This topic describes how to use a browser to access internal corporate applications without installing the Secure Access Service Edge (SASE) client.
Use cases
This is ideal for external vendors or remote employees who need to securely access internal corporate applications from a browser without installing a client.
Prerequisites
If you use the CNAME proxy method, you must configure a CNAME record for your custom proxy domain name that points to the SASE access point domain name.
Implementation methods
SASE provides two proxy methods for agentless private access to internal domain names. Select the method that best suits your requirements.
| Proxy method | How it works | Pros | Cons |
| --- | --- | --- | --- |
| Domain mapping | SASE provides a new proxy domain name. Your employees can use this domain name to access the internal application. | Uses a separate, new domain name that does not interfere with existing access logic. | Changing the access domain name can cause the following issues: |
| CNAME | Uses a domain name owned by your organization. You create a CNAME record to point it to the SASE gateway, and your employees use this domain name to access the internal application. | Allows you to reuse an internal domain name. | More complex configuration process: |
Step 1: Create an application
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- Decide which proxy method to use based on whether you want to use a custom proxy domain name.
Domain mapping
Use a new proxy domain name provided by SASE. Your employees can use this domain name to access the internal application.
- Click Add Application. In the section, enter an Application Name, select the Browser-based Access checkbox, and then click Next.
- In the Application Address section, set Application Address, Port, Protocol, Proxy Domain Name (SaaS Proxy Gateway), and Configure Domain Name Mappings to set up the domain mapping proxy method.
  For Proxy Domain Name (SaaS Proxy Gateway), select Domain Mapping. SASE generates a new domain name that maps to the original application address, allowing employees to access the application through this new domain. In the Browser Access Settings section, select HTML-based Internal Domain Rewriting, JS-based Internal Request Rewriting, or Anonymous Access as needed.
CNAME proxy
Use a domain name owned by your organization and create a CNAME record to point it to the SASE gateway. Your employees use this domain name to access the internal application.
- In the upper-right corner of the page, click Certificate Management and upload your corporate SSL certificate and its private key to the SASE console.
- Click Add Application. In the section, enter an Application Name, select the Browser-based Access checkbox, and then click Next.
- In the Application Address section, configure parameters such as Application Address, Port, and Protocol. For Proxy Domain Name (SaaS Proxy Gateway), select CNAME and enter your custom proxy domain name.
  Example configuration: Set Port to 3001 and Protocol to HTTPS. Set Custom Proxy Domain Name to app.sase-test.com and create a CNAME record that points this domain to the access point domain name, for example, xxx.cloudsecsase.com. You also need to configure the DNS server address for Private DNS and select the corresponding SSL certificate.
- If your application meets the following conditions, you can click OK to finish creating the application. Otherwise, proceed to configure the Browser Access Settings and Advanced Settings.
  - Single sign-on (SSO) is not integrated.
  - Access to the application is not restricted by domain name.
  - The application does not contain links to other internal addresses.
  - The application's front end does not make cross-domain requests to other internal applications.
Browser access settings
If your application contains links to internal addresses or makes cross-domain requests to other internal applications, these resources are typically accessible when a client is used because the user is on the internal network. In an agentless scenario, however, other internal applications cannot be accessed directly. You must rewrite these links to ensure they work.
Configure HTML rewriting
- Select the HTML-based Internal Domain Rewriting checkbox. If other internal applications referenced in your application are already configured with proxy domain names in SASE, SASE automatically scans and replaces the links with the correct proxy domain names.
- In the following cases, the SASE gateway cannot perform automatic recognition. You must specify the original and rewritten addresses for SASE to replace the proxy domain name.

```html
<script>
  // In this example, a URL is declared in a JavaScript variable.
  // The SASE gateway cannot automatically detect this link, so you must specify a rewrite rule.
  const url = "https://www.a.com/";
  // The URL is then assigned to window.location.href to navigate to it.
  window.location.href = url;
</script>
```

To handle this, select the HTML-based Internal Domain Rewriting checkbox. Enter www.a.com in the Original Address field and www.b.com in the Rewritten Address field.
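To find the hosts that need such a manual rule before you publish an application, you can scan its pages for internal URLs written inside inline scripts. The following is an added example, not part of the SASE product or its documentation; the function names and the sample page are constructed, and `a.com` stands in for your internal domain suffix.

```python
import re
from html.parser import HTMLParser

# Captures the host part of absolute http(s) URLs.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


class InlineScriptHosts(HTMLParser):
    """Collects hosts of URLs that appear inside inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for host in URL_HOST.findall(data):
                self.hosts.add(host.lower().rstrip("."))


def hosts_needing_manual_rule(html, internal_suffixes):
    """Return internal hosts referenced from inline scripts, sorted."""
    parser = InlineScriptHosts()
    parser.feed(html)
    parser.close()
    suffixes = [s.lower().lstrip(".") for s in internal_suffixes]
    return sorted(
        h for h in parser.hosts
        if any(h == s or h.endswith("." + s) for s in suffixes)
    )


# Constructed sample page; a.com stands in for the internal domain.
SAMPLE_HTML = """<html><body>
<a href="https://wiki.a.com/home">Wiki</a>
<script>
  const url = "https://www.a.com/";
  const lib = "https://cdn.example.org/lib.js";
</script>
</body></html>"""

if __name__ == "__main__":
    print(hosts_needing_manual_rule(SAMPLE_HTML, ["a.com"]))
```

Each host the function returns is a candidate for an Original Address entry. The link in the `href` attribute is not reported because it is not inside a script body.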
Configure JavaScript rewriting
Select the JavaScript-based Internal Request Rewriting checkbox. If your application's front-end JavaScript code makes cross-domain requests to other internal applications, SASE automatically rewrites the request addresses.
Configure anonymous access
Select the Anonymous Access checkbox. Configure specific IP addresses or CIDR blocks that can access specific internal paths without identity verification or zero trust policy checks. Requests from these sources are allowed automatically.
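Because anonymous access skips identity verification and zero trust policy checks, review the source entries before you save them. The following is an added example, not part of the SASE product; the rule list format, the prefix thresholds, and the treatment of `/` as covering the whole application are assumptions made for illustration.

```python
import ipaddress

# Assumed review thresholds: sources wider than these are reported as broad.
MIN_PREFIX = {4: 24, 6: 64}


def audit_anonymous_rules(rules):
    """Return (source, path, finding) for each risky anonymous-access entry.

    rules: iterable of (source, path) pairs, where source is an IP address or
    CIDR block and path is the internal path it may reach without login.
    """
    findings = []
    for source, path in rules:
        try:
            net = ipaddress.ip_network(source.strip(), strict=False)
        except ValueError:
            findings.append((source, path, "invalid-source"))
            continue
        if net.prefixlen == 0:
            findings.append((source, path, "any-source"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((source, path, "broad-source"))
        # Assumption: a bare "/" or empty path covers the whole application.
        if path.strip() in ("", "/"):
            findings.append((source, path, "whole-app-path"))
    return findings


# Constructed sample entries (documentation address ranges, made-up paths).
SAMPLE_RULES = [
    ("203.0.113.10", "/healthz"),
    ("10.0.0.0/8", "/status"),
    ("0.0.0.0/0", "/api/public"),
    ("198.51.100.0/24", "/"),
    ("192.168.1.300", "/metrics"),
]

if __name__ == "__main__":
    for source, path, finding in audit_anonymous_rules(SAMPLE_RULES):
        print(f"{finding:15} {source:18} {path}")
```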
Advanced settings
You can configure gateway request rewriting to modify headers and query parameters in agentless requests. This allows you to add identifiers to requests for tracking and analysis.
In the Advanced Settings section, configure Headers Rewrite: Set Type to Request Header, Operation to Add, Parameter Name to source, and Parameter Value to agent. For Query Parameter Rewrite, set Operation to Add, Parameter Name to name, and Parameter Value to Username.
- After you complete the configuration, click OK. The configuration takes effect in about 2 minutes.
Step 2: Configure a zero trust policy
Configuring a zero trust policy enhances security by ensuring that only authenticated users can access the application through a browser.
- In the left-side navigation pane, choose .
- Click Create Policy. In the Create Policy panel, configure the Applicable User and the application.
  Note: Agentless applications do not support security baselines or trigger templates.
  The form also includes Policy Name (example: "Agentless Access Zero Trust Policy"), Description, Priority (range: 1 to 50, and cannot start with 0), and Action (example: Allow Access, which you can toggle on or off). In this example, "HR Department" is added to Applicable User, and "app1-agentless" is added to Selected Applications. After you complete the configuration, click OK.
- Click OK.
Step 3: Verify the configuration
- On a test machine, verify that the proxy domain name resolves to the SASE access point.
- Open a browser and navigate to the proxy domain name to verify that you can access the internal application.
  Note: When you access the application for the first time, you are redirected to a login page.
  - Domain mapping method: Copy the proxy address from the application list.
  - CNAME proxy method: Access the application by using your custom proxy domain name.
Other operations
For users who have enabled DingTalk as an identity provider, refer to Secure access for DingTalk users through Secure Access Service Edge. Create a web application, set the Application Homepage Address to the proxy domain name of your agentless private access application, and specify the applicable users. With this configuration, DingTalk users can access the application without logging in again.