SSEDOCS-874 - Traffic Steering for ZTA Connections to Internet and SaaS Destinations
Some internet and SaaS destinations outside your organization's network, such as YourCompany.OtherCompany.com, allow access only to traffic that originates from IP addresses that are within your organization's IP address space. Users who are in the office or using VPN will have the required IP address. Remote users who are not using VPN, including mobile devices and users who are on another company's VPN (for example a partner's or client's VPN), would not have access to the internet resource.
To allow these users to access the resource, use the solution described on this page to ensure that the egress IP address associated with their devices is within your organization's IP address space.
There are two ways to do this:
- Option 1: Use the method described in this topic to allow Zero Trust Access connections to internet and SaaS destinations you specify.
- Option 2: Configure these internet destinations as private resources and follow additional instructions in Zero Trust Access for Internet Destinations.
Either method is seamless for your users. All users and devices that are properly configured for Zero Trust Access will automatically use the method you configure to connect to configured destinations.
Procedure
To allow client-based Zero Trust Access to internet and SaaS destinations:
- Ensure that each destination site allows access from the egress IP addresses that your users' connections will use, as discussed in the Web Traffic and NATaaS section of Secure Access NAT as a Service.
- Add the applicable destinations to one or more destination lists. See Manage Destination Lists and subtopics. URLs are treated as domains. Do not include addresses that are not publicly routable.
- Install the latest version of Cisco Secure Client on user endpoint devices. Ensure that the client is enrolled in Zero Trust Access. See the applicable subtopics under Cisco Secure Client Overview. Windows, macOS, iOS, and Android clients support this feature.
- Navigate to Connect > End User Connectivity > Zero Trust Access > Traffic Steering, edit the Zero Trust Access Profile, go to the internet and SaaS destinations page of the wizard, and select one or more destination lists. Optionally, add any exceptions.
- Define internet access rules for the destinations. You can specify the same destination lists that are specified in the ZTA profile.
Keep the following points in mind:
- URLs in destination lists are treated as domains for traffic steering purposes.
- When you configure the traffic steering profile, you can specify destinations on the list that you do not want to be handled using Zero Trust Access. For example, if the destination list includes *.example.com, and you want to exclude ExcludedDestination.example.com, add that exclusion to the traffic steering rule. Enter destinations to exclude as a comma-separated list.
- Removing a destination list from a Zero Trust Access profile does NOT remove the destination list from Secure Access.
- Future deletions, changes, or additions to the selected destination lists will affect Zero Trust Access traffic steering to those destinations.
- User authentication interval settings configured on the rule defaults page for access rules do NOT apply to internet traffic.
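The points above (URLs treated as domains, wildcard entries, comma-separated exclusions, and no non-publicly-routable addresses) can be checked before a destination list is saved. The following is an added example written for this page, not Cisco code and not Secure Access's actual matching logic; it assumes a *.example.com wildcard covers subdomains only and that an exclusion is an exact host match.

```python
"""Model of this page's steering rules: a URL is reduced to its host,
a '*.' entry matches subdomains, excluded hosts are skipped, and
non-public IP addresses are rejected before they reach a list."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data, not an actual Secure Access export.
# The RFC 1918 address is included to show it being rejected.
DESTINATION_LIST = ["*.example.com", "https://saas.partner.example/login", "10.0.0.5"]
EXCLUSIONS = "ExcludedDestination.example.com, test.example.com"


def to_domain(entry: str) -> str:
    """Reduce a URL to its host, as the page says steering does."""
    entry = entry.strip().lower()
    if "://" in entry:
        return urlsplit(entry).hostname or ""
    return entry.split("/", 1)[0]


def is_publicly_routable(entry: str) -> bool:
    """Reject private, loopback and link-local IPs; names pass through."""
    try:
        return ipaddress.ip_address(entry).is_global
    except ValueError:
        return True  # not an IP literal, treat as a public domain


def validate_list(entries):
    """Return (accepted_domains, rejected_entries) for a destination list."""
    accepted, rejected = [], []
    for e in entries:
        d = to_domain(e)
        (accepted if d and is_publicly_routable(d) else rejected).append(d or e)
    return accepted, rejected


def matches(pattern: str, host: str) -> bool:
    """Assumption: '*.example.com' matches subdomains, not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def steered_via_zta(host: str, dest_list, exclusions: str) -> bool:
    """True when host hits an accepted list entry and is not excluded."""
    host = to_domain(host)
    excluded = {to_domain(x) for x in exclusions.split(",") if x.strip()}
    if host in excluded:
        return False
    accepted, _ = validate_list(dest_list)
    return any(matches(p, host) for p in accepted)
```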