Traffic Steering for ZTA Connections to Internet and SaaS Destinations

Some internet and SaaS destinations outside your organization's network, such as YourCompany.OtherCompany.com, allow access only to traffic that originates from IP addresses within your organization's IP address space. Users who are in the office or using VPN have the required IP address. Remote users who are not using VPN, including mobile devices and users who are on another company's VPN (for example, a partner's or client's VPN), do not have access to the internet resource.


 
  • To utilize this feature, Secure Access organizations (orgs) must be properly configured to handle internet-bound traffic. To request configuration, contact Cisco Support with your organization's details and specify at least two preferred ingress regions for internet-bound traffic in your request. For a list of supported ingress regions, see Secure Access Regions.

  • To ensure seamless access when Remote Browser Isolation (RBI) is enabled, administrators must add menlosecurity.com to the steering lists.

  • The Zero Trust Application (ZTA) client module is compatible with the AnyConnect Virtual Private Network (VPN), Umbrella Domain Name System (DNS), and Umbrella Secure Web Gateway (SWG) client modules. This compatibility applies to private destinations and specific internet destinations. When destinations overlap between these compatible modules, the ZTA module will intercept and steer the traffic first.

To allow these users to access the resource, use the solution described on this page to ensure that the egress IP address associated with their devices is within your organization's IP address space.

There are two ways to do this:

  • Option 1: Use the method described in this topic to allow Zero Trust Access connections to internet and SaaS destinations you specify.
  • Option 2: Configure these internet destinations as private resources and follow additional instructions in Zero Trust Access for Internet Destinations.

Either method is seamless for your users. All users and devices that are properly configured for Zero Trust Access will automatically use the method you configure to connect to configured destinations.