GA Release of Trusted Network Detection for Client-Based ZTA

Venkat Tamilraj · ‎07-15-2025

We are excited to announce the General Availability (GA) of Trusted Network Detection (TND) for client based Zero Trust Access (ZTA) in Cisco Secure Access. This feature empowers administrators to configure Cisco Secure Client to automatically pause ZTA traffic steering and enforcement when an endpoint is connected to a trusted network. Once the endpoint leaves the trusted network, ZTA enforcement seamlessly resumes. TND settings can be independently managed for private and internet ZTA destinations, providing granular control for different network environments.

Packaging and Licensing

Trusted Network Detection is available as part of the Cisco Secure Access offering. No additional licensing is required for customers with active Secure Access subscriptions that include client-based ZTA functionality.

Key Benefits / Value Delivered

Optimized Performance and Reduced Latency: Temporarily pausing ZTA enforcement on trusted networks can improve network efficiency and create a smoother end-user experience.
Flexible Resource Utilization: Enables organizations to enforce local security policies on trusted networks while maintaining strict ZTA enforcement elsewhere.
Independent Configuration: Separate TND settings for private and internet destinations allow for tailored security and operational strategies.
End-User Transparency: Users experience seamless connectivity with no additional actions required as they move between trusted and untrusted networks.

Use Cases

Campus or Corporate Networks: Automatically suspend ZTA enforcement when users are within a highly secure corporate network, optimizing application performance and reducing authentication friction.
Remote and Hybrid Work: Ensure that ZTA protections are enforced only when users are outside trusted environments, balancing security with productivity for hybrid and remote users.
Granular Policy Management: Apply differentiated TND policies for access to internal resources versus internet destinations, aligning with business and compliance needs.

Getting Started

Access the Feature: Trusted Network Detection can be configured in the Secure Access dashboard under the ZTA End User Connectivity section.
Configuration: Define trusted network criteria and specify TND behavior for private and internet ZTA destinations.
Roll Out to Endpoints: TND requires Cisco Secure Client 5.1.10 or later. Deploy updated Secure Client to your endpoints.
Monitor & Optimize: Review policy effectiveness and make adjustments as needed.

Best Practices

Define Trusted Networks Carefully: Use well-defined criteria to prevent accidental disabling of ZTA enforcement. Combine passive probes (DNS domains / DNS servers) with active probes (Trusted Server) to maximize security.
Test Before Rollout: Pilot the feature with a subset of users to ensure network policies align with your organization’s security posture.
Monitor Logs and Reports: Regularly review Secure Access logs to ensure that TND is functioning as expected and to identify opportunities for tuning.
Educate End Users: Communicate with users about the seamless experience and reinforce security awareness, especially when moving between networks.

Documentation and Resources

Trusted Networks for Zero Trust Access Connections

dazor · ‎07-17-2025

Can I define a Trusted Network with RFC1918 or a Public IP ?