Versa Networks

Configure SASE Secure Client Access Profiles in Release 12.1.1

For supported software information, click here.

Secure client access profiles define the application monitors, browser access, DNS resolvers, and routes that are used to bind public keys to the client. A DNS resolver is a server that determines which DNS name server the client uses to perform DNS lookups for all traffic. You can configure DNS resolvers that are then shared with the clients when they register.

To periodically monitor end-to-end network and application performance for a user device, you can enable Digital Experience Monitoring (DEM) on SASE clients. To do this, you add an application monitor when configuring a secure client access profile. The SASE client receives the settings listed in the application monitor when it registers with the SASE portal. The SASE client collects DEM statistics based on these settings and periodically forwards them to its currently connected SASE gateway. For information about viewing DEM statistics, see the Digital Experience section in Secure Access Dashboards.

Configure Secure Client Access Profiles

To configure SASE secure client access application monitors, browser access, DNS resolvers, and routes:

  1. Go to Configure > Security Service Edge > Secure Client Access > Profiles.

    If you have not configured a secure access client profile, the Welcome to the Secure Access Profile page displays. On this page, you can choose to configure one of the following types of profiles:
     
    • Client-based profile
    • Clientless access profile

      If you have configured one or more secure access client profiles, the Secure Client Access Profile List screen displays the profiles that are already configured.

  2. In the horizontal menu bar, you can select one of the following operations.
     
    | Operation | Description |
    |---|---|
    | Add | Create a new secure client access profile. This button is active when no existing profile is selected. |
    | Clone | Clone the selected secure client access profile. When you click Clone, the configuration wizard for the profile displays. You can edit the configuration. In the Review & Deploy screen, rename the default name of the cloned profile, if needed, and then click Save. |
    | Delete | Delete the selected access control policy. A popup window displays. Click Yes to delete the profile, or click No to retain the profile. |
    | Refresh | Refresh the list of existing policies. |
    | Select Columns | To select the columns that you want to display, click the down arrow. To return to the default column selection, click Reset. |

  3. To edit an existing profile, click the profile name, edit the entries as needed, and then click Save.
  4. To configure a new profile, click the Add icon, then select a type of profile to create, and then click Next.

    • Client-Based Profile—You are then prompted to configure routes, DNS resolvers and applications for monitoring. Then you are prompted to review and deploy the profile.

    • Clientless Access Profile—For browser access, you are prompted to select custom and predefined applications for clientless VPN access. Then you are prompted to review and deploy the profile.

Note: The remaining steps in this procedure show how to configure both a client-based and a clientless access profile. To configure only a client-based or only a clientless access profile, follow the same procedure, performing only the relevant steps.

  1. In Step 1, Routes and DNS Resolvers, click Customize in the Routes pane to add routes to the profile. Routes are prefixes that can be reached over the remote access VPN. The Routes pane displays the routes that are already configured.

  2. Click + Add to add a new route. In the Add Route popup window, enter information for the following fields.

    | Field | Description |
    |---|---|
    | Name | (Required) Enter a name for the route. |
    | Description | Enter a text description for the new route. |
    | Prefix | (Required) Enter a prefix for the route. By default, if you are using Versa Secure Internet Access (VSIA), the 0.0.0.0/0 subnet is advertised to the client. If you are using Versa Secure Private Access (VSPA), the prefix must be in the private access subnet range as defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). |
    | Metric | Enter a value for the route metric. Range: 0 through 4294967295. Default: None. |
    | Encryption | Select to encrypt the route and to route the traffic for applications and domains to an encrypted tunnel. By default, encryption is enabled. To disable encryption, click the slider. If you disable encryption, traffic is routed on an encrypted or non-encrypted (clear-text) route, depending on the configuration, for applications and domains. If the route is not encrypted, Versa secure client access creates two tunnels, one encrypted and one clear text, and then routes traffic. In this case, you might consider securing the application using a different method, such as SSL/TLS. |

  3. Click Add. The Routes screen displays the new route.
  4. Click Back. The Routes and DNS resolvers screen displays.
  5. To add DNS resolvers to the profile, click Customize in the DNS Resolvers pane. The DNS Resolvers screen displays the DNS resolvers that are already configured.

  6. Click + Add to add a new DNS resolver. In the Add DNS Resolver popup window, enter information for the following fields.

    | Field | Description |
    |---|---|
    | Name | Enter a name for the DNS resolver. |
    | Description | Enter a text description for the DNS resolver. |
    | Domain | Enter a valid domain name for the DNS resolver to send to the client. The client uses the DNS resolver to perform DNS lookups for all traffic. |
    | DNS Server IP Address | Enter a valid IP address for the DNS server. To enter additional addresses, click the Plus icon. |

  7. Click Add to add the new DNS resolver to the secure client access profile. The DNS Resolvers screen displays the new DNS resolver.
  8. Click Back. The Routes and DNS resolvers screen displays the routes and DNS resolvers that you added.

  9. Click Next to continue to Step 2, Application Monitor. To configure DEM, click Customize in the Application Monitor pane.

  10. In the Application Monitor screen, enter information for the following fields. These parameters are downloaded to the SASE client when a user registers the client with the SASE client portal.

    | Field | Description |
    |---|---|
    | Network Segments (Group of Fields) | |
    | • Device Monitoring | Click to monitor the health of devices, including memory, CPU, disk utilization, and battery life. |
    | • Internet Monitoring | Click to monitor internet performance, including delay, hops, hop-by-hop latency, jitter, and packet loss. |
    | • Local Network Monitoring | Click to monitor the performance of the local network, including latency, jitter, packet loss, WiFi SSID, and signal strength. |
    | • Interval | Enter how often to monitor an application, in seconds. |
    | Application Monitoring (Group of Fields) | |
    | • Custom Applications | Select one or more user-defined applications. |
    | • Predefined Application | Select one or more predefined applications. |
  11. Click Back. The Application Monitor screen displays the applications that you added.

  12. Click Next to continue to Step 3, Browser Access. To select custom and predefined applications for clientless VPN access, click Customize in the Browser Access pane.

  13. In the Browser Access screen, select custom applications or predefined applications, or both.

  14. Click Back. The Browser Access screen displays with custom and predefined applications that you added.

  15. Click Next. In the Review & Submit screen, enter information for the following fields.

    | Field | Description |
    |---|---|
    | Name | (Required) Enter a name for the profile. |
    | Description | Enter a text description for the profile. |
    | Tags | Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags for the same object. Tags are used to search for objects. |
  16. Review the remaining information. Click the Edit icon to make changes to any of the sections.
  17. Click Submit.
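
The field constraints in this procedure (RFC 1918 prefixes for VSPA routes, the metric range, valid DNS server addresses, alphanumeric tags) can be checked before the values are entered in the wizard. The following is an added example, not Versa code: the dictionary layout, `lint_profile`, and the sample data are assumptions made for illustration and do not correspond to any Versa API or export format.

```python
import ipaddress
import re

# RFC 1918 ranges the page requires for VSPA route prefixes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
METRIC_MAX = 4294967295               # upper bound of the Metric field
TAG_RE = re.compile(r"[A-Za-z0-9]+")  # tags: alphanumeric, no spaces or special characters

def lint_profile(profile, service="VSPA"):
    """Return findings for a planned profile (hypothetical dict layout, not a Versa format)."""
    findings = []
    for route in profile.get("routes", []):
        name = route.get("name") or "<unnamed>"
        if not route.get("name"):
            findings.append("route: Name is required")
        try:
            net = ipaddress.ip_network(route.get("prefix", ""), strict=True)  # rejects host bits
        except ValueError:
            findings.append(f"route {name}: invalid prefix {route.get('prefix')!r}")
            continue
        if service == "VSPA" and not (net.version == 4 and any(net.subnet_of(p) for p in RFC1918)):
            findings.append(f"route {name}: {net} is outside the RFC 1918 ranges")
        metric = route.get("metric")  # optional, the field has no default
        if metric is not None and not (isinstance(metric, int) and 0 <= metric <= METRIC_MAX):
            findings.append(f"route {name}: metric {metric!r} not in 0..{METRIC_MAX}")
        if not route.get("encryption", True):  # encryption is enabled by default
            findings.append(f"route {name}: encryption disabled, traffic can use the clear-text tunnel")
    for resolver in profile.get("dns_resolvers", []):
        for addr in resolver.get("servers", []):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"resolver {resolver.get('name')}: invalid DNS server IP {addr!r}")
    for tag in profile.get("tags", []):
        if not TAG_RE.fullmatch(tag):
            findings.append(f"tag {tag!r}: must be alphanumeric with no spaces or special characters")
    return findings

SAMPLE = {  # constructed sample input
    "routes": [
        {"name": "corp-lan", "prefix": "10.20.0.0/16", "metric": 10},
        {"name": "lab", "prefix": "172.32.0.0/16", "encryption": False},
        {"name": "bad-metric", "prefix": "192.168.5.0/24", "metric": 4294967296},
    ],
    "dns_resolvers": [{"name": "internal", "domain": "corp.example", "servers": ["10.20.0.53", "10.20.0.530"]}],
    "tags": ["branch01", "hq east"],
}
if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

Pass `service="VSIA"` to skip the RFC 1918 check, since the page states that VSIA advertises 0.0.0.0/0 to the client.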

Supported Software Information

Releases 11.1.1 and later support all content described in this article, except:

  • Release 12.1.1 allows you to clone Private Application Protection Profiles; supports Digital Experience Monitoring (DEM).