Rubix

View Original

Goodbye, VPN: Part 2 - The public access user experience

I’m often asked questions after I upload my videos, but some of the most interesting are:

  • “Hey, Steve; what’s with all the nonsense ranting in the beginning of your videos?”

  • “Who do you talk to off to the side of your desk; the Koo-Aid Man, Snoopy, yourself?”

  • “Is it a real basement, or perhaps a very realistic movie set on a sound stage that coincidentally has sub-par audio and video quality compared to other big-budget Hollywood projects?”

  • “This is a Best Buy- why are you trying to return those pants?”

Looks real, but you never know…

The point is, engaging with people is fun.

On that note, let’s move on by looking at the Entra Private Access user experience with the Global Secure Access Client on Windows.

End-user setup

For our “testing”, we took a brand-new Windows 11 PC and went through the standard Autopilot setup. A few things to note about this setup.

  • PC will be Entra ID joined only (cloud native)

  • Our user, Morty Smith is synced from on-premises Active Directory and has access to file shares on the RBXDV-DC-01 server

  • We are 100% remote, with absolutely no line-of-sight to our domain

We start by powering on the PC and going through Autopilot sign-in.

When the provisioning is complete, you can see we’re signed in as Morty Smith, and the Intune Company Portal app has been deployed to our machine.

After clicking on the Company Portal, we see the Global Secure Access Client app. Let’s select it and click Install.

For this demo, we made the app available from Intune, but there’s no reason why we can’t push the client as required, so it is automatically present.

Connected like magic

Once the installation is complete, the Global Secure Access Client prompts Morty to authenticate. This is where you have the opportunity to enforce MFA with conditional access if you’d like (more on that in a future post).

After the sign-in, Morty can connect to his usual file shares on the domain server as if he was on the network.

Aaaaaaaaand done!

That’s it! Nothing else needs to be done on Morty’s part, and his device is not actually on the corporate network, nor is there a VPN client running. If you want to see the traffic in action, you can see it in the Entra portal.

  • Sign in to entra.microsoft.com and navigate to Global Secure Access -> Monitor -> Traffic logs

  • You can see the session info including source IP address, username, and the destination FQDN

While in this example we’re using this for file shares, we can extend this to Remote Desktop, mapped drives, and on-premises application authentication.

In the next part, we’ll discuss using conditional access, MFA, and even Cloud PKI to protect our private resources.