Manage Private Resources

You can configure and add private resources to your organization. Private resources are applications, networks, or subnets that your organization controls. These resources are not publicly accessible from outside your network, such as:

  • Applications and services that run on-premises in your data center
  • Resources running on private clouds hosted from your data center

Table of Contents

Step 1 – Configure Private Resources

Configure end user connections to a private resource, and then add a private resource to a private resource group.

  1. Understand your connection options
    Specify connection requirements for private resources where you want to allow access.

  2. Add Private Resources

    • Work with resource owners to gather the information needed to configure each resource. For more information, see Add Private Resources.
  3. Add new Private Resources to Resource Connector Groups
    If your traffic connects through Resource Connectors rather than Network Tunnels, and you add a private resource after you add the resource connector group, you must add the new resource to a connector group. For more information, see Assign Private Resources to a Connector Group.

Optional Configuration for Private Resources

  1. (Optional) Block zero-trust access to specified subdomains
    If you configure a Private Resource with an IP address having a leading wildcard (for example: *.example.com), you can block zero-trust connections to subdomains that you specify.

    Notes:
    -- User devices must have the Cisco Secure Client deployed. For more information, see Using Wildcards to Configure Traffic Steering for Private Destinations.
    -- If you have deployed the zero trust client on iOS devices, see unique matching information in the "Guidelines and Limitations" section of the Set up the Zero Trust Access App for iOS Devices topic.

  2. (Optional) Add Private Resource Groups
    To speed creation and management of access rules, and ensure consistent handling of related private resources, create groups of private resources that you want to manage as a unit. For more information, see Add Private Resource Groups.

Step 2 — Set Up Network Connections, VPN Profiles, and Certificates

  1. Configure network connectivity for zero-trust connections
    Add Network Tunnel Groups or Resource Connectors to allow Secure Access to communicate with and direct traffic to your private resources. For more information, see Manage Network Connections.
  2. Add VPN profiles
    To allow VPN connections to private resources, add VPN profiles to your organization. VPN configurations such as VPN traffic steering rules must exist for the applicable network address spaces. For more information, see Manage Virtual Private Networks.
  3. Add and manage certificates for private resources
    Secure Access requires certificates in order to connect user traffic with your private resources and decrypt that traffic for inspection by the Intrusion Prevention System (IPS). You can upload the certificate for a resource when you configure the resource, or manage certificates from the certificate list. For more information, see Certificates for Private Resource Decryption.

Step 3 — Add Private Resources in Private Access Rules

  1. Add private access rules
    After you add private resources to your organization, these resources are available for you to use as destinations in your private access rules. Add private access rules that define which users and devices can access the private resource in the organization. For more information, see Add a Private Access Rule.

Step 4 — Set Up the Cisco Secure Client and Distribute URLs

  1. Ensure that user devices are set up for client-based Zero Trust Access
    To configure resources for client-based zero-trust access, ensure that user devices meet the requirements for Zero Trust. You must have the Cisco Secure Client Zero Trust Access module deployed on the devices in your organization. For more information, see Requirements for Cisco Secure Access with Zero Trust.
  2. Distribute URLs for browser-based Zero Trust Access
    Establish a system for making users aware of the special URLs needed for browser-based Zero Trust Access.

Delete a Roaming Device < Manage Private Resources > Add a Private Resource