Announcing Access Server 3.1.0: Domain Routing for Modern Secure Access

We’re excited to announce Access Server version 3.1.0 which delivers powerful, customer-driven enhancements that expand secure access capabilities and simplify certificate management. (See the release notes here.)

This latest version delivers domain routing, designed to simplify and strengthen secure access to SaaS, cloud-hosted, and internal applications. It also supports native Let’s Encrypt integration via ACME to automate SSL certificate issuance and renewal (more on that below).

With domain routing, you can define access policies using domain names or hostnames instead of IP addresses or IP subnets. This makes access controls more reliable, easier to manage, and better aligned with how modern applications are deployed today.

Explore this content with AI:

ChatGPT | Perplexity | Claude | Google AI Mode | Grok

See domain routing in action

To get a quick overview of how domain routing works in Access Server 3.1.0, watch the short walkthrough below:

This video highlights how administrators can define application access by hostname, enforce role-based segmentation, and simplify SaaS allowlisting using a trusted egress IP.

The challenge: why IP-based routing is no longer enough

Traditional VPN access controls rely on IP addresses or subnets. That worked when infrastructure was static. Today, most SaaS tools, cloud services, and even internal applications run on distributed systems behind CDNs, load balancers, and failover clusters.

A single domain such as company[.]salesforce[.]com can resolve to multiple IP addresses that vary by location or time. Those IP addresses may also host other domains. This makes it difficult to reliably identify applications by IP alone.

For VPNs that rely on IP-based rules, managing access becomes fragile and time-consuming:

• Administrators must constantly determine which IPs belong to which applications.
• Rules must be updated as IPs change.
• Broad public IP ranges may be over-allowlisted, unintentionally routing excessive internet traffic through the VPN.

This model creates unnecessary operational overhead and increases the risk of misconfiguration.

The solution: domain routing in Access Server 3.1.0

Domain routing eliminates this complexity by allowing access to be defined by hostname or domain name rather than IP address.

Instead of tracking static or dynamic IPs, administrators simply specify the domain they want to control. Access Server automatically handles DNS resolution and routing behind the scenes, ensuring consistent connectivity even as underlying infrastructure changes.

Also available in CloudConnexa, domain routing is now built into Access Server 3.1.0 — bringing modern, domain-centric access control directly to your VPN deployment.

Key benefits at a glance

IP-free access control

Define application access by domain name instead of managing static or changing IP addresses. This reduces configuration complexity and ongoing maintenance while improving policy reliability.

Role-based application segmentation

Grant or restrict access to specific domains by group or user. Enforce least-privilege access without exposing entire subnets, and move beyond broad network-level access.

Secure SaaS allowlisting

Route SaaS traffic through a trusted Access Server egress IP so applications can allowlist a single IP. This effectively converts public SaaS services into private resources for VPN-connected users, reducing attack surface and simplifying compliance.

Efficient split tunneling

Route only selected domains through the VPN instead of forcing all internet traffic through Access Server. Improve performance, reduce bandwidth usage, and eliminate complex IP-based split-tunnel rules.

Cloud-ready reliability

Maintain consistent access to applications hosted behind CDNs, load balancers, and failover systems — even as underlying IP addresses change.

How to get started

Before using domain routing, you must enable Access Server to act as a DNS proxy for clients:

Step 1: Enabling DNS proxy

1. Log in to the Admin Web UI for your Access Server.
2. Go to Access Controls > Internet Access and DNS tab > DNS Server Proxy.
3. Click Auto (to act as a DNS proxy only when domain-based rules are used) or Always Proxy.
4. Click Save and then Restart.

Step 2: Configuring a global domain routing rule

1. Log in to the Admin Web UI.
2. Go to Access Controls > Global Access Rules tab > Domains section.
3. Select NAT.
4. Click Add new domain and specify a domain or wildcard domain.
5. Click Save and then Restart.

Step 3: Configuring a group- or user-based domain routing rule

1. Log in to the Admin Web UI.
2. Go to Access Controls > Group and User Access Rules tab.
3. Click New Access Rule.
4. Toggle to either Group or User.
5. Select your user group or user.
6. Specify your domain and select NAT as the destination type.
   (NOTE: ensure Protocol and Port fields are disabled.)
7. Click Save rule and Restart.

For detailed examples, see:

• Tutorial: Step-by-Step Examples for Split Tunnel and Role-Based Access Using Domain Routing
• Access Server and DNS Configuration Guide

Why it matters

Modern SaaS and cloud applications require modern access controls.

Domain routing in Access Server 3.1.0 reduces operational overhead, strengthens least-privilege policies, simplifies SaaS protection, and aligns VPN access with how distributed infrastructure actually works.

Upgrade to Access Server 3.1.0, and define secure access the way modern infrastructure demands — by domain name.

Bonus: native Let’s Encrypt support via ACME

Access Server 3.1.0 also introduces early-stage support for native Let’s Encrypt integration via ACME to automate SSL certificate issuance and renewal.

Learn more in our tutorial here.