Merged
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@ hideChildren: true

<ContentColumn>

# Add applications
# Web applications

With Cloudflare for Teams, you can protect two types of applications: SaaS and self-hosted.
You can protect two types of web applications: SaaS and self-hosted.

**SaaS applications** include applications your team relies on that are not hosted by your organization, such as Slack or Airtable.
**SaaS applications** consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.

**Self-hosted applications** include your internal tools and applications, such as Jira or Grafana. You must secure self-hosted applications with Cloudflare's authoritative DNS to use Cloudflare Access.
**Self-hosted applications** consist of internal applications that you host in your own environment. These can the data center versions of tools like the Atlassian suite or applications created by your own team. To secure self-hosted applications, you must use Cloudflare's authoritative DNS and [connect the application](/connections/connect-apps) to Cloudflare.

<ButtonGroup>
<Button type="primary" href="/applications/configure-apps/saas-apps/">SaaS applications</Button>
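Review bot: The added self-hosted paragraph drops a verb: "These can the data center versions of tools like the Atlassian suite" should read "These can be the data center versions ...". The identical sentence is added in the next two files of this change, so it needs the same fix in all three copies. The rewrite also names Cloudflare Access in the SaaS paragraph but no longer in the self-hosted one, where the removed line did; keep the product name in both so the two paragraphs stay parallel.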
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
order: 1
---

# Add applications
# Web applications

With Cloudflare for Teams, you can protect two types of applications: SaaS and self-hosted.
You can protect two types of web applications: SaaS and self-hosted.

**SaaS applications** include applications your team relies on that are not hosted by your organization, such as Slack or Airtable.
**SaaS applications** consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.

**Self-hosted applications** include your internal tools and applications, such as Jira or Grafana. You must secure self-hosted applications with Cloudflare's authoritative DNS to use Cloudflare Access.
**Self-hosted applications** consist of internal applications that you host in your own environment. These can the data center versions of tools like the Atlassian suite or applications created by your own team. To secure self-hosted applications, you must use Cloudflare's authoritative DNS and [connect the application](/connections/connect-apps) to Cloudflare.

<ButtonGroup>
<Button type="primary" href="/applications/configure-apps/saas-apps/">SaaS applications</Button>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
order: 1
---

# Add applications
# Web applications

With Cloudflare for Teams, you can protect two types of applications: SaaS and self-hosted.
You can protect two types of web applications: SaaS and self-hosted.

**SaaS applications** include applications your team relies on that are not hosted by your organization, such as Slack or Airtable.
**SaaS applications** consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.

**Self-hosted applications** include your internal tools and applications, such as Jira or Grafana. You must secure self-hosted applications with Cloudflare's authoritative DNS to use Cloudflare Access.
**Self-hosted applications** consist of internal applications that you host in your own environment. These can the data center versions of tools like the Atlassian suite or applications created by your own team. To secure self-hosted applications, you must use Cloudflare's authoritative DNS and [connect the application](/connections/connect-apps) to Cloudflare.

<ButtonGroup>
<Button type="primary" href="/applications/configure-apps/saas-apps/">SaaS applications</Button>
Expand Down Expand Up @@ -88,4 +88,4 @@ The **Setup section** allows you to configure a few advanced settings for your a

1. Once you've configured the settings as needed, click **Add application**.

Your application is now connected to Access, and will appear in your Applications list. You can proceed with connecting your origin to Cloudflare at this URL.
Your application is now available in Cloudflare Access, and will appear in your Applications list. You can proceed with [connecting your origin](/connections/connect-apps) to Cloudflare using this address.
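Review bot: "using this address" in the added closing sentence has no antecedent in the visible context, since the preceding step only says to click **Add application**. Say which address is meant, or drop the phrase and let the `/connections/connect-apps` link carry the next step.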
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ order: 5

# Applications

Cloudflare for Teams brings a consistent login experience to your internal and SaaS applications, and evaluates every request for user identity and device context.
Cloudflare for Teams can secure self-hosted and SaaS applications with Zero Trust rules.

Learn how to secure your applications, and how to configure one dashboard for your users to reach all the applications you've secured behind Teams:
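Review bot: The rewritten intro says applications are secured "with Zero Trust rules" but neither links nor defines the term, and it drops the removed line's statement that every request is evaluated for user identity and device context. Link the phrase to `/policies/zero-trust`, which the Connect applications page in this change already uses, and keep one clause saying what the rules evaluate.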

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,6 @@ order: 4

# Non-HTTP

You can use Cloudflare for Teams to secure non-HTTP resources like machines available over SSH or remote desktops.

<DirectoryListing path="/applications/non-HTTP"/>
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ order: 0

# Connect applications

You can connect applications, servers, and other resources to Cloudflare's network using Argo Tunnel.
You can connect applications, servers, and other resources to Cloudflare's network using Cloudflare Argo Tunnel. When connected, Cloudflare can [apply Zero Trust policies](/policies/zero-trust) to determine who can reach the resource.

Argo Tunnel runs a lightweight daemon (`cloudflared`) in your infrastructure that establishes outbound connections (Tunnels) between your web server and the Cloudflare edge. When Cloudflare receives a request for your chosen hostname, it proxies the request through those connections to `cloudflared`. In turn, `cloudflared` proxies the request to your applications.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
order: 0
---

# Getting started
# Install and enroll

In order to create and manage Tunnels, you'll first need to install and authenticate `cloudflared` on your machine. `cloudflared` runs alongside origin servers to connect to Cloudflare's network, as well as client devices for non-HTTP traffic from user endpoints.
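Review bot: The heading becomes "Install and enroll" while the paragraph under it still says "install and authenticate `cloudflared`". Use one term in both places so readers do not look for a separate enrollment step that the page does not describe.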

Expand Down

This file was deleted.

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
---
order: 1
order: 3
---

# Connect devices

<DirectoryListing path="/connections/connect-devices"/>
You can configure devices to send DNS queries to Cloudflare or you can proxy all traffic leaving the device through Cloudflare's network.

<DirectoryListing path="/connect-devices"/>
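Review bot: The `DirectoryListing` path changes from `/connections/connect-devices` to `/connect-devices`, but links elsewhere in this change still point under `/connections/connect-devices/...` (the device enrollment and root certificate links on the deployment page). Confirm which prefix the pages live under and make the listing path and those links agree.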
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,14 @@
order: 1
---

# Getting started
# Deployment

<Aside>
The Cloudflare WARP client can be deployed via a device management platform like JAMF or InTune or through end user self-enrollment.

Before you start, make sure **Cloudflare Access** and **Cloudflare Gateway** are set up.

</Aside>

To get started with the WARP client, you'll first need to create a **device enrollment policy** in your Teams dashboard. To do so:
To get started, you'll first need to create a **device enrollment policy** in your Teams dashboard. The device enrollment policy will determine who can enroll a device into your organization. To do so:

1. In your [Teams dashboard](https://dash.teams.cloudflare.com/), navigate to **My Teams** > **Devices**.

1. Under **Device Settings**, create a [device enrollment policy](connections/connect-devices/warp/device-enrollment) to define who can connect a device to your organization.

1. Once your device enrollment policy is set up, configure [filtering policies](/policies/filtering) for your organization. If you are configuring [HTTP policies](/policies/filtering/http-policies), make sure to deploy the [root certificate](/connections/connect-devices/install-cloudflare-cert.md) to your devices.
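Review bot: Two links in the numbered steps look wrong: `connections/connect-devices/warp/device-enrollment` has no leading slash, so it resolves relative to the current page, and `/connections/connect-devices/install-cloudflare-cert.md` carries a `.md` extension that no other link in this change uses. Separately, the added sentence "The device enrollment policy will determine who can enroll a device into your organization." now sits directly before "To do so:", which leaves "To do so" without a clear referent; move the explanation after the lead-in or merge it into the step that already says "to define who can connect a device to your organization".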
Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,31 @@ order: 3

# WARP client

Teams customers can use the Cloudflare WARP application to connect corporate desktops to **Cloudflare Gateway** for advanced web filtering. The Gateway features rely on the same performance and security benefits of the underlying WARP technology, now with security filtering available to the connection.
You can use Cloudflare WARP client to connect devices to Cloudflare for DNS filtering or Secure Web Gateway filtering. The WARP client can be deployed in the following modes:

The result is a simple way for enterprises to protect their users wherever they are without requiring the backhaul of network traffic to a centralized security boundary. Instead, organizations can configure the WARP client application to securely and privately send remote users’ traffic through a Cloudflare data center near them. Gateway administrators apply policies to outbound Internet traffic proxied through the client, allowing organizations to protect users from threats on the Internet, and stop corporate data from leaving their organization.
|Mode|Description|DNS Filtering|HTTP Filtering|
|---|---|---|---|
|DNS only|DoH-based filtering|Yes|No|
|DNS with WARP+|DoH-based filtering with encrypted WARP+ traffic|Yes|No|
|HTTP filtering|DoH-based filtering, HTTP filtering, and encrypted WARP+ traffic|Yes|Yes|

Here is how the WARP client can help your organization:
Cloudflare WARP is [available](/connections/warp/system-requirements) on iOS, Android, Mac, and Windows.

* **Encryption of user traffic**
Regardless of your users’ location, all traffic from their device is encrypted with WARP and sent privately to the nearest WARP endpoint. Used in conjunction with Cloudflare Access, your applications are 10ms away from wherever your user is located, and VPNs are no longer needed.
## DNS filtering

* **Additional speed with WARP+**
Any Teams customer who deploys the Teams client applications will automatically receive the premium speed benefits of WARP+.
The Cloudflare WARP client can be configured to send all DNS queries from roaming devices, on any network, to Cloudflare for DNS filtering. Deploying DNS filtering with WARP does not require your team to configure source or destination IPs. To begin, follow the steps below:

* **Gateway Device Roaming**
With Gateway Device Roaming, you can enforce Cloudflare Gateway policies anywhere your users roam on any operating system supported by the Cloudflare WARP Client.
1. Determine which devices can enroll.
2. Create a DNS-over-HTTPS destination.
3. [Deploy](/connections/warp/deployment) Cloudflare WARP to devices.

* **L7 Firewall and user-based policies**
This allows your organization to enforce device authentication to your Teams account, enabling you to build user specific policies and force all traffic through the firewall.
Alternatively, you can deploy Cloudflare DNS filtering on [networks](/connections/connect-networks) or [devices](connections/connect-devices/agentless) without the WARP client.

* **Device and user auditing**
Administrators can audit specific user and device traffic. Used in conjunction with logpush, this will allow your organization to do detailed level tracing in case of a breach or audit. (Available with Enterprise Teams plan only)
## Web proxying

You can proxy all traffic leaving devices through Cloudflare for HTTP inspection and filtering using the Cloudflare WARP client. To begin, follow the steps below:

1. Determine which devices can enroll.
2. [Deploy](/connections/warp/deployment) Cloudflare WARP to devices.
3. [Install](/connections/warp/install-cloudflare-cert) the Cloudflare root certificate on the devices.
4. Enable web inspection in the Cloudflare for Teams dashboard.
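Review bot: In the DNS filtering section, `[devices](connections/connect-devices/agentless)` is missing its leading slash, unlike the `/connections/connect-networks` link next to it. The WARP pages are also linked here under `/connections/warp/...` (for example `/connections/warp/install-cloudflare-cert`) but under `/connections/connect-devices/...` on the deployment page in this same change, so one of the two sets of paths is likely stale. In the mode table, "DNS with WARP+" and "HTTP filtering" both mention "encrypted WARP+ traffic" without saying what is encrypted beyond the DoH queries; one clarifying phrase in the Description column would help readers choose a mode.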
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
order: 1
---

# Connect networks

You can configure networks to send DNS queries to Cloudflare for filtering and logging.

<DirectoryListing path="/connect-networks"/>
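Review bot: `<DirectoryListing path="/connect-networks"/>` does not match the `/connections/connect-networks` URL that the WARP client page in this change links to for this section. Check that the listing path resolves to the pages added under this section.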
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
order: 1
---

# Configure a Location

The only requirement for a location is its name. All other fields are optional if the location you are sending requests from is only using IPv6 or sending all DNS requests using DNS over HTTPS.

<img src={gatewayCreateLocation} alt="Configuring a location" />

## IPv4
Gateway uses the public source IPv4 address of your network to identify your location, apply policies and log the DNS requests. When you go through onboarding or in our location tab, the dashboard automatically identifies the public source IP address.

If you are using Gateway's paid plans, you can manually enter the IP address and netmask of your location. You can find out what public IP address you are using by connecting to the network of the location and then googling “What’s my IP address”.

On your router or if you are using a device or a daemon, forward DNS queries to the following IP addresses:

* **172.64.36.1**
* **172.64.36.2**

See how you can start sending DNS queries by visiting the [setup instructions](/locations/setup-instructions/)

## IPv6
When you create a location, your location will receive a unique IPv6 address. Cloudflare Gateway will identify your location based on this unique IPv6 address.

On your router/device/forwarder/daemon forward DNS queries to the corresponding IPv6 address for the location.

See how you can start sending DNS queries by visiting the [setup instructions](/locations/setup-instructions/)

## DNS over HTTPS
Each location has a unique hostname for DNS over HTTPS.

Cloudflare Gateway will identify your location based on the DNS over HTTPS hostname.

![DNS over HTTPS hostname](../static/location-with-dns-over-https-hostname.png)

See how you can start sending DNS queries over HTTPS using [Firefox.](/locations/setup-instructions/firefox).
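Review bot: `<img src={gatewayCreateLocation} alt="Configuring a location" />` references a variable that this new 37-line file never imports; add the import, or use a Markdown image path as the DNS over HTTPS section does. The last line also doubles the full stop, once inside the link text and once after the link: `[Firefox.](/locations/setup-instructions/firefox).`. In the IPv4 section, "On your router or if you are using a device or a daemon" would read better in the form the IPv6 section already uses for the same instruction.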
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
order: 2
hidden: true
---

# Locations

Locations are usually physical entities like offices, homes, retail stores, movie theatres or a data centers. The fastest way to start sending DNS queries from a location and protect it from security threats is by changing the DNS resolvers at the router to the dedicated IPv6 addresses for those locations.

If you don’t have IPv6 network, you can set up a location by adding the source IP for the location and changing the DNS resolvers to

* **172.64.36.1**
* **172.64.36.2**

If you want to send your DNS queries over an encrypted connection, you can use the hostname that we provide in the dashboard to send queries using DNS over HTTPS.

* [Configuring a location](/locations/configuring-a-location)
* [Setup instructions](/locations/setup-instructions)
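Review bot: Grammar in the added paragraphs: "movie theatres or a data centers" should be "movie theatres or data centers", and "If you don’t have IPv6 network" needs an article. The first paragraph recommends the dedicated IPv6 resolver addresses as the fastest setup but does not say where the reader obtains them; a link to `/locations/configuring-a-location` at that point would close the gap.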
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
order: 3
---

# Determining a location

Gateway uses different ways to match a DNS query to [locations](/locations) depending on the type of request and network. This is how Gateway determines the location of a DNS query:

![Determine location](../static/gateway-determine-location-dns.png)

Here is a step by step flow of how Gateway determines the location for an incoming DNS query:

## Step 1: DNS over HTTPS check and lookup based on hostname

Check if the DNS query is using DNS over HTTPS. If yes, lookup location by the unique hostname. If not, go to step 2.

## Step 2: IPv4 check and lookup based on source IPv4 address

Check if the DNS query is sent over IPv4. If yes, lookup location by the source IPv4 address. If no, go to step 3.

## Step 3: Lookup based on IPv6

If the query is in this step, it means that the DNS query is using IPv6. Gateway will lookup the location associated with the DNS query based on the destination IPv6 address.
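Review bot: The flow covers three match paths but not the outcome when none matches, for example a query in step 2 whose source IPv4 address is not registered to any location. State what Gateway does with such a query, since that decides whether an unregistered network is filtered at all. Wording: "lookup" is used as a verb in all three steps and should be "look up", and step 1 says "If not" where step 2 says "If no".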
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
order: 3
---

# Android Setup Instructions

* [Setup Gateway on Android](/locations/setup-instructions/android/manual)
* [Setup Gateway on Android using an MDM](/locations/setup-instructions/android/mdm)
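Review bot: Both link labels use "Setup" as a verb; "Set up Gateway on Android" and "Set up Gateway on Android using an MDM" would be correct, with "Setup" kept as the noun in the heading.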