List
- Manage AAA Servers
- Manage Application Lists
  - Add an Application List
  - Application Categories
  - Delete an Application List
    - Procedure
- Manage Content Category Lists
  - Available Content Categories
  - Add a Content Category List
  - Request a Category for an Uncategorized Destination
  - Dispute a Content Category
    - Procedure
  - View Content Categories in Reports
    - View Content Categories in Activity Search Report
    - View Content Categories in Top Threats Report
    - View Content Categories in Total Requests Report
    - View Content Categories in Activity Volume Report
    - View Content Categories in Top Destinations Report
    - View Content Categories in Top Categories Report
- Manage Tenant Control Profiles
  - Add a Tenant Controls Profile
  - Control Cloud Access to Microsoft 365
  - Control Cloud Access to Google G Suite
  - Control Cloud Access to Slack
    - Procedure
  - Control Cloud Access to Dropbox
  - Use Tenant Controls in Access Rules
  - Review Tenant Controls Through Reports
- Manage Roaming Devices
  - View Internet Security Settings for Roaming Devices
    - Procedure
      - Host Information
      - Security Information – IPv4
  - Edit Internet Security Settings for Roaming Devices
    - Procedure
      - Edit the Auto-Delete Interval for Roaming Devices
      - Disable the Internet Security Settings
      - Enable the Internet Security Settings
      - Remove the Internet Security Override on Roaming Devices
  - Delete a Roaming Device
- Manage Private Resources
  - Step 1 – Configure Private Resources
    - Optional Configuration for Private Resources
  - Step 2 — Set Up Network Connections, VPN Profiles, and Certificates
  - Step 3 — Add Private Resources in Private Access Rules
  - Step 4 — Set Up the Cisco Secure Client and Distribute URLs
  - Add a Private Resource
  - Add a Private Resource Group
- Manage Connections to Private Destinations
  - Comparison of Zero Trust Access and VPN
  - Comparison of Client-Based and Browser-Based Zero Trust Access Connections
  - Network Authentication for Zero Trust Access
  - Manage Branch Connections
    - Endpoint Connection Methods
    - Branch Networks in Private Access Rules
      - Users and Groups Connections to Private Resources
      - Sources for Branch Network Connections
      - Destinations for Branch Network Connections
      - Source Connections to Destinations
    - Add an IPS Profile on Private Access Rules
    - Log Connections From Branch Networks to Private Resources
- Manage the Access Policy
  - About the Access Policy
    - Best Practices
    - Default Rule Data
  - Show Additional Data on Your Access Rules
  - Edit the Order of the Rules in Your Access Policy
  - Rule Defaults: Default Settings for Access Rules
    - Zero Trust Access: Endpoint Posture Profiles
    - Zero Trust Access: User Authentication Interval
    - Intrusion Prevention (IPS)
    - Security Profile
    - Tenant Control Profile
  - Global Settings for Access Rules
    - Global Settings for Access Rules
    - Microsoft 365 Compatibility
      - Limitations
    - Decryption
    - Decryption Logging
    - Certificate Pinning
  - Edit Rule Defaults and Global Settings
  - Edit the Default Access Rules
    - To View or Edit Default Access Rules
- Get Started With Internet Access Rules
  - Components for Internet Access Rules
    - Sources
    - Destinations
    - Security Controls
      - Intrusion Prevention (IPS)
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Intrusion Prevention (IPS) Profiles
        
        Configure the Do Not Decrypt List for IPS
      - Web Security
        
        Configure Threat Category Settings
        
        Configure SAML Authentication
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Do Not Decrypt Lists for Web Security
        
        (Optional) Configure Custom End-User Block and Warn Notifications
        
        Configure Security Profiles
      - Tenant Controls
  - Default Settings for Internet Access Rules
  - Add an Internet Access Rule
    - Prerequisites
    - Procedure
    - Access Options
      - Disable or Enable the rule
      - Logging settings
      - Summary
      - Rule name
      - Rule order
      - Rule action
      - Sources
      - Destinations
      - Advanced Application Controls
    - Security Control Options
      - Intrusion Prevention (IPS)
      - Security Profile
      - Tenant Control Profile
      - Advanced Security Controls
      - Next Steps
  - About Configuring Destinations in Internet Access Rules
    - Destination Components for Internet Access Rules
    - Destinations Created Directly in an Internet Access Rule
      - IP Addresses and CIDR Blocks
      - Ports
      - Protocols
    - Combining Multiple Destinations in a Rule (Boolean Logic)
    - Number of Destinations in a Rule
  - Advanced Application Controls
    - Applications with Advanced Controls
      - Cloud Storage
      - Collaboration
      - Content Management
      - Media
      - Office Productivity
      - P2P
      - Social Networking
    - Procedure
    - Troubleshooting
  - About Configuring Sources in Internet Access Rules
    - Source Components for Internet Access Rules
    - Sources Added Directly in an Internet Access Rule
    - Combining Multiple Sources in a Rule (Boolean logic)
  - Global Settings for Internet Access Rules
  - About Isolated Destinations
    - Prerequisites
    - Secure Access Package Support for RBI and Isolation Rules
    - Limitations of Isolation
  - Troubleshoot Internet Access Rules
    - Problems while creating the rule
    - Problems after creating a rule
      - Internet traffic is unexpectedly blocked
      - Internet traffic is unexpectedly allowed
      - Internet Access rule is not matching traffic as expected
- Get Started With Private Access Rules
  - Components for Private Access Rules
    - Sources
    - Destinations
      - Private Resources
      - Private Resource Groups
    - Endpoint Posture Profiles (for Endpoint Requirements)
    - Security Controls
  - Default Settings for Private Access Rules
  - Add a Private Access Rule
    - Prerequisites
    - Set Up the Private Access Rule
      - Enable the Rule and Edit Your Logging Settings
      - Add a Rule Name
      - Choose a Rule Order
    - Step 1 — Specify Access Options
      - Rule Action
      - Sources
      - Destinations
      - Endpoint Requirements
      - User Authentication Requirements
    - Step 2 — Configure Security Control Options
    - Summary
  - About Configuring Sources in Private Access Rules
    - Source components
    - Sources created directly in a private access rule
    - If there are multiple sources in a rule (Boolean logic)
  - About Configuring Destinations in Private Access Rules
    - Destination components for private access rules
    - Destinations created directly in a private access rule
    - If there are multiple destinations in a rule (Boolean logic)
  - About Endpoint Requirements in Access Rules
  - Allowing Traffic from Users and Devices on the Network
  - Global Settings for Private Access Rules
  - Troubleshoot Private Access Rules
    - General Troubleshooting Tips
    - Problems While Creating a Rule
    - Problems After Creating a Rule
      - Traffic is unexpectedly blocked
      - Traffic is unexpectedly allowed
      - Rule does not match traffic as expected
- Manage Endpoint Security
  - About Endpoint Posture
  - About Posture Profiles
  - Endpoint Posture Assessment
  - Endpoint Attributes
- Manage Zero Trust Access Posture Profiles
  - Zero Trust Access Posture Attributes
  - Add a Client-Based Zero Trust Access Posture Profile
  - Add a Browser-Based Zero Trust Access Posture Profile
- Manage VPN Connection Posture Profiles
  - VPN Posture Attributes
  - Add a VPN Connection Posture Profile
- Manage IPS Profiles
  - How IPS Works
  - Decryption is Required for Effective Intrusion Prevention
  - Exceptions for Traffic That Should Not be Decrypted
  - IPS is Used in Both Types of Access Rules
  - Add a Custom IPS Signature List
    - Procedure
    - Reset a Signature's Action
- Manage Security Profiles
  - Security Profiles for Internet Access
    - Functionality Included in a Security Profile for Internet Access
    - Decryption
    - SSO Authentication
    - Security and Acceptable Use Controls
    - End-User Notifications
    - Get Started: Security Profiles for Internet Access
  - Add a Security Profile for Internet Access
    - Add a Security Profile
    - Enable or Disable Decryption
    - SSO Authentication
    - Security and Acceptable Use Controls
      - Threat Categories
      - File Inspection
      - File Type Blocking
      - SafeSearch
    - Configure End-User Notifications
    - View Security Profiles
    - Configure Additional Security Options
    - Add a Security Profile on Internet Access Rules
    - Edit a Security Profile
    - Delete a Security Profile
  - Enable SafeSearch
    - Confirm That SafeSearch is Working
      - Google
      - YouTube
      - Yahoo
      - Bing
  - Security Profiles for Private Access
  - Add a Security Profile for Private Access
- Manage Threat Categories
  - Threat Category Descriptions
  - Add a Threat Category List
  - Dispute a Threat Categorization
- Manage File Inspection and File Analysis
  - Overview of Configuring File Inspection and Analysis
  - File Inspection Details
  - Enable File Inspection
  - Enable File Analysis by Cisco Secure Malware Analytics
  - Test File Inspection
    - Procedure
      - Block Page Diagnostic Information
  - Monitor File Inspection and Analysis Activity
  - Troubleshoot and Monitor File Inspection and Analysis
- Manage File Type Controls
  - Enable File Type Controls
    - About File Type Controls for Internet Access
    - About File Type Controls for Private Access
    - Procedure
    - Enable File Type Blocking for Internet Access
    - Enable File Type Blocking for Private Access
  - File Types to Block
  - Review File Type Controls Through Reports
- Manage Notification Pages
  - Preview Notification Pages
  - Create Custom Block and Warn Pages
    - Link a Custom Notification Page Appearance to a Security Profile
  - Allow Users to Contact an Administrator
- Manage Traffic Decryption
  - Internet Access Features Requiring Decryption
  - Internet Traffic That Should Not Be Decrypted
  - Decryption in Private Access Rules
  - Decryption Settings
  - Decryption Requires Certificates
  - Decryption Logging
  - Troubleshooting Decryption
  - Important Information About Do Not Decrypt Lists
    - Do Not Decrypt List for IPS
    - Do Not Decrypt Lists for Web
    - Differences Between IPS and Web Destination Types
    - The System-Provided Do Not Decrypt List
    - Limitation: Do Not Decrypt Based on Content Category
  - Add a Do Not Decrypt List for Security Profiles
- Manage Certificates
  - Certificates for Internet Decryption
    - Option 1: Distribute Self-Signed Certificates to End-User Devices
    - Option 2: Use a Signed Certificate for Decrypting Internet Traffic
  - Install the Cisco Secure Access Root Certificate
    - Download the Cisco Secure Access Root Certificate
    - Automatically Install the Cisco Secure Access Root Certificate (For an Active Directory Network)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Microsoft Management Console (MMC)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Group Policy Management Console (GPMC)
    - Install the Cisco Secure Access Root Certificate in Firefox Using Group Policy
    - Install the Cisco Secure Access Root Certificate on Chromebooks Using the Google Admin Console
    - Manually Install the Cisco Secure Access Root Certificate (Single Computer)
      - Install the Cisco Secure Access Root Certificate in Edge or Chrome on Windows
      - Install the Cisco Secure Access Root Certificate in Firefox on Windows
      - Install the Cisco Secure Access Root Certificate in All Browsers on Mac OS X
      - Install the Cisco Secure Access Root Certificate on Mac OS X Through the Command Line
      - Install the Cisco Secure Access Root Certificate in Chromium or Chrome on Linux
  - Add Customer CA Signed Root Certificate
    - Certificate Requirements
    - Install Root Certificate in Browsers
    - Procedure
  - Manage Certificates for Private Resource Decryption
    - Install a Certificate Authority Certificate on a Private Resource
    - View Notifications About Expired Private Resource Certificates
    - Upload Private Resource Certificates
    - Option 2: Upload a certificate and key to the Certificates page
  - View the Cisco Trusted Root Store
    - Download the Cisco Trusted Union Root Bundle
    - Extract the Certificates
      - Step 1: Extract the Signing Certificate
      - Step 2: Extract Certificate Bundle as Message
      - Step 3: Extract PEM-Formatted Certificates From Bundle
      - Step 4: Generate Individual Certificate Files
    - View an Individual Certificate File
  - Manage SAML Certificates for Identity Providers
    - Procedure
      - View Notifications About Expired Identity Provider Certificates
      - Manage Web Security and Zero Trust Identity Provider Certificates
      - Manage Virtual Private Network Identity Provider Certificates
  - Certificates for Private Resource Decryption
  - Certificates for SAML Authentication
  - Manage SAML Certificates for Service Providers
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Download Web Security and Zero Trust Service Provider Certificates
      - Download Virtual Private Network Service Provider Certificates
  - VPN Certificates for User and Device Authentication
  - Manage CA Certificates for VPN Connections
    - Install an Identity Certificate on User Devices
    - View Notifications About Expired CA Certificates for Client Authentication
    - Upload Certificate Authority (CA) Certificates for client authentication
    - View Uploaded CA Certificates
    - Manage Certificate Revocation Settings
    - View CA Certificate Details
    - Delete a Client Authentication CA Certificate
    - Expired Certificates
- Manage the Data Loss Prevention Policy
  - Add a Real Time Rule to the Data Loss Prevention Policy
  - Understand Exclusions in a Real Time Rule
  - Supported Applications
  - Add a SaaS API Rule to the Data Loss Prevention Policy
  - Discovery Scan
    - Prerequisites
    - Initiate a Discovery Scan
    - Cancel a Discovery Scan
  - Edit a Data Loss Prevention Rule
    - Procedure
  - Delete a Data Loss Prevention Rule
    - Procedure
  - Enable or Disable a Data Loss Prevention Rule
    - Disable a Rule
    - Enable a Rule
  - Supported File and Form Types
  - Best Practices for the Data Loss Protection Policy
- Manage Data Classifications
  - Create a Data Classification
    - Procedure
  - Copy and Customize a Data Identifier
    - Procedure
  - Delete or Edit a Classification
    - Delete a Classification
    - Edit a Classification
  - Create an Exact Data Match Identifier
    - Procedure
  - Index Data for an EDM
    - Run the DLP Indexer to Create an EDM Identifier
    - Update the Indexed Data Set Periodically
    - Troubleshooting
  - Create an Indexed Document Match Identifier
    - Limitations
    - Create an Indexed Document Match Identifier
    - Monitor the Indexed Data Set and Re-Index as Needed
    - Troubleshooting
  - Built-In Data Classifications
  - Exact Data Match Field Types
    - Supported EDM Types
- Built-in Data Identifiers
  - Tolerances
  - Copy and Customize a Built-In Data Classification
    - Procedure
  - Create a Custom Identifier
    - Procedure
  - Custom Regular Expression Patterns
    - Limitations
      - General
      - Regex Syntax
      - Regex Breadth
      - Word Boundary
  - Individual Data Identifiers
    - Drug Name
    - Health Condition
    - ICD-10 Code
    - US Person Name
- Manage SaaS API Data Loss Prevention
  - Enable SaaS API Data Loss Protection for Box Tenants
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Protection for Dropbox Tenants
    - Limitation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Protection for Google Drive Tenants
    - Validation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Protection for Microsoft 365 Tenants
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Protection for Webex Teams
    - Authorize a Tenant
    - Revoke Authorization
- Manage Cloud Malware Protection
  - Enable Cloud Malware Protection
  - Revoke Authorization for a Platform
  - Enable Cloud Malware Protection for Box Tenants
    - Verify Box Application Settings
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Dropbox Tenants
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Google Drive
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Microsoft 365 Tenants
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Webex Teams
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
- Manage Logging
  - Enable Logging
  - Enable Logging to Your Own S3 Bucket
    - Prerequisites
      - JSON Bucket Policy
    - Procedure
    - S3 Bucket Data Path
    - Download Files From the S3 Bucket Locally
  - Stop Logging
  - Log Formats and Versioning
    - Log File Name Formats
      - Subfolders
      - Find Your Log Schema Version
        
        Log Schema Versions
        
        View Your Log Schema Version and Last Sync Time
      - Log File Fields
      - Estimate the Size of a Log
      - Estimate the Size of an Exported Report
    - Reports and CSV Formats
      - Activity Search Report
        
        Zero Trust Access Activity Search Fields
      - Top Categories Report
      - Top Destinations Report
      - Top Resources Report
    - Admin Audit Log Formats
    - Cloud Firewall Log Formats
    - Data Loss Prevention (DLP) Log Formats
    - DNS Log Formats
    - IPS Log Formats
    - Remote Access VPN Log Formats
    - Web Log Formats
    - Zero Trust Access Log Formats
- Manage API Keys
  - Add Secure Access API Keys
    - Add API Key
    - Refresh API Key
    - Update API Key
    - Delete API Key
  - Add KeyAdmin API Keys
    - Use Cases
    - Add KeyAdmin API Key
    - Refresh KeyAdmin API Key
    - Update KeyAdmin API Key
    - Delete KeyAdmin API Key
- Manage Accounts
  - Add a New Account
    - Procedure
  - Edit Account Settings
    - Procedure
  - Delete an Account
    - Procedure
  - Hide Sources with De-identification
    - Source Types
    - Enable De-identification
    - Disable De-identification
    - Limitations
- Manage Domains
  - Add Internal Domains
    - Procedure
- Manage Resources
  - Resource menu items that can be used as sources in access rules:
  - Resource menu items that can be used as destinations in internet access rules:
  - Resource menu items that can be used as destinations in private access rules:
  - Additional resources
- Manage DNS Servers
  - Procedure
Cisco Secure Client
- Get Started with Cisco Secure Client
  - Download Cisco Secure Client
    - Procedure
  - Install the Root Certificate for All Browsers
    - Inspect and Decrypt HTTPS Traffic
    - Render Block and Warn Pages
  - Install the Cisco Secure Client
    - Procedure
- Manage Client-based Zero Trust Access from Mobile Devices
  - Set up the Zero Trust Access App for iOS Devices
    - System Requirements
    - Guidelines and Limitations
    - Configure Settings in Cisco Secure Access
    - Install the App
    - Have End Users Enroll in Zero Trust Access
    - Notes for administrators
  - Set up the Zero Trust Access App for Android on Samsung Devices
    - Configure Cisco Secure Access
    - Install the App
    - (Optional) Set up the Android device for Zero Trust Access using MDM
      - Add the app to MDM
      - Set up the App on the Samsung Device
    - Enroll the Device in Zero Trust Access
    - Notes for administrators
  - Monitor and Troubleshoot Zero Trust Access from Mobile Devices
    - Monitor Activity
    - General Troubleshooting
    - Troubleshoot iOS Devices
    - Troubleshoot Samsung Devices Running Android OS
- Manage Zero Trust Access on Cisco Secure Client
  - Requirements for Secure Client with Zero Trust Access
  - Invite Users to Enroll in Zero Trust Access for Secure Client
    - Recommended: Use MFA Authentication and Biometric Identity
    - Procedure
  - Troubleshoot Client-Based Zero Trust Access
    - Pre-Enrollment Errors
    - Enrollment Errors
    - Post-Enrollment Errors
    - Requests to Reauthenticate
  - Unenroll a Device from Zero Trust Access
- Manage Virtual Private Networks on Cisco Secure Client
  - Download the Virtual Private Network XML Profile
  - CA Certificates for VPN Connections
- Manage Internet Security on Cisco Secure Client
  - Umbrella Roaming Security Module Requirements
    - System Requirements
    - Network Requirements
    - Roaming Security DNS Requirements
    - Internal Domains
  - Domain Management
    - Internal Domains List
    - DNS Suffixes
    - Operational Flow
    - Advanced Topics
  - DNS Protection Status
    - DNS and IP Layer State Descriptions
  - Interpret Internet Security Diagnostics
    - Procedure
      - Generate the Diagnostic Report from the Cisco Secure Client
      - Generate the Diagnostic Report on the Command Line
  - Download the OrgInfo.json File
  - Customize Windows Installation of Cisco Secure Client
    - Requirements
    - Procedure
      - Deploy the Cisco Secure Client VPN Module
      - Deploy the Cisco Secure Client Umbrella Roaming Security Module
      - (Optional) Deploy the Cisco Secure Client DART Module
      - Hide Cisco Secure Client from Add/Remove Programs List
    - Optional OrgInfo.json Configurations
  - Customize macOS Installation of Cisco Secure Client
    - Requirements
    - Procedure
    - Step 1 – Make the DMG Package Writeable
    - Step 2 – Generate the Module Installation Configuration File
    - Step 3 – Copy OrgInfo.json to Cisco Secure Client Installation Directory
    - Step 4 – (Optional) Hide the VPN Module
    - Step 5 – Customize the Cisco Secure Client Installation Modules
      - Example – Customize Cisco Secure Client Modules
    - Step 6 – Set Up the Correct Extension Permission Settings
    - Step 7 – Install Cisco Secure Client with Selected Modules
DNS Forwarders
- Get Started with Virtual Appliances
  - How Secure Access Virtual Appliances Work
  - Virtual Appliances and Granular Identity Information
  - Active Directory Integration
  - Configure Granular Rules
  - Prerequisites for Virtual Appliances
    - Endpoint Software
    - Virtual Appliance Requirements
    - Networking Requirements
      - Allow Connections to Various Domains and Services
      - Network Time Protocol Servers
      - Intrusion Protection Systems (IPS) and Deep Packet Inspection (DPI)
      - Network Address Translation (NAT)
    - Encrypting Traffic with DNSCrypt
  - Virtual Appliance Deployment Guidelines
    - Deploy Virtual Appliances in Pairs
    - Multiple DNS Egresses
    - Single DNS Egress
    - Double NAT
  - Virtual Appliance Sizing Guide
    - High-Traffic Sites and Virtual Appliances
    - AD Connector Sizing Guidelines
    - Deployment Considerations
      - Overall Latency
      - Number of Secure Access Sites
      - Number of Users for a VA
- Manage VAs in Secure Access
  - Configure Authentication for Virtual Appliances
    - How to Set Up Your API Credentials
    - Procedure
      - Step 1 – Create the Key Admin API Key Credentials
      - Step 2 – Add the Key Admin API Key Credentials
    - Refresh Client API Key and Secret
    - Reset Client API Key
  - Manage DNS Forwarders
    - Procedure
      - View the DNS Forwarders
      - Sync the Configuration Settings to Deployed VAs
      - Edit a Site
      - Upgrade a Virtual Appliance
      - Reset Password
      - Delete a Virtual Appliance
  - Manage Site for Virtual Appliance
    - Procedure
      - Add a Site
      - Select a Site
      - Rename a Site
      - Delete a Site
  - Configure Updates for Virtual Appliances
    - How Secure Access Updates Your Virtual Appliance
    - Procedure
      - Configure Automatic Updates of Virtual Appliances
      - Manually Configure Update of a Virtual Appliance
      - Postpone Updates to Virtual Appliances
- Deploy Virtual Appliances
  - Guidelines
  - Deploy the Secure Access Virtual Appliances
  - Deploy VAs in Hyper-V for Windows 2012 or Higher
    - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download and Extract the Hyper-V Installer
      - Step 2 – Import the Virtual Appliance
      - Step 3 – Copy and Rename Image Files
      - Step 4 – Select Network Adapter
      - Step 5 – Select Hard Drive
      - Step 6 – Power on the Virtual Machine
      - Step 7 – Repeat for the Second Virtual Appliance
  - Deploy VAs in VMware
    - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download OVF Template
      - Step 2 – Deploy OVF Template
      - Step 3 – Deploy a Second Virtual Appliance
      - Step 4 – Power on the Virtual Machines
- Configure Virtual Appliances
  - Enter Configuration Mode on a VA Deployed on VMware and Hyper-V
  - Configure the VA Through Configuration Mode
  - Configure a Second VA
  - Configure Settings on VAs
    - Configure Rate Limiting
      - Enable Rate Limits on a VA
      - Disable Rate Limiting
      - Check Status and Packet Drops
    - Configure NTP Servers
      - Add NTP Servers to the VA
      - Remove NTP Servers
      - View the VA's Current NTP Servers
    - Configure Secure Access Resolvers
      - Use the IPv4 Secure Access DNS Resolvers
      - Use the Alternate Secure Access DNS Resolvers
      - Use the US-Only IPv4 Secure Access DNS Resolvers
      - Use the Saudi Arabia-Only IPv4 Secure Access DNS Resolvers
    - Configure DNSSEC Support
      - Configure VA to Preserve the DO Bit
      - Turn Off the DO Bit
    - Configure Logging to Remote Syslog Server
      - Configure the Destination of the Remote Syslog Server
      - Configure Log Export Internal DNS
      - Configure Log Export Enable Health
      - Configure Log Export Enable Admin
      - Configure Log Export Enable All
      - Configure Log Export Status
      - Turn Off Logging
    - Configure Dual-NIC Support on the VA
      - Configure an Existing VA to Support Dual-NIC
      - Deploy a New VA to Support Dual-NIC DMZ Mode
    - Configure Anycast
      - Configure Anycast over BGP on the VA
      - Configure Load Balancing
        
        Add a Load Balancer
        
        Remove a Load Balancer
      - Configure Identity Association Timeouts
      - Configure API Key Credentials for Authentication
        
        Configure the Client ID and Client Secret
- Local DNS Forwarding
  - Manage Domains in the VA
    - Which domains should be added?
    - (Optional) Add A & PTR Records for the VAs
  - Configure Local DNS Servers on the VA
    - Examples
- Test Virtual Appliance Deployments
  - Resolve Public and Local DNS Queries
    - nslookup opendns.com <VA IP Address>
      - nslookup dc01.localdomain.corp. <VA IP Address>
      - Test with Endpoints
      - Transition Production Traffic
- SNMP Monitoring for Virtual Appliances
  - Enable SNMP Monitoring
    - SNMPv2.x
    - SNMPv3
    - Privacy Password
    - Configure SNMP in Secure Access Virtual Appliance
    - SNMP Command Syntax
  - About SNMP Monitoring
  - Standard OIDs Supported by the Virtual Appliance
  - Extended OIDs Supported by the Virtual Appliance
- Troubleshoot Virtual Appliances
  - Reset a Virtual Appliance's Password
  - Use Configuration Mode to Troubleshoot
  - Troubleshoot Intermittent DNS Resolution Failures on a VA Deployed on Azure
  - Troubleshoot DNS Resolution in Configuration Mode
  - Troubleshoot DNS Resolution Failures Behind a Firewall
- PIV-CAC Support
Reports
- Monitor Secure Access with Reports
  - Export Report Data to CSV
  - Bookmark and Share Reports
    - Procedure
  - Report Scheduling
  - Schedule a Report
    - Procedure
      - Check Your Spam Folder
      - Unsubscribe From a Report
  - Update a Scheduled Report
    - Procedure
  - Report Retention
    - Admin Audit Log Retention
- Remote Access Log Report
  - Connection Events – Failed
- Activity Search Report
  - View Activity Search Report Actions
    - See Full Details
    - Filter Views
  - Schedule an Activity Search Report
  - Use Search and Advanced Search
    - Search
    - Wildcards
      - Domains
      - URLs
      - File Names
    - Advanced Search
  - View the Activity Search Report
    - View the Activity Search Report
      - Configure Columns to Display
    - View Actions
      - View Full Details
      - Filter Views
    - Schedule an Activity Search Report
- Security Activity Report
  - View Activity and Details by Filters
    - Procedure
  - View Activity and Details by Event Type or Security Category
    - Procedure
      - Group Security Categories
  - View an Event's Details
    - Procedure
  - Search for Security Activity
    - Procedure
      - Advanced Search
- Total Requests Report
  - View Trends in the Total Requests Report
- Activity Volume Report
  - View Requests by Volume of Activity
  - View Activity Volume by Threat Categories
    - Prevent
    - Contain
  - View Activity Volume by Policy Traffic
  - View Trends
- App Discovery Report
  - View the App Discovery Report
    - View the App Discovery Report
  - View the Highest Risk Apps
    - Procedure
  - Review Apps in the Apps Grid
    - Procedure
    - Configure Columns to Display
    - Change the Label of an App
  - View App Details
    - Procedure
  - Change App Details
    - Change the Risk Score for an App
    - Change the Label of an App
  - Control Apps
    - Procedure
    - Control Application Lists
  - Control Advanced Apps
    - Procedure
  - View Traffic Data Through SWG Service
    - View Traffic
    - View Traffic in the Apps Grid
    - View Traffic in the App Details
- Top Destinations Report
  - View the Top Destinations Report
  - View Further Details
  - Destination Details
    - View the Destination Details
    - View the Request Traffic
      - View Requests by Blocked or Allowed
      - View Requests Through Global Traffic %
    - View the Access and Policy Details
    - View Recent Activity
    - View the Most Visited URL Paths
- Top Categories Report
  - View the Top Categories Report
    - Report Fields
    - Sort by Traffic
    - Ascending or Descending Order
  - Top Categories Quick View
  - View Category in Other Reports
  - Category Details
    - View a Category's Details Overview
    - View a Category's Traffic
      - View the Activity Breakdown
      - View the Traffic Bandwidth
    - View a Category's Identities
    - View the Category's Top Domains
- Cloud Malware Report
  - View the Cloud Malware Report
  - Use the Cloud Malware Report
    - Quarantine a Malicious File
    - Restore a Quarantined File
    - Delete a Malicious File
    - Dismiss an Item from the Report
    - Export a Cloud Malware Report
- Data Loss Prevention Report
  - View Events
    - View Details
    - Delete File
    - Quarantine File
    - Restore File from Quarantine
    - Use Advanced Search
  - View a Discovery Scan
- Admin Audit Log Report
  - Generate Admin Audit Log Report
  - Export Admin Audit Log Report to an S3 Bucket
    - Procedure

Cisco Secure Access for Government Help Manage Cloud Malware Protection Enable Cloud Malware Protection for Microsoft 365 Tenants Authorize a Tenant

Last updated: Dec 09, 2025

Previous topic Enable Cloud Malware Protection for Microsoft 365 Tenants Next topic Edit a Tenant