
Procedure

To allow client-based Zero Trust Access to internet and SaaS destinations:

  1. Ensure that each destination site allows access from the egress IP addresses that your users' connections will use, as discussed in the Web Traffic and NATaaS section of Secure Access NAT as a Service.
  2. Add the applicable destinations to one or more destination lists. See Manage Destination Lists and subtopics. URLs are treated as domains. Do not include addresses that are not publicly routable.
  3. Install the latest version of Cisco Secure Client on user endpoint devices. Ensure that the client is enrolled in Zero Trust Access. See the applicable subtopics under Cisco Secure Client Overview. Windows, macOS, iOS, and Android clients support this feature.
  4. Navigate to Connect > End User Connectivity > Zero Trust Access. In the Default Profile section, click the Edit icon for the Default ZTA Profile. Go to the Internet and SaaS Destinations page of the wizard, and select one or more destination lists. Optionally, add any exceptions.
  5. Define internet access rules for the destinations. You can specify the same destination lists that are specified in the ZTA profile.

Keep the following points in mind:

  • URLs in destination lists are treated as domains for traffic steering purposes.
  • When you configure the traffic steering profile, you can specify destinations on the list that you do not want to be handled using Zero Trust Access. For example, if the destination list includes *.example.com, and you want to exclude ExcludedDestination.example.com, add that exclusion to the traffic steering rule.

    Enter destinations to exclude as a comma-separated list.

  • Removing a destination list from a Zero Trust Access profile does NOT remove the destination list from Secure Access.
  • Future deletions, changes, or additions to the selected destination lists affect Zero Trust Access traffic steering to those destinations, because the profile references the lists rather than copying their contents.
  • User authentication interval settings configured on the rule defaults page for access rules do NOT apply to internet traffic.
  • An FQDN-based steering rule can be configured to bypass the Zero Trust Access proxy and send that traffic to a remote access VPN instead. CIDR block IPs and NetWitness IP ranges are supported.
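The following script is an added illustration, not Cisco code, of the rules stated in step 2 and in the points above: it turns destination-list entries into the domain that steering actually uses (URLs are treated as domains), rejects entries that are not publicly routable, and shows how an exclusion entered in the traffic steering profile overrides a wildcard such as *.example.com. The matching semantics in the comments (a bare domain covers itself and its subdomains, a `*.` wildcard covers subdomains only, a CIDR block covers the addresses in it), the function names, and the `excluded`/`zta`/`direct` labels are assumptions made for the example; Secure Access does not expose this logic as an API.

```python
"""Offline model of how a Secure Access ZTA profile steers client traffic to
internet and SaaS destinations.  Constructed illustration, not Cisco code:
the matching rules below are assumptions stated in the comments."""
import ipaddress
from urllib.parse import urlsplit


def _as_network(text):
    """Parse a bare IP address or CIDR block; return None if it is not one."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def normalize_destination(entry):
    """Return the steering key for one destination-list entry.

    URLs are treated as domains: scheme, port, path and query are dropped.
    IP addresses and CIDR blocks must be publicly routable; RFC 1918,
    loopback, link-local and similar ranges raise ValueError.
    """
    text = entry.strip().lower()
    if _as_network(text) is None:
        # Not a bare IP/CIDR: treat as URL or host[/path] and keep the host only
        if "://" not in text:
            text = "//" + text
        host = urlsplit(text).hostname
        if not host:
            raise ValueError(f"cannot parse destination {entry!r}")
    else:
        host = text
    net = _as_network(host)  # an IP may also appear as the host of a URL
    if net is not None and not net.is_global:
        raise ValueError(f"{host} is not publicly routable")
    return host


def _matches(pattern, host):
    """Does one normalized destination cover a normalized host?

    Assumed semantics: a bare domain covers itself and its subdomains,
    '*.example.com' covers subdomains only, and a CIDR block covers any
    IP address inside it.
    """
    net = _as_network(pattern)
    if net is not None:
        target = _as_network(host)
        return (target is not None and target.version == net.version
                and target.subnet_of(net))
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def parse_exclusions(text):
    """Exclusions are entered as a comma-separated list in the steering profile."""
    return [normalize_destination(e) for e in text.split(",") if e.strip()]


def steering_decision(host, destination_lists, exclusions=""):
    """Return 'excluded', 'zta' or 'direct' for one connection.

    destination_lists maps list name -> entries, as selected in the ZTA
    profile.  Lists are consulted each time, so later edits to a list change
    the decision, and an exclusion always wins over a list match.
    """
    try:
        key = normalize_destination(host)
    except ValueError:
        return "direct"  # not publicly routable: never a ZTA destination
    if any(_matches(e, key) for e in parse_exclusions(exclusions)):
        return "excluded"
    for entries in destination_lists.values():
        if any(_matches(normalize_destination(e), key) for e in entries):
            return "zta"
    return "direct"


def validate_destination_list(entries):
    """Split a proposed list into accepted steering keys and rejected entries."""
    accepted, rejected = [], {}
    for entry in entries:
        try:
            accepted.append(normalize_destination(entry))
        except ValueError as err:
            rejected[entry] = str(err)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample destination list and exclusion string (not real data)
    proposed = ["https://app.example.com/login", "*.example.com",
                "8.8.8.0/24", "10.0.0.5", "http://192.168.1.1/admin"]
    ok, bad = validate_destination_list(proposed)
    print("accepted:", ok)
    print("rejected:", bad)
    lists = {"SaaS apps": ok}
    for h in ["app.example.com", "ExcludedDestination.example.com",
              "8.8.8.8", "example.com", "other.test"]:
        print(h, "->", steering_decision(h, lists, "ExcludedDestination.example.com"))
```

Run the validator over a candidate list before creating it in Manage Destination Lists: the rejected entries are exactly the ones step 2 says to leave out, and the steering walk-through shows why an exclusion has to be spelled out explicitly when the list already carries a matching wildcard.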