Rubix

View Original

Goodbye, VPN: Part 1 - This is private

Recently, I released a guided walkthrough of setting up Entra Private Access for cloud native PCs connecting to on-premises file shares. In addition to a tremendously positive response (thank you), I also received many requests for a written guide. It then got me thinking... "could some of my videos benefit from a written companion?"

Instead of sitting around thinking about the pros and cons, I decided it doesn't matter and began to make one anyway. Perhaps it will catch on.

What is Entra Private Access

According to Microsoft, Entra Private access is defined like this:

> Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.

In other words, it is a proxy-based system that allows a remote endpoint with the Global Secure Access Client to communicate with an on-premises resource through a proxy-connector. It supports common protocols like HTTP, RDP, and SMB and uses Entra Identity for authentication. This is powerful security boon as you can mix in conditional access policy, identity protection, and Defender for Identity telemetry; all adhering to a Zero Trust framework.

Requirements

This is still an 'in-preview' product, which means like all Microsoft previews, it is very much subject to change in terms of features and, more important, pricing.

License

As of right now, the preview is included in the Entra ID P1 or P2 license, which should allow for most organizations to be able to get this up and running.

Server

The application proxy connector needs to be installed on a Windows Server. Here are those requirements:

  • 2012 R2 or higher
  • minimum .NET version 4.7.1

Roles

In order to follow this setup guide, you'll need to be either a Global Administrator or have all of the following role assignments:

  • Global Secure Access Administrator
  • Application Administrator
  • Conditional Access Administrator

Setup guide

Turning it on

  • Start by logging into Microsoft Entra admin center at entra.microsoft.com and navigate to Global Secure Access (Preview) -> Connect -> Traffic forwarding
  • In the Traffic forwarding menu, enable Private access profile alt text
  • Next to User and group assignments, click View
  • These are the users the profile will apply to. Either choose specific users and groups or select Assign to all users

Making an app

With private access, an Application Segment is an on premises resource you want to provide access to via the proxy connector.

  • In the main blade, click Applications -> Quick Access alt text
  • Under Application Segment, click + Add Quick Access application segment
  • On the Create application segment page, define the following settings:
    • Destination type: Fully qualified domain name
    • Fully qualified domain name: Name of the server your file share is on
    • Ports: Port you're providing access on

      Remember, because we're choosing these setting to provide access to an SMB file share. Other components will require different options such as RDP or IIS.

Click Apply when finished.

The application is now visible in Enterprise applications, just like any other Entra app. Let's add our users.

  • Select the name of your app from Enterprise applications
  • On the application page, navigate to Users and groups and click + Add user/group
  • Select the users or groups you'd like to be able to access the resource.

The Connector

We have to download the proxy connector and install it on the server we intend to access.

  • In the main blade, click Connect -> Connectors
  • On the Private Network connectors page, click Download connector service
  • On the Private Network Connector Download page, click the Accept terms & Download button.

The connector needs to be on your Windows Server. If you cannot add the setup.exe, then repeat the above steps to download the connector > directly> to the Windows Server.

  • Double click the MicrosoftEntraPrivateNetworkConnectorInstaller.exe file to begin the installation.
  • Agree to the terms and click Install
  • You'll then be prompted to authenticate with your Entra ID

Once the installation is complete, you will see the active connector on the Private Network connectors page.

Deploy the client

Windows PCs will need the Global Secure Access Client installed on them in order to access the proxy service. We will deploy this with Intune.

  • Navigate to Connect -> Client download and click on the Download Client button for Windows 10/11
  • Use the Microsoft-Win32-Content-Prep-Tool to create an .intunewin file
  • Head over to intune.microsoft.com and navigate to Apps -> Windows -> +Add
  • In the App type drop-down menu, select Windows app (Win32)
  • Click Select app package file and navigate to the GlobalSecureAccess.intunewin file we just created.
  • Fill out the Name, Description, and Publisher fields.
  • Configure the remaining options as follows:
    • Program
      • Install command: GlobalSecureAccessClient.exe /install /quiet
      • Uninstall command: GlobalSecureAccessClient.exe /uninstall /quiet
      • Install behavior: System
    • Requirements
      • Operating system architecture: 64-bit
      • Minimum operating system: Windows 10 22H2
    • Detection rules
      • Rule type: File
      • Path: C:\Program Files\Global Secure Access Client
      • File or folder: GlobalSecureAccessClientChecker.exe
      • Detection method: File or folder exists
      • Associated with a 32-bit app on 64-bit clients: No
  • For Assignments, I have chosen to make the app available to all users to download from the Company Portal.

Deployed!

There we go; we now have the Global Secure Access Client app deployed to our PCs with Intune, ready to authenticate to our on-premises file share via the proxy connector.

In part 2, we'll go over the user experience and some advanced security options to further protect our app.