Before using SASE Private Access, add your enterprise office applications to SASE by configuring their IP addresses or domain names. Employees can access only configured office applications through the SASE client. This topic describes the supported application types, how to add an office application, and the application domain name resolution policy.
Supported application types
- Applications accessible by using a private IP address or private domain name
  A private application is an internal IT resource, such as an internal application service, server, or database, that is used by employees and accessible only to specific users.
- Applications accessible by using a public IP address or public domain name (with a whitelist configured)
  A whitelist is configured for the public application address. For example, you can use an ECS security group or a Cloud Firewall access control policy to allow only specific CIDR blocks to access the application.
Add an office application
When you add an enterprise office application to SASE, SASE enforces the zero-trust security principle for all applications and creates a default policy that denies all access. Therefore, after you add an application, you also need to configure a policy to allow access. For more information, see Configure a zero-trust policy.
- Log on to the Secure Access Service Edge console.
- In the navigation pane on the left, choose .
- On the Office Application page, click Add Application and configure the application as follows.
  You can add applications by using manual configuration or batch import.
  - Manual Configuration
    - On the Manual Configuration tab, configure the basic parameters described below.
      Application Name: A name for the application. The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), underscores (_), and periods (.).
      Tag: Custom tags for the application. Tags help you classify, search for, and manage applications.
      Note: You can add custom tags to classify, search for, and manage applications, or use the default tags provided by the system.
      Status: The status of the application. Valid values: Enabled and Disabled.
      Access Mode: Select the access mode that you want to configure.
      - Client-based Access: Users must install the SASE client to access office applications in this mode. This mode supports Layer 4 and Layer 7 applications, meets office and O&M requirements, and provides a rich set of endpoint security detection and control policies.
      - Browser-based Access: Users can access web-based office applications from a browser without installing the SASE client. This mode does not support endpoint security detection and control policies.
    - Click Next. Based on your selected access mode, configure the application address information.
      - Client-based Access mode
        Match Mode: Select global or fine-grained port matching.
        - Global Match: Supports configuring only one pair of Application Address and Port. Use this mode when all domain names or IP addresses within a resource use the same port.
        - Fine-grained Match: Supports configuring multiple pairs of Application Address and Port. Use this mode when different domain names or IP addresses within a resource use different ports.
        Application Address, Port, and Protocol: Enter the address, port, and protocol for the office application to be accessed through SASE.
        The application address can be one of the following types:
        - A specific IP address. Example: 10.10.XX.XX.
        - A CIDR block. Examples: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/24.
        - A specific domain name. Example: www.aliyun.com.
        - A wildcard domain name. If you enter *.aliyun.com, SASE matches subdomains based on the port information you provide, allowing access to specific subdomains of *.aliyun.com.
        The following port formats are supported:
        - For a range of consecutive ports, use a hyphen. For example, 80-8080 includes all ports from 80 to 8080.
        - For non-consecutive ports, separate the port numbers with commas. For example: 80, 8080.
        - For a single port, enter the number. Example: 80.
        Supported protocols:
        - TCP
        - UDP
        Web Application Access Reinforcement: To perform security verification or access tracing for web application traffic, you can configure the following reinforcement policies.
        - Security Verification: Inspects the Host request header to prevent malicious bypass attempts.
        - Access Tracing: Adds user information to the HTTP header for access tracing purposes. SASE inserts the selected tracing information into the HTTP request headers. Your backend service must be configured to retrieve and parse these headers, which include X-Csas-Client-IP (device IP), X-Csas-Username (username), and X-Csas-Device-Tag (unique device ID).
        - Sensitive Application Detection: Marks internal applications with download behaviors as a Sensitive Application. You can view these applications under the Sensitive Application tag.
          When a download occurs in a sensitive application, SASE generates a log record in Log Service (SLS). You can go to Log Analysis and select Internal Sensitive File Download Detection Log to view the download logs.
        - Timeout Configuration: Configures the Layer 7 connection timeout for accessing office applications. The connection is automatically disconnected after the timeout period.
        - Application Layer Port: The port range on which the Web Application Access Reinforcement settings take effect.
          Important:
          - The Web Application Access Reinforcement settings take effect only when the accessed port is within the configured effective port range.
          - The start and end ports must be within the configured application port range.
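The Access Tracing headers above are only meaningful when the request actually came through the SASE gateway; a backend that is reachable by another path should not believe them. The following helper, an added example rather than Alibaba Cloud code, reads the three header names from the page into an audit record and fills the identity fields only when the TCP peer is in the gateway's address range. TRUSTED_GATEWAY_NETS is a placeholder assumption standing in for the CIDR you whitelist in the ECS security group or Cloud Firewall policy.

```python
"""Audit-record builder for the SASE access-tracing request headers."""
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption (placeholder): the address range the SASE gateway connects from,
# i.e. the CIDR you allow in the ECS security group or Cloud Firewall policy.
TRUSTED_GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Header names from the page, mapped to the record fields chosen here.
TRACING_HEADERS = {
    "X-Csas-Client-IP": "device_ip",
    "X-Csas-Username": "username",
    "X-Csas-Device-Tag": "device_tag",
}


@dataclass
class AccessRecord:
    peer_ip: str
    trusted: bool
    device_ip: Optional[str]
    username: Optional[str]
    device_tag: Optional[str]


def from_trusted_gateway(peer_ip: str) -> bool:
    """True when the TCP peer is one of the SASE gateway addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_GATEWAY_NETS)


def build_access_record(peer_ip: str, headers: Mapping[str, str]) -> AccessRecord:
    """Turn one request's tracing headers into an audit record.

    Header names compare case-insensitively. The identity fields are filled
    in only when the peer is the SASE gateway: a request that reached the
    backend by another path could carry any value, so it is recorded as absent.
    """
    trusted = from_trusted_gateway(peer_ip)
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    fields = {}
    for header, field in TRACING_HEADERS.items():
        value = lowered.get(header.lower())
        fields[field] = value if trusted and value else None
    return AccessRecord(peer_ip=peer_ip, trusted=trusted, **fields)
```

Feed it the peer address and header map from your web framework's request object; the returned record is what you write to your own access log.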
      - Browser-based Access mode
        Application Address: Enter the address, port, and protocol for the office application to be accessed through SASE. The application address can be one of the following types:
        - A specific IP address. Example: 10.10.XX.XX.
        - A specific domain name. Example: www.aliyun.com.
        Port: Set the port number. Example: 80.
        Protocol: Supported protocols:
        - HTTPS
        - HTTP
        Proxy Domain Name (SaaS Proxy Gateway): Configure the proxy gateway using either domain name mapping or a CNAME record.
        - Domain Name Mapping: Set a mapped domain name. SASE generates a new domain name that maps to the original application address. Employees access the original application through the new domain name.
        - CNAME: Configure a CNAME record to resolve the original domain name to the SASE zero-trust gateway. This method preserves the user experience.
          - Custom Proxy Domain Name: Configure a custom proxy domain name.
            Warning: You must create a CNAME record that resolves the custom proxy domain name to the SASE access point domain name.
          - Internal DNS Server: Select the DNS server used to resolve internal domain names.
          - SSL Certificate: Select an SSL certificate.
        Browser Access Settings: SASE supports three browser access configuration methods.
        - HTML-based Internal Domain Rewriting: Implements domain name mapping by modifying HTML. You must configure the addresses before and after rewriting.
        - JavaScript-based Internal Request Rewriting: Implements domain name mapping by modifying JavaScript files. You must configure the addresses before and after rewriting.
        - Anonymous Access: Configure a whitelist of source IP addresses or CIDR blocks and their access paths. Access control is not performed for requests from these sources.
        Advanced Settings: Rewrite the headers and query parameters of gateway requests for more granular configuration.
        - Headers Rewrite: Dynamically add, set, or delete parameters in the request and response headers to achieve more flexible request control and response optimization.
        - Query Parameter Rewriting: Dynamically add, set, or delete parameters in the query string.
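The address and port formats accepted for both access modes above (a specific IP address, a CIDR block, an exact domain name, a *.wildcard domain; a port range such as 80-8080, a comma list such as 80, 8080, or a single port) are easy to get subtly wrong when checked by hand. The matcher below is an added example, not Alibaba Cloud code; it parses those formats and checks a requested host and port against one configured entry, and also encodes the Application Layer Port rule that the reinforcement port range must lie inside the application's own port range. One assumption is made where the page is silent: a wildcard entry matches subdomains only, not the apex domain itself.

```python
"""Matcher for the office-application address and port formats on this page."""
import ipaddress
import re
from typing import Set

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_ports(spec: str) -> Set[int]:
    """Expand '80', '80, 8080' or '80-8080' into the set of ports it names."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"port spec out of range: {part.strip()!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def host_matches(address: str, host: str) -> bool:
    """True if host falls under the configured Application Address entry."""
    address, host = address.lower(), host.lower()
    try:  # IP address or CIDR block entry: host must be an IP inside it
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # a hostname never matches an IP/CIDR entry
    if address.startswith("*."):
        # Wildcard entry: any subdomain matches; the apex itself does not
        # (assumption made here; the page does not say).
        base = address[2:]
        if not _DOMAIN_RE.match(base):
            raise ValueError(f"bad wildcard domain: {address!r}")
        return host.endswith("." + base) and bool(_DOMAIN_RE.match(host))
    if not _DOMAIN_RE.match(address):
        raise ValueError(f"bad application address: {address!r}")
    return host == address  # exact domain name entry


def layer_port_range_ok(app_port_spec: str, start: int, end: int) -> bool:
    """Application Layer Port rule: start-end must lie inside the app's ports."""
    return start <= end and set(range(start, end + 1)) <= parse_ports(app_port_spec)
```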
  - Batch Import
    Depending on the Access Mode, you can select Client-based Access or Browser-based Access.
    - Client-based Access: Requires the SASE client to be installed to access office applications. This mode supports Layer 4 and Layer 7 applications, meets office and O&M requirements, and provides a rich set of endpoint security detection and control policies.
      - Click Download Layer 4 Template and fill out the template.
      - Click Upload Local File to upload the completed template file.
    - Browser-based Access: Does not require the SASE client to be installed. Users can access web-based office applications from a browser. This mode does not support endpoint security detection and control policies.
      - Click Download Layer 4 Template and fill out the template.
      - Click Upload Local File to upload the completed template file.
    Note: Only XLSX files are supported. The maximum file size is 100 MB.
- Click OK.
  The new enterprise office application appears in the application list.
Application domain name resolution
Domain name resolution policy
- When a user on a Private Access endpoint initiates a domain name resolution request, SASE first queries Alibaba Cloud DNS PrivateZone for matching DNS records, and returns the result.
  Note: If Alibaba Cloud DNS PrivateZone is part of your network architecture, SASE automatically synchronizes the PrivateZone resolution data. You do not need to configure PrivateZone information in the SASE console. For more information about PrivateZone, see Introduction to private DNS resolution.
- If the domain name is not found in PrivateZone, SASE checks whether a custom DNS service (Default DNS Service or Other DNS Services) is configured. If so, SASE forwards the request to the custom DNS service, and returns the result.
  - If the employee has not switched the DNS service in the SASE client, the default DNS service is used for domain name resolution.
  - If the employee switches to a specific DNS service in the SASE client, the selected DNS service is used for domain name resolution.
- If no custom DNS service is configured, SASE sends the request to the default DNS service configured on the ECS instance, and returns the result.
Configure a custom DNS service
- On the Office Application page, click Internal DNS Configuration.
- In the DNS Address dialog box, configure the Default DNS Service and Other DNS Services.
  You can configure multiple server IP addresses for a DNS service. If one server fails to resolve a domain name, the request is sent to another server of the same DNS service.
  Each DNS service includes a Name and Server IP. In the Server IP input box, enter an IP address and press Enter to confirm. You can configure up to two IP addresses for each DNS service.
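The resolution order above (PrivateZone first, then the custom DNS service the employee selected or the default one, then the DNS configured on the ECS instance) together with the per-service failover between server IPs is captured in the following simulation. It is an added example, not Alibaba Cloud code: the DnsService class and the resolver callables are constructed stand-ins that answer from dictionaries, not real DNS lookups, and the rule that a service holds one or two server IPs comes from the text above.

```python
"""Simulation of the Private Access domain name resolution order on this page."""
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # returns an IP, or None on failure


def table_resolver(table: Dict[str, str], trace: List[str], server_ip: str) -> Resolver:
    """Constructed stand-in for one DNS server: answers from a dict, logs the server asked."""
    def lookup(domain: str) -> Optional[str]:
        trace.append(server_ip)
        return table.get(domain)
    return lookup


class DnsService:
    """One entry of the DNS Address dialog: a Name and one or two Server IPs."""

    def __init__(self, name: str, servers: Dict[str, Resolver]):
        if not 1 <= len(servers) <= 2:
            raise ValueError("a DNS service takes one or two server IPs")
        self.name, self.servers = name, servers

    def resolve(self, domain: str) -> Optional[str]:
        # If one server fails to resolve the name, the next server of the same service is asked.
        for lookup in self.servers.values():
            answer = lookup(domain)
            if answer is not None:
                return answer
        return None


def resolve_private_access(domain: str, privatezone: Dict[str, str],
                           services: Dict[str, DnsService], default_name: Optional[str],
                           client_selected: Optional[str], ecs_default: Resolver) -> Optional[str]:
    """Apply the resolution policy: PrivateZone, then custom DNS, then the ECS default DNS."""
    domain = domain.lower().rstrip(".")
    # 1. Alibaba Cloud DNS PrivateZone records are consulted first.
    if domain in privatezone:
        return privatezone[domain]
    # 2. A custom DNS service: the one the employee selected in the client, else the default.
    name = client_selected or default_name
    if name is not None and name in services:
        return services[name].resolve(domain)
    # 3. No custom DNS service configured: the DNS configured on the ECS instance answers.
    return ecs_default(domain)
```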
Whitelist office applications
When to whitelist an application
To bypass SASE security analysis and auditing of network traffic for certain office applications, you can add the application's IP address or domain name to the Private Access whitelist. After the application is whitelisted, its network traffic bypasses SASE.
For example, you have configured the wildcard domain name *.abc.com in application management. If your enterprise considers traffic to the subdomain 123.abc.com to be safe and does not require SASE analysis and auditing, you can add 123.abc.com to the whitelist.
Configure an office application whitelist
You can add the IP addresses or domain names of applications to the office application whitelist. You can add multiple entries, such as multiple IP addresses or CIDR blocks, and multiple domain names or wildcard domain names. For more information about how to configure a whitelist, see Configure a private access whitelist.
Edit or delete an office application
You can perform the following operations as required:
- Edit: Click Details. In the Details panel, view or modify the application's information.
- Delete: Click Delete to remove the application.
  Important: After you delete an application, it becomes inaccessible to employees. Proceed with caution.
Next steps
- Create an access policy for the added office application. For more information, see Configure a zero-trust policy.
- If your employees work within a trusted area, you can configure a trusted office zone to bypass SASE traffic analysis and auditing for their office application access. For more information, see Configure office zone identification.