This topic answers frequently asked questions about SASE private access security.
Configuring internal DNS for domain-based services
- If your network uses PrivateZone, SASE automatically synchronizes resolution data from PrivateZone. You do not need to configure PrivateZone information on the SASE console.
- If your network does not use PrivateZone, you can configure a custom DNS service. You can specify multiple server IP addresses for a DNS service. If DNS resolution fails on one server, the request is sent to the other servers in the service.
For more information about SASE domain resolution policies and how to configure a custom DNS service, see Application domain name resolution.
Application inaccessible despite successful pings
The ping utility is not a reliable tool to determine connectivity. On macOS, pings are allowed across all subnets. On Windows, pings are allowed only to the 198.18 and 198.19 subnets.
Use telnet, nc (netcat), or other similar commands to verify connectivity.
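The following is an added example, not part of the SASE documentation: a small TCP reachability probe that does what the telnet or nc check above does, but also separates a DNS resolution failure from a closed or filtered port, which a ping result cannot show. The loopback listener and the host name ending in .invalid are constructed test targets, not real services.

```python
import socket


def probe_endpoint(host, port, timeout=3.0):
    """Classify reachability of host:port over TCP.

    Returns 'dns-failure' if the name does not resolve, 'open' if the TCP
    handshake completes, 'closed' if the peer answers with a reset,
    'timeout' if no answer arrives (filtered or unrouted), 'error' otherwise.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    last = "error"
    for family, socktype, proto, _, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "open"  # a completed handshake is real connectivity
        except ConnectionRefusedError:
            last = "closed"
        except socket.timeout:
            last = "timeout"
        except OSError:
            last = "error"
        finally:
            sock.close()
    return last


def probe_many(endpoints, timeout=3.0):
    """Probe a list of (host, port) pairs, e.g. the internal apps behind SASE."""
    return {f"{host}:{port}": probe_endpoint(host, port, timeout)
            for host, port in endpoints}


def _loopback_port():
    """Bind an ephemeral loopback port; the caller decides whether to listen."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def open_port_check():
    """Constructed self-check: a listening loopback port must report 'open'."""
    srv, port = _loopback_port()
    srv.listen(1)
    try:
        return probe_endpoint("127.0.0.1", port)
    finally:
        srv.close()


def closed_port_check():
    """Constructed self-check: a port with no listener must report 'closed'."""
    srv, port = _loopback_port()
    srv.close()
    return probe_endpoint("127.0.0.1", port)
```

Run probe_many over the real application endpoints after the client connects; a 'dns-failure' points at the internal DNS configuration, while 'closed' or 'timeout' points at the application side or the connector.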
Windows devices unable to access internal domain services
This issue typically occurs on computers running Windows 11. Browsers on Windows 11 often have a secure DNS setting that must be disabled to enable access. If the DNS configuration on a Windows 11 system was set to use DNS-over-HTTPS (DoH), either by security software or manually, you must switch it to a non-encrypted mode.
Troubleshooting private access failures
On the Log Audit page, find the relevant access log. Check the action in the log to determine if the traffic was allowed or blocked.
- If the action is block, check the reason. A block can be caused by an unconfigured application, unassigned access permissions, or a non-compliant terminal security baseline. Modify the configuration based on the reason provided.
- If the action is allow, go to the page and check if the network where the application resides is connected. If the application is deployed on Alibaba Cloud, verify that the corresponding VPC or CEN is connected. If the application is deployed in a non-Alibaba Cloud environment, verify that the dedicated line is connected and that the SASE connector is associated with the application.
Downloading the connector
Go to the Connector Management page, copy the command, and run it. For detailed instructions, see Enable network access for non-Alibaba Cloud services.