Secure Access Service Edge (SASE) provides the SASE client to redirect Internet traffic from enterprise office terminals to the nearest SASE service node. Terminals on which the SASE client is not installed cannot be managed by using zero trust policies. This topic describes how to configure accounts, whitelists, and message push. This topic also describes how to install the SASE client and configure custom settings.
Background information
After the users of an enterprise install the SASE client on terminals, the enterprise administrator can view the total number of terminals and the details about the terminals in the terminal list. From the terminal list, the enterprise administrator can also promptly identify the users who have not installed the SASE client and the terminals on which the SASE client is not installed. For more information, see View the terminal list.
After a user logs on to the SASE client, the SASE client forwards the Internet traffic from the corresponding terminal. The SASE client also detects and manages the Internet access of the terminal.
Configure an account
The Account Settings tab consists of the Enterprise Authentication Identifier, Account Authentication Frequency, and Account Authentication Policy sections.
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Account Settings tab, configure the parameters.
Configure an enterprise authentication identifier.
In the Enterprise Authentication Identifier section, configure an enterprise authentication identifier.
An enterprise authentication identifier is an important credential for users to log on to the SASE client. We recommend that you use the enterprise name or information that is easy to remember as the enterprise authentication identifier. The first time a user logs on to the SASE client, the user must manually enter the enterprise authentication identifier.
Configure account validity.
On the Account Settings tab, configure Account Authentication Frequency and Account Authentication Policy.
Account Authentication Frequency
This parameter specifies the authentication interval. During the authentication interval, after a user logs on to the SASE client, the user does not need to be authenticated for the subsequent logons. After the specified authentication interval ends, the logon page is displayed and the user must re-enter the username and password to log on to the SASE client.
Account Authentication Policy
Immediate Authentication
After the specified authentication interval ends, the user is immediately logged off from the SASE client and must re-enter the username and password for authentication. This configuration ensures security but may cause interruptions.
Authentication During Network Change
After the specified authentication interval ends, the user is not immediately logged off from the SASE client. When the computer wakes up or the network connection changes, the user must re-enter the username and password for authentication. This configuration ensures user experience and does not cause interruptions.
Configure a whitelist
If behaviors such as accessing office applications, accessing a public website, transferring files outbound, using peripherals, and using watermarked files are risk-free and you do not want the SASE client to manage or audit the behaviors on the public website, you can configure a whitelist. This section describes how to configure a whitelist for a website.
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Whitelist tab, configure a private access whitelist or a data loss prevention (DLP) whitelist.
Configure a private access whitelist.
On the Private Access tab, configure a whitelist for a website.
You can use one of the following methods to configure a whitelist in SASE:
IP Address Whitelist: Add the IP address or CIDR block of a website. You can add multiple IP addresses or CIDR blocks.
Domain Name Whitelist: Add the domain name or wildcard domain name of a website. You can add multiple domain names or wildcard domain names.
Click Submit.
After you configure the whitelist, you can directly access the office applications in the whitelist.
Configure a DLP whitelist.
On the Data Loss Prevention tab, configure a whitelist for files, peripherals, or watermarks.
SASE supports the following types of whitelists. When you configure a whitelist, you must separate multiple users with commas (,).
Outbound File Transfer Detection Whitelist
Peripheral Control Whitelist
Watermark Whitelist
Click Submit.
After you configure the whitelist, SASE no longer manages or blocks the behaviors of users in the whitelist.
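Entries in the private access whitelist are exempt from SASE management, so a very broad CIDR block or wildcard deserves a review before you click Submit. The following check is an added example, not part of the SASE product or its API. The prefix thresholds, the leading `*.` wildcard form, and the sample suffix set are assumptions.

```python
import ipaddress
import re

# Assumed review thresholds, not SASE limits: widest prefix accepted without comment.
MIN_PREFIX = {4: 24, 6: 64}
# Constructed sample of suffixes shared by unrelated owners; use the Public Suffix List in practice.
SHARED_SUFFIXES = {"com.cn", "co.uk", "github.io"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def review_ip_entry(entry):
    """Findings for one IP Address Whitelist entry (single address or CIDR block)."""
    text = entry.strip()
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return ["not a valid IP address or CIDR block"]
    findings = []
    if net.prefixlen == 0:
        findings.append("matches every address")
    elif net.prefixlen < MIN_PREFIX[net.version]:
        findings.append(f"/{net.prefixlen} covers {net.num_addresses} addresses")
    if "/" in text and text != str(net):
        findings.append(f"host bits set, normalises to {net}")
    return findings

def review_domain_entry(entry):
    """Findings for one Domain Name Whitelist entry; a leading '*.' is the assumed wildcard form."""
    name = entry.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    labels = base.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return ["not a valid domain name or leading-wildcard name"]
    if len(labels) < 2 or base in SHARED_SUFFIXES:
        extra = ", so the wildcard spans unrelated owners" if wildcard else ""
        return [f"'{base}' is a single label or shared suffix{extra}"]
    return []

def review_whitelist(ip_entries, domain_entries):
    """Map each entry that needs a second look to its findings; clean entries are omitted."""
    checks = [(e, review_ip_entry(e)) for e in ip_entries]
    checks += [(e, review_domain_entry(e)) for e in domain_entries]
    return {e: found for e, found in checks if found}

# Constructed sample input, not taken from a real tenant.
SAMPLE_IPS = ["203.0.113.10", "198.51.100.0/24", "10.1.2.3/16", "0.0.0.0/0", "192.0.2.300"]
SAMPLE_DOMAINS = ["intranet.example.com", "*.example.com", "*.com", "*.co.uk", "bad_name.example"]
for entry, found in review_whitelist(SAMPLE_IPS, SAMPLE_DOMAINS).items():
    print(f"{entry}: {'; '.join(found)}")
```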
Configure message push
If you want to obtain user logon logs, information about registered terminals, client uninstallation, and applications for using unauthorized software at the earliest opportunity, you can configure message push. After you configure message push, the messages of users are automatically pushed to your enterprise group by DingTalk Chatbot, WeCom Chatbot, or Lark Chatbot. This allows you to obtain up-to-date information.
Before you configure message push in SASE, you must create a custom chatbot for DingTalk, WeCom, or Lark.
For more information about how to create a custom DingTalk chatbot and obtain the webhook URL and webhook key, see DingTalk chatbot.
For more information about how to create a custom WeCom chatbot and obtain the webhook URL, see WeCom chatbot.
For more information about how to create a custom Lark chatbot and obtain the webhook URL and webhook key, see Lark chatbot.
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Message Push tab, click Create Template.
In the Create Template panel, configure the push template based on your data source.
Parameter: Notification Source
Description:
  DingTalk Chatbot
  WeCom Chatbot
  Lark Chatbot

Parameter: Chatbot Configuration
Description:
  DingTalk Webhook URL. Example: https://oapi.dingtalk.com/robot/send?access_token=****.
  Webhook Key (DingTalk). Example: 123456.
  WeCom Webhook URL. Example: https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=90e25f1d-99b5-4496-890d-4d1c6efe3****.
  Lark Webhook URL. Example: https://open.feishu.cn/open-apis/bot/v2/hook/4c83950f-2335-42ae-a5bd-11a96d6d****.
  Webhook Key (Lark). Example: 123456.

Parameter: Message Type
Description: You can select multiple message types. Valid values:
  Notification of Client Log Report
  Notification of Exceeded Registration Quota on Client
  Notification of Application for Client Uninstallation
  Application for Using Unauthorized Software
  Notification of Abnormal Connector
Click Connectivity Test. If the connectivity test is successful, click OK.
To modify or delete a template, click Edit or Delete on the Message Push tab.
Important: After you delete a message push template, SASE cannot automatically push messages to your enterprise group. Proceed with caution.
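Pushed messages carry logon logs and terminal information, so the webhook URL should point at the chatbot host that matches the selected Notification Source, and its token should not be copied into tickets or logs in full. The following check is an added example, not part of SASE. The expected hosts and paths are taken from the example URLs shown above, and the function name and sample tokens are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Host, path and token location per Notification Source, taken from the example URLs above.
# A parameter name means the token is in the query; None means it is the last path segment.
EXPECTED = {
    "DingTalk Chatbot": ("oapi.dingtalk.com", "/robot/send", "access_token"),
    "WeCom Chatbot": ("qyapi.weixin.qq.com", "/cgi-bin/webhook/send", "key"),
    "Lark Chatbot": ("open.feishu.cn", "/open-apis/bot/v2/hook/", None),
}

def check_webhook(source, url):
    """Return (problems, redacted_url) for a webhook URL before it is saved in a push template."""
    host, path, param = EXPECTED[source]
    url = url.strip()
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Exact match on netloc also rejects userinfo, explicit ports and look-alike suffixes.
    if parts.netloc.lower() != host:
        problems.append(f"host is not {host}")
    if param is None:
        token = parts.path[len(path):] if parts.path.startswith(path) else ""
        path_ok = bool(token) and "/" not in token
    else:
        token = parse_qs(parts.query).get(param, [""])[0]
        path_ok = parts.path == path
    if not path_ok:
        problems.append(f"path does not match {path}")
    if not token:
        problems.append("no token found in the URL")
    # Treat the token as a secret: keep only a short prefix when the URL is written down.
    redacted = url.replace(token, token[:4] + "****") if token else url
    return problems, redacted

# Constructed sample values; the tokens are made up.
SAMPLES = [
    ("DingTalk Chatbot", "https://oapi.dingtalk.com/robot/send?access_token=0123456789abcdef"),
    ("WeCom Chatbot", "http://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=11112222-3333"),
    ("Lark Chatbot", "https://open.feishu.cn.example.net/open-apis/bot/v2/hook/aaaabbbb-cccc"),
]

if __name__ == "__main__":
    for source, url in SAMPLES:
        problems, redacted = check_webhook(source, url)
        print(source, redacted, problems or "ok")
```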
Configure client elements
SASE allows you to configure custom elements for the SASE client. You can change the logo, background image, and promotional text of the SASE client. This section describes how to configure custom elements for the SASE client.
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Enterprise Elements tab, configure custom elements for the SASE client or on the client download page.
Download the SASE client
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Download Client tab, download the client installation package.
You can download the SASE mobile client, SASE desktop client, and enterprise-specific client.
Decompress the downloaded installation package and double-click the .exe file to install the client.
After the installation is complete, the icon of the SASE client appears on the terminal desktops of users.
Update the SASE client
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Client Update tab, select a tab based on the operating system of your terminal.
Find the version that you want to manage and click Download in the Actions column. Then, download the installation package as prompted.
If you want to push an update task to users, find the version that you want to manage and click Push Update. In the panel that appears, configure the parameters and click OK.
You can specify a custom update percentage. After you create an update task, the system randomly updates the SASE client on the terminals that belong to the specified applicable users based on the specified update percentage.