Entra Private Access

Entra Private link

Entra Private Link allows a remote worker to access a company resource without needing to connect via VPN. Access is made through the Global Secure Access Client. Configuration can be carried out in Quick Access mode or through a Global Secure Access app.

Quick Access is the primary group of FQDNs and IP addresses that we want to secure. Before configuring the Global Secure Access deployment, it’s important to review the list of private resources and decide for which of them we want to configure Entra Private Link.

Quick access mode for Private Link

The Global Secure Access app can be used for the following scenarios:

  • A different set of Conditional Access policies must be applied
  • Only a few private resources must be accessed through Entra Private Link, and a different set of access policies must be used
Entra Private Link Global Secure Access

Licensing

Microsoft Entra Private Access offers several features. Microsoft Entra Internet Access secures access to all internet and SaaS applications. Microsoft Entra Private Access elevates network security with a Zero Trust Network Access (ZTNA) solution. Microsoft Entra Internet Access for Microsoft services permits direct access to supported Microsoft services. A Microsoft Entra ID P1 or Microsoft Entra ID P2 license is needed for these features.

RBAC

Global Secure Access uses Role-Based Access Control (RBAC) to delegate permissions.

  • Global Administrator: This role gives full permissions. It’s possible to configure policies, manage settings and view logs.
  • Security Administrator: This role gives the possibility to configure remote networks, set security profiles, manage traffic forwarding and view traffic logs. Configuring Private Access and enabling Office 365 logging are not permitted.
  • Global Secure Access Administrator: This role offers the same permissions as the Security Administrator role. It also offers the possibility to enable alerts. Configuring Private Access, creating and managing Conditional Access policies, managing assignments (users and groups) and configuring Office 365 logging are not permitted.
  • Conditional Access Administrator: With this role, you can create and manage Conditional Access policies for Global Secure Access.
  • Application Administrator: Private Access can be configured. Quick Access, private network, connectors, application segments and Enterprise applications are included.
  • Security Reader and Global Reader: These roles offer read-only access to all of Global Secure Access except traffic logs.

Configure Quick Access

You can use the link to see the list of known limitations for Quick Access. For production, it’s important to read it before implementing the solution.

Install the connector

The Microsoft Entra private network connector must be installed on a server running Windows Server 2012 R2 or later. It’s recommended to have more than one server, for high availability reasons. Some other prerequisites must be respected. Be careful! .NET v4.7.1 or later is required by the connector.

On Windows Server 2019 or later, HTTP 2.0 must be disabled when the Microsoft Entra private network connector is used with Microsoft Entra application proxy. On the server, open regedit and add the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DWORD value EnableDefaultHTTP2 = 0
EnableDefaultHTTP2 registry key

TLS 1.2 must be enabled: the following keys must be created, and a restart must then be performed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

On the Client and Server keys, add a DWORD DisabledByDefault with value 0. Repeat the same action with a DWORD Enabled with value 1.

Enable TLS 1.2

On the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, add a DWORD SchUseStrongCrypto with value 1.

SchUseStrongCrypto enables TLS 1.2
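The same prerequisites applied with PowerShell instead of regedit, as an added example that is not part of the original post. It assumes an elevated session on the connector server and, for the .NET check, that a Release value of 461308 or higher in the NDP\v4\Full key corresponds to .NET Framework 4.7.1 or later.

```powershell
# Added example, not from the original post: applies the registry
# prerequisites described above with PowerShell instead of regedit.
# Run in an elevated session on the connector server; the SCHANNEL
# changes still require a restart, as the post says.
#Requires -RunAsAdministrator

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# .NET Framework 4.7.1 or later is required (assumption: Release 461308 is the lowest 4.7.1 value)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 461308) {
    throw ".NET Framework 4.7.1 or later is required by the connector (Release found: $release)"
}

$winHttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$tls12   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotNet  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

# Windows Server 2019+: disable HTTP/2 in WinHTTP when the connector is used with Application Proxy
Set-RegistryDword -Path $winHttp -Name 'EnableDefaultHTTP2' -Value 0

# Enable TLS 1.2 for both the SCHANNEL client and server side
foreach ($side in 'Client', 'Server') {
    Set-RegistryDword -Path "$tls12\$side" -Name 'DisabledByDefault' -Value 0
    Set-RegistryDword -Path "$tls12\$side" -Name 'Enabled'           -Value 1
}

# Make .NET Framework 4.x use the strong-crypto defaults, so it negotiates TLS 1.2
Set-RegistryDword -Path $dotNet -Name 'SchUseStrongCrypto' -Value 1

# Read everything back so the result can be reviewed before the restart
$expected = @(
    @{ Path = $winHttp;        Name = 'EnableDefaultHTTP2'; Value = 0 },
    @{ Path = "$tls12\Client"; Name = 'DisabledByDefault';  Value = 0 },
    @{ Path = "$tls12\Client"; Name = 'Enabled';            Value = 1 },
    @{ Path = "$tls12\Server"; Name = 'DisabledByDefault';  Value = 0 },
    @{ Path = "$tls12\Server"; Name = 'Enabled';            Value = 1 },
    @{ Path = $dotNet;         Name = 'SchUseStrongCrypto'; Value = 1 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name).($e.Name)
    $state  = if ($actual -eq $e.Value) { 'OK' } else { 'MISMATCH' }
    "{0,-8} {1}\{2} = {3}" -f $state, $e.Path, $e.Name, $actual
}
```

Any line reported as MISMATCH means the value was not written; fix it before restarting and installing the connector.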

From the Entra portal, expand Global Secure Access, click Connect and then Connectors.

Click Download connector service to download the setup file. The connector will be installed on the on-premises server.

Download connector service for Entra Private Access

To download the Private Network Connector, click Accept terms & Download.

Accept terms & download

A setup file is downloaded. Run this file on the server to install the connector. The registry keys above must be configured on the server before installing the connector.

Install Connector

A wizard appears; check the option I agree to the license terms and conditions, then click Install.

Check the I agree to the license terms and conditions option and click Install

Installation is in progress…

Installation of the Entra Private Network connector is in progress

A window appears; authentication is needed. Type the credentials of an Entra administrator.

Type credentials of local administrators

The server appears under Private Network connectors. The status is Active; it’s recommended to have at least two servers.

The server is installed and appears in Private network connectors

On the server, verify that the Microsoft Entra Private Network Connector service is in the Running state.

Microsoft Entra Private Network Connector Services

Create new connector group

From the Entra portal, expand the Connect menu and click Connectors. Click New Connector Group in the central blade. If only one connector group is needed, the default connector group can be used; in that case, creating another connector group is not necessary.

Create new connector group for private network connectors

Type the name of the connector group and select the desired connectors.

Create new connector group

The connector group is now created and the server is added to it.

The connector group is created

Add server on another connector group

It’s possible to move the server to another connector group. To do so, click the server, select the desired connector group (Default in my case) and click Save.

Move server to another connector group

From the Entra portal, click Global Secure Access then Applications. Click Quick Access to create a new quick access. Type the desired name and select the connector group (if there are several connector groups).

Configure Quick Access on Private Link

Application segments must be configured. They define which applications (RDP, …) the user can access through the connector.

Add an application segment on Private Link

Select the Destination type. In the following example I want to access my Hyper-V server via Remote Desktop, so I choose IP address as the Destination type. The IP address must be added. If there are two servers, two application segments must be created. Enter the ports and protocol (TCP 3389 for RDP).

Add application segment

Add the application segment; the status is Pending for a few minutes. Check that the status changes to Success.

The application segment is created and its status is Pending

Private DNS can be configured. The feature is in Preview and permits adding private DNS suffixes. Select Private DNS and click Add DNS suffix.

Add Private DNS Suffix

Type the desired DNS suffix, then click Add.

Add DNS suffix

Configure Entra Application

From the Entra portal, expand Applications then click Enterprise applications. The application for Quick Access has been created. Click on it.

The Entra application for Quick Access has been created

Click Users and groups then Add user/group to allow users to use this application. In production it is recommended to use a group.

Allow users or groups to use the application

Configure Traffic forwarding

From the Entra portal, expand Connect then click Traffic forwarding. Several profiles are present. We want access to the private resources (an RDP connection to a server), so the Private access profile must be configured: click View.

Click View on the Private access profile

Select the desired users or groups; in production it is recommended to use a group. If the profile must apply to all users, click Assign to all users.

Assign users or groups to the Private access profile

Enable the Private access profile. This allows the user to access the private resource (a server in our case).

Download and install client

The client must be installed on the computer from which the user needs to access the application. From the Entra portal, expand Global Secure Access then click Client download. The Entra feature can be used on different platforms. Expand Windows 10 and click Download Client.

Download the Private Link client for Windows 10

Run the downloaded file. A wizard appears; check I agree to the license terms and conditions, then click Install.

Run GlobalSecureAccessClient.exe (the Global Secure Access Client installer)
Accept the license terms and conditions

When the client is installed, click on Close.

Click Close when the installation is finished

Test connection

The client is now installed and connected. We can open an RDP session to the server. Check that the server has the green tick; if not, the connection to the internal resource is not possible.

Verify the connection of the client

The connection to the Hyper-V server is now possible. Open a Remote Desktop console and connect to the server (Hyper-V in my case).

Open an RDP session to the server

We can see that the server has a private IP address. It would therefore not be possible to connect to it without a VPN connection or without the Entra Private Access feature.

The server has a private IP address
