Zero Trust Access to Internet Destinations
Some internet destinations outside your organization's network, such as YourCompany.OtherCompany.com, allow access only to traffic that originates from IP addresses that are within your organization's IP address space. Users who are in the office or using VPN will have the required IP address. Remote users who are not using VPN, including those using mobile devices, would not have access to the internet resource.
To allow these users to access the resource, use the solution described on this page to ensure that the egress IP address associated with their devices is within your organization's IP address space.
This solution also provides the ability to source traffic from local regions that do not currently have a Secure Access data center.
The solution on this page can be used only for individual SaaS applications that match the description above. It cannot be used for zero trust access to internet destinations in general, such as those defined by content category.
Solution Overview
- Install the Cisco Secure Client, including the Zero Trust Access module if applicable for the device, on managed devices, including mobile devices. Enroll each device in Zero Trust Access.
For details, see Zero Trust Access links in Cisco Secure Client Overview. - Configure a resource connector group and connectors in the region near the location from which the internet destination is hosted. For details, see Manage Resource Connectors and Connector Groups.
- Ensure that you have deployed enough connectors to handle potential capacity.
- Configure a private resource:
- Tip: Configure a private resource with the address of an actual private resource, ensure that all other requirements on this page are met, then test. After you verify that your configuration works as expected for the internal resource, change the Internally reachable address in the Private Resource configuration to the internet address and test again.
- The following settings are required:
- Specify the specific internet destination in the Internally reachable address field.
- Enable client-based zero trust access connections.
- Do not enable decryption.
- Associate the resource with a resource connector group.
Network tunnels will not work for this purpose.
- For details, see Add a Private Resource.
- Configure client-based endpoint requirements.
For details, see Add a Client-Based Zero Trust Access Posture Profile. - Ensure that all requirements are met for connecting traffic to a private resource using client-based Zero Trust Access and resource connectors.
For example, see Requirements for Zero Trust Access. - Network authentication requirements apply to this traffic. See Network Authentication for Zero Trust Access.
- Create a private access rule (NOT an internet access rule) and choose the private resource, configured above with the internet address, as a destination. For details, see Add a Private Access Rule.
- Note: Intrusion prevention (IPS) may not be fully effective because decryption is disabled.
- Ensure that your network (such as routes, ACLs, and NAT requirements) allows this traffic to be routed to the internet. (This step is performed outside of Cisco Secure Access.)
Updated 2 months ago