Secure Access Service Edge: Global office acceleration

Last Updated: Jun 23, 2026

Configure an Alibaba Cloud Secure Access Service Edge (SASE) connector to connect your corporate intranet and integrate with Global Accelerator (GA), providing globally distributed employees with fast, stable, and secure access to internal applications.

Prerequisites

Before you begin, ensure you meet the following requirements:

  • You have activated Alibaba Cloud Secure Access Service Edge (SASE).

  • You have an Alibaba Cloud account with the required permissions to manage SASE, Global Accelerator (GA), VPC, and ECS.

  • The SASE client is installed on employee devices in the acceleration region.

Acceleration traffic flow

Note

The following diagram shows an example of a user in Shanghai, China accessing a service in Silicon Valley, USA.

[Image: acceleration traffic flow diagram]

Billing

Enabling Global Accelerator automatically creates a pay-as-you-go GA instance in Global Accelerator (GA), which incurs additional fees.

Configure SASE identities and users

Step 1: Create an identity source

  1. Navigate to the Identity Access page and click the Identity synchronization tab.

  2. Click Create IdP. This guide uses a Custom IdP as an example.

    Note

    In a production environment, we recommend integrating SASE with your corporate identity provider (IdP), such as AD, LDAP, DingTalk, or WeCom.

    1. In the Basic Configurations step, enter an IdP Name and Description, and set the IdP Status to Enabled. Click Next.

    2. In the Logon Settings step, configure the PC Logon Method and Mobile Device Logon Method. This example uses the default settings. You can enable Two-factor Authentication as needed.

    3. After confirming the settings, click Ok to create the identity source.

Step 2: Create users and user groups

  1. Navigate to the Identity Access page and click the Employee Center tab. From the drop-down list on the left, select the identity source you created in the previous step and click Add User.

  2. In the Add User panel, enter the username, password, and other information, and assign the user to the target identity source under Department.

    Other fields include Position, Email (required), Mobile, Employment Status (defaults to Active), Account Expiration Time, and Remarks. The system automatically freezes the account upon expiration. When finished, click OK.

  3. Switch to the User Group Management tab. Click Create User Group, set a name (for example, dev-group), and configure the Group Scope as needed.

    In the Group Scope area, you can filter users by criteria such as Organizational Structure, Account Name, Email, or Mobile Number, and set the Configuration relationship (equals or not equals). When finished, click OK.

  4. After confirming the information, click OK.

Configure connector connectivity

Deploy a SASE connector on the server or in the data center that hosts your business resources, then enable the instance to establish network connectivity.

Step 1: Add a SASE connector

  1. Log on to the Secure Access Service Edge console. In the left-side navigation pane, choose Private Access > Network Settings.

  2. On the Non-Alibaba Cloud business tab, add a connector.

    1. On the Connectors tab, click Add Connector.

    2. In the Add Connector dialog box, configure the parameters. Then, click OK.

      • Region: The region where the connector is deployed. Select the region closest to your server for optimal access quality.

      • Instance Name: The name of the connector.

      • Instance Switch: SASE end users can access applications associated with the connector only when the instance switch is in the Enable state. You can also enable the instance switch from the connector list or on the connector's Details panel.

        Important

        Disabling the connector instance switch will prevent end users from accessing internal applications through the SASE client. Proceed with caution.

      After adding the connector, you can view it in the connector list.

  3. Enable Global Accelerator.

    1. Find the connector instance you created and click Details in the Actions column.

    2. On the connector's instance information page, find the Global Acceleration section and enable it.

    3. In the Enable GA dialog box, enter the following information:

      Important

      When you enable Global Accelerator for the first time, you are prompted to authorize the automatic creation of the service-linked roles AliyunServiceRoleForGaCdt and AliyunServiceRoleForGaVpcEndpoint. These roles allow Global Accelerator to access your resources in SASE.

      • GA Instance Name: Required. Enter a name for the Global Accelerator instance.

        Important

        Global Accelerator fees include instance fees, Capacity Unit (CU) fees, and data transfer fees.

      • Resource Group: Select a resource group.

      • Terms of service: By clicking Submit, you agree to the relevant service terms.

      After confirming the information, click Next.

    4. Configure the Acceleration Region and Allocate Bandwidth.

      • Acceleration Region: Select an acceleration region geographically close to your users.

        Note

        The Dubai region is not currently supported as an acceleration region.

      • Allocate Bandwidth: The bandwidth value can range from 2 to 10,000 Mbps. The following bandwidth allocation methods are supported:

        • Allocate Bandwidth by Region: Customize the peak bandwidth for each acceleration region.

        • Batch Set: Set a uniform peak bandwidth for all regions.

      After completing the configuration, click OK. Creating the acceleration instance may take some time.

    5. After the acceleration instance is created, you can view its details on the details page.

      The details page shows the following: Associated Policy is not yet configured, the instance switch is enabled, Global Accelerator is enabled, the Acceleration instance status is Available, and the Acceleration instance ID starts with ga-.

Step 2: Deploy the connector

  1. In the Actions column for the connector you added, click Deploy. In the Deploy panel, obtain the deployment command.

  2. Log in to the destination server or virtual machine as the root user and run the deployment command. The Deploy panel also provides commands for upgrading the connector, uninstalling it, and exporting logs.

    The Deploy panel provides the following server specification recommendations: CentOS 7.0+, Ubuntu 18.04+, or Debian 12+ (with SELinux disabled), 4-core CPU, and 8 GB memory. A single server provides up to 200 Mbps of access bandwidth. A connector instance can be deployed on multiple servers for high availability. The panel also provides the command to stop the service: systemctl stop aliyun_sase_connector.service.

  3. After deployment, the instance status will be Connected on the instance details page, where you can also view the instance ID and other information.
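A preflight check for the server recommendations listed in the Deploy panel, to run before the deployment command. This is an added example, not Alibaba Cloud's own tooling; the function names and the 7.5 GiB memory tolerance are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Alibaba Cloud code): preflight for a SASE connector host.

# ver_ge A B: true when dotted version A >= B (compares major, then minor).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    if (x[1] + 0 != y[1] + 0) exit !(x[1] + 0 > y[1] + 0)
    exit !(x[2] + 0 >= y[2] + 0)
  }'
}

# os_supported ID VERSION_ID: values as they appear in /etc/os-release.
os_supported() {
  case "$1" in
    centos) ver_ge "$2" 7.0 ;;
    ubuntu) ver_ge "$2" 18.04 ;;
    debian) ver_ge "$2" 12 ;;
    *) return 1 ;;
  esac
}

# preflight ID VERSION CORES MEM_KB SELINUX: prints one line per failed check
# and returns the number of failures (0 = host matches the recommendations).
preflight() {
  local fails=0
  os_supported "$1" "$2" || { echo "FAIL os: $1 $2 not in supported list"; fails=$((fails + 1)); }
  [ "$3" -ge 4 ] || { echo "FAIL cpu: $3 cores, need 4"; fails=$((fails + 1)); }
  # Assumption: accept 7.5 GiB, since MemTotal on an 8 GB host is below 8388608 kB.
  [ "$4" -ge 7864320 ] || { echo "FAIL mem: $4 kB, need about 8 GB"; fails=$((fails + 1)); }
  [ "$5" = "Disabled" ] || { echo "FAIL selinux: state is $5, panel expects Disabled"; fails=$((fails + 1)); }
  return "$fails"
}

# preflight_live: gather the same five values from the current host.
preflight_live() {
  local id ver selinux
  id=$(. /etc/os-release && echo "$ID")
  ver=$(. /etc/os-release && echo "$VERSION_ID")
  selinux=$(getenforce 2>/dev/null || echo Disabled)  # no getenforce: SELinux absent
  preflight "$id" "$ver" "$(nproc)" "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" "$selinux"
}

# Constructed sample values (not from a real host); pass --live to check this machine.
if [ "${1:-}" = "--live" ]; then
  preflight_live && echo "host OK"
else
  preflight ubuntu 22.04 2 8009000 Enforcing || echo "sample host: $? check(s) failed"
fi
```
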

Step 3 (Optional): Configure managed objects

To improve network transmission quality, change the transmission network type by following these steps.

  1. Navigate to the Instances page on the Global Accelerator console to view managed objects and their status.

    The instance status column shows Available and Managed. Hovering over the Managed tag displays a tooltip indicating the managed cloud service is CSAS. The Actions column provides links to Manage instance and Unmanage.

  2. If the current account supports Cross-border Express Connect, the automatically created managed GA instance defaults to the Cross-border Express Connect mode. Otherwise, it defaults to the BGP (Multi-ISP) Pro mode.

    On the Instance Information tab of the GA instance, the Transmission network quality type area shows that Cross-border Express Connect is Enabling, and the instance management status is Managed (CSAS).

Step 4: Add an application and address

  1. Navigate to the Application Management page and click Add Application.

  2. In the Basic Configurations step, configure the following parameters:

    • Application Name: Enter a name for the application.

    • Description: Enter a description for the application.

    • Tag: Select tags for the application.

    • Status: Set the application status to Enable or Disable.

    • Access Mode:

      • Client-based Access: Requires users to install the SASE client app to access office applications. This mode supports access to Layer 4 and Layer 7 applications, meets office and O&M requirements, and supports a wide range of endpoint security detection and control policies.

      • Browser-based Access: Allows users to access corporate web applications without installing the SASE client app. This mode does not support endpoint security detection and control policies.

  3. After confirming the settings, click Next to proceed to the Application Address configuration and enter the following information:

    • Application Address: Enter the domain name or IP address of the application server.

    • Port: Enter the start and end ports for the application.

    • Description: Enter a description for the address.

    • Protocol: Select TCP or UDP.

    • Web Application Access Reinforcement (Advanced Settings): Optional. Configure access hardening as needed.

  4. After confirming the application address information, click OK.

  5. After configuration, the application appears in the list on the Office Applications page. The Application Address column displays the configured address, the Access Mode is APP Access, and the Status switch is on.

  6. Use the configured access mode (such as APP Access) to connect to the accelerated address and verify the setup.

Step 5: Configure a connector forwarding rule

  1. On the Connectors tab, click Forwarding Policies.

  2. On the Forwarding Policies page, click Create Policy.

  3. In the Create Policy panel, configure the parameters. Then, click OK.

    • Policy Name: The name of the connector forwarding rule.

    • Description: The description of the rule.

    • Priority: The priority of the rule. The value can range from 1 to 100. A smaller number indicates a higher priority.

    • Policy Details: Add the effective users and associated applications.

    • Associated Connector: Select the connector to associate with the rule.

    • Policy Status: The rule takes effect only when its status is set to Enable.

Step 6: Configure a zero trust policy

  1. On the Zero trust policy page, click Create Policy.

  2. In the Create Policy panel, configure the parameters. Then, click OK.

    • Policy Name: The name of the zero trust policy.

    • Description: The description of the policy.

    • Priority: The policy priority. The value can range from 1 to 45.

    • Action: Set the action to Allow (default) or Prohibit.

    • Policy Details: Add the effective users and associated applications.

    • Trusted Process: Disabled by default.

      Note

      If enabled, the zero trust gateway verifies whether the process initiating the access is a trusted process. Access from untrusted processes is blocked.

    • Security Baselines: Optional. Select a security baseline to apply.

    • Trigger Templates: Optional. Select a trigger template to apply.

    • Policy Status: Enabled by default. The policy takes effect only when its status is Enabled.

Add a private access whitelist

To exempt certain IP addresses or domain names from behavior auditing during acceleration, add them to a private access whitelist.

  1. Navigate to the Whitelist page and click the Private Access tab.

  2. In the IP Address Whitelist area, add the IP addresses you want to whitelist. You can add multiple IP addresses.

  3. In the Domain Name Whitelist area, add the domain names you want to whitelist. You can add multiple domain names.

  4. After adding the entries, click Submit.

Private access auditing

Navigate to the General Logs page under Private Access Audit. After a client connects to an application, you can search for and view the access logs.

The log list displays fields such as Username, Department, Application Name, Client Version, Policy Type, Policy Name, and Destination Address. A policy type of Zero trust and a policy name of Default Policy indicate that the zero trust policy has taken effect.

Network diagnostics

Create a diagnostic task

  1. Navigate to the Network Diagnostics page and click Create Task.

  2. In the panel that appears, configure the following parameters:

    • Task Type: You can select End-to-end Diagnostics or Application Diagnostics. For an office acceleration diagnostic task, select End-to-end Diagnostics.

    • Task Object: Set the target objects for this diagnostic task. You can add multiple objects.

      • Username: Select a user.

      • Application Protocol: Supports TCP and UDP protocol types.

      • Application Address: Enter the domain name or IP address and the port number of the application.

    • Access Point: The default is Automatic Selection. You can also manually specify an access point.

  3. After confirming the information, click OK.

View diagnostic results

  1. Navigate to the Network Diagnostics page and find the diagnostic task you created in the task list.

  2. Click View in the Actions column to expand the task's diagnostic details.

    The expanded diagnostic details are presented as an end-to-end topology diagram, passing through six nodes in order: Desktop, POP access point, accelerator, connector server, connector client, and origin server. The latency between each link is labeled (for example, 74ms, 4ms, 3ms, 169ms, 167ms). Each node's details include its name, address, resource ID, and geographical location (such as Singapore/Alibaba Cloud, China (Hong Kong)/Alibaba Cloud).