
Secure Access Service Edge: Configure endpoints

Last Updated: Mar 31, 2026

SASE provides built-in SaaS endpoints as shared network entry points for your enterprise, and lets you deploy dedicated endpoints in your offices, data centers, or cloud environments. This topic describes how to manage SaaS endpoints, deploy dedicated endpoints, and configure terminal access policies.

Endpoint types

SASE uses SD-WAN (Software-Defined Wide Area Network) technology to identify and connect employees to the nearest access point automatically. Two endpoint types are available:

| Type | Description | Server deployment |
| --- | --- | --- |
| SaaS endpoint | Shared across all users. Subject to shared network latency. Supported editions: Private Access Basic Edition, Private Access Premium Edition | Not required |
| Dedicated endpoint | Exclusive to your enterprise. Lower latency and higher security. Supported edition: Private Access Premium Edition only | Required. See Prerequisites for deploying a dedicated endpoint. |

Use a SaaS endpoint for standard remote access where shared infrastructure is acceptable. Use a dedicated endpoint when your enterprise requires lower latency, stricter network isolation, or direct control over the access point server.

Manage SaaS endpoints

After you enable the Private Access security feature, all SaaS endpoints are enabled by default. Enable or disable individual endpoints based on your needs.

The following table lists the available regions per edition:

| Edition | Available regions |
| --- | --- |
| Private Access (Basic Edition) | Beijing, Shanghai, Shenzhen, Singapore, and Hong Kong (China) |
| Private Access (Premium Edition) | Beijing, Shanghai, Shenzhen, Silicon Valley, Virginia, Frankfurt, Singapore, Tokyo, Hong Kong (China), Dubai, Hangzhou, and Jakarta |
| Internet Access Security (Office Data Protection Edition) | Not supported |
| Endpoint Protection (Anti-virus Edition) | Not supported |

To manage SaaS endpoints:

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Private Access > Terminal Access.

  3. Go to Access Point Management > SaaS Access Point to view all built-in SaaS endpoints.

  4. In the Access Point Switch column, toggle the endpoint on or off. To view or modify endpoint details, click Details in the Actions column. You can view the endpoint address, name, and configuration, and modify the endpoint name.

  5. Add the origin IP addresses to your application's whitelist to ensure connectivity.

    • In the Origin IP column, find the origin IP for the target access point. If your internet-facing application has IP restrictions, add this IP to the application's firewall or security group whitelist.

    • If your office network uses IP-based access restrictions, add the IP ranges of all enabled access points (POPs) to the whitelist before upgrading. Otherwise, employees may lose connectivity to the private network through the SASE SaaS endpoint after the upgrade.

The IP whitelist requirement above does not apply if: your office network has no IP whitelist restrictions, your office network whitelists only SASE domain names (not static IPs), or you use dedicated endpoints.
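
A pre-upgrade check for step 5, added here as an example and not part of the SASE documentation: it lists the origin IPs of enabled access points that an existing allowlist does not yet cover. The addresses are constructed samples from documentation ranges, the function names are illustrative, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example (not SASE tooling): find origin IPs missing from an allowlist.

# ip_to_int A.B.C.D: print the IPv4 address as a 32-bit integer.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY: succeed when IP falls inside ENTRY (a CIDR or a single IP).
in_cidr() {
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    a=$(ip_to_int "$1") && n=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# missing_from_allowlist "ORIGIN_IPS" "ALLOWLIST": print every origin IP
# that no allowlist entry covers. Both arguments are space-separated lists.
missing_from_allowlist() {
    for ip in $1; do
        covered=no
        for entry in $2; do
            if in_cidr "$ip" "$entry"; then covered=yes; break; fi
        done
        [ "$covered" = yes ] || echo "$ip"
    done
}

# Constructed sample data (RFC 5737 documentation ranges, not real SASE IPs).
# ORIGIN_IPS: values copied from the Origin IP column of enabled access points.
# ALLOWLIST: entries currently present in the firewall or security group.
ORIGIN_IPS="203.0.113.10 203.0.113.200 198.51.100.7"
ALLOWLIST="203.0.113.0/25 192.0.2.0/24 198.51.100.7"
missing_from_allowlist "$ORIGIN_IPS" "$ALLOWLIST"   # prints 203.0.113.200
```

Any address it prints still has to be added to the allowlist before the upgrade.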

Deploy a dedicated endpoint

Deploying a dedicated endpoint involves three steps: creating the endpoint configuration, running the deployment command on your server, and optionally connecting the endpoint to a SASE connector for additional network isolation.

Prerequisites for deploying a dedicated endpoint

Before deploying, make sure your server meets the following requirements:

  • Operating system: CentOS 7 or later, Ubuntu 18.04 or later, or Debian 12 or later. SELinux must be disabled.

  • CPU: 4 cores

  • Memory: 8 GB

  • Inbound bandwidth: 400 Mbps per server

For high availability and to eliminate single points of failure, deploy the dedicated endpoint on multiple servers (physical machines or virtual machines). Each server in the group runs an independent instance of the endpoint software.
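
The requirements above as a preflight script to run on each server before deployment, added here as an example and not provided by SASE. The function names are illustrative, and the 7500000 kB memory threshold is an assumption that allows for memory the kernel reserves on an 8 GB server. Inbound bandwidth cannot be measured locally and is not checked.

```shell
#!/bin/sh
# Added example (not SASE tooling): preflight for a dedicated endpoint server.
MIN_CPUS=4
MIN_MEM_KB=7500000   # assumption: tolerance below a nominal 8 GB

# version_ge A B: succeed when dotted version A >= B (major, then minor).
version_ge() {
    a_major=${1%%.*}; b_major=${2%%.*}; a_minor=0; b_minor=0
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*} ;; esac
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*} ;; esac
    case "$a_major.$a_minor" in .*|*.|*[!0-9.]*) return 1 ;; esac
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# os_supported ID VERSION_ID: accepts only the distributions listed above.
os_supported() {
    case $1 in
        centos) version_ge "$2" 7 ;;
        ubuntu) version_ge "$2" 18.04 ;;
        debian) version_ge "$2" 12 ;;
        *) return 1 ;;
    esac
}

# selinux_ok STATE: STATE is getenforce output, or "absent" when getenforce
# is not installed. Permissive does not count as disabled.
selinux_ok() { [ "$1" = Disabled ] || [ "$1" = absent ]; }
cpu_ok() { [ "$1" -ge "$MIN_CPUS" ]; }
mem_ok() { [ "$1" -ge "$MIN_MEM_KB" ]; }

# preflight: check this host and return the number of failed checks.
preflight() {
    os_id=$(. /etc/os-release 2>/dev/null; printf %s "$ID")
    os_ver=$(. /etc/os-release 2>/dev/null; printf %s "$VERSION_ID")
    se=$(getenforce 2>/dev/null) || se=absent
    cpus=$(getconf _NPROCESSORS_ONLN)
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    fails=0
    os_supported "$os_id" "$os_ver" || { echo "FAIL os: $os_id $os_ver"; fails=$((fails+1)); }
    selinux_ok "$se" || { echo "FAIL selinux: $se"; fails=$((fails+1)); }
    cpu_ok "$cpus" || { echo "FAIL cpu: $cpus cores"; fails=$((fails+1)); }
    mem_ok "$mem" || { echo "FAIL memory: $mem kB"; fails=$((fails+1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

case ${1:-} in run) preflight ;; esac
```

Save it as a file and pass `run` as the first argument to check the current host; the exit status is the number of failed checks.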

Step 1: Add a dedicated endpoint

  1. Go to Access Point Management > Dedicated Access Point, then click Create Dedicated Access Point.

  2. In the Create Dedicated Access Point panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Chinese Access Point Name | A Chinese name for the dedicated endpoint. |
| English Access Point Name | An English name for the dedicated endpoint. |
| Access Point Location | The region for the dedicated endpoint: the Chinese mainland or outside the Chinese mainland. |
| Access Point Configuration | Configure one or both of the following address types based on your network setup. |
| Configure Public Access Address | For remote and work-from-home scenarios. The SASE app connects to the endpoint via a public domain name. After zero trust authentication, the endpoint forwards traffic to the target enterprise application. Important: Make sure your enterprise applications are reachable from the dedicated endpoint server's public IP address. Upload the certificate content (.crt or .pem) and private key (.key or .pem) for the public address. |
| Configure Private Access Address | For in-office scenarios. The SASE app connects to the endpoint via a private domain name. After zero trust authentication, the endpoint forwards traffic to the target enterprise application. Important: Make sure your enterprise applications are reachable from the dedicated endpoint server's private IP address. If you enable this option, restrict application access to the private IP address of the endpoint server only. Upload the certificate content (.crt or .pem) and private key (.key or .pem) for the private address. |
| Port | The port number for the endpoint. |
| Status | Set to Enabled so employees can use the endpoint. |

Step 2: Deploy the endpoint on your server

  1. Go to Access Point Management > Dedicated Access Point, find the endpoint you created, and click Deploy in the Actions column.

  2. On the Deploy tab, copy the deployment command and run it on your server. After the command completes, the endpoint appears in the dedicated endpoint list with an active status.

  3. Manually add a DNS record for the endpoint domain so it resolves correctly. SASE does not create this record automatically.

SASE also provides commands to upgrade or uninstall the dedicated endpoint. Run these from the same Deploy tab as needed.

Network topology: By default, clients reach the application server over the public internet through the dedicated endpoint. In this topology, application data bypasses SASE, but logs are still reported to SASE.

To avoid exposing your application server's public IP, place the dedicated endpoint on a server that faces the public network and keep your application servers on a separate internal network. In this setup, create a SASE connector to establish a private channel between the dedicated endpoint and your application servers (see Step 3). For details, see Use a SASE connector.

Step 3: Connect the endpoint to a SASE connector (optional)

Skip this step if you do not need to route traffic through a SASE connector.

  1. Go to Access Point Management > Dedicated Access Point, find the endpoint, and click Details in the Actions column.

  2. On the Associated Connector tab, turn on the Associated Connector switch.

  3. Configure the reverse connection port used for communication between the SASE connector server and the dedicated endpoint server. The default port is 9813. If port 9813 is already in use, specify a different port.

  4. Enter the dedicated endpoint server's IP address for communication with the SASE connector server. Use a private IP address when possible. If you must use a public IP address, configure a SASE policy that restricts traffic to only the public IP addresses of the dedicated endpoint server and the SASE connector server. If you have multiple application servers, each with its own SASE connector, enter the IP address of each server.

  5. Click OK.

After saving, the endpoint's status and association information appear in the dedicated endpoint list.

Configure access policies

SASE includes a built-in terminal access policy that authorizes access to SASE's own endpoints in the Chinese mainland. This policy is enabled by default. If you have enabled endpoints for Global Office, the built-in policy also covers those endpoints.

Create a custom terminal access policy if the built-in policy does not meet your requirements.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Private Access > Terminal Access.

  3. On the Policy Management page, click Create Policy.

  4. In the Create Policy panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Policy Name | A name for the policy. 1–64 characters. Allowed characters: Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.). |
| Authorized Access Points | The endpoints that authorized users can connect to. |
| Secondary Access Points | A fallback endpoint. Hidden from users by default. Activates automatically when the latency of all authorized endpoints reaches 500 ms or higher. |
| Policy Status | Set to Enabled for the policy to take effect. |

Next steps

Employees log on to the SASE app, select a network endpoint, and connect to Private Access. For details, see Enable or disable security protection for private access.

Related topics

For information about authorizing and enabling endpoints for Global Office, see Establish network channels for global offices.