Before users can reach an office application through the SASE private network, add the application's IP address or endpoint to SASE. Once added, users connect through the SASE client or a browser, depending on the access mode you configure.
Prerequisites
Before you begin, make sure you have:
Access to the SASE console
The IP address, CIDR block, or domain name of the office application
(Optional) An SSL certificate, if you plan to use Browser-based Access with a CNAME proxy (configured during setup)
Supported application types
SASE supports two categories of office applications:
Private applications — Applications accessible only through private IP addresses or private endpoints. These are internal IT resources such as internal services, servers, and databases, accessible only by specific users.
Public applications with IP whitelisting — Applications accessible through public IP addresses or public endpoints, where the enterprise has configured an IP allowlist to restrict access to specific CIDR blocks. For example, an Elastic Compute Service (ECS) security group or a Cloud Firewall access control policy that permits access only from designated CIDR blocks.
How domain name resolution works
When a private access user sends a domain name resolution request, SASE resolves it in the following order:
Alibaba Cloud DNS PrivateZone — SASE first checks whether the domain name is resolved by PrivateZone. If a matching record exists, SASE returns the result.
Note: If Alibaba Cloud DNS PrivateZone is deployed in your network, SASE automatically syncs its DNS records. No additional configuration is needed in the SASE console. For details, see What is Private DNS?.
Custom DNS service — If PrivateZone returns no result, SASE checks whether a custom DNS service is configured:
If you have not switched the DNS service on the SASE client, the default DNS service is used.
If you have switched to a specific DNS service on the SASE client, that specific DNS service is used.
ECS instance default DNS — If no custom DNS service is configured, the request falls through to the default DNS service of the ECS instance.
Add an office application
When you add an application, SASE automatically creates a policy that denies all access based on the zero-trust security principle. After adding the application, configure an access policy to grant users permission. See Configure a zero trust policy.
Manual configuration
Log on to the SASE console.
In the left-side navigation pane, choose Private Access > Application Management.
On the Office Application page, click Add Application.
On the Manual Configuration tab, configure the basic settings.
Parameter: Description
Application Name: A name for the application. Must be 2–100 characters and can contain letters, digits, hyphens (-), underscores (_), and periods (.).
Tag: Tags for classifying, searching, and managing applications. Use custom tags or the default tags.
Status: Enable or disable the application.
Access Mode: One of the following:
Client-based Access: Requires the SASE client. Supports Layer 4 and Layer 7 applications, and terminal security detection and control policies.
Browser-based Access: No client required. Works for web applications accessed from a browser. Terminal security detection and control policies are not supported.
Click Next and configure the application address. Parameters vary by access mode.
Client-based Access
Parameter: Description
Application Address: The address SASE uses to reach the application. Supported formats: IP addresses (e.g., 10.10.XX.XX), CIDR blocks (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24), specific domain names (e.g., www.aliyun.com), or wildcard domain names (e.g., *.aliyun.com — SASE matches subdomains based on the port you specify).
Port: The port or port range used by the application. For a range of consecutive ports, enter the start and end values (e.g., 80 to 8080). For non-consecutive ports, enter each port individually (e.g., 80 and 8080). For a single port, enter the same value for start and end (e.g., 80 to 80).
Protocol: TCP or UDP.
Advanced Settings > Web Application Access Reinforcement: Optional security policies for web applications:
Security Verification checks the Host request header to prevent malicious bypass.
Access Tracing adds user information to the HTTP header for audit purposes — your business system must parse the added request headers: X-Csas-Client-IP (device IP address), X-Csas-Username (username), and X-Csas-Device-Tag (device unique ID).
Browser-based Access
Parameter: Description
Application Address: The address SASE uses to reach the application. Supported formats: IP addresses (e.g., 10.10.XX.XX) or specific domain names (e.g., www.aliyun.com). CIDR blocks and wildcard domain names are not supported.
Port: A single port number, with the same value for start and end (e.g., 80 to 80).
Protocol: HTTP or HTTPS.
Proxy Domain Name (SaaS Proxy Gateway): Configure a proxy gateway using one of two methods:
Domain Name Mapping — SASE creates a new domain name that maps to the original application address; users access the application through the new domain name.
CNAME — Configure a CNAME record to resolve the original application address to the SASE zero-trust gateway, which ensures a smooth user experience. With CNAME, also configure: Custom Proxy Domain Name (the CNAME record pointing to the SASE access point domain name), Internal DNS Server (the DNS server used to resolve internal domain names), and SSL Certificate (the certificate for the proxy domain).
Browser Access Settings: The domain rewriting method for browser access:
HTML-based Internal Domain Rewriting — Uses HTML URL rewrite techniques to map domain names. Configure Address Before Rewriting and Address After Rewriting.
JavaScript-based Internal Request Rewriting — Uses JavaScript URL rewrite techniques. Configure Address Before Rewriting and Address After Rewriting.
Anonymous Access — Allows requests from specified IP addresses, CIDR blocks, and request paths without authentication.
Advanced Settings: Rewrite headers and query parameters for finer-grained control:
Headers Rewrite — Dynamically add, configure, or delete parameters in request and response headers.
Query Parameter Rewriting — Dynamically add, configure, or delete query parameters.
Click OK.
The application appears in the application list.
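With Access Tracing enabled, the business system has to parse the X-Csas-* headers, and it should accept them only on connections that arrive from SASE. The following sketch is an added example, not code from the SASE documentation; it assumes the backend sees the SASE gateway as the TCP peer, and the range 192.0.2.0/24, the function name audit_identity and the record fields are placeholders.

```python
import ipaddress
import json
import re

# Assumption: address range the SASE gateway connects from (placeholder value).
TRUSTED_GATEWAY_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
TRACE_HEADERS = ("X-Csas-Client-IP", "X-Csas-Username", "X-Csas-Device-Tag")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _clean(value, limit=256):
    """Strip control characters (CR/LF log injection) and cap the length."""
    return _CONTROL.sub("", value)[:limit]


def audit_identity(peer_ip, headers):
    """Build an audit record from the Access Tracing headers.

    peer_ip is the TCP source address of the connection, never a header value.
    The headers are used only when that peer is inside the gateway range.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    via_gateway = any(peer in net for net in TRUSTED_GATEWAY_CIDRS)
    record = {"peer_ip": str(peer), "via_gateway": via_gateway,
              "client_ip": None, "username": None, "device_tag": None,
              "ignored_headers": []}
    if not via_gateway:
        # Direct connection: any X-Csas-* header was set by the caller itself.
        record["ignored_headers"] = [h for h in TRACE_HEADERS if h.lower() in hdrs]
        return record
    try:
        raw_ip = hdrs.get("x-csas-client-ip", "").strip()
        record["client_ip"] = str(ipaddress.ip_address(raw_ip))
    except ValueError:
        pass  # missing or malformed address: leave the field empty
    record["username"] = _clean(hdrs.get("x-csas-username", "")) or None
    record["device_tag"] = _clean(hdrs.get("x-csas-device-tag", "")) or None
    return record


# Constructed sample requests: one through the gateway, one direct with a forged header.
SAMPLES = [
    ("192.0.2.10", {"X-Csas-Client-IP": "10.8.0.23", "X-Csas-Username": "alice",
                    "X-Csas-Device-Tag": "dev-0001"}),
    ("198.51.100.7", {"X-Csas-Username": "admin\r\nforged-line"}),
]

if __name__ == "__main__":
    for peer, sample_headers in SAMPLES:
        print(json.dumps(audit_identity(peer, sample_headers)))
```

Records with a non-empty ignored_headers list are worth alerting on, because they show a caller that reached the application without passing through SASE and supplied identity headers of its own.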
Batch import
Use batch import to add multiple applications at once.
Log on to the SASE console.
In the left-side navigation pane, choose Private Access > Application Management.
On the Office Application page, click Add Application, then select the Batch Import tab.
Select an Access Mode — Client-based Access or Browser-based Access — then follow the corresponding steps:
Client-based Access: Click Layer 4 Download Template, fill in the template, then click Upload Local File to upload it.
Browser-based Access: Click Layer 7 Download Template, fill in the template, then click Upload Local File to upload it.
Note: Only XLSX files are supported. Maximum file size: 100 MB.
Configure a custom DNS service
Configure custom DNS servers to control how internal domain names are resolved for private access users.
On the Office Application tab of the Application Management page, click Internal DNS Configuration.
In the DNS Address dialog box, configure Default DNS Service and Other DNS Service. You can specify multiple server IP addresses for each DNS service. If resolution fails on one server, the request is forwarded to the next server in the list.

Add an application to the private access whitelist
If network traffic for a specific application does not need to be audited by SASE, add its address to the private access whitelist. Network traffic to whitelisted addresses is not audited by SASE.
For example, if you have registered the wildcard domain name *.abc.com in Application Management but the subdomain 123.abc.com handles trusted internal traffic that does not require auditing, add 123.abc.com to the whitelist.
To configure the whitelist, see Configure a private access whitelist. You can add IP addresses, CIDR blocks, specific domain names, or wildcard domain names.
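Because whitelisted traffic is not audited, it helps to review which whitelist entries overlap applications you registered. The following is an added example, not part of the SASE console or its API: it works on address lists you maintain or copy out yourself, the function names are hypothetical, and it assumes a wildcard matches subdomains at any depth.

```python
import ipaddress


def parse_entry(entry):
    """Classify an address as ('net', network), ('wild', suffix) or ('host', name)."""
    entry = entry.strip().lower().rstrip(".")
    try:
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if entry.startswith("*."):
        return "wild", entry[2:]
    return "host", entry


def overlaps(a, b):
    """True when two parsed entries can describe the same destination."""
    (ak, av), (bk, bv) = a, b
    if ak == "net" and bk == "net":
        return av.overlaps(bv)
    if "net" in (ak, bk):
        return False  # IP versus name: not decidable without a DNS lookup
    if ak == "host" and bk == "host":
        return av == bv
    if ak == "wild" and bk == "wild":
        return av == bv or av.endswith("." + bv) or bv.endswith("." + av)
    suffix, host = (av, bv) if ak == "wild" else (bv, av)
    # Assumption: a wildcard matches subdomains at any depth, but not the apex.
    return host.endswith("." + suffix)


def unaudited_carveouts(registered, whitelist):
    """Map each registered address to the whitelist entries that exempt part of it."""
    parsed = [(w, parse_entry(w)) for w in whitelist]
    report = {}
    for app in registered:
        hits = [w for w, p in parsed if overlaps(parse_entry(app), p)]
        if hits:
            report[app] = hits
    return report


# Constructed sample data; *.abc.com and 123.abc.com are the example from the text above.
REGISTERED = ["*.abc.com", "10.0.0.0/8", "wiki.corp.example"]
WHITELIST = ["123.abc.com", "10.20.0.0/16", "203.0.113.5", "*.other.example"]

if __name__ == "__main__":
    for app, hits in unaudited_carveouts(REGISTERED, WHITELIST).items():
        print(f"{app}: not audited for {', '.join(hits)}")
```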
Edit or delete an office application
On the Office Application page, find the application you want to modify:
Edit: Click Details in the Actions column to view or edit the application's configuration in the Details panel.
Delete: Click Delete in the Actions column to remove the application.
Important: After the office application is deleted, users cannot access the application. Proceed with caution.
What's next
Configure a zero trust policy — Create an access control policy to allow specific users to reach the application you added.
Configure a trusted office zone — If users work from a trusted office location and network traffic to applications does not need auditing, configure a trusted office zone to skip inspection for that network.