This topic answers common questions about the private access feature of Secure Access Service Edge (SASE).
How do I configure an internal DNS server to access a website that has a domain name?
Why can I ping an application that cannot be accessed after it is configured?
Why am I unable to access internal domain names from my Windows device?
How do I handle the issue that private access is unavailable?
How do I configure an internal DNS server to access a website that has a domain name?
The required steps depend on whether Alibaba Cloud DNS PrivateZone is deployed in your network:
| Scenario | Action |
|---|---|
| Alibaba Cloud DNS PrivateZone is deployed | No action needed. SASE automatically synchronizes DNS records from PrivateZone. |
| Alibaba Cloud DNS PrivateZone is not deployed | Configure a custom DNS service in the SASE console. You can add multiple server IP addresses — if resolution fails on one server, SASE automatically retries on the next. |
For configuration steps, see Resolve the domain name of the office application.
Why can I ping an application that cannot be accessed after it is configured?
ping does not reliably indicate whether a SASE application is reachable:
| OS | ping behavior |
|---|---|
| macOS | ping succeeds over all CIDR blocks, regardless of actual connectivity |
| Windows | ping succeeds only over the 198.18 and 198.19 CIDR blocks |
To verify connectivity, use Telnet or nc (netcat) to test the application's specific host and port.
A successful connection confirms the application is reachable through SASE.
Why am I unable to access internal domain names from my Windows device?
This issue is most common on Windows 11, where browsers enable secure DNS (DNS over HTTPS, or DoH) by default. When DoH is active, internal domain name queries bypass the private DNS resolver configured by SASE, causing resolution to fail.
To fix this, disable the secure DNS service in your browser settings.
If security software on the device changed the system-level DNS to use DoH, switch the DNS configuration to non-encrypted mode in that software's settings.
How do I handle the issue that private access is unavailable?
Follow these steps to isolate the root cause.
Step 1: Check whether access is being blocked
In the SASE console, go to Log Analysis > Log Audit and review the access log for the relevant request.
If the log shows that access is blocked, identify the cause and apply the corresponding fix:
| Cause | Fix |
|---|---|
| Application not configured | Add the application in the SASE console |
| Access permission not assigned | Grant the user access permission for the application |
| Terminal security baseline non-compliant | Bring the device into compliance with the security baseline |
Step 2: Check network connectivity
If the log shows that access is allowed but the application is still unreachable, go to Private Access > Network Settings and check whether the application shows as connected.
| Network type | What to check |
|---|---|
| Alibaba Cloud business network (virtual private cloud (VPC) or Cloud Enterprise Network (CEN)) | Verify that the VPC or CEN is enabled |
| Non-Alibaba Cloud business network | Verify that the dedicated line connection is established and that a SASE connector is associated with the application |
Where can I download the connector component?
Go to the Connector Management page in the SASE console, copy the installation command, and run it on the target host. For detailed steps, see Enable network connections for services outside Alibaba Cloud.