Zero-Trust Connections
Select Zero-trust connections to allow connections from devices with and without the Secure Client installed. You can allow either or both of these options.
If you want devices that your organization does not manage (such as contractor, vendor, or Bring-Your-Own devices) to be able to connect to this resource, you must enable browser-based access. Browser-based (clientless) access offers fewer controls on device security than client-based access does.
- For Client-based connection, enter the address you want users to use in order to connect to this resource.
  - For best security (to keep the internal IP address of this resource private), you should provide a domain rather than an IP address. Your internal DNS server must be able to route traffic to this address. For example, you can enter mail.example.com.
  - Note: This address can be the same as the address you entered above for Secure Access to connect to the resource.
- For Browser-based connection, configure a public URL for this resource that you will give to users. You have the option to use either a Cisco domain or a custom domain. Both options allow end users to reach this resource from outside your network without exposing the actual address of the resource. Secure Access forwards authorized connections to the resource.

  Option 1: Use a URL in a Cisco domain.
  - Provide a URL prefix that uniquely identifies this resource. Secure Access joins the prefix to <your organization's tenant ID>-ztna.sse.cisco.io to form the public URL address, and routes traffic sent to this address to the resource.
  - If you don't provide a URL prefix, Secure Access adds one for you based on the resource name.
  Option 2: Use a URL in your domain.
  - In the previous step, Communication with Secure Access Cloud, the following configuration is required to use your own custom domain for a browser-based ZTA connection:
    - Internally reachable address must be either a single FQDN or one or more IP addresses.
    - Protocol must be TCP - (HTTP, HTTPS) only, TCP - SSH, or TCP - RDP.
    - Port / Ranges must be a single port number.
  - Provide a full URL from your custom domain name. The URL field supports domains (e.g., example.com) and subdomains (e.g., subdomain.example.com).
  - Certificate-Key Pairs: Select an existing cryptographic certificate-key pair from the dropdown list, or click +Add certificate and key to upload .pem files or paste new certificate and key data.
    - You may also browse to Secure > Certificates and click the Private resources tab to upload and manage certificates used by private resources with browser-based ZTA.
    - Cisco recommends using a certificate signed by a publicly recognized certificate authority (CA).
  - The DNS server for your domain requires an additional canonical name (CNAME) record that maps your custom URL to the Secure Access URL shown in the field "Your DNS server must be able to route this traffic to this address". Format the CNAME record as follows:

    Record type   @ (record name)           Value
    CNAME         subdomain.example.com     [custom-prefix]-[org ID].ztna.sse.cisco.io
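A quick way to confirm that the CNAME record above was published correctly before handing the custom URL to users is to check the zone itself. The following is an added example, not code from the Cisco documentation: it parses a constructed BIND-style zone fragment, verifies that the custom host carries a CNAME pointing at the expected Secure Access hostname, and flags two common mistakes, a missing record and a CNAME that shares its name with other records (which DNS does not allow). The zone text, the org ID and the prefix are placeholders; the target pattern follows the `[custom-prefix]-[org ID].ztna.sse.cisco.io` format shown in the table.

```python
"""Check that a zone contains the CNAME record Secure Access expects.

Added example, not part of the Cisco documentation. The zone fragment and the
target hostname are constructed placeholders; substitute the Secure Access URL
shown in the "Your DNS server must be able to route this traffic to this
address" field for your own resource.
"""
import re

# Constructed sample zone fragment (BIND-style). "1234567" stands in for an org
# ID and "intranet" for a custom prefix; neither is a real Secure Access value.
SAMPLE_ZONE = """
$ORIGIN example.com.
@           3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
@           3600 IN NS    ns1.example.com.
subdomain   300  IN CNAME intranet-1234567.ztna.sse.cisco.io.
broken      300  IN CNAME intranet-1234567.ztna.sse.cisco.io.
broken      300  IN A     192.0.2.10
"""

# Shape of the Secure Access hostname from the table: [custom-prefix]-[org ID].ztna.sse.cisco.io
ZTNA_TARGET = re.compile(r"^[a-z0-9-]+-[a-z0-9]+\.ztna\.sse\.cisco\.io\.?$", re.I)


def parse_zone(text):
    """Return (owner, type, rdata) tuples with owners expanded to absolute names."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        # Skip the optional TTL and class so that rest[0] is the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), rtype, rdata))
    return records


def check_cname(zone_text, custom_host, expected_target):
    """Return (ok, reason) for the CNAME that should map custom_host to expected_target."""
    want_owner = custom_host.rstrip(".").lower() + "."
    want_target = expected_target.rstrip(".").lower() + "."
    records = [r for r in parse_zone(zone_text) if r[0] == want_owner]
    cnames = [r for r in records if r[1] == "CNAME"]
    if not cnames:
        return False, f"no CNAME record for {custom_host}"
    # A CNAME owner must carry no other record types (RFC 1034); resolvers
    # reject or ignore the alias otherwise.
    others = [r[1] for r in records if r[1] != "CNAME"]
    if others:
        return False, f"{custom_host} has CNAME plus {others}; remove the extra records"
    target = cnames[0][2].rstrip(".").lower() + "."
    if target != want_target:
        return False, f"CNAME points to {target}, expected {want_target}"
    if not ZTNA_TARGET.match(target):
        return False, f"{target} is not a *.ztna.sse.cisco.io hostname"
    return True, "ok"


if __name__ == "__main__":
    for host in ("subdomain.example.com", "broken.example.com", "missing.example.com"):
        print(host, check_cname(SAMPLE_ZONE, host, "intranet-1234567.ztna.sse.cisco.io"))
```

To check a live zone rather than a file, paste the output of a zone transfer or the relevant records into the same format; the owner-name and target comparisons are case-insensitive and tolerate a missing trailing dot.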
- Custom Host Header is optional for both a Cisco domain and a custom domain.
  - Add a custom host header if your resource requires it to validate HTTP or HTTPS connections.
  - If Protocol is set to HTTP and the Custom host header field is left empty, the host header is the same as the Public URL for this resource.
  - If Protocol is set to HTTPS and both the Custom host header and Server Name Indication (SNI) fields are left empty, the host header is the same as the Public URL for this resource.
  - If the Server Name Indication (SNI) field has a value, the host header is the SNI value.
  - If end users typically use the fully qualified domain name (FQDN) to request the private resource, enter the FQDN for the private resource in the Server Name Indication (SNI) field.
- SNI is the hostname that the browser connects with to start a TLS handshake. If this resource shares a single IP address with other resources that present different certificates, enter the SNI hostname so that traffic is connected to this resource.
- Validate Application Certificate is enabled by default. If Decrypt Traffic is enabled in the step below, this certificate validation setting is disabled.
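The host header rules above form a small decision table, and getting it wrong shows up as a resource that answers Secure Access with a 404 or a default virtual host. The following added example (not code from the Cisco documentation) encodes those rules so you can predict the Host value a given form configuration produces before saving it. `BrowserResource`, `host_from_url` and `effective_host_header` are names chosen for this example; the assumption that the Host header carries only the hostname part of the Public URL is also this example's. The page does not say which field wins when both Custom host header and SNI are filled in, so the function refuses that combination rather than guessing.

```python
"""Predict the host header for a browser-based ZTA resource.

Added example, not part of the Cisco documentation. Names and the
"hostname only" reading of "same as the Public URL" are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class BrowserResource:
    """Fields from the browser-based connection form (constructed for this example)."""
    protocol: str            # "HTTP" or "HTTPS"
    public_url: str          # Public URL handed to end users
    custom_host_header: str = ""
    sni: str = ""            # Server Name Indication field


def host_from_url(url):
    """Hostname of a public URL; a bare hostname without a scheme is accepted too."""
    split = urlsplit(url if "://" in url else f"//{url}")
    if not split.hostname:
        raise ValueError(f"no hostname in public URL {url!r}")
    return split.hostname


def effective_host_header(res):
    """Apply the documented rules to one resource and return the Host value."""
    proto = res.protocol.upper()
    if proto not in ("HTTP", "HTTPS"):
        raise ValueError(f"browser-based access covers HTTP or HTTPS, not {res.protocol!r}")
    header = res.custom_host_header.strip()
    sni = res.sni.strip()
    if header and sni:
        # Precedence between the two fields is not documented; do not guess.
        raise ValueError("set either Custom host header or SNI, not both")
    if header:
        return header            # explicit custom host header
    if sni:
        return sni               # "If the SNI field has a value, the host header is the SNI value"
    return host_from_url(res.public_url)   # HTTP, or HTTPS with both fields empty


if __name__ == "__main__":
    cases = [
        BrowserResource("HTTP", "https://intranet.example.com"),
        BrowserResource("HTTPS", "https://intranet.example.com", sni="intranet.corp.internal"),
        BrowserResource("HTTPS", "https://intranet.example.com", custom_host_header="app.internal"),
    ]
    for case in cases:
        print(case.protocol, "->", effective_host_header(case))
```

When the resource shares an IP address with other TLS sites, the SNI field is what selects the right certificate on the back end, so for that layout the FQDN users normally type belongs in SNI, and the function shows that it then also becomes the Host header.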