Manage enterprise terminal endpoints - Secure Access Service Edge

SASE provides built-in Software as a Service (SaaS) endpoints that serve as the initial connection points for enterprise networks. You can also deploy dedicated endpoints in offices, data centers, or other cloud environments using the SASE service. This deployment enables zero trust permission management for users accessing enterprise applications from office locations. This topic describes how to manage SaaS endpoints, configure dedicated endpoints, and configure endpoint access policies.

Types of terminal endpoints

SASE uses a software-defined wide area network (SD-WAN) architecture. The SASE App intelligently identifies and connects to the nearest endpoint to ensure a high-quality user experience.

Endpoint endpoint Type

Description

Server deployment requirement

SaaS endpoint

SaaS endpoints are shared by all users and may cause network latency.

Supported editions:

Private Access Basic Edition
Private Access Premium Edition

Dedicated endpoint

A dedicated endpoint is exclusive to your enterprise and provides high security at low network latency.

Supported edition:

Private Access Premium Edition

To configure a dedicated endpoint, you must prepare a server for deployment. The server must meet the following requirements:

Operating system: CentOS 7 or later, Ubuntu 18.04 or later, or Debian 12 or later. SELinux must be disabled.
CPU: 4 cores
Inbound bandwidth per server: 400 Mbps
Memory: 8 GB

Note

To achieve high availability and prevent a single point of failure, you can deploy a dedicated endpoint on multiple servers. The servers can be physical machines or virtual machines.

Manage SaaS endpoints

After you enable the private access feature, all SaaS endpoints are enabled by default. You can enable or disable individual endpoints based on your requirements. The following table lists the endpoints and VPC networks supported by each edition.

Edition	Supported endpoints and VPC networks
Private Access (Basic Edition)	Beijing, Shanghai, Shenzhen, Silicon Valley, Virginia, Frankfurt, Singapore, Tokyo, Hong Kong (China), and Dubai.
Private Access (Premium Edition)	Beijing, Shanghai, Shenzhen, Silicon Valley, Virginia, Frankfurt, Singapore, Tokyo, Hong Kong (China), and Dubai.
Internet Access Security (Office Data Protection Edition)	Not supported.
Endpoint Protection (Anti-virus Edition)	Not supported.

Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose Private Access > Terminal Access.
On the Access Point Management > SaaS Access Point page, view information about the built-in SaaS endpoints of SASE.
Find the target endpoint and, in the endpointAccess Point Switch column, enable or disable the endpoint.
Click Details in the Actions column of the target endpoint to view its address, name, and configuration. You can also modify the endpoint name.
Configure a whitelist of back-to-origin IP addresses on the application side to ensure connectivity.
- In the Origin IP column of the target endpoint, view the Origin IP. If your business application restricts access by IP address, add the Origin IP to the application’s access whitelist, such as a firewall or security group.
- If your office network restricts access by IP address, go to the Private Access > Terminal Access page before upgrading and add the IP address ranges of all enabled points of presence (POPs) to the whitelist. Otherwise, employees may be unable to connect to the private network through SASE SaaS endpoints after the upgrade.
  Note
  This does not apply in the following cases:
  - Your office network has no IP whitelist restrictions.
  - Only SASE domain names—not fixed IP addresses—are added to the whitelist of your office network.
  - You use dedicated endpoints.

Configure a dedicated endpoint

Step 1: Add a dedicated endpoint

On the Access Point Management > Dedicated Access Point tab, click Create Dedicated Access Pointendpoint.

In the Create Dedicated Access Pointendpoint panel, configure the parameters and click OK.

Configuration item	Description
Chinese Access Point Name	Set the Chinese name of the dedicated endpoint.
English Access Point Name	Set the English name of the dedicated endpoint.
endpointAccess Point Location	Set the region where the dedicated endpoint is located. Valid values: the Chinese mainland and outside the Chinese mainland.
endpointAccess Point Configuration	You can configure a public endpoint and a private endpoint as needed. Configure a public endpoint Public Endpoint When employees work remotely, the SASE App automatically connects to the dedicated endpoint through a public domain name. After the user is authenticated based on the zero trust policy, the dedicated endpoint forwards access traffic to the destination application. Important Before you start, make sure that the public IP address of the server where the dedicated endpoint is deployed can access your enterprise applications. Certificate Content Upload the certificate content for the public endpoint. The certificate file must be in the .crt or .pem format. Private Key Content Upload the private key of the certificate. The private key file must be in the .key or .pem format. Configure a private endpoint Private Endpoint When employees work in the office, the SASE App automatically connects to the dedicated endpoint through a private domain name. After the user is authenticated based on the zero trust policy, the dedicated endpoint forwards access traffic to the destination application. Important Before you start, make sure that the private IP address of the server where the dedicated endpoint is deployed can access your enterprise applications. If you enable this configuration, allow only the private IP of the endpoint server to access all your enterprise applications. Certificate Content Upload the certificate content for the private endpoint. The certificate file must be in the .crt or .pem format. Private Key Content Upload the private key of the certificate. The private key file must be in the .key or .pem format.
Port	Enter the port number of the endpoint.
Status	Set the enabling status of the dedicated endpoint. Only dedicated endpoints in the Enabled state can be used by enterprise employees.

Step 2: Deploy a dedicated endpoint on a server

On the Access Point Management > Dedicated Access Point tab, find the dedicated endpoint that you added and click Actions in the Deploy column.
On the Deploy tab, copy the deployment command and run it on the server to deploy the dedicated endpoint.
After deployment completes, manually add a DNS record on the deployment server.
SASE also provides commands to upgrade or uninstall the dedicated endpoint on the server. Run these commands as needed to upgrade or uninstall the endpoint.
After successful deployment, you can use the dedicated endpoint to access the server over the Internet. In this network topology, business data does not pass through SASE, but logs are reported to SASE.
If you do not want to expose the public IP address of your application server, modify the network topology. Deploy the endpoint on an Internet-facing server to isolate your business network. In this case, create an SASE connector and establish a network channel between the dedicated endpoint and the SASE connector (Step 3). For more information, see Use an SASE connector.

Step 3: Establish a network channel between the dedicated endpoint and the SASE connector

On the Access Point Management > Dedicated Access Point tab, find the dedicated endpoint that you added and click Details in the Actions column.
On the Associated Connector tab, turn on the Associated Connector switch.
Configure the reverse connection port used for communication between the SASE connector server and the dedicated endpoint server.
By default, the dedicated endpoint uses port 9813. If this port is already in use, specify a different reverse connection port.
Configure the IP address of the dedicated endpoint server that communicates with the SASE connector server.
Use a private IP address for communication. To use a public IP address, configure an access control policy to allow public IP communication only between the dedicated endpoint server and the SASE connector server.
If your network contains multiple application servers and you have deployed an SASE connector on each server, configure the IP address of each application server.
Click OK.
After configuration completes, you can view the status and details of the endpoint in the dedicated endpoint list.

Configure a terminal access policy

SASE provides a built-in policy that authorizes access to the SASE built-in endpoints in the Chinese mainland. This policy is enabled by default. If you have authorized endpoints for Global Office, the built-in SASE client access policy also includes the Global Office endpoints.

If the built-in access policy does not meet your business requirements, you can create a custom terminal access policy.

Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose Private Access > Terminal Access.
On the Policy Management page, click Create Policy.

In the Create Policy panel, configure the parameters and click OK.

Configuration item	Description
Policy Name	Set the name of the terminal access policy. The name must be 1 to 64 characters in length and can contain Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.).
Authorized Access Points	Set the endpoints that authorized users are allowed to access.
Secondary Access Points	Add backup endpoints. Backup endpoints are not displayed by default. They are enabled when the latency of all authorized endpoints exceeds 500 ms.
Policy Status	The status of the terminal access policy. Only policies in the Enabled state can take effect.

What to do next

Employees log on to the SASE App, select a network endpoint, and connect to the private network. For more information, see Enable or disable security protection for private access.

References

For more information about how to authorize and enable endpoints for global offices, see Establish network channels for global offices.