Secure Access Service Edge: Settings

Last Updated: May 20, 2026

SASE (Secure Access Service Edge) provides a security client that routes internet traffic from corporate endpoints to the nearest Alibaba Cloud SASE service node. Endpoints without the security client cannot be managed by your zero trust policy. This topic describes how to configure account information, allowlists, and push notifications, and how to install and customize the SASE security client.

Background information

After employees install the SASE security client on their endpoints, administrators can view the total number of endpoints with the client installed and their details in the terminal list. The terminal list also helps administrators identify users and endpoints that have not yet installed the client. For more information, see View the terminal list.

After an employee logs on to the SASE security client, the endpoint's internet traffic is routed through SASE. SASE then inspects and manages the endpoint's internet access behavior.

Configure account information

The Account Settings tab includes sections for an enterprise authentication identifier, an account expiration time, and an account expiration policy.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Account Settings tab, configure the following information.

    • Enterprise Authentication Identifier

      The enterprise authentication identifier is the credential your employees provide to log on to the SASE security client. We recommend using an identifier that is easy for users to remember, such as your company name. Users must enter this identifier when they first log on to the SASE security client.

    • Set account expiration information

      • Account Authentication Frequency

        This setting defines the period after the last logon during which the SASE security client can automatically sign in. If this period is exceeded, the user is returned to the logon page and must re-enter their credentials to log on to the SASE security client.

      • Account Authentication Policy

        • Immediate Authentication

          When the session expires, the SASE security client logs off immediately, and the employee must authenticate again. This option prioritizes security and may interrupt work.

        • Authentication During Network Change

          When the session expires, the SASE security client does not log off immediately. Instead, the employee is prompted to re-authenticate the next time the computer wakes up or the network connection changes. This option prioritizes user experience and avoids interrupting work.
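The difference between the two Account Authentication Policy options can be measured as the time a session stays signed in after it has expired. The following added example (not Alibaba Cloud code) models both options exactly as described above. The event names `wake` and `network_change` and the sample timeline are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Policy names as they appear on the Account Settings tab.
IMMEDIATE = "Immediate Authentication"
ON_NETWORK_CHANGE = "Authentication During Network Change"
# Assumed event names for "computer wakes up" and "network connection changes".
TRIGGERS = {"wake", "network_change"}


def reauth_time(policy, last_logon, frequency, events):
    """Return when the user is sent back to the logon page, or None if never."""
    expiry = last_logon + frequency
    if policy == IMMEDIATE:
        return expiry
    if policy == ON_NETWORK_CHANGE:
        later = [t for t, kind in events if kind in TRIGGERS and t >= expiry]
        return min(later) if later else None
    raise ValueError(f"unknown policy: {policy}")


def stale_window(policy, last_logon, frequency, events, now):
    """Return how long the session stayed signed in past expiry, as of `now`."""
    expiry = last_logon + frequency
    forced = reauth_time(policy, last_logon, frequency, events)
    end = now if forced is None else min(forced, now)
    return max(end - expiry, timedelta(0))


# Constructed sample: 7-day Account Authentication Frequency, two endpoints.
LOGON = datetime(2026, 5, 1, 9, 0)
FREQUENCY = timedelta(days=7)
NOW = datetime(2026, 5, 11, 9, 0)
LAPTOP = [(datetime(2026, 5, 8, 8, 30), "wake"),
          (datetime(2026, 5, 8, 18, 5), "network_change")]
DESKTOP = []  # always on, wired: no wake or network-change events

if __name__ == "__main__":
    for name, events in (("laptop", LAPTOP), ("desktop", DESKTOP)):
        for policy in (IMMEDIATE, ON_NETWORK_CHANGE):
            print(name, policy, stale_window(policy, LOGON, FREQUENCY, events, NOW))
```

In this model, an always-on wired desktop under Authentication During Network Change is never prompted, so its stale window keeps growing until a wake or network-change event occurs.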

Configure allowlists

If you determine that specific internal applications, public websites, outbound files, external devices, or watermarks are secure and do not require SASE management or auditing, you can add them to an allowlist. The following procedure describes how to configure an allowlist for websites.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Whitelist tab, configure an allowlist for private access or data protection.

    • Configure a private access allowlist

      1. On the Private Access tab, add a website to the allowlist.

        SASE provides two ways to add a website to an allowlist:

        • IP Address Whitelist: Add one or more IP addresses or IP address ranges for the website.

        • Domain Name Whitelist: Add one or more domain names or wildcard domain names for the website.

      2. Click Submit.

        After the allowlist is configured, corporate users can directly access the allowlisted internal applications.

    • Configure a data protection allowlist

      1. On the Data Loss Prevention tab, add an allowlist for specified files, data storage, external devices, or watermarks.

        SASE supports the following types of allowlists. When you configure an allowlist, separate multiple user entries with a comma (,).

        • Outbound File Transfer Detection Whitelist

        • Data Storage (Available only in the Data Protection edition of SASE Internet Access)

        • Peripheral Control Whitelist

        • Screen Watermark Whitelist

        • Application Watermark Whitelist

        • Print Watermark Whitelist

      2. Click Submit.

        After the allowlist is configured, SASE no longer manages or intercepts the actions of allowlisted users. If a user is on the storage space allowlist and triggers an outbound detection policy, their files are not stored.

    • Configure an internet behavior management allowlist

      1. On the Internet Behavior Management tab, add users, user groups, and domains to an allowlist.

        • User Whitelist

        • User Group Whitelist

        • Exceptional Domain Name

      2. Click Submit.

        After the allowlist is configured, SASE no longer manages or intercepts the internet behavior of allowlisted users and user groups, or their access to allowlisted domains.
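Because allowlisted destinations bypass SASE management and auditing, IP ranges and wildcard domains deserve a review before they are submitted. The following added example (not part of the SASE product or this documentation) audits a list of entries for overly broad ranges, wildcards that cover a whole public suffix, and malformed entries. CIDR notation for ranges, the `*.domain` wildcard form, the /24 threshold, and the short suffix list are assumptions.

```python
import ipaddress
import re

MAX_ADDRESSES = 256  # assumed review threshold: flag anything wider than a /24
# Constructed sample; a real review would load the full Public Suffix List.
BROAD_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "io"}
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def audit_entry(entry):
    """Return review findings for one allowlist entry (empty list = none)."""
    entry = entry.strip().lower().rstrip(".")
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return _audit_domain(entry)
    if net.num_addresses > MAX_ADDRESSES:
        return [f"broad range: {net.num_addresses} addresses"]
    return []


def _audit_domain(entry):
    labels = entry.split(".")
    wildcard = labels[0] == "*"
    base = labels[1:] if wildcard else labels
    # Reject stray wildcards, bad labels and numeric "TLDs" (mistyped IP ranges).
    if not base or not all(LABEL.match(l) for l in base) or base[-1].isdigit():
        return ["malformed entry"]
    suffix = ".".join(base)
    if wildcard and (len(base) == 1 or suffix in BROAD_SUFFIXES):
        return [f"wildcard covers every domain under .{suffix}"]
    return []


def audit(entries):
    """Map each flagged entry to its findings."""
    report = {e: audit_entry(e) for e in entries}
    return {e: found for e, found in report.items() if found}


# Constructed sample entries (CIDR and "*.domain" notation are assumptions).
SAMPLE = ["10.20.30.40", "10.20.30.0/24", "10.0.0.0/8", "wiki.corp.example.com",
          "*.corp.example.com", "*.com.cn", "*.*.example.com", "10.0.0.1-10.0.0.50"]

if __name__ == "__main__":
    for entry, found in audit(SAMPLE).items():
        print(f"{entry}: {'; '.join(found)}")
```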

Configure push notifications

To receive timely alerts about endpoint user activities, such as logon events, device registrations, client uninstallation requests, and requests to use non-compliant software, you can configure push notifications. Once configured, SASE uses DingTalk, WeCom, or Lark chatbots to send these notifications to your corporate chat groups. This allows you to track events as they happen.

Before you configure SASE push notifications, you must create a custom chatbot in DingTalk, WeCom, or Lark.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Message Push tab, click Create Template.

  4. In the Create Template panel, configure push notifications by selecting a notification source.

    Parameter / Description

    Notification Source

      • DingTalk Chatbot

      • WeCom Chatbot

      • Lark Chatbot

      • SMS

      • Email Address

    Chatbot Configuration

      • DingTalk Webhook URL

        Example: https://oapi.dingtalk.com/robot/send?access_token=****

      • Webhook Key

        Example: 123456

      • WeCom Webhook URL

        Example: https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=90e25f1d-99b5-4496-890d-4d1c6efe3****

      • Lark Webhook URL

        Example: https://open.feishu.cn/open-apis/bot/v2/hook/4c83950f-2335-42ae-a5bd-11a96d6d****

      • Webhook Key

        Example: 123456

    Message Type

      Select one or more of the following message types:

      • Log Storage Capacity Threshold Notification

      • File Storage Capacity Threshold Notification

      • Notification of Client Log Report

      • Notification of Exceeded Registration Quota on Client

      • Notification of Application for Client Uninstallation

      • Application for Using Unauthorized Software

      • Notification of Abnormal Connector

      • Terminal Alert

  5. Click Connectivity Test. When a success message appears, click OK.

    To modify or delete the template later, click Edit or Delete on the Message Push tab.

    Important

    If you delete a push notification template, SASE can no longer automatically send notifications to your corporate chat group. Proceed with caution.

Configure client enterprise elements

SASE allows you to customize the branding for the client, download page, browser authentication page, and help guide in both Chinese and English. The following procedure uses the Chinese version as an example to show how to customize these elements.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Enterprise Elements tab, perform the relevant configurations.

    Client elements

    1. Click Custom Client Elements.

    2. On the 中文版设置 (Chinese Version Settings) and English Client Settings tabs, configure the Logo, Background Image, Title, and Promotion Text for the Chinese and English versions of the client, respectively. You can preview the changes on the right side of the page.

    3. After you complete the configuration, click OK.

    Download page

    1. Click Custom Elements on Client Download Page.

    2. On the 中文版设置 (Chinese Version Settings) and English Client Settings tabs, configure the Logo, Logo Name, Title, Description, Download URL for Android Client, and Download URL for iOS Client for the Chinese and English versions of the client download page, respectively. You can preview the changes on the right side of the page.

    3. After you complete the configuration, click OK.

    Authentication page

    1. Click Customize Browser Authentication Page Elements.

    2. On the 中文版设置 (Chinese Version Settings) and English Client Settings tabs, configure the Logo, Background Image, and Title for the Chinese and English versions of the browser authentication page, respectively. You can preview the changes on the right side of the page.

    3. After you complete the configuration, click OK.

    Help guide

    The help guide feature helps users understand and use the product. Common formats include new user guides, operational tips, and Frequently Asked Questions (FAQs). Users can access the guide from the client at any time.

    1. Click Guide.

    2. On the 中文版设置 (Chinese Version Settings) and English Client Settings tabs, configure the Title, Description, and URL for the Chinese and English versions of the help guide, respectively, and then click OK.

    3. Log on to the SASE client.

    4. Go to Settings > Toolbox to view the configured help guide.

      Important

      Ensure that your SASE App version is v4.8.5 or later.

Configure custom storage

By default, trace data from outbound file detection is stored in the cloud. To enhance data security and control, the Data Protection edition of SASE Internet Access supports custom storage configurations. This feature allows you to store trace data in your own Object Storage Service (OSS) bucket or an on-premises MinIO storage system.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Custom Storage Settings tab, view the built-in storage usage, click the toggle switch, and then click OK.

  4. In the Data Storage Settings dialog box, you can configure your Alibaba Cloud OSS bucket or an on-premises MinIO storage system. Refer to the following table for parameter descriptions.

    Parameter / Description

    Custom Storage Type

      • Alibaba Cloud OSS: Configure your purchased Alibaba Cloud OSS bucket.

      • On-premises MinIO storage system: Transfer data to your on-premises storage space. Currently, only MinIO storage systems are supported.

        Note

        1. When storing data in an on-premises MinIO system, you must encrypt the data in MinIO to mitigate the security risks of plaintext storage.

        2. If the network connection between your on-premises MinIO system and the SASE platform is lost, you cannot download original files from trace logs on the console. You must use the file storage address from the logs to download the files directly from your MinIO system.

        3. SASE uses a cloud-based OCR detection engine. When detecting image files, the files are uploaded to the SASE cloud platform for analysis. However, SASE does not store your enterprise's outbound image data.

    Bucket

      The bucket name of your storage space.

    Endpoint

      The endpoint of your storage space. Both HTTP and HTTPS protocols are supported.

      Important

      We recommend that you configure the HTTPS protocol. Otherwise, you may need to adjust your browser settings to view screenshot evidence or download source files.

    AccessKey ID

      The AccessKey ID for the storage space. Enter an AccessKey ID that has data download permissions. Otherwise, you cannot download original files from Log Audit - Sensitive File Detection.

    AccessKey Secret

      The AccessKey secret for the storage space.

    Maximum Size

      Specifies the maximum size of a single file to be stored, up to 60 MB.

  5. Click Test Network Connectivity to test the connection to the storage space.

  6. Click OK.

    After configuration, custom data storage is automatically enabled. Data files that trigger an outbound detection policy are stored in your specified storage space.

    To disable custom data storage, toggle the switch off. When disabled, data files that trigger an outbound detection policy are stored in the SASE built-in storage space. Ensure that the built-in storage has sufficient capacity to avoid storage issues.

Other operations

If your built-in storage space is insufficient, you can Scale Up or Clear the storage.

  • Expand: Click Scale Up to go to the SASE purchase page and buy additional file storage capacity.

  • Clear: Click Clear. In the Clear Logs dialog box, you can choose to Clear by Time Range or Clear All. Then click OK.

Download the SASE client (SASE App)

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Download Client tab, download the client installation package.

    Installation packages are available under PC and Download Mobile Client.

  4. Unzip the downloaded client package and double-click the setup.exe installer to install the security client.

    After installation, the SASE security client icon appears on the employee's desktop.

Upgrade the SASE client (SASE App)

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Client Update tab, select the operating system of your server.

  4. Under the tab for each operating system, select the SASE App version that you want to download and click Download in the Actions column.

  5. To push an upgrade task to employees, click Push Update, add an upgrade task, and then click OK.

    You can specify a custom upgrade percentage. SASE randomly rolls out the upgrade to a corresponding percentage of the total endpoints that belong to employees in the effective user group.

    In the Create Update Task dialog box, configure the following parameters:

    • Task Name

    • Version Upgrade

    • Update Percentage

    • Update Method: Silent Update is recommended. Linux, Android, and iOS do not support silent upgrade. Alternatively, select Popup Notification.

    • Task Delivery Time

    • Priority: Valid values are 1 to 99. A smaller value indicates a higher priority.

Traffic redirection settings

The default SASE back-to-origin IP address assigned to each Virtual Private Cloud (VPC) may overlap with your corporate intranet's IP range, which can cause routing conflicts or access failures. To avoid this, you can configure custom proxy IP addresses.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, click Settings Center > General Configurations.

  3. On the Traffic Redirection Settings tab, configure proxy addresses for different operating systems, and click Submit.

    Important
    • Only internal IP addresses can be configured as proxy IPs.

    • If your corporate internal applications have a firewall or other security control policies, ensure that the SASE back-to-origin IP address is included in those policies' allowlists to prevent traffic from being blocked.
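Before submitting custom proxy addresses, you can check a candidate range against your intranet address plan offline. The following added example (not part of the SASE product or this documentation) rejects ranges that are not internal or that overlap an intranet range, and suggests the first free block. It assumes that "internal IP addresses" means the RFC 1918 ranges, and the intranet CIDRs are constructed sample values.

```python
import ipaddress

# Assumption: "internal IP addresses" means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_proxy_range(candidate, intranet_cidrs):
    """Return the problems with a proposed proxy range (empty list = usable)."""
    net = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not an internal (RFC 1918) range")
    for cidr in intranet_cidrs:
        used = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(used):
            problems.append(f"overlaps intranet range {used}")
    return problems


def first_free_range(intranet_cidrs, prefixlen=24):
    """Return the first RFC 1918 subnet of this size that avoids the intranet."""
    used = [ipaddress.ip_network(c, strict=False) for c in intranet_cidrs]
    for pool in RFC1918:
        if prefixlen < pool.prefixlen:
            continue  # requested block is larger than this pool
        for sub in pool.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(u) for u in used):
                return str(sub)
    return None


# Constructed sample of a corporate intranet address plan.
INTRANET = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    for candidate in ("10.1.4.0/24", "10.200.8.0/24", "100.64.0.0/24"):
        print(candidate, check_proxy_range(candidate, INTRANET) or "ok")
    print("suggested:", first_free_range(INTRANET))
```

Whichever range you choose is the one that firewalls in front of internal applications must allow, as noted above.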