I have been working in the SASE space for a long time, and wrote a blog post back in 2021 about the differences between the different vendors in this landscape (which you can read here –> SASE – The next generation of services we need to protect the mobile workspace? – msandbu.org), and today I was a bit surprised when Microsoft introduced their new capabilities in Entra called Global Secure Access, which is their move into the SASE ecosystem.
So what did Microsoft actually introduce? Well, it was two new products: Entra Private Access and Entra Internet Access. You can access the preview from the Entra Portal here https://entra.microsoft.com/ but if you want to gain access to Private Access as well you need to sign up using this Microsoft form here: Microsoft Entra Internet Access Private Preview Interest Form (office.com)
This has also introduced some new core capabilities into Azure AD…errr I mean Entra ID. One of these new core features is Universal Conditional Access.
We now have the option to use Conditional Access policies to secure traffic profiles. This lets us customize and combine controls beyond cloud applications to cover network traffic as well. At the moment, this feature is not supported for Private Access or Internet Access (only for Microsoft 365 traffic policies).
While much of the functionality is still in early preview, there are some “weird” limitations at the moment that I wanted to mention.
- The Global Secure Access Client currently only supports TCP traffic (traffic over UDP or QUIC cannot be handled)
- To tunnel network traffic based on rules of FQDNs (in the forwarding profile), DNS over HTTPS (Secure DNS) needs to be disabled.
- Tunneling IPv6 traffic isn’t currently supported.
- Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet.
So what are the capabilities of the different features introduced?
Entra Private Access
Entra Private Access allows us to access on-premises resources without the need for a VPN client. You can view this as an extension of the App Proxy capabilities that have been a part of Azure AD for a long time now. With the introduction of Private Access we can now tunnel other “non web-based” services as well, such as RDP, SSH and SMB, to name a few. Previously App Proxy has only supported web applications. NB: The App Proxy connector still requires a Windows Server to run, and the minimum connector version required for Private Access is 1.5.3417.0; you can download the latest version here https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download
To make this feature work you need to configure something called traffic forwarding profiles.
Traffic forwarding allows you to define the network traffic that will be routed through the Microsoft Entra Private Access and Microsoft Entra Internet Access services. By creating profiles, you can control how specific types of traffic are handled.
When traffic enters Global Secure Access, it is evaluated against the Microsoft 365 profile first, followed by the Private Access profile. If the traffic matches neither profile, it is not forwarded to the Global Secure Access service.
Each traffic forwarding profile can be customized with three main settings:
- Selection of traffic to be routed through the service.
- Application of Conditional Access policies to the selected traffic.
- Configuration of end-user connections to the service.
So it essentially lets the client determine whether specific traffic should go through the client or not. First, I need to enable traffic forwarding on my Microsoft 365 tenant.
I also need to download the Global Secure Access client on an endpoint, which at the moment has the following requirements.
- Operating Systems
  - Windows 10/11 Enterprise
- The device must be Azure AD joined or Hybrid Azure AD joined to a tenant that has onboarded to Global Secure Access.
- Internet connection to Azure AD and the Global Secure Access service.
- Local administrator permissions during the installation.
Download the client from here –> https://aka.ms/GSAClientDownload The client is currently available for Windows. Client versions for Android, iOS, and macOS will be released in the coming months.
So let's say that I want to publish an internal service running SMB which I want to access via the Private Access service. I would then need to add a Quick Access entry, which defines a traffic policy to route traffic to a specified IP via an App Proxy connector and also adds it as an enterprise application, on which I can then define the users/groups that should have access and the Conditional Access policies that should apply.
NOTE: I can add dedicated IP addresses, subnets, IP ranges or even FQDNs which are accessible from the App Proxy component.
So I define an internal server which is reachable from that specific Application Proxy server. Then I go into the application settings and define a user that should have access to the application.
So now when I try to access that specific IP address from an endpoint that has the client installed, the following will happen:
1: The client will check if the IP address is part of a traffic forwarding policy
2: If part of a policy, it will route the traffic to the designated Application Proxy service
3: The Application Proxy will check access control based on users/groups and Conditional Access policies
4: If all checks are successful, it will tunnel the traffic to the designated backend service
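To make the evaluation order above and the preview limitations listed earlier concrete, here is a small Python model I added for this post (it is not Microsoft's client code): the profile names, IP ranges, FQDNs and local subnet are constructed sample values, and the decision steps follow the order described in the text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the Global Secure Access client's forwarding decision.
# Not Microsoft's code; ranges and names below are sample values.

@dataclass
class Profile:
    name: str                                   # "Microsoft 365" or "Private Access"
    networks: List[str] = field(default_factory=list)  # IP ranges assigned to the profile
    fqdns: List[str] = field(default_factory=list)     # FQDN rules assigned to the profile

@dataclass
class Flow:
    proto: str                     # "tcp", "udp" or "quic"
    dst_ip: str
    dst_fqdn: Optional[str] = None # name the app resolved, if any

def decide(flow: Flow, profiles: List[Profile], local_subnet: str,
           doh_enabled: bool = False) -> Tuple[Optional[str], str]:
    """Return (profile name, reason); profile name is None when the flow bypasses the tunnel."""
    if flow.proto != "tcp":
        return None, "client only handles TCP; UDP/QUIC bypass the tunnel"
    dst = ip_address(flow.dst_ip)
    if dst.version == 6:
        return None, "IPv6 tunneling is not supported"
    local = ip_network(local_subnet, strict=False)
    # Profiles are evaluated in order: Microsoft 365 first, then Private Access.
    for p in profiles:
        if flow.dst_fqdn and flow.dst_fqdn.lower() in (f.lower() for f in p.fqdns):
            if doh_enabled:
                return None, f"FQDN rule in '{p.name}' requires Secure DNS (DoH) disabled"
            return p.name, "matched FQDN rule"
        for net in p.networks:
            if dst in ip_network(net, strict=False):
                if p.name == "Private Access" and dst in local:
                    return None, "destination inside the device's local subnet is not tunneled"
                return p.name, f"matched {net}"
    return None, "no profile matched; traffic is not forwarded"

# Constructed sample configuration (documentation ranges, not real service IPs).
PROFILES = [
    Profile("Microsoft 365", networks=["198.51.100.0/24"]),
    Profile("Private Access", networks=["10.20.0.0/16", "192.168.1.0/24"],
            fqdns=["fileserver.corp.example"]),
]
LOCAL_SUBNET = "192.168.1.0/24"   # the endpoint's own LAN

if __name__ == "__main__":
    for f in (Flow("tcp", "10.20.3.4"), Flow("udp", "10.20.3.4"), Flow("tcp", "192.168.1.10")):
        print(f, decide(f, PROFILES, LOCAL_SUBNET))
```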
Which we can see in the screenshot below. The picture on the left side is from the log service of the agent, which can be accessed by clicking the log button on the icon in the task tray.
If you are having some issues with traffic not flowing, please check the Event Viewer on the machine where you have the agent installed, since I did troubleshoot a bit earlier and noticed that it does generate some actually good logs.
Some quick FAQ:
– What does the service cost? At the moment the services are in preview, and prices for the services have not been published yet.
– Can I use this to publish any internal application? Yes and no. At the moment it only supports TCP-based services, and secondly it wraps all TCP-based connections in a reverse-TCP tunnel, so expect somewhat sluggish performance.
– What kind of clients/endpoints are supported? At the moment only Windows.
– Where are the Secure Web Gateway features? They are not in public preview yet, so to be continued.
– What other features have been introduced? One of the new features is Source IP restoration, which means that the endpoint which has the client installed will always show its own IP. This ensures that Source IP-based location policies keep working across both Conditional Access and continuous access evaluation. This enables Identity Protection risk detections to have a reliable and unified view of the user's original Source IP address, allowing for accurate assessment of risk scores. Additionally, the Microsoft Entra ID sign-in logs now show the user's original Source IP information.