How does secure access protect remote users?

bryan-cruz
Level 1

I would like to understand how the Secure Access solution protects remote users. If I am not on the VPN, do I not have DNS protection, web filtering, CASB or DLP?

Because I have been testing and I see that only with the ZTNA agent I have access to private applications, but I have no internet protection until I connect my VPN. Is this normal?

On the other hand, I tested and with the Umbrella module installed on the endpoint I do have all this, but nowhere in the documentation do I see that the Secure Access architecture implies having the Umbrella module. Is it okay to put it, or on the contrary am I doing something wrong?

Lastly, if I already have Umbrella on a client with a connection to the AD on premise, how do I authenticate my users with SAML and Azure if the documentation says that I cannot have two (Azure and AD on premise) authentication sites active at the same time?

1 REPLY

sitecountryy
Level 1

Secure access solutions, like ZTNA (Zero Trust Network Access), are designed to protect remote users, but the level of protection varies depending on the configuration and tools in use. Generally, when you're not connected to a VPN, certain protections like DNS security, web filtering, CASB (Cloud Access Security Broker), and DLP (Data Loss Prevention) might not be active, unless additional security modules like Umbrella are in place. This is because VPNs traditionally offer secure tunneling that enables access to internal resources while providing extra layers of security for the internet connection.

In your case, using the ZTNA agent allows access to private applications, but without a VPN connection, your internet traffic isn't being protected, which is normal for some configurations. To address this, integrating Umbrella can offer DNS filtering and web security while also providing protection when you're not connected to a VPN.

Regarding the SAML and Azure authentication issue, it's important to note that the documentation you're referring to may restrict having two authentication sites (Azure and AD on-premise) active simultaneously. You may need to choose one method, either Azure AD or on-premises AD, for authentication or explore configurations that enable seamless integration between both services.

It's recommended to double-check the architecture and documentation of your secure access solution and possibly consult with support to ensure you're following best practices and not causing conflicts in your setup.