About Isolated Destinations


Secure Access Packages and Feature Availability

Not all of the features described here are available to all Secure Access packages. Information about your current package is listed on the Admin > Licensing page. For more information, see Determine Your Current Package. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. See also Cisco Secure Access Packages.

Remote browser isolation (RBI) protects identities from potential malware and other threats by redirecting browsing to a cloud-based host. Destinations and threat categories supported by RBI can be isolated when added to an Internet access rule in a Secure Access policy. When you add a rule and specify an Isolate rule action, Secure Access creates a remote browser when users attempt to access the destination or threat category selected in the rule. Instead of blocking identities from the endpoints, a cloud-based browser hosts the browsing session for that destination or threat category.

There are prerequisites that must be met before you can successfully isolate destinations.

Secure Access Prerequisites

  • Decryption must be enabled for the rule. Make sure it is enabled in the web profile selected in the rule.
  • If a Do Not Decrypt list is specified in the web profile, the list cannot include destinations (within destination lists, content categories, or application settings) that are required for isolation. This ensures those domains and URLs can be decrypted.
  • Destinations required or intended for isolation should not be included in your bypass lists. For more information, see Manage Domains and Manage Internet Security.

Browser Prerequisites

  • Access to third-party cookies enabled.
    Note: By default, most browsers (for example, Google Chrome) have third-party cookies blocked in incognito mode. You must update this setting to allow access to third-party cookies for isolation to work.
  • Minimum supported browser versions:
    • Apple Safari 9
    • Google Chrome 34
    • Microsoft Edge 12
    • Mozilla Firefox 17
    • Samsung Internet 11
  • The Cisco Secure Access root certificate or customer CA-signed certificate must be installed. For more information, see Manage Certificates.

Note: Browser extensions and plugins are not supported and browser-specific features are not guaranteed to work. Regardless of the browser the user initiates the browsing session with, the cloud-based browser for isolation will always be Google Chrome.

Secure Access Package Support for RBI and Isolation Rules

Secure Access remote browser isolation (RBI) provides an added layer of protection against browser-based security threats for high-risk users. RBI moves the most dangerous part of browsing the internet away from the end user’s device and into the cloud. This makes it possible for users to visit risky web destinations safely, enabling users to be productive and access the web destinations they need without negative impacts.

Secure Access provides two levels of RBI support:

Isolate Any

Supported destinations include:

  • All content categories
  • All destination lists
  • All applications
  • All threat categories

Isolate Risky

Supported destinations include:

  • Uncategorized content categories
  • All threat categories

When chosen as the rule action, the availability of destinations and threat categories is based on your Secure Access package's RBI support.

  • Isolate Any is bundled with Secure Access Advantage.
  • Isolate Risky is bundled with Secure Access Essentials.
  • If you have the Secure Access Essentials package and want the Isolate Any capability, you need to upgrade to the Secure Access Advantage package.
  • You cannot upgrade your RBI capability independent of the Secure Access Advantage package upgrade.

Limitations of Isolation

  • You can isolate either destinations or threat categories in a Secure Access policy Internet access rule. You cannot specify both in the same rule. You can create a separate rule for each type.
  • Only top-level page requests can be isolated, and a page is either isolated entirely (the top-level request and its resource requests) or not at all.
  • Isolation only functions for an entire application, not for specific actions such as uploads or posts. When an application is isolated, it can no longer be blocked, allowed, or warned, even at the action level. For example, if one rule in a ruleset is configured to block Box Cloud Storage uploads, but another rule is configured to isolate Box Cloud Storage for the same identities, uploads for Box Cloud Storage will not be blocked.
  • If your Secure Access package expires or downgrades, any rule with Isolate will no longer work as expected. You should review and update the Action setting for these rules as needed.
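
An added example (not Cisco code): a pre-deployment check over a constructed set of rules that flags the prerequisite and limitation conflicts listed above. The dictionary fields, the sample names, and the parent-domain matching in `covered` are assumptions made for this example, not the Secure Access API schema.

```python
# Added example: field names and sample data are constructed, not the Secure Access schema.

def covered(dest, entries):
    """True if dest equals an entry or is a subdomain of one (assumed matching rule)."""
    return any(dest == e or dest.endswith("." + e) for e in entries)

def audit_isolation(rules, web_profiles, bypass_list):
    """Return sorted (rule name, finding) pairs for the documented prerequisites and limitations."""
    findings = set()
    isolated_apps = {}  # (identity, application) -> name of the Isolate rule
    for r in rules:
        if r["action"] != "isolate":
            continue
        profile = web_profiles[r["web_profile"]]
        if r["destinations"] and r["threat_categories"]:
            findings.add((r["name"], "destinations and threat categories in the same rule"))
        if not profile["decryption"]:
            findings.add((r["name"], "decryption is not enabled in the web profile"))
        for dest in r["destinations"]:
            if covered(dest, profile["do_not_decrypt"]):
                findings.add((r["name"], f"{dest} is on the Do Not Decrypt list"))
            if covered(dest, bypass_list):
                findings.add((r["name"], f"{dest} is on a bypass list"))
        for ident in r["identities"]:
            for app in r["applications"]:
                isolated_apps[(ident, app)] = r["name"]
    # Action-level controls on an isolated application no longer apply.
    for r in rules:
        if r["action"] == "isolate":
            continue
        for ident in r["identities"]:
            for app in r["applications"]:
                if (ident, app) in isolated_apps:
                    findings.add((r["name"], f"{r['action']} on {app} has no effect for {ident}: "
                                             f"isolated by {isolated_apps[(ident, app)]}"))
    return sorted(findings)

# Constructed sample policy
PROFILES = {"default": {"decryption": True, "do_not_decrypt": ["example.org"]}}
BYPASS = ["intranet.example.net"]
RULES = [
    {"name": "isolate-box", "action": "isolate", "web_profile": "default", "identities": ["finance"],
     "destinations": ["files.example.org"], "threat_categories": [], "applications": ["Box Cloud Storage"]},
    {"name": "block-box-uploads", "action": "block", "web_profile": "default", "identities": ["finance"],
     "destinations": [], "threat_categories": [], "applications": ["Box Cloud Storage"]},
]

if __name__ == "__main__":
    for rule, finding in audit_isolation(RULES, PROFILES, BYPASS):
        print(f"{rule}: {finding}")
```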
