Comparison of Client-Based and Browser-Based Zero Trust Access Connections
You can configure up to two ways for users to connect to private resources using Zero Trust Access:
Client-based connections:
- The Cisco Secure Client is installed on the end-user device.
- Users can access resources using any protocol.
- Users access using the internal resource address you specify in the Private Resource.
- The client-based posture profile offers more options for controlling endpoint (device) requirements than the browser-based posture profile offers.
- You can block access to specified subdomains when the resource address for client-based connections is configured as a wildcard FQDN. See Using Wildcards to Configure Traffic Steering for Private Destinations.
- When traffic is blocked, the user sees a Block page, provided all requirements are met. See Block pages for Private Resources.
Browser-based connections:
- Access does not require a client installed on the user endpoint device.
- Use this option to allow access from devices with an operating system that the client does not support.
- You can enable this option for private resources to allow connections from users who do not have managed devices, such as contractors, vendors, and others with bring-your-own (BYOD) devices, and from devices that do not have a client. You do not need to install anything on such devices.
- Access is solely via browser.
- Users access private resources using a dummy URL that does not expose your actual resource address. Secure Access redirects browser-based traffic to the actual resource if access rules allow the traffic.
- You can specify endpoint (device) requirements for these connections, but fewer than in the client-based posture profile.
- If traffic is blocked, the user sees only a standard browser error. This prevents bad actors from obtaining information about your resources.
- Users who have the client installed can always access a resource using the clientless browser-based URL if your access rules allow them access.
Updated 4 months ago