Scenario 1

We will define two groups that only admin group members will reach the test-dns service

Let's start

• Create a custom dns service (select Tcp/Udp or Dns) that targets 8.8.8.8 with udp port 53
• Note assigned ip, we will use it for checking
• Create an admin group
• Create an remote group
• Add your user to admin group
• Create a user with named remoteuser and add to remote group
• Create a policy authentication rule for accessing my network, select admin group and remote group
• Create a policy authorization rule for access custom dns service to access admin group

Client Install

Install a client with following clients document

Check

Open client, and connect to zero trust, with admin user first and follow below

• Get custom dns service assigned ip address, from above

• Then on bash or powershell

    nslookup
    server **custom dns service** ip
    www.google.com

Reconnect again with remoteuser and check it again

Example