The end of Point-to-Site VPNs as we know them might already be here. With Microsoft now providing not only a Windows client, but also Mac, Android and iOS clients for Entra Private Access (some of them still in Private Preview), and Cloudflare constantly improving their WARP client, there is no real need for VPN access for your users anymore.
Microsoft Global Secure Access
Well, this is a two-tier topic. Why, you might ask? Because Microsoft is fitting two products under the “Global Secure Access” umbrella:
Microsoft Entra Internet Access and Microsoft Entra Private Access.
Microsoft Entra Internet Access
I won’t go too much into detail here, but let’s say that with Microsoft Entra Internet Access you’re able to establish a Site-to-Site VPN from your office locations directly to Microsoft, and via a provided BGP peer your office locations will route traffic intended for Microsoft services (Exchange, Intune, OneDrive, SharePoint, …) directly over this tunnel. Microsoft then offers the option not only to inspect the traffic, but also to use Conditional Access to, for example, restrict collaboration with certain tenants.
Needless to say, I’ve already tried that out and locked myself out of my customer tenants; it took me a hot minute on a Monday until I understood that I wasn’t able to access them because my home network was routing everything Microsoft-related directly to Microsoft and associating it with my tenant – working as intended.
Entra Private Access
Entra Private Access, on the other hand, is, as the name suggests, your users’ access to all your on-premises resources, and if I say all, I mean almost everything: RDP, SMB, SSH, FTP, … and everything with Conditional Access. YES, Conditional Access on an SMB connection. Madness.
But how does it work? How can I use it? Well, currently it’s included in the Entra ID P1 license and the setup is quite simple, because if you already have an Entra ID Application Proxy Connector up and running, guess what, you also have an Entra Private Access Connector. Yes, they’re the same piece of software now.
If you don’t have an Entra ID Application Proxy Connector yet, you can just visit https://entra.microsoft.com/ and navigate down to “Global Secure Access (Preview)” > “Connect” > “Connectors”.
Once there, you need to activate the Private Network Connectors and download the connector service; you can install it on any Windows Server 2016 or later.
Once you’ve done so, your server will pop up on the dashboard as “available”. One thing to note is that you should make sure this server can reach all the network resources your users might need to access.
If you want redundancy, then you should obviously, as with the Application Proxy Connector, install more than one instance, and if there are network differences between them, you might want to consider grouping connectors.
From there on, you can just navigate to “Global Secure Access (Preview)” > “Applications” > “Enterprise Applications”. On this screen, simply click “New application”.
Here you can configure the needed access, meaning IPs or FQDNs and ports (22 for SSH, 445 for SMB, 3389 for RDP and so on…).
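Before publishing an application, it is worth confirming from the connector server itself that every IP/FQDN and port you are about to enter is actually reachable, since the connector is what ends up proxying the traffic. The following is an added example (not code from the original post or from Microsoft) that you run on a connector server: the segment list is constructed sample data and the host names are placeholders; replace them with the targets you plan to configure. Only TCP is checked, which matches the fact that UDP is not supported by the client anyway.

```powershell
# Added example: verify from a Private Network Connector server that each planned
# application segment (host + TCP port) resolves and accepts a connection.
# The entries below are constructed placeholders, not real infrastructure.
$Segments = @(
    @{ Name = 'File server (SMB)'; Host = 'fs01.corp.example';     Port = 445  },
    @{ Name = 'Jump host (RDP)';   Host = '10.10.20.15';           Port = 3389 },
    @{ Name = 'Build box (SSH)';   Host = 'build01.corp.example';  Port = 22   }
)

function Test-PrivateAccessSegment {
    param([hashtable]$Segment)

    # Test-NetConnection resolves the name and attempts a TCP handshake on the port.
    # Warnings (e.g. failed name resolution) are suppressed; the result object
    # still tells us whether resolution and the TCP test succeeded.
    $result = Test-NetConnection -ComputerName $Segment.Host -Port $Segment.Port `
                                 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Name      = $Segment.Name
        Target    = "$($Segment.Host):$($Segment.Port)"
        Resolved  = [bool]$result.RemoteAddress
        Reachable = $result.TcpTestSucceeded
    }
}

$report = $Segments | ForEach-Object { Test-PrivateAccessSegment -Segment $_ }
$report | Format-Table -AutoSize

# Fail loudly if anything is unreachable so the check can be used in automation.
$unreachable = $report | Where-Object { -not $_.Reachable }
if ($unreachable) {
    Write-Warning "Unreachable from this connector: $($unreachable.Target -join ', ')"
    exit 1
}
```

Run it on each connector in a connector group; a segment that is reachable from one connector but not another is exactly the “network differences” case where grouping connectors matters.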
These Enterprise Applications are usable in Conditional Access policies.
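To show what that looks like in practice, here is an added example (not from the original post, and not Microsoft's own sample) that creates a Conditional Access policy targeting one of these Private Access Enterprise Applications through Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed; the application (client) id and the break-glass group id are placeholders you take from your own tenant. The policy is created in report-only state so you can watch the sign-in logs before enforcing it.

```powershell
# Added example: require MFA and a compliant device for one Private Access application.
# Placeholders: replace with the application (client) id of the Enterprise Application
# created under Global Secure Access > Applications, and your emergency-access group id.
$PrivateAccessAppId = '00000000-0000-0000-0000-000000000000'   # placeholder app id
$BreakGlassGroupId  = '11111111-1111-1111-1111-111111111111'   # placeholder group id

# Policy.ReadWrite.ConditionalAccess is needed to create policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Private Access - require MFA and compliant device'
    # Report-only first: evaluated and logged, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            # Always keep emergency-access accounts out of policies that can lock you out.
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            includeApplications = @($PrivateAccessAppId)
        }
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType 'application/json'

"Created policy $($created.id) in state $($created.state)"
```

Once the report-only results look right, switch `state` to `enabled`; because the target is the Private Access application rather than a web app, the same policy governs the SMB, RDP or SSH segment behind it.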
How does the end user now access my “Application”?
Well, here is one of the two caveats: for Windows, the end user needs an Entra ID joined device, be it Hybrid (boo!) or not, and for Android/iOS a configuration for the “Microsoft Defender” app is used, therefore the device needs to be Intune managed. The second caveat is that UDP is currently not supported.
On an Entra ID joined device, you can just install the Global Secure Access Client for Windows (e.g. deploy it via Intune) and let SSO do the rest.
No more VPN client, no firewall rules or account management, be it via LDAP, SAML or otherwise, just an Entra Global Secure Access Client and Conditional Access.