Connection Scenarios for Private Destinations

If both the client-based zero trust and VPN options are enabled for the resource:

• If the client is installed on the user device and enrolled for zero trust access, the connection uses client-based zero trust access.
• Otherwise, the connection uses VPN.
• If a client that is enabled for zero trust access cannot reach a resource that is configured for client-based zero trust access, the system does not attempt to connect using VPN.

If a private resource is not configured in Secure Access but the VPN client is installed on the end-user device, the user can access the resource using VPN if:

• A VPN traffic steering rule routes traffic to the applicable network address space
• A private access rule allows traffic to the applicable network address space

If a user accesses a resource with their browser using the address configured in a private resource for that purpose, the connection will always use browser-based zero trust access, even if Cisco Secure Client is installed.

If a private access rule allows traffic to a destination that is not configured as a private resource, for example the destination is entered directly in a private access rule: Traffic may use zero trust access if a traffic steering rule for the destination has been added to the list on the Connect > End User Connectivity > Zero Trust page.