
Secure Access Service Edge:Configure office applications

Last Updated: Jun 21, 2026

Before using SASE Private Access, add your enterprise office applications to SASE by configuring their IP addresses or domain names. Employees can access only configured office applications through the SASE client. This topic describes the supported application types, how to add an office application, and the application domain name resolution policy.

Supported application types

  • Applications accessible by using a private IP address or private domain name

    A private application is an internal IT resource, such as an internal application service, server, or database, that is used by employees and accessible only to specific users.

  • Applications accessible by using a public IP address or public domain name (with a whitelist configured)

    A whitelist is configured for the public application address. For example, you can use an ECS security group or a Cloud Firewall access control policy to allow only specific CIDR blocks to access the application.

Add an office application

When you add an enterprise office application to SASE, SASE enforces the zero-trust security principle for all applications and creates a default policy that denies all access. Therefore, after you add an application, you also need to configure a policy to allow access. For more information, see Configure a zero-trust policy.

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane on the left, choose Private Access > Application Management.

  3. On the Office Application page, click Add Application and configure the application as follows.

    You can add applications by using manual configuration or batch import.

    • Manual Configuration

      1. On the Manual Configuration tab, configure the basic parameters as described in the following table.

        Parameter

        Description

        Application Name

        A name for the application.

        The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), underscores (_), and periods (.).

        Tag

        Custom tags for the application. Tags help you classify, search for, and manage applications.

        Note

        You can use the default tags provided by the system or add your own custom tags.

        Status

        The status of the application. Valid values: Enabled and Disabled.

        Access Mode

        Select the access mode that you want to configure.

        • Client-based Access: Users must install the SASE client to access office applications in this mode. This mode supports Layer 4 and Layer 7 applications, meets office and O&M requirements, and provides a rich set of endpoint security detection and control policies.

        • Browser-based Access: Users can access web-based office applications from a browser without installing the SASE client. This mode does not support endpoint security detection and control policies.

      2. Click Next. Based on your selected access mode, configure the application address information.

        • Client-based Access mode

          Parameter

          Description

          Match Mode

          Select Global Match or Fine-grained Match for port matching.

          • Global Match: Supports configuring only one pair of Application Address and Port. This is for scenarios where all domain names or IP addresses within a resource use the same port.

          • Fine-grained Match: Supports configuring multiple pairs of Application Address and Port. This is for scenarios where different domain names or IP addresses within a resource use different ports.

          Application Address, Port, and Protocol

          Enter the address, port, and protocol for the office application to be accessed through SASE.

          The application address can be one of the following types:

          • A specific IP address. Example: 10.10.XX.XX.

          • A CIDR block. Examples: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/24.

          • A specific domain name. Example: www.aliyun.com.

          • A wildcard domain name. If you enter *.aliyun.com, SASE matches subdomains based on the port information you provide, allowing access to specific subdomains of *.aliyun.com.

          The following port formats are supported:

          • For a range of consecutive ports, use a hyphen. For example, 80-8080 includes all ports from 80 to 8080.

          • For non-consecutive ports, separate the port numbers with commas. For example: 80, 8080.

          • For a single port, enter the number. Example: 80.

          Supported protocols:

          • TCP

          • UDP

          Advanced Settings > Web Application Access Reinforcement

          To perform security verification or access tracing for web application traffic, you can configure the following reinforcement policies.

          • Security Verification: Inspects the Host request header to prevent malicious bypass attempts.

          • Access Tracing: Adds user information to the HTTP header for access tracing purposes.

            SASE inserts the selected tracing information into the HTTP request headers. Your backend service must be configured to retrieve and parse these headers, which include X-Csas-Client-IP (device IP), X-Csas-Username (username), and X-Csas-Device-Tag (unique device ID).

          • Sensitive Application Detection: Marks internal applications with download behaviors as a Sensitive Application. You can view these applications under the Sensitive Application tag.

            When a download occurs in a sensitive application, SASE generates a log record in Log Service (SLS). You can go to Log Analysis and select Internal Sensitive File Download Detection Log to view the download logs.

          • Timeout Configuration: Configures the Layer 7 connection timeout for accessing office applications. The connection is automatically disconnected after the timeout period.

          • Application Layer Port: The port range on which the Web Application Access Reinforcement settings take effect.

            Important

            • The Web Application Access Reinforcement settings take effect only when the accessed port is within the configured effective port range.

            • The start and end ports must be within the configured application port range.

        • Browser-based Access mode

          Parameter

          Description

          Application Address

          Enter the address, port, and protocol for the office application to be accessed through SASE.

          The application address can be one of the following types:

          • A specific IP address. Example: 10.10.XX.XX.

          • A specific domain name. Example: www.aliyun.com.

          Port

          Set the port number. Example: 80.

          Protocol

          Supported protocols:

          • HTTPS

          • HTTP

          Proxy Domain Name (SaaS Proxy Gateway)

          Configure the proxy gateway using either domain name mapping or a CNAME record.

          • Domain Name Mapping: Set a mapped domain name. SASE generates a new domain name that maps to the original application address. Employees access the original application through the new domain name.

          • CNAME: Configure a CNAME record to resolve the original domain name to the SASE zero-trust gateway. This method preserves the user experience.

            • Custom Proxy Domain Name: Configure a custom proxy domain name.

              Warning

              You must create a CNAME record that resolves the custom proxy domain name to the SASE access point domain name.

            • Internal DNS Server: Select the DNS server used to resolve internal domain names.

            • SSL Certificate: Select an SSL certificate.

          Browser Access Settings

          SASE supports three browser access configuration methods.

          • HTML-based Internal Domain Rewriting: Implements domain name mapping by modifying HTML. You must configure the addresses before and after rewriting.

          • JavaScript-based Internal Request Rewriting: Implements domain name mapping by modifying JavaScript files. You must configure the addresses before and after rewriting.

          • Anonymous Access: Configure a whitelist of source IP addresses or CIDR blocks and their access paths. Access control is not performed for requests from these sources.

          Advanced Settings

          Rewrite the headers and query parameters of gateway requests for more granular configuration.

          • Headers Rewrite: Dynamically add, set, or delete parameters in the request and response headers to achieve more flexible request control and response optimization.

          • Query Parameter Rewriting: Dynamically add, set, or delete parameters in the query string.

    • Batch Import

      Depending on the Access Mode, you can select Client-based Access or Browser-based Access.

      • Client-based Access: Requires the SASE client to be installed to access office applications. This mode supports Layer 4 and Layer 7 applications, meets office and O&M requirements, and provides a rich set of endpoint security detection and control policies.

        1. Click Download Layer 4 Template and fill out the template.

        2. Click Upload Local File to upload the completed template file.

      • Browser-based Access: Does not require the SASE client to be installed. Users can access web-based office applications from a browser. This mode does not support endpoint security detection and control policies.

        1. Click Download Layer 4 Template and fill out the template.

        2. Click Upload Local File to upload the completed template file.

      Note

      Only XLSX files are supported. The maximum file size is 100 MB.

  4. Click OK.

    The new enterprise office application appears in the application list.
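The backend side of the Access Tracing headers listed under Web Application Access Reinforcement, as an added example that is not part of this documentation or of SASE: a small WSGI middleware that reads X-Csas-Client-IP, X-Csas-Username and X-Csas-Device-Tag, but trusts them only when the connection arrives from the SASE gateway, and strips them otherwise. The gateway CIDR, the audit-record shape and the sample request are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Header names SASE inserts when Access Tracing is enabled (from the table above).
TRACING_HEADERS = ("X-Csas-Client-IP", "X-Csas-Username", "X-Csas-Device-Tag")

# Assumption: the backend's whitelist (security group or Cloud Firewall rule) admits
# only the SASE gateway, and this is its source range. 192.0.2.0/24 is a constructed
# placeholder, not a real SASE address.
GATEWAY_CIDRS = (ip_network("192.0.2.0/24"),)

def _wsgi_key(header: str) -> str:
    """'X-Csas-Username' -> 'HTTP_X_CSAS_USERNAME' (WSGI environ naming)."""
    return "HTTP_" + header.upper().replace("-", "_")

def extract_tracing(environ: dict):
    """Return the three tracing fields only if the TCP peer is the SASE gateway.
    X-Csas-* headers on a connection that did not come through SASE may be forged,
    so they are removed from the environ and None is returned."""
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in GATEWAY_CIDRS):
        for header in TRACING_HEADERS:
            environ.pop(_wsgi_key(header), None)
        return None
    fields = {h: environ.get(_wsgi_key(h), "").strip() for h in TRACING_HEADERS}
    return fields if all(fields.values()) else None      # incomplete set: untraced

def tracing_middleware(app, audit_log: list):
    """WSGI middleware: expose trusted tracing data as environ['sase.tracing'] and
    append one audit record per request to audit_log."""
    def wrapped(environ, start_response):
        fields = extract_tracing(environ)
        environ["sase.tracing"] = fields
        audit_log.append({"path": environ.get("PATH_INFO", "/"),
                          "peer": environ.get("REMOTE_ADDR"),
                          "user": fields["X-Csas-Username"] if fields else None,
                          "device": fields["X-Csas-Device-Tag"] if fields else None,
                          "client_ip": fields["X-Csas-Client-IP"] if fields else None})
        return app(environ, start_response)
    return wrapped

# Constructed sample request as the SASE gateway would deliver it to the backend.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "192.0.2.10", "PATH_INFO": "/reports/export",
    "HTTP_X_CSAS_CLIENT_IP": "10.10.5.23",
    "HTTP_X_CSAS_USERNAME": "alice@example.com",
    "HTTP_X_CSAS_DEVICE_TAG": "dev-0123456789abcdef",
}
```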

Application domain name resolution

Domain name resolution policy

  1. When a user on a Private Access endpoint initiates a domain name resolution request, SASE first queries Alibaba Cloud DNS PrivateZone for a matching DNS record. If a record exists, SASE returns it.

    Note

    If Alibaba Cloud DNS PrivateZone is part of your network architecture, SASE automatically synchronizes the PrivateZone resolution data. You do not need to configure PrivateZone information in the SASE console. For more information about PrivateZone, see Introduction to private DNS resolution.

  2. If the domain name is not found in PrivateZone, SASE checks whether a custom DNS service (Default DNS Service or Other DNS Services) is configured. If so, SASE forwards the request to the custom DNS service, and returns the result.

    • If the employee has not switched the DNS service in the SASE client, the default DNS service is used for domain name resolution.

    • If the employee switches to a specific DNS service in the SASE client, the selected DNS service is used for domain name resolution.

  3. If no custom DNS service is configured, SASE sends the request to the default DNS service configured on the ECS instance, and returns the result.

Configure a custom DNS service

  1. On the Office Application page, click Internal DNS Configuration.

  2. In the DNS Address dialog box, configure the Default DNS Service and Other DNS Services.

    You can configure multiple server IP addresses for a DNS service. If one server fails to resolve a domain name, the request is sent to another server of the same DNS service.

    Each DNS service includes a Name and Server IP. In the Server IP input box, enter an IP address and press Enter to confirm. You can configure up to two IP addresses for each DNS service.

Whitelist office applications

When to whitelist an application

To bypass SASE security analysis and auditing of network traffic for certain office applications, you can add the application's IP address or domain name to the Private Access whitelist. After the application is whitelisted, its network traffic bypasses SASE.

For example, you have configured the wildcard domain name *.abc.com in application management. If your enterprise considers traffic to the subdomain 123.abc.com to be safe and does not require SASE analysis and auditing, you can add 123.abc.com to the whitelist.

Configure an office application whitelist

You can add the IP addresses or domain names of applications to the office application whitelist. You can add multiple entries, such as multiple IP addresses or CIDR blocks, and multiple domain names or wildcard domain names. For more information about how to configure a whitelist, see Configure a private access whitelist.
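The address and port formats accepted under Application Address, together with the whitelist precedence illustrated with *.abc.com and 123.abc.com, as an added example that is not SASE code: a matcher that parses the console formats and decides whether a destination bypasses SASE, is proxied as a configured office application, or is not reachable. Assumptions: a wildcard covers subdomains at any depth but not the apex domain, and the AppEntry fields and sample entries are constructed.

```python
import ipaddress
from dataclasses import dataclass

def parse_ports(spec: str) -> frozenset:
    """Expand a Port value: '80' (single), '80, 8080' (list) or '80-8080' (range)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port specification: {part.strip()!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)

def address_matches(pattern: str, host: str) -> bool:
    """Match an Application Address (IP, CIDR, domain or '*.' wildcard) to a host.
    Assumption: '*.abc.com' covers subdomains at any depth but not abc.com itself."""
    host = host.strip().rstrip(".").lower()
    pattern = pattern.strip().rstrip(".").lower()
    try:
        net = ipaddress.ip_network(pattern, strict=False)   # IP address or CIDR block
    except ValueError:
        net = None                                           # domain-name pattern
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False                                     # domain host, IP pattern
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

@dataclass(frozen=True)
class AppEntry:
    address: str    # Application Address as typed in the console
    ports: str      # Port field, e.g. "80, 443" or "80-8080"
    protocol: str   # "TCP" or "UDP"

def decide(host: str, port: int, protocol: str, apps, whitelist) -> str:
    """'bypass' if the whitelist matches, 'proxy' if an app matches, else 'deny'."""
    if any(address_matches(entry, host) for entry in whitelist):
        return "bypass"                  # whitelisted traffic skips SASE entirely
    for app in apps:
        if (app.protocol.upper() == protocol.upper()
                and address_matches(app.address, host)
                and port in parse_ports(app.ports)):
            return "proxy"               # reachable through the SASE client
    return "deny"                        # only configured applications are reachable

# Constructed sample configuration mirroring the page's examples.
APPS = [AppEntry("*.abc.com", "80, 443", "TCP"), AppEntry("10.0.0.0/8", "22", "TCP")]
WHITELIST = ["123.abc.com"]   # considered safe by the enterprise, so it bypasses SASE
```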

Edit or delete an office application

You can perform the following operations as required:

  • Edit: Click Details. In the Details panel, view or modify the application's information.

  • Delete: Click Delete to remove the application.

    Important

    After you delete an application, it becomes inaccessible to employees. Proceed with caution.

Next steps

  • Create an access policy for the added office application. For more information, see Configure a zero-trust policy.

  • If your employees work within a trusted area, you can configure a trusted office zone to bypass SASE traffic analysis and auditing for their office application access. For more information, see Configure office zone identification.