Trusted Networks for Zero Trust Access Connections

Trusted networks are typically within your corporate network, but could, for example, be part of a trusted partner's network. Different trusted networks might represent different site locations, for example Hong Kong or London.

Define trusted networks using the criteria that Cisco Secure Client will use to detect when the user endpoint device is "in the office" so the user's traffic can be routed as intended.

For example, if you have configured certain destinations to be connected using Zero Trust Access, you can choose not to use Zero Trust Access when the user is in the office, and instead use the security and connectivity mechanisms that apply to on-network traffic.

Caution: You can define any network as a trusted network; Secure Access does not impose any restrictions. Define your trusted networks carefully and ensure that any expected security and connectivity mechanisms are in place.

This feature is sometimes called "Trusted Network Detection."

To define a trusted network:

  1. Navigate to Connect > End User Connectivity and click the Zero Trust Access tab.
  2. In the ZTA Profiles section, click the Manage Trusted Networks button.
  3. Click + Trusted Network.
  4. Add at least one criterion that the client will use to determine whether the device is on a trusted network, and add at least one value for each enabled criterion.
    You can specify each criterion type only once, but you can enter multiple values for each type.
    For example, you can choose DNS Servers as a criterion, and specify multiple DNS Servers. The client needs to detect only one of the specified DNS Servers.
    If you specify multiple criterion types, the client must detect one entry of each type. For example, if you select DNS Domains and DNS Servers, the client must detect one of the specified entries for each.
    The criterion types are:
      • DNS Domains
      • DNS Servers
      • Trusted Servers
  5. If you enable the Trusted Servers criterion, you must provide the server address and the hash of the certificate that the specified server will present to the client.
    You can specify up to 10 trusted servers. The client only needs to validate the certificate hash of one server in the list to meet the Trusted Server criterion.
  6. Click Save.

Example:

If you configure the following criteria:

  • DNS Domains: YourCompany.com and AcquiredCompany.com
  • DNS Servers: 10.10.10.10 and 10.10.10.11
  • Trusted Servers: server1.YourCompany.com with hash xyz and server2.YourCompany.com with hash abc

Then the client will recognize a trusted network if it detects all of the following (one entry of each configured type):

  • AcquiredCompany.com
  • 10.10.10.11
  • server2.YourCompany.com with hash abc
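As an added illustration of the matching rule described above (any one value satisfies a criterion type, but every enabled type must be satisfied), here is a small evaluator written for this page; it is not Cisco Secure Client code. It assumes the configured certificate hash is a SHA-256 digest of the DER certificate and that DNS names compare case-insensitively; the hosts, addresses and certificate bytes used with it are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

MAX_TRUSTED_SERVERS = 10  # limit stated in the documentation


@dataclass
class TrustedNetwork:
    """Configured criteria. Each enabled type needs at least one value."""
    dns_domains: set[str] = field(default_factory=set)
    dns_servers: set[str] = field(default_factory=set)
    # server address -> expected certificate hash (SHA-256 hex assumed here)
    trusted_servers: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not (self.dns_domains or self.dns_servers or self.trusted_servers):
            raise ValueError("at least one criterion with one value is required")
        if len(self.trusted_servers) > MAX_TRUSTED_SERVERS:
            raise ValueError(f"at most {MAX_TRUSTED_SERVERS} trusted servers")
        # DNS names are case-insensitive; normalise for comparison (assumption)
        self.dns_domains = {d.lower() for d in self.dns_domains}
        self.trusted_servers = {h.lower(): v.lower() for h, v in self.trusted_servers.items()}


@dataclass
class Observation:
    """What the endpoint sees on its current network."""
    dns_domains: set[str]
    dns_servers: set[str]
    presented_certs: dict[str, bytes]  # server address -> DER certificate presented


def cert_hash(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def is_trusted(cfg: TrustedNetwork, obs: Observation) -> bool:
    """OR within a criterion type, AND across the enabled types."""
    results = []
    if cfg.dns_domains:
        results.append(bool(cfg.dns_domains & {d.lower() for d in obs.dns_domains}))
    if cfg.dns_servers:
        results.append(bool(cfg.dns_servers & obs.dns_servers))
    if cfg.trusted_servers:
        # a server counts only if the certificate it actually presented hashes
        # to the configured value; a substituted certificate is not a match
        results.append(any(cfg.trusted_servers.get(host.lower()) == cert_hash(der)
                           for host, der in obs.presented_certs.items()))
    return all(results)
```

A network that presents the right DNS servers but a different certificate for the trusted server is not recognized, which is why the Caution above matters: the criteria only describe a network, they do not make it safe.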
