About Browser-Based Access ZTNA
Overview
Customer Edge
- The client initiates a browser connection to the application-specific URL
- Anycast DNS resolves this request and directs it to the nearest SNI proxy
Service Edge
- The SNI proxy determines which service to reach from the connection request
- It connects to the nearest Umbrella cloud where the service is running and proxies the traffic coming from the browser
Fabric Services
- The zero-trust proxy (Zproxy) changes the traffic source to an address within 100.64.0.0/10 (the carrier-grade NAT range)
- The request is sent for authentication and posture check
- Once authenticated and authorized, the request is redirected to the policy engine, which decides whether to allow it based upon your set policies
- Once the decision is made, the request is sent to our routing engine, which delivers the traffic to the correct application
Customer Environment
- User has secured access to the application
Note: Dynamic routing is not currently available. Therefore, for return traffic, the application-side router must have a route to 100.64.0.0/10 through the backhaul tunnel.
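One way to check the return-route requirement in the note above. This is an added example, not Cisco's tooling; it goes beyond the single static route by applying longest-prefix matching, so a more-specific route that pulls part of 100.64.0.0/10 away from the tunnel is also reported. The Linux `ip route` text format, the interface name `ipsec0` and the sample tables are assumptions constructed for illustration.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # Zproxy source range, per the page

def parse_routes(text):
    """Parse Linux `ip route show` style lines (IPv4 only) into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # e.g. blackhole/unreachable entries carry no device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def gaps(routes, tunnel_dev, net=CGNAT):
    """Return (sub-range, device) pairs inside `net` whose best route is not tunnel_dev."""
    inside = [r for r in routes if r[0] != net and r[0].subnet_of(net)]
    if inside:  # more-specific routes exist below this prefix: check each half
        found = []
        for half in net.subnets(prefixlen_diff=1):
            found += gaps(routes, tunnel_dev, half)
        return found
    covering = [r for r in routes if net.subnet_of(r[0])]
    if not covering:
        return [(net, None)]  # no route at all: return traffic is dropped
    best = max(covering, key=lambda r: r[0].prefixlen)  # longest-prefix match
    return [] if best[1] == tunnel_dev else [(net, best[1])]

# Constructed sample tables; "ipsec0" stands in for the backhaul tunnel interface.
GOOD = """
default via 192.0.2.1 dev eth0
10.20.0.0/16 dev eth1 proto kernel scope link
100.64.0.0/10 dev ipsec0
"""
SHADOWED = """
default via 192.0.2.1 dev eth0
100.64.0.0/10 dev ipsec0
100.100.0.0/16 via 192.0.2.1 dev eth0
"""
MISSING = "default via 192.0.2.1 dev eth0"

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("SHADOWED", SHADOWED), ("MISSING", MISSING)):
        print(name, gaps(parse_routes(table), "ipsec0") or "all return traffic uses the tunnel")
```

An empty result means every Zproxy source address returns through the tunnel; any reported sub-range would send replies out another interface, which breaks the session and exposes return traffic outside the tunnel.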
Future Enhancements
- Customized block pages
- Custom-defined URL and customer-owned certificate
- Dynamic Routing