Configure SASE Secure Clientless Access Policy Rules
For supported software information, see Supported Software Information.
Clientless access is a method of providing secure access to enterprise resources without requiring users to install client software on their devices. Instead, users access resources through a web browser using web-based technologies.
To configure SASE secure clientless access policy rules:
- Go to Configure > Security Service Edge > Secure Access > Clientless Access > Policy Rules.
Note: In Releases 12.1.1 and earlier, the Secure Access folder was called Secure Client Access and Policy Rules was located directly under Secure Client Access (Configure > Security Service Edge > Secure Client Access > Policy Rules). In addition, you configured both client-based and clientless access from Secure Client Access > Policy Rules screens.

If you have not yet configured a clientless access policy rule, the following screen displays:

For information about configuring authentication profiles, see Configure User and Device Authentication. For information about configuring application reverse proxy, see Configure Application Reverse Proxy.
If you have already configured one or more clientless access policy rules, the following screen displays.

- In the horizontal menu bar, you can perform the following operations.

  - Add: Create a new secure clientless access policy rule. This button is active when no existing rule is selected.
  - Clone: Clone the policy rule. When you select this option, the configuration wizard for the rule displays with the Review & Deploy screen selected. You can rename the default name of the cloned rule, if desired, then click Save.
  - Reorder: Reorder the selected policy rule. A popup window similar to the following displays.
    1. Select one of the three options:
       - Process the rule last
       - Process the rule first
       - Process the rule in specific placement: A list of the existing rules displays. Click the position in the list where you want to place the rule.
    2. Click Move.
  - Delete: Delete the selected policy rule. A popup window similar to the following displays. Click Yes to delete the policy rule, or click No to retain the rule.
  - Refresh: Refresh the list of existing rules.
- To customize which columns display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default columns settings. The available columns are:
- Users
- Source Geo Locations
- Source IP Address
- Application Reverse Proxy
- Status
- Click the Add icon to configure a new clientless access policy rule.
- The Create Clientless Access Rule screen displays. There are four steps to configure for each clientless access rule, organized under Match Criteria, Action, and Review & Configure.

  - Match Criteria:
    - Users/User Groups
    - Source Geo Location & Source IP Address
  - Action:
    - Application Reverse Proxy
  - Review & Configure
See the sections below to configure secure clientless access rules.
Configure Users and Groups
To configure users and groups:
- In the Create Clientless Application Access Rule screen, select Step 1, Users & Groups. The following screen displays.

- By default, all users and groups are chosen. To customize the users and groups for the security posture, click Customize. The following screen displays, with Known Users selected by default. Known users are all authenticated users.

- To apply the policy to specific users or groups, click Selected Users. The following screen displays.

- Select one or more user groups to include in the policy rule.
- Click the Users tab, and then select one or more users to include in the policy rule.

- Click Next to go to the Source Geo Location & Source IP Address screen.
Configure Source Geo Location and Source IP Address
By default, all source geographic locations and all source IP addresses are allowed network access. You can customize either or both of them.
To customize the source geographic locations and source IP addresses:
- In the Create Clientless Application Access Rule screen, select Source Geo Location & Source IP Address.

- To select specific geo locations, click Customize in the Source Geo Location pane. The following screen displays.

- Click Clear All to remove any already selected source locations. (Because all locations are selected by default, they are not displayed.)
- To customize the geographic location by country, state, or city, click the down arrow in the Country box. The Selected section lists the country, state, or city with name and location type.

- To remove a location from the selected list, click the X next to the location type name.
- To remove all locations from the selected list, click Clear All.
- Click the Back arrow to return to the Source Geo Location & Source IP Address screen.
- To select specific IP addresses, click Customize in the Source IP Address pane. In the Source screen, enter information for the following fields.

  - Source Address (Group of Fields)
    - Address Group: Click in the box, and then select one or more address groups. The address groups in the list are those defined in the User Defined Objects section.
      If you want to provide one or more specific source IP addresses, you do not need to select an address group. Instead, use the IP Wildcard field to enter the IP address.
      To create a new address group, click + Add New, and then enter information for the following fields:
      - Click the Enter Addresses section and select the group Type. The type can be Subnet, IP range, IP wildcard, or IPv6 subnet.
      - Based on the type selected, enter one of the following and press Return:
        - Subnet: An IP address and subnet mask, for example, 10.2.1.0/24
        - IP range: An IP address range, for example, 10.2.1.1-10.2.2.2
        - IP wildcard: A specific IP address and mask, for example, 192.68.0.56/255.255.0.255
        - IPv6 subnet: A valid IPv6 subnet
        - FQDN: A fully qualified domain name (FQDN)
        - Dynamic Address: One or more address object names
      - To add additional address group types, click the Plus icon. To remove an address group type, click the Minus icon.
      - Click Next.
      - In the Name & Tags section, enter a name for the address group and any tags you want to associate with the group.
      - Click Save.
  - IP Subnet: Enter an IP subnet to include in the match list (for example, 10.0.0.0/24), then press Return. You can add additional IP subnets by entering the subnet and pressing Return for each one.
  - IP Range: Enter an IP address range to include in the match list (for example, 10.2.1.1-10.2.2.2), then press Return. You can add additional IP address ranges by entering the range and pressing Return for each one.
  - IP Wildcard: Enter an IP address and mask to include in the match list (for example, 192.68.0.56/255.255.0.255), then press Return. You can add additional IP addresses and masks by entering each one and pressing Return.
  - Source Address Negate: Select to apply the rule to any source addresses except the ones in the Source Address field.
- Click Next to go to Application Reverse Proxy, then enter information for the following fields.

  - Private Applications: Click the down arrow and select one or more private applications to include in the rule.
  - SaaS Applications: Click the down arrow and select one or more SaaS applications to include in the rule.
  - Add New: Click the Add New icon to add a new application. See Configure Application Reverse Proxy for more information.
- Click to go to Review and Configure.

  - Name (Required): Enter a name for the rule.
  - Description (Optional): Enter a text description for the rule.
  - Tags (Optional): Enter one or more tags to help identify the rule. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.
  - Rule is enabled: Click the slider to enable the rule.
  - Edit: Click the Edit icon to revise any section, as needed.
- Click Save to create the secure clientless access policy rule.
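
The Source IP Address step above combines IP Subnet, IP Range, and IP Wildcard entries with the Source Address Negate option. The following Python code is an added example, not part of the product or its documentation, for checking offline which source addresses a planned match list would cover before you enter it. The function names are hypothetical, and it assumes IPv4 entries and that a 1 bit in the wildcard mask means the address bit must match.

```python
import ipaddress

# Constructed match list using the example values from the field descriptions.
MATCH_LIST = [
    ("subnet", "10.0.0.0/24"),
    ("range", "10.2.1.1-10.2.2.2"),
    ("wildcard", "192.68.0.56/255.255.0.255"),
]

def entry_matches(kind, value, src):
    """Return True if IPv4 address src falls inside one match-list entry."""
    addr = ipaddress.IPv4Address(src)
    if kind == "subnet":
        return addr in ipaddress.IPv4Network(value, strict=False)
    if kind == "range":
        # Both ends are inclusive; a range may cross subnet boundaries.
        low, high = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        if low > high:
            raise ValueError(f"range start is above range end: {value}")
        return low <= addr <= high
    if kind == "wildcard":
        base, mask = (int(ipaddress.IPv4Address(p)) for p in value.split("/"))
        # Assumption: a 1 bit in the mask must match, a 0 bit is ignored.
        return (int(addr) & mask) == (base & mask)
    raise ValueError(f"unknown entry type: {kind}")

def source_matches(entries, src, negate=False):
    """Apply the whole match list; negate mirrors Source Address Negate."""
    hit = any(entry_matches(kind, value, src) for kind, value in entries)
    return hit != negate

def audit(entries, sources, negate=False):
    """Map each candidate source address to whether the rule would match it."""
    return {src: source_matches(entries, src, negate) for src in sources}

if __name__ == "__main__":
    samples = ["10.0.0.17", "10.2.1.255", "10.2.2.3", "192.68.77.56", "192.68.0.57"]
    for src, matched in audit(MATCH_LIST, samples).items():
        print(f"{src:15} {'match' if matched else 'no match'}")
```

Under the stated mask assumption, the wildcard entry matches any third octet, so it covers 256 addresses rather than one; confirm the mask semantics on your release before relying on it in a rule that uses Negate.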
Supported Software Information
Releases 11.1.1 and later support all content described in this article, except:
- Release 12.2.1 introduces new UI screens to configure secure clientless access policy rules.
