Off-corporate network
This graphic is an example of how ETP Client functions when it’s running off the corporate network.

When the ETP Client is on a visiting network or off the corporate network, a
similar network topology applies:
- Off-network requests are directed to ETP DNS. If DNS over TLS is enabled, requests are encrypted with TLS.
- If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with a refused response as the response to users, the request is blocked and a browser-specific error page appears.
- If no threat is detected, requests are forwarded to the local DNS resolver for resolution. Requests to websites in the internal network are resolved by the local resolver. If a domain is not resolved by the local resolver, it is resolved by ETP.
Note: If a user is visiting a network, ETP Client applies the policy of the user’s corporate
network. It does not apply the policy of the visiting network. In this case, the policy
associated with the Off Network ETP Clients location in the user’s corporate network
takes effect.