Comparison of Client-Based and Browser-Based Zero Trust Access Connections

You can configure users to connect to private resources using Zero Trust Access.

About Client-Based Connections

  • The Cisco Secure Client is installed on the end-user device.
  • Users can access resources using any protocol.
  • Users access using the internal resource address you specify in the Private Resource.
  • The client-based posture profile offers more options for controlling endpoint (device) requirements than the browser-based posture profile offers.
  • You can block access to specified subdomains when the resource address for client-based connections is configured as a wildcard FQDN. For more information, see Using Wildcards to Configure Traffic Steering for Private Destinations.
  • If traffic is blocked, the user sees a Block page if all requirements are met. For more information, see Block pages for Private Resources.

About Browser-Based Connections

  • Access does not require a client installed on the user endpoint device.
  • Use this option to allow access from devices with an operating system that the client does not support.
  • You can enable this option for private resources to allow connections from users who do not have managed devices, such as contractors, vendors, and others with bring-your-own (BYOD) devices, and from devices that do not have a client. You do not need to install anything on such devices.
  • Access is solely from the browser.
  • Users access private resources using a dummy URL that does not expose your actual resource address. Secure Access redirects browser-based traffic to the actual resource if access rules allow the traffic.
  • You can specify endpoint (device) requirements for these connections, but fewer than in the client-based posture profile.
  • If traffic is blocked, the user sees only a standard browser error. This prevents bad actors from obtaining information about your resources.
  • Users who have the client installed can always access a resource using the clientless browser-based URL if your access rules allow them access.

Comparison of Zero Trust Access and VPN\ < Comparison of Client-Based and Browser-Based Zero Trust Connections > Network Authentication for Zero Trust Access