Comparison of Client-Based and Browser-Based Zero Trust Access Connections

You can configure up to two ways for users to connect to private resources using Zero Trust Access:

Client-based connections:

  • The Cisco Secure Client is installed on the end-user device.
  • Users can access resources using any protocol.
  • Users access using the internal resource address you specify in the Private Resource.
  • The client-based posture profile offers more options for controlling endpoint (device) requirements than the browser-based posture profile offers.
  • You can block access to specified subdomains when the resource address for client-based connections is configured as a wildcard FQDN. See Using Wildcards to Configure Traffic Steering for Private Destinations.
  • If traffic is blocked, the user sees a Block page if all requirements are met.
    See Block pages for Private Resources.

Browser-based connections:

  • Access does not require a client installed on the user endpoint device.
  • Use this option to allow access from devices with an operating system that the client does not support.
  • You can enable this option for private resources to allow connections from users who do not have managed devices, such as contractors, vendors, and others with bring-your-own (BYOD) devices, and from devices that do not have a client. You do not need to install anything on such devices.
  • Access is solely via browser.
  • Users access private resources using a dummy URL that does not expose your actual resource address. Secure Access redirects browser-based traffic to the actual resource if access rules allow the traffic.
  • You can specify endpoint (device) requirements for these connections, but fewer than in the client-based posture profile.
  • If traffic is blocked, the user sees only a standard browser error. This prevents bad actors from obtaining information about your resources.

Comparison of Zero Trust Access and VPN< Comparison of Client-Based and Browser-Based Zero Trust Connections > Network Authentication for Zero Trust Access