Cisco Security

Login

Cisco Secure Access DNS Defense Help

Cisco Secure Access - DNS Defense Help
- Welcome to Cisco Secure Access – DNS Defense
  - Sign into Secure Access – DNS Defense with Security Cloud Sign On
    - Prerequisites
    - Procedure
  - Find Your Organization ID
    - Prerequisites
    - Procedure
  - Determine Your Current Package
  - View Cloud Security Service Status
    - Cloud Security Service Status
      - Cisco Secure Access Services
      - Secure Access Service Status
    - Past Incidents
  - Contact Cisco Secure Access Support
- Secure Access Single Sign-On Authentication
  - Configure Single Sign-On Authentication
    - Prerequisites
      - Add Your Organization's Identity Provider in Security Cloud Sign On
      - Add Administrators to Secure Access
    - Procedure
  - Troubleshoot Single Sign On Authentication
- Get Started
  - Begin Secure Access Onboarding Workflow
  - Step 1 – Configure Network Connections
    - Prerequisites
    - Task 1 – Add Network Connections
      - Add Network Tunnel Groups
      - Add Resource Connectors and Connector Groups
    - Task 2 – Provision Users and Groups
    - Task 3 – Configure Integrations with SAML Identity Providers
    - What's Next
  - Step 2 – Configure Access to Resources
    - Prerequisites
    - Task 1 – Set Up Private Resources
    - Task 2 – Configure Rule Defaults and Global Settings
      - Manage Rule Defaults
      - Manage Global Settings
    - Task 3 – Add a Policy Rule
    - What's Next
  - Step 3 - Configure End User Connectivity
    - Prerequisites
    - Task 1 – Configure Zero Trust
    - Task 2 – Configure Virtual Private Networks
    - Task 3 – Configure Internet Security
    - Task 4 - Configure Endpoints and Networks
  - Step 4 – Configure Endpoints and Network Sources
    - Prerequisites
    - Add Networks to Secure Access
    - Set Up the Cisco Secure Client
    - Add IPS Profiles
    - Configure Rule Profiles
  - Secure Access Overview Dashboard
    - Prerequisites
    - Get Started Workflow
    - Connectivity
    - Data Transfer
    - Security
      - Security Activity
      - Top Security Categories
    - Users and Groups
    - Private Resources
- Limitations and Range Limits
  - Internet Protocol Versions
  - Secure Access Components
  - Identity Integrations
  - Users and Roles
  - Reporting
  - Data Retention
  - Monthly DNS Query Average
- Network Requirements for Secure Access
  - Secure Access DNS Resolvers
    - Best Practices
    - Cisco Secure Client
    - Cisco Secure Client and External DNS Resolution
  - Secure Access Encrypted DNS Queries
  - Secure Access DNS, Web, and Block Pages
  - Secure Access DNS and Web – Client Configuration Services
    - Windows Only
  - Secure Access DNS and Web – Client Sync Services
  - Secure Access DNS and Web – Client Certificate Revocation Services
  - Cisco Secure Client and Captive Portal Detection
  - Cisco Secure Client and Device Hostnames
  - Transport Layer Security Protocol Requirements
    - TLS 1.2 Support in Windows
    - TLS 1.2 Support in macOS
  - Secure Access Secure Web Gateway Services
    - Egress IP Addresses for the Secure Web Gateway
    - Ingress IP Addresses for the Secure Web Gateway
  - Secure Access Encrypted Web Requests
  - Secure Access Realtime DLP Secure ICAP
  - Secure Access SaaS Tenants
    - Microsoft 365
  - Secure Access SAML Gateway Services
    - Active Directory Federation Service SAML Identity Provider
  - Secure Access SAML Identity Provider Domains
    - Azure AD SAML Identity Provider
  - Secure Access SAML Gateway Client Certificate Revocation Services
  - Secure Access VPN Services
  - Secure Access VPN Client Certificate Revocation Services
  - Secure Access Zero Trust Client-Based Enrollment Services
  - Secure Access Zero Trust Client-Based Proxy Services
    - Known Network Restrictions for Zero Trust Clients
  - Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
  - Secure Access Zero Trust Proxy Services – Unmanaged Devices
  - Secure Access Zero Trust Services and Connector Groups
- Manage Network Connections
  - Comparison of Network Connection Methods
    - Resource Connectors (Deployed in Connector Groups)
    - Network Tunnels (Deployed in Network Tunnel Groups)
- Manage Network Tunnel Groups
  - Device Compatibility and Network Tunnels
    - IPsec Tunnel Requirements
    - Supported Devices for Setting Up IPsec Tunnels
  - Add a Network Tunnel Group
    - Prerequisites
    - Procedure
      - Configure Tunnel on Network Device
      - Verify Tunnel Traffic in Secure Access
  - Delete a Network Tunnel Group
    - Prerequisites
    - Procedure
  - Edit a Network Tunnel Group
    - Prerequisites
    - Procedure
  - View Network Tunnel Group Details
    - Prerequisites
    - Procedure
    - Network Tunnel Overview
      - List Tunnel Status
  - Supported IPsec Parameters
- Network Tunnel Configuration
  - Establish a Tunnel
    - Maximum Transmission Unit (MTU) Size
    - Tunnel Size
    - Client Reachable Prefixes
    - Throughput and Multiple Tunnels
- Manage Resource Connectors and Connector Groups
  - Overview: Setting Up Resource Connectors and Connector Groups
- Manage Users and Groups
  - Import Users and Groups from CSV File
    - Prerequisites
      - CSV File Format
      - CSV File Fields
    - Procedure
    - View Provisioned Users and Groups in Secure Access
  - Provision Token for Identity Provider
    - Prerequisites
    - Procedure
    - Configure Identity Providers
  - Provision Users and Groups from Okta
    - Prerequisites
    - Limitations
    - Supported Features
    - Import the ObjectGUID Attribute from Okta to Secure Access
    - Configure the Cisco Secure Access App
      - Step 1 – Add the App to Okta
      - Step 2 – Add the Secure Access SCIM Token to the App
      - Step 3 – Configure the Required User Options
      - Step 4 – (Optional) Add a New Attribute and Create the User Profile Mapping
      - Step 5 – Assign Users and Groups in the App
      - Step 6 – View Logs in the App
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
  - Provision Users and Groups from Azure AD
    - Prerequisites
    - Limitations
    - Procedure
    - Configure the Cisco User Management for Secure Access App
    - View Users and Groups Provisioned from Azure
    - Refresh the SCIM Token
  - Provision Users and Groups from Google Workspace
  - View User Details
    - Prerequisites
    - Procedure
    - User Details
      - General User Details
      - Device Connectivity
      - Groups and Events
      - Associated Rules
  - View Group Details
    - Prerequisites
    - Procedure
    - Group Details
      - General Group Details
      - Users and Events
      - Associated Rules
  - View Endpoint Device Details
    - Prerequisites
    - Procedure
  - Unenroll Devices for Client-Based Zero Trust Access
    - Reenroll the User Device on the Secure Client
    - Prerequisites
    - Procedure
  - Disconnect Remote Access VPN Sessions
    - Prerequisites
    - Procedure
  - Provision Users, Groups and Endpoint Devices from Active Directory
    - Prerequisites for AD Connectors
      - Connector Server
      - Outbound Network Access to Secure Access
      - Connector Account
    - Connect Active Directory to Secure Access
      - Prerequisites
        
        Connector Server
        
        Outbound Network Access to Cisco Secure Access
        
        Connector Account
      - Step 1 – Choose a Provisioning Method
      - Step 2 – Register a Domain Controller or Domain in Secure Access
        
        Register a Domain Controller
        
        Register a Domain
      - Step 3 – Install the Secure Access AD Connector
      - Step 4 – Configure Updates on Deployed AD Connectors
      - Step 5 – Verify that the Connector Syncs with Secure Access
      - Specify AD Groups of Interest
        
        Supported Organizational Units
        
        Unsupported Organizational Units
        
        Sample File Entries
        
        Total Number of Groups Selected for Synchronization
    - Connect Multiple Active Directory Domains
    - Change the Connector Account Password
      - Prerequisites
        
        Connector Server
        
        Outbound Network Access to Cisco Secure Access
        
        Connector Account
      - Procedure
    - AD Connector Communication Flow and Troubleshooting
      - Communication Flow
      - Troubleshooting
        
        Firewall or Access Control Requirements
    - View AD Components in Secure Access
      - Prerequisites
      - Procedure
        
        View AD Components in Secure Access
- Configure Integrations with SAML Identity Providers
  - Use Cases
    - Secure Internet Access—Networks and Network Tunnels
    - Zero Trust Access with the Cisco Secure Client
    - Zero Trust Access with an Unmanaged Device
  - Configure Identity Providers for SAML Authentication
- Manage End-User Connectivity
  - DNS Servers
  - Traffic Steering for Cisco Secure Client Connections
  - Virtual Private Networks Settings and Profiles
  - Internet Security
- Manage DNS Servers
  - Prerequisites
  - About DNS Server Configuration
  - Add a DNS Server
  - View DNS Servers
  - Edit a DNS Server
  - Delete a DNS Server
- Traffic Steering for Zero Trust Access Client-Based Connections
  - Best Practices
- Manage Virtual Private Networks
  - FQDNs for Network Connections
    - About Fully Qualified Domain Names (FQDNs)
    - Secure Access Global FQDN
    - Secure Access Regional FQDNs
    - Secure Access VPN FQDNs
  - Manage IP Pools
  - Add an IP Pool
    - Prerequisites
    - Procedure
      - Add an IP Pool
      - Add a RADIUS Group (optional)
  - Manage VPN Profiles
  - Add VPN Profiles
    - Prerequisites
    - Step 1 – General Settings
    - Step 2 – Authentication, Authorization, and Accounting
      - SAML
      - SAML Configuration
      - SAML Metadata XML Configuration
      - Manual Configuration
      - RADIUS
      - Certificate
    - Step 3 – Traffic Steering (Split Tunnel)
    - Step 4 – Cisco Secure Client Configuration
  - Add a RADIUS Group
    - Prerequisites
    - Procedure
- Manage Internet Security
  - Download Cisco Secure Client or Roaming Client
  - Add Bypass Domains and Set Up Internet Security
  - Next Steps
- Manage Domains
  - Add Internal Domains
    - Prerequisites
    - Procedure
- Internal Networks Setup Guide
  - Provision a Subnet for Your Virtual Appliance
    - Prerequisites
    - Procedure
  - Manage Sites
    - Prerequisites
    - Before You Begin
    - Procedure
  - Manage Internal Networks
    - Prerequisites
    - Before You Begin
    - Procedure
    - Apply DNS Policies to Internal Network
  - Assign a Policy to Your Site
- Manage a Network Device
  - Prerequisites
  - Procedure
    - Step 1: Create a Network Devices API Key
    - Step 2: Register a Network Device
    - Step 3: Add Network Device to a DNS Policy
    - Step 4: Test Your Network Device Integration
- Manage Registered Networks
  - Add Network Resources
    - Prerequisites
      - Dynamic IP Address—IPv4 Only
    - Procedure
      - Step 1 – Select the Network
      - Step 2 – Configure the Network Resource
      - Step 3 – Change the DNS Settings on Your Relevant Network Device
      - Step 4 – Apply a Policy Rule to the Network Resource
      - Step 5 – Test Your Network
  - Point Your DNS to Cisco Secure Access
    - Cisco Secure Access DNS Resolvers – IP addresses
    - Cisco Secure Access DNS Resolvers – Anycast IP Addresses
    - Prerequisites
    - Procedure
      - Step 1 – Identify Where Your Public DNS Server Addresses are Configured
      - Step 2 – Log Into the Server or Router Where DNS is Configured
      - Step 3 – Change Your DNS Server Addresses
        
        Primary and Secondary Servers
      - Step 4 – Test Your New DNS Settings
  - Clear Your DNS Cache
    - Prerequisites
    - Clear Your DNS Cache on Computers and Servers
      - Windows 7 and Earlier
      - Windows 8 and Newer
      - OS X 10.4 TIGER
      - OS X 10.5 and 10.6 LEOPARD
      - OS X 10.7 and 10.8 Lion
      - OS X 10.9 and 10.10
      - Linux
      - Ubuntu Linux
    - Clear Your DNS Cache on Browsers
      - Internet Explorer 8 and Newer – Windows
      - Mozilla Firefox – Windows
      - Apple Safari – macOS
      - Apple Safari – macOS
      - Google Chrome – Windows
      - Google Chrome – macOS
  - Update a Network Resource
    - Prerequisites
    - Edit the Registered Network Resource Name
    - Update the Registered Network Resource
  - Delete a Network Resource
    - Prerequisites
    - Procedure
- Manage Roaming Devices
  - View Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Host Information
  - Edit Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Edit the Auto-Delete Interval for Roaming Devices
  - Delete a Roaming Device
    - Prerequisites
    - Procedure
- Manage Destination Lists
  - Best Practices
  - How to Format Your Destination List
  - Add a Destination List
    - Prerequisites
    - Procedure
  - Edit a Destination List
    - Prerequisites
    - Procedure
  - Add Destinations in Bulk
    - Prerequisites
    - Procedure
  - Download Destinations to a CSV File
    - Prerequisites
    - Procedure
  - Control Access to Custom URLs
    - Prerequisites
      - Enable the Intelligent Proxy
      - Install a Root Certificate
    - Block a URL
      - URL Normalization
      - URL Normalization for Destination Lists
      - Troubleshooting Unblocked URLs
      - Reporting for Blocked URLs
    - Examples
    - Contact Support
  - Wildcards and Destination Lists
  - Add Punycode Domain Name to Destination List
    - What is Punycode?
    - Examples of Unicode and Punycode Encoded Strings
  - Test Your Destinations (Hidden in SSE/SSE DNS)
  - Search for a Destination List
  - Troubleshoot Destination Lists
    - Destination Lists and Common Error Conditions
- Manage Internet and SaaS Resources
- Manage Application Lists
  - Add an Application List
    - Prerequisites
    - Procedure
  - Application Categories
    - Category Descriptions
  - Delete an Application List
    - Prerequisites
    - Procedure
- Manage Content Category Lists
  - Available Content Categories
  - Add a Content Category List
    - Prerequisites
    - Procedure
  - Request a Category for an Uncategorized Destination
    - Prerequisites
    - Procedure
  - Dispute a Content Category
    - Prerequisites
    - Submit Categorization Request Through Cisco Talos
    - Submit Categorization Request Through Umbrella
  - View Content Categories in Reports
    - Prerequisites
    - View Content Categories in Activity Search Report
    - View Content Categories in Top Threats Report
    - View Content Categories in Total Requests Report
    - View Content Categories in Activity Volume Report
    - View Content Categories in Top Destinations Report
    - View Content Categories in Top Categories Report
- Manage Private Resources
  - Step 1 – Configure Private Resources
    - Optional Configuration for Private Resources
  - Step 2 — Set Up Network Connections, VPN Profiles, and Certificates
  - Step 3 — Add Private Resources in Private Access Rules
  - Step 4 — Set Up the Cisco Secure Client and Distribute URLs
- Manage AAA Servers
- Manage Connections to Private Destinations
  - Comparison of Zero Trust Access and VPN
  - Comparison of Client-Based and Browser-Based Zero Trust Access Connections
    - Client-based connections:
    - Browser-based connections:
  - Requirements for Zero Trust Access
    - Resource requirements for client-based zero trust access
    - Resource requirements for browser-based zero trust access
    - Network Requirements for Zero Trust Access
  - Network Authentication for Zero Trust Access
  - Manage Branch Connections
    - Endpoint Connection Methods
    - Branch Networks in Private Access Rules
      - Users and Groups Connections to Private Resources
      - Sources for Branch Network Connections
      - Destinations for Branch Network Connections
      - Source Connections to Destinations
    - Add an IPS Profile on Private Access Rules
    - Log Connections From Branch Networks to Private Resources
- Manage the Access Policy
  - About the Access Policy
    - Best Practices
    - Default Rule Data
  - Show Additional Data on Your Access Rules
    - Prerequisites
    - Procedure
  - Edit the Order of the Rules in Your Access Policy
  - Rule Defaults: Default Settings for Access Rules
    - Zero Trust Access: Endpoint Posture Profiles
    - Zero Trust Access: User Authentication Interval
    - Intrusion Prevention (IPS)
  - Global Settings for Access Rules
    - Global Settings for Access Rules
    - Decryption Logging
  - Edit Rule Defaults and Global Settings
    - Prerequisites
    - Procedure
  - Edit the Default Access Rule
    - Default Internet Access Rule
    - Default Private Access Rule
    - To View or Edit Default Access Rules
- Get Started With Private Access Rules
  - Components for Private Access Rules
    - Sources
    - Destinations
      - Private Resources
      - Private Resource Groups
    - Endpoint Posture Profiles (for Endpoint Requirements)
    - Security Controls
  - Default Settings for Private Access Rules
  - Add a Private Access Rule
    - Prerequisites
    - Set Up the Private Access Rule
      - Enable the Rule and Edit Your Logging Settings
      - Add a Rule Name
      - Choose a Rule Order
    - Step 1 — Specify Access Options
      - Rule Action
      - Sources
      - Destinations
      - Endpoint Requirements
      - User Authentication Requirements
    - Step 2 — Configure Security Control Options
      - Intrusion Prevention (IPS)
    - Summary
  - About Configuring Sources in Private Access Rules
    - Source Components for Private Access Rules
    - Composite Sources for Private Access Rules
      - Limitations of Composite Sources
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Add Composite Sources
      - Combining IPs, CIDRs, or Wildcard Masks on a Source
    - Use Wildcard Masks in Composite Sources
      - Guidelines
      - Examples of Wildcard Masks
    - Combining Multiple Sources in a Rule (Boolean logic)
  - About Configuring Destinations in Private Access Rules
    - Destination components for Private Access Rules
    - Composite Destinations for Private Access Rules
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Protocols
      - Add Composite Destinations
      - Combining Destination Components as a Single Destination
    - Use Wildcard Masks in Composite Destinations
      - Guidelines
      - Examples of Wildcard Masks
    - Combining Multiple Destinations in a Rule (Boolean Logic)
  - About Endpoint Requirements in Access Rules
  - Allowing Traffic from Users and Devices on the Network
  - Global Settings for Private Access Rules
  - View Rules Associated with a Private Resource
  - Troubleshoot Private Access Rules
    - General Troubleshooting Tips
    - Problems While Creating a Rule
      - Next button is not available
    - Problems After Creating a Rule
      - Traffic is unexpectedly blocked
      - Traffic is unexpectedly allowed
      - Rule does not match traffic as expected
- Get Started With Internet Access Policy
  - Components for Internet Access Rules
    - Sources
    - Destinations
    - Security Controls
      - Security Profile
        
        Configure Threat Category Settings
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Do Not Decrypt Lists
        
        (Optional) Configure Custom End-User Block and Warn Notifications
        
        Configure Security Profiles for Internet Access
  - Default Settings for Internet Access Rules
  - Add an Internet Access Rule
    - Prerequisites
    - Procedure
    - Access Options
      - Disable or Enable the rule
      - Logging settings
      - Summary
      - Rule name
      - Rule order
      - Rule action
      - Pre-Configured Sources
      - Composite Sources
      - Pre-Configured Destinations
      - Composite Destinations
      - App Risk Profile
      - Advanced Application Controls
    - Security Control Options
      - Security Profile
    - Next Steps
  - About Configuring Sources in Internet Access Rules
    - Source Components for Internet Access Rules
    - Composite Sources for Internet Access Rules
      - Limitations of Composite Sources in Internet Rules
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Adding Composite Sources
      - Combining IPs, CIDRs, or Wildcard Masks on a Source
    - Combining Multiple Sources in a Rule (Boolean logic)
  - About Configuring Destinations in Internet Access Rules
    - Destination Components for Internet Access Rules
    - Pre-Configured Destinations on an Internet Rule
    - Application Lists and Application Categories on an Internet Rule
    - Application Protocols on an Internet Rule
      - How Application Protocols Combine with Composite Destinations
    - Composite Destinations for Internet Access Rules
      - Limitations of Composite Destinations
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Adding Composite Destinations
      - Combining Destination Components as a Single Destination
    - Combining Multiple Destinations in a Rule (Boolean Logic)
    - Number of Destinations in a Rule
  - Ensure Rule Matching for Encrypted Internet Traffic
  - Block Internet Access to Geographic Locations
  - Advanced Application Controls
    - Applications with Advanced Controls
      - Cloud Storage
      - Collaboration
      - Content Management
      - Media
      - Office Productivity
      - P2P
      - Social Networking
    - Prerequisites
    - Procedure
    - Troubleshooting
  - Global Settings for Internet Access Rules
  - About Isolated Destinations
    - Prerequisites
      - Secure Access Prerequisites
      - Browser Prerequisites
    - Secure Access Package Support for RBI and Isolation Rules
      - Isolate Any
      - Isolate Risky
    - Verifying Isolation
    - Limitations of Isolation
  - Troubleshoot Internet Access Rules
    - General troubleshooting tips
    - Problems while creating the rule
      - The Next button is unavailable
    - Problems after creating a rule
      - Internet traffic is unexpectedly blocked
      - Internet traffic is unexpectedly allowed
      - Internet Access rule is not matching traffic as expected
  - Zero Trust Access to Internet Destinations
    - Solution Overview
- Manage File Inspection for Internet Policy
  - How File Inspection Works
    - How is a File Inspected?
      - Cisco Advanced Malware Protection (AMP) Scanning
      - Antivirus Scanning
- Manage File Inspection and File Analysis for Private Access Rules
  - Overview of Configuring File Inspection and Analysis
  - File Inspection Details
    - Cisco Advanced Malware Protection (AMP)
    - Antivirus Scanner
  - Cisco Secure Malware Analytics (formerly Threat Grid) Details
    - Supported Files and File Limitations
    - Secure Malware Analytics Sandbox
- Manage File Type Controls
- Manage the Intelligent Proxy
  - How the Intelligent Proxy Works
  - Advantages of Using the Intelligent Proxy
  - Sites That are Not Proxied by the Intelligent Proxy
  - Best Practices
  - SSL Decryption Requirements and Implementation
  - Do Not Decrypt Lists
- Manage Endpoint Security
  - About Endpoint Posture
  - About Posture Profiles
  - Endpoint Posture Assessment
- Manage Zero Trust Access Posture Profiles
  - Zero Trust Access Posture Attributes
- Manage VPN Connection Posture Profiles
  - VPN Posture Attributes
- Manage IPS Profiles for Private Access
  - How IPS Works
    - Hit Counts
    - Cisco-Provided IPS Signature Lists
  - Decryption is Required for Effective Intrusion Prevention
- Manage Security Profiles
  - Security Profiles for Internet Access
    - Functionality Included in a Security Profile for Internet Access
    - Decryption
    - SSO Authentication
      - Requirements for Enabling OIDC Authentication
      - Requirements for Enabling SAML Authentication
      - Requirements for Disabling SAML Authentication
    - Security and Acceptable Use Controls
    - End-User Notifications
    - Get Started: Security Profiles for Internet Access
  - Add a Security Profile for Internet Access
    - Prerequisites
    - Procedure
    - Add a Security Profile
    - Security and Acceptable Use Controls
      - Threat Categories
      - File Inspection
      - SafeSearch
      - Intelligent Proxy
    - Configure End-User Notifications
    - View Security Profiles
    - Configure Additional Security Options
    - Add a Security Profile on Internet Access Rules
    - Edit a Security Profile
    - Delete a Security Profile
  - Enable SafeSearch
    - Enable SafeSearch
    - Confirm That SafeSearch is Working
      - Google
      - YouTube
      - Yahoo
      - Bing
  - Security Profiles for Private Access
  - Add a Security Profile for Private Access
    - Prerequisites
    - Procedure
    - Next steps
- Manage Threat Categories
  - Threat Category Descriptions
  - Add a Threat Category List
    - Prerequisites
    - Procedure
  - Dispute a Threat Categorization
    - Prerequisites
    - Procedure
  - Threat Intelligence Feeds
  - Add Threat Intelligence Feeds
    - Prerequisites
    - Additional Prerequisites for Cisco AMP Threat Grid
    - Enable Third-Party Platform Feeds
    - Add a Threat Intelligence Feed
    - Add Threat Intelligence Feeds to Internet Access Rule
      - List the Blocked Domains
    - Logging and Reports
      - View Reports
      - View Admin Audit Log
      - Access Logs in S3
  - Custom Feed Best Practices
    - Known Domains and Destination Lists
    - Delete a Domain from Custom Destination Block List
- Manage Notification Pages
  - View Notification Pages Displayed to End Users
  - Display Custom Notification Pages to End Users
  - About Block Pages for Private Access Traffic
- Manage Traffic Decryption
  - Internet Access Features Requiring Decryption
  - Internet Traffic That Should Not Be Decrypted
  - Decryption in Private Access Rules
  - Decryption Settings
  - Decryption Requires Certificates
  - Decryption Logging
  - Troubleshooting Decryption
- Manage Certificates
  - Certificate Installation Methods
  - Manage the Cisco Umbrella Root Certificate
    - Why Install a Certificate?
  - Manage the Secure Access Root Certificate
    - Certificate Installation Methods
  - View the Cisco Trusted Root Store
    - Prerequisites
      - Download the Cisco Trusted Union Root Bundle
    - Extract the Certificates
      - Step 1: Extract the Signing Certificate
      - Step 2: Extract Certificate Bundle as Message
      - Step 3: Extract PEM-Formatted Certificates From Bundle
      - Step 4: Generate Individual Certificate Files
        
        Linux
        
        macOS
    - View an Individual Certificate File
  - Certificates for Internet Decryption
    - Certificates for Displaying Notifications
    - Certificates for Decrypting Internet Traffic
      - Option 1: Distribute Self-Signed Certificates to End-User Devices
      - Option 2: Use a Signed Certificate for Decrypting Internet Traffic
  - Manage Certificates for Private Resource Decryption
    - Prerequisites
      - Install a Certificate Authority Certificate on a Private Resource
    - Procedure
      - View Notifications About Expired Private Resource Certificates
      - Upload Private Resource Certificates
        
        Option 1: Upload or enter a certificate-key pair directly to the private resource
        
        Option 2: Upload a certificate and key to the Certificates page
  - Certificates for Private Resource Decryption
  - Certificates for SAML Authentication
  - Manage SAML Certificates for Service Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Download Zero Trust Service Provider Certificates
      - Download Virtual Private Network Service Provider Certificates
  - Manage SAML VPN Service Provider Certificate Rotation
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Activate a New VPN Service Provider Certificate
  - Manage SAML Certificates for Identity Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Identity Provider Certificates
      - Manage Zero Trust Identity Provider Certificates
      - Manage Virtual Private Network Identity Provider Certificates
  - VPN Certificates for User and Device Authentication
  - Push the Cisco Root Certificate to Managed Devices
    - Prerequisites
    - Procedure
- Manage Accounts
  - Add a New Account
    - Prerequisites
    - Procedure
  - Edit Account Settings
    - Prerequisites
    - Procedure
  - Delete an Account
  - Hide Identities with De-identification
    - Prerequisites
    - Identity Types
    - Enable De-identification
    - Disable De-identification
    - Limitations
- Manage SaaS API Data Loss Prevention
  - Enable SaaS API Data Loss Prevention
    - Prerequisites
    - Procedure
  - Revoke SaaS API Data Loss Prevention for a Platform
    - Prerequisites
    - Procedure
  - Enable SaaS API Data Loss Prevention for Google Drive Tenants
    - Prerequisites
    - Validation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Webex Teams Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Microsoft 365 Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Dropbox Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Box Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Slack Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for ServiceNow Tenants
    - Prerequisites
    - Limitation
    - Find the Instance Name for your ServiceNow admin Account
    - Assign the oauth_user role to the ServiceNow admin Account
    - Add an OAuth Client to Your ServiceNow Deployment
    - Authorize a Tenant
    - Revoke Authorization
    - View the Cisco Quarantine Table in Service Now
  - Enable SaaS API Data Loss Prevention for AWS Tenants
    - Prerequisites
    - Limitation
    - Enable CloudTrail Event Logging for S3 Buckets and Objects
    - Obtain Your AWS Account ID
    - Authorize an AWS Tenant
    - Create an AWS Stack
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Azure Tenants
    - Prerequisites
    - Limitation
    - Authorize an Azure Tenant
    - Run an Azure PowerShell Script to Obtain Account Information
    - Revoke Authorization
- Manage Cloud Malware Protection
  - Cloud Access Security Broker Protection for Google Drive and Microsoft 365
- Manage API Keys
  - Add Secure Access API Keys
    - Prerequisites
    - Add API Key
    - Refresh API Key
    - Update API Key
    - Delete API Key
  - Add KeyAdmin API Keys
    - Use Cases
    - Prerequisites
    - Add KeyAdmin API Key
    - Refresh KeyAdmin API Key
    - Update KeyAdmin API Key
    - Delete KeyAdmin API Key
- Log Management
  - Where are Logs Stored?
    - Logging to the Secure Access Data Warehouse
    - Logging to Amazon S3
    - Advantages and Disadvantages of Configuring a Cisco-Managed Bucket
Reports
- Monitor Secure Access with Reports
  - Export Report Data to CSV
  - Bookmark and Share Reports
    - Prerequisites
    - Procedure
  - Report Retention
  - Report Scheduling
  - Schedule a Report
    - Prerequisites
    - Procedure
      - Check Your Spam Folder
      - Unsubscribe From a Scheduled Report
  - Update a Scheduled Report
    - Prerequisites
    - Procedure
- Remote Access Log Report
  - View the Remote Access Log Report
    - Prerequisites
    - Procedure
    - View the Remote Access Log Report
    - View Details
- Activity Search Report
  - View and Customize the Activity Search Report
    - Prerequisites
    - View the Activity Search Report
    - Customize the Activity Search Report
    - Save Activity Search Report columns and filters for future use
    - Customize and Manage Saved Searches
  - View Zero Trust Events in Activity Search Report
    - Prerequisites
    - Procedure
      - Access Details
      - Block Details
      - Endpoint Details
  - View Activity Search Report Actions
    - Prerequisites
    - See Full Details
    - Filter Views
  - Schedule an Activity Search Report
  - Use Search and Advanced Search
    - Prerequisites
    - Search
    - Wildcards
      - Domains
      - URLs
      - File Names
    - Advanced Search
- Security Activity Report
  - View Activity and Details by Filters
    - Prerequisites
    - Procedure
  - View Activity and Details by Event Type or Security Category
    - Prerequisites
    - Procedure
      - Group Security Categories
  - View an Event's Details
    - Prerequisites
    - Procedure
  - Search for Security Activity
    - Prerequisites
    - Procedure
      - Advanced Search
- Total Requests Report
  - Prerequisites
  - Procedure
- Activity Volume Report
  - Prerequisites
  - View Requests by Activity Volume
  - View Activity Volume by Threat Category
    - Prevent
    - Contain
  - View Activity Volume by Policy Traffic
  - View Trends Over Time
- App Discovery Report
  - Prerequisites
  - Procedure
- Top Destinations Report
  - Prerequisites
  - View the Top Destinations Report
  - View Further Details
- Top Categories Report
  - Prerequisites
  - View the Top Categories Report
    - Sort by Traffic
    - Ascending or Descending Order
  - Top Categories Quick View
  - View Category in Other Reports
- Third-Party Apps Report
  - Prerequisites
  - View the Third-Party Apps Report
  - Search the Third-Party Apps Report
  - Export the Third-Party Apps Report
- Cloud Malware Report
  - Prerequisites
  - View the Cloud Malware Report
  - Use the Cloud Malware Report
    - Quarantine a Malicious File
    - Delete a Malicious File
    - Dismiss an Item from the Report
    - Export the Report
- Admin Audit Log Report
  - Prerequisites
  - Generate Admin Audit Log Report
- Top Threats Report
  - View the Threats Report
  - View Top Threat Types
  - View How Threats Impact Your Environment
  - Search for Threats in Activity Search
  - Threat Type Details
    - Prerequisites
    - View a Threat's Details
    - View a Threat Type's Requests
    - View the Threat Type's Impact on Your Environment
    - View More Details in Activity Search
  - Threat Type Definitions
- Top Identities Report
  - Prerequisites
  - View the Top Identities Report
  - View Identity in Other Reports
DNS Forwarders
- Virtual Appliance Introduction
  - How Secure Access Virtual Appliances Work
  - Benefits of Virtual Appliances
  - Prerequisites
    - Virtual Appliance Requirements
      - VMware Requirements
      - Microsoft Hyper-V Requirements
      - Cloud Platform Requirements
      - KVM Requirements
      - Nutanix Requirements
    - Networking Requirements
      - SSH Support Tunnel
      - Networking: Additional Considerations
    - DNSCrypt
  - Deployment Guidelines
    - Virtual Appliance Deployment Best Practices
      - Redundancy
      - Multiple DNS Egresses
      - Single DNS Egress
      - Double NAT
  - Importance of Running Two VAs
    - Benefits of Two VAs
- Deploy Virtual Appliances
  - Deploy VAs in Hyper-V for Windows 2012 or Higher
    - Procedural Overview
    - 1. Download the Hyper-V Installer
      - 2. Import the Virtual Appliance
      - 3. Copy and Rename Image Files
      - 4. Select Network Adapter
      - 5. Select Hard Drive
      - 6. Power on the Virtual Machine
      - 7. Repeat for the Second Virtual Appliance
  - Deploy VAs in VMware
    - Procedural Overview
    - 1. Download OVF Template
      - 2. Deploy OVF Template
      - 3. Deploy a Second Virtual Appliance
      - 4. Power on the Virtual Machines
  - Deploy VAs in Microsoft Azure
    - Prerequisites
    - Before You Begin
    - Procedure
    - Step 1: Prepare the Virtual Appliance Image on Azure
      - Step 2: Launch the Virtual Appliance on Azure
  - Deploy VAs in Amazon Web Services
    - Prerequisites
    - Procedural Overview
    - 1. Prepare the Virtual Appliance Amazon Machine Image
      - 2. Launch the Virtual Appliance on Amazon Web Services
  - Deploy VAs in Google Cloud Platform
    - Prerequisites
    - Procedural Overview
    - Prepare the Virtual Appliance Instance Template on GCP
      - Launch the Virtual Appliance on Google Cloud Platform
  - Deploy VAs in KVM
    - Prerequisites
    - Procedural Overview
    - 1. Create the qcow2 files for KVM
      - 2. Launch the Virtual Appliance on KVM
  - Deploy VAs in Nutanix
    - Prerequisites
    - Procedure
- Configure Virtual Appliances
  - Prerequisites
  - Enter Configuration Mode on a VA Deployed on VMware, Hyper-V, or KVM
  - Enter Configuration Mode on a VA Deployed in Azure, AWS, or Google Cloud Platform
  - Configure the VA Through Configuration Mode
  - Add a Second VA
- Local DNS Forwarding
  - Manage Domains in the VA
    - What format does the internal domains list accept?
    - Which domains should be added?
    - (Optional) Add A & PTR Records for the VAs
  - Configure Local DNS Servers on the VA
    - Examples
- Reroute DNS
  - Test VAs
  - Test with Endpoints
  - Transition Production Traffic
- Update Virtual Appliances
  - Update Your Virtual Appliance
  - Configure Automatic Update of Virtual Appliances
  - Manual Update of a Virtual Appliance
  - Configure Automatic Update Postponement
- Virtual Appliance Sizing Guide
  - Network Prerequisites
  - What is a Virtual Appliance?
  - Connector Sizing Guidelines
  - Deployment Considerations
    - Overall Latency
    - Number of Secure Access Sites
    - Number of Users per VA
- SNMP Monitoring
  - Enable SNMP Monitoring
    - SNMPv2.x
    - SNMPv3
    - Privacy Password
    - Configure SNMP in Secure Access Virtual Appliance
    - SNMP Command Syntax
  - About SNMP Monitoring
  - Standard OIDs Supported by the Virtual Appliance
  - Extended OIDs Supported by the Virtual Appliance
- Troubleshoot Virtual Appliances
  - Reset a Virtual Appliance's Password
  - Use Configuration Mode to Troubleshoot
  - Establish a Support Tunnel From the VA
  - Troubleshoot Intermittent DNS Resolution Failures on a VA Deployed in Azure
  - Troubleshoot DNS Resolution in Configuration Mode
  - Troubleshoot DNS Resolution Failures Behind a Firewall
  - Troubleshoot Egress Network Connectivity From VA
- Other Configurations
  - Configure Rate Limiting
  - Configure NTP Servers
    - Configure DNS Resolvers
    - Configure DNSSEC Support
    - Configure Logging to Remote Syslog Server
      - Turn Off the Logging
      - Configure Dual-NIC Support on the VA
        
        Configure an Existing VA to Support Dual-NIC
        
        Deploy a New VA to Support Dual-NIC DMZ Mode
      - Configure Anycast
        
        Configure Anycast over BGP on the VA
        
        Configure Load Balancing
        
        Configure Identity Association Timeouts
- Active Directory Integration with the Virtual Appliances
  - Network Diagram for VA Deployments
Managed iOS Device
- Cisco Security Connector—Secure Access Setup Guide
  - Requirements
    - Optionally
  - Getting Started
- Meraki Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Push of Profile Config
    - Anonymize Your Device
    - Verify Secure Access on Your Device
- Verify Secure Access with Meraki
  - Prerequisites
  - Procedure
    - Verify Local Operation on the iOS Device
    - Verify Secure Access
    - Verify Clarity
    - Upgrade the Cisco Security Connector
    - Uninstall the Cisco Security Connector
- Meraki Documentation
- Apple Configurator 2 Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your Device
- IBM MaaS360 Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Intune Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Jamf Registration
  - Prerequisites
  - Procedure
    - Step 1: Add an Organization Administrator's Email Address
    - Step 2: Add a Mobile Device
    - Alternate Configuration
    - Anonymization
  - Verify Secure Access on Your iOS Device
  - Install Root Certificate
- MobiConnect Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS device
- MobileIron Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Step 1: Add an Organization Administrator's Email Address
    - Step 2: Add a Mobile Device
  - Verify Secure Access on Your iOS device
  - Install Umbrella Root Certificate
- Workspace ONE Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Register an iOS Device Through a Generic MDM System
  - Anonymization
  - Prerequisites
  - Procedure
    - Step 1: Add an Organization Administrator's Email Address
    - Step 2: Add a Mobile Device
  - Verify That Your Device is Protected by Secure Access
  - Install Root Certificate
- Apply Secure Access Policies to Your Mobile Device
  - Prerequisites
  - Procedure
- Anonymize Devices
  - Prerequisites
  - Procedure
- Add User Identity for Cisco Security Connector
  - Prerequisites
  - Procedure
  - Test Integration of User Identity With Cisco Security Connector
- Troubleshooting
  - Prerequisites
  - Generate Diagnostics and Email the Secure Access Reports
  - Generate Diagnostics and Share the Secure Access Reports
- Configure Cellular and Wifi Domains
  - Prerequisites
  - Procedure
Managed Android Device
- Cisco Secure Client (Android OS)
  - Device Security
  - Prerequisites
  - Known Issues
- Deploy the Android Client
  - Download Configuration
  - MDM Configurations
  - Umbrella Certificate
- Manage Identities
  - Cisco Meraki Systems Manager
  - Microsoft Intune
  - Samsung Knox
  - VMWare WorkspaceOne
  - Access the User Identities on the Secure Access Dashboard
    - Configure Policy Based on User Identity
    - Monitor User Activity
- Troubleshooting
  - Is this a VPN to Secure Access?
  - An Internal Site Isn't Loading
  - Configuration Issues
  - Check for VPN Connection and Policy
  - Check Block Page
  - Get the Android ID
  - Fail Close/Open Scenario
  - Check Device Registration
  - Missing CA Certificate
  - Org ID on Policy Page is 0
  - App Installation is Blocked
  - Offboarding Users
  - Known Issues
- Frequently Asked Questions
Unmanaged Mobile Device Protection
- Secure Access Unmanaged Mobile Device Protection
- Administrator Actions
  - Prerequisites
  - Procedure
- End-User Actions
  - Android
    - Known Limitations
    - Prerequisites
    - Deployment
    - Enrollment
    - Enrollment by QR code
    - Enrollment without Camera Access
    - Registration and Activation
  - iOS
    - Known Limitations
    - Prerequisites
    - Deployment
    - Enrollment by Link
    - Enrollment by QR code
    - Registration and Activation
Cisco Secure Client
- Cisco Secure Client Overview
- Get Started and Manage Client-based Zero Trust Access from Mobile Devices
  - Set up the Zero Trust Access App for iOS Devices
    - System Requirements
    - Guidelines and Limitations
    - Configure Settings in Cisco Secure Access
    - Install the App
    - Have End Users Enroll in Zero Trust Access
    - Notes for administrators
  - Set up the Zero Trust Access App for Android on Samsung Devices
    - Requirements and Prerequisites
    - Configure Cisco Secure Access
    - Install the App
    - (Optional) Set up the Android device for Zero Trust Access using MDM
      - Add the app to MDM
      - Set up the App on the Samsung Device
    - Enroll the Device in Zero Trust Access
    - Notes for administrators
  - Monitor and Troubleshoot the Zero Trust Access App from Mobile Devices
    - Monitor Activity
    - General Troubleshooting
    - Troubleshoot iOS Devices
    - Troubleshoot Samsung Devices Running Android OS
    - Troubleshoot access issues
- Get Started with Cisco Secure Client on Windows and macOS Devices
  - Prerequisites
    - Secure Access Requirements
      - Download the Cisco Secure Client Pre-Deployment Package
    - Install Cisco Secure Client
  - Download Cisco Secure Client
    - Step 1 - Navigate to the Download Cisco Secure Client window
    - Step 2 - Download Cisco Secure Client
      - Download the latest version of Secure Client from Secure Access
      - Download the cloud-managed version of Secure Client
      - Download a previous version of Secure Client from Cisco Secure Central
    - Step 3 - Download configuration files
    - Step 4 - Install Secure Client
      - ThousandEyes Endpoint Agent Module
  - Download the OrgInfo.json File
    - Prerequisites
    - Procedure
      - Step 1 – Download the OrgInfo.json File
      - Step 2 – Copy the OrgInfo.json File to the Target Directory
  - Manual Installation of Cisco Secure Client (Windows and macOS)
  - Mass Deployment Overview
  - Contents
  - Remote Installation
    - Profile Installation
    - Customization Options
  - Mass Deployment (Windows)
  - Contents
    - (Optional) Package Customization
      - Add Umbrella Profile
    - Automated Installation (Windows)
      - Install Cisco Secure Client
      - Install the Umbrella Profile
      - (Optional) Disable VPN Functionality (Post installation)
  - Customize Windows Installation of Cisco Secure Client
    - Requirements
    - Prerequisites
    - Procedure
      - Deploy the Cisco Secure Client VPN Module
      - Deploy the Cisco Secure Client Umbrella Roaming Security Module
      - (Optional) Deploy the Cisco Secure Client DART Module
      - Hide Cisco Secure Client from Add/Remove Programs List
    - Optional OrgInfo.json Configurations
  - Mass Deployment (macOS)
  - Contents
    - (Optional) Package Customization
      - Add Umbrella Profile
      - (Optional) Disable VPN Functionality
      - Save the .dmg image
    - Automated Installation (macOS)
      - Installation (Pre-Deployment Package)
      - Installation (Web Deployment Package)
      - Install Umbrella Profile
      - (Optional) Disable VPN Functionality (Post-Installation)
      - Allow Secure Client System Extensions
  - Customize macOS Installation of Cisco Secure Client
    - Requirements
    - Prerequisites
    - Procedure
    - Step 1 – Make the DMG Package Writeable
    - Step 2 – Generate the Module Installation Configuration File
      - Step 3 – Copy OrgInfo.json to Cisco Secure Client Installation Directory
      - Step 4 – (Optional) Hide the VPN Module
        
        Step 5 – Customize the Cisco Secure Client Installation Modules
        
        Example – Customize Cisco Secure Client Modules
        
        Step 6 – Set Up the Correct Extension Permission Settings
        
        Step 7 – Install Cisco Secure Client with Selected Modules
  - VPN Headend Deployment
  - Meraki Systems Manager (SM) Deployment
  - Migration from Umbrella Roaming Client
  - Install the Root Certificate for All Browsers
    - Inspect and Decrypt HTTPS Traffic
    - Render Notification Pages
  - Cloud Management
  - Contents
  - Overview
  - Deploying Cisco Secure Client
  - Profiles
  - Uploading the Orginfo.json profile
  - Create a Deployment
  - Post Deployment
    - Additional Reference
  - Additional References
  - Remote Monitoring and Management Deployment Tutorials
- Manage Internet Security on Cisco Secure Client
  - Umbrella Roaming Security Module Requirements
    - System Requirements
    - Network Requirements
      - Secure Access DNS Block Pages
      - Secure Access and SAML Identity Provider Domains
    - Transport Layer Security Protocol
    - Network Access
      - Host Names
      - Secure Access DNS Resolvers
      - Encrypted DNS
      - External DNS Resolution
      - HTTP and HTTPS
      - Secure Access DNS – Client Configuration Services
      - Secure Access DNS – Client Sync Services
      - Secure Access DNS and Web – Client Certificate Revocation Services
    - Roaming Security DNS Requirements
    - Internal Domains
  - Domain Management
    - Internal Domains List
    - DNS Suffixes
    - Operational Flow
      - Configure Internal Domains
      - Cisco Secure Client and External Queries
      - Cisco Secure Client and Internal Queries
    - Advanced Topics
      - Unencrypted
      - DNS Suffixes (Continued)
  - Interpret Internet Security Diagnostics
    - Prerequisites
    - Procedure
      - Generate the Diagnostic Report from the Cisco Secure Client
      - Generate the Diagnostic Report on the Command Line
  - IPv4 and IPv6 DNS Protection Status
    - Prerequisites
    - Procedure
    - DNS and IP Layer State Descriptions
- Manage Zero Trust Access on Cisco Secure Client
  - Invite Users to Enroll in Zero Trust Access for Secure Client
    - Prerequisites
    - Recommended: Use MFA Authentication and Biometric Identity
    - Procedure
  - Requirements for Secure Client with Zero Trust Access
  - Troubleshoot Client-Based Zero Trust Access
    - Pre-Enrollment Errors
    - Enrollment Errors
    - Post-Enrollment Errors
    - Requests to Reauthenticate
  - Unenroll a Device from Zero Trust Access
- Manage Virtual Private Networks on Cisco Secure Client
  - Prerequisites
Cisco Security for Chromebook Client
- About Cisco Security for Chromebooks
  - Key benefits
- Prerequisites for Cisco Security for Chromebooks Client
- Limitations for Cisco Security for Chromebooks
- Integrate the Google Workspace Identity Service
  - Limitations
  - Prerequisites
  - Procedure
- Deploy the Cisco Security for Chromebooks Client
  - About DNS-Layer Protection
  - High-Level Steps for Deploying Cisco Security for Chromebook Client
    - Step 1. In Secure Access:
    - Step 2. In the Google Admin console
  - Procedure
    - Step 1
    - Step 2
- View Protection Status of Chromebook Devices
  - Procedure
- Add Policies to a Chromebook Device
  - Prerequisites
  - Procedure
- Cisco Security for Chromebooks Client FAQ
- Google Workspace Identity Service FAQ

Cisco Secure Access - DNS Defense Help Manage Certificates View the Cisco Trusted Root Store Extract the Certificates Step 2: Extract Certificate Bundle as Message

Last updated: Dec 02, 2025

Previous topic Step 1: Extract the Signing Certificate Next topic Step 3: Extract PEM-Formatted Certificates From Bundle