Last week Microsoft introduced new Security Service Edge (SSE) capabilities as part of the Microsoft Entra suite of technologies. Included in these announcements, Microsoft introduced the public preview of two new secure remote access technologies – Microsoft Entra Internet Access and Microsoft Entra Private Access. The latter of these will particularly interest Microsoft Always On VPN administrators in some deployment scenarios.
Microsoft Entra Internet Access
Microsoft Entra Internet Access is a new Secure Web Gateway (SWG) cloud service solution designed to protect users from threats on the public Internet. Features include web content filtering, malware inspection, TLS inspection, and more. In addition, Entra Internet Access can protect Microsoft 365 applications. Azure Conditional Access policies can be enforced for Internet traffic. Network conditions are now included with Azure Conditional Access, which can further protect against attacks by requiring access from specific trusted or compliant networks. Today, the public preview is available for Microsoft 365 scenarios only. Internet traffic and other SaaS applications will be available later this year.
Microsoft Entra Private Access
Microsoft Entra Private Access is a Zero Trust Network Access (ZTNA) cloud service solution that leverages the Azure Application Proxy access model. With Azure App Proxy, administrators can easily publish private, on-premises web applications by installing the connector on an on-premises server. Administrators can leverage Azure AD authentication and conditional access policies to ensure device compliance or enforce multifactor authentication (MFA), if required. Microsoft Entra Private Access extends the capabilities of the Azure Application Proxy to support TCP and UDP-based applications.
Private Access vs. Always On VPN
Microsoft Entra Private Access will be a compelling alternative to Always On VPN in the future. Specifically, organizations with natively Azure AD joined devices could benefit tremendously from this technology. Microsoft Entra Private Access is much simpler to implement than Always On VPN and requires no on-premises infrastructure other than the Azure Application Proxy connector. Because the connector establishes outbound connections only, no inbound access from the Internet is required, making the solution inherently more secure and reducing the public attack surface. For organizations using hybrid Azure AD join, Always On VPN continues to be the best Microsoft solution for those scenarios.
Contact Us
I’ve had the privilege of participating in the private preview for Microsoft Entra Internet Access and Private Access. If you’d like to learn more about these technologies and how they can help your organization, fill out the form below, and I’ll provide more information.
Bald Eagle
/ July 17, 2023
Having set it up, made a connector, and tested, I have asked Microsoft some questions, and they answered:
1. Question: Is it correct that traffic is routed through the client even when I am in my office network? If yes, is there a way to build an exception?
Answer: Intelligent Local Access will enhance this so traffic, once authorized, will flow direct from client to app (when on corpnet) bypassing connector/edge. Intelligent local access is planned for when we GA (Nov 23). Currently all traffic flows via connectors/edge even when you are on corpnet.
2. Question: When a new App is registered, or when a change is made to an app, how much time does it take to be available on the client?
Answer: It should take 1-2 hours normally; however, we have implemented throttling on the backend due to recent demand from Public Preview. If you want to speed things up for testing, stop the client, wait 10 seconds, resume the client. Don’t use the Restart client function. Repeat this twice and your client should immediately do a policy refresh and update its local policy – I just tested this in my lab; it works.
3. Question: When will we have the option to define port ranges?
Answer: 1-2 months away from today
4. Question: Regarding the limitation of the client to only run on hybrid-joined or Azure AD joined devices, will that be changed? I mean, can we use it to give to external consultants as a replacement for VPN? These external consultants usually have no hybrid-joined or Azure AD joined devices from us. They will use their own laptops or computers.
Answer: External access is planned for V2 so around about 6 months to 1 year from November 23.
You don’t have to post as me; feel free to use the info as you see fit.
Richard M. Hicks
/ July 19, 2023
Thanks for sharing. Good stuff! No doubt it’s incomplete now, but it will get better as the solution matures. 🙂
Jethro Morais
/ July 17, 2023
You misspelled 365 😉 “Entra Internet Access can protect Microsoft 635 applications.”
Richard M. Hicks
/ July 19, 2023
Thanks for catching that and bringing it to my attention! Fixed now. 🙂
Dave
/ August 24, 2023
We agree that in the future, the “remote networks” will allow private traffic to transit, right (the options are grayed out for now)? Today, I configured the 2 IPsec VPNs (US only), and I’m receiving the O365 routes via BGP. I can connect to Microsoft servers through these tunnels.
But in the future, I would like a GSA Client to be able to use internal resources of my company via these two tunnels. That’s what’s planned, correct? Because Application Proxy works well, but I won’t be publishing hundreds of applications… especially considering it’s only compatible with HTTP/HTTPS, not RDP, SMB, SSH, etc…
The goal is, of course, to replace AOVPN with GSA.
Richard M. Hicks
/ August 24, 2023
That’s correct. Essentially Entra Private Access extends the functionality of the existing Azure Application Proxy to include TCP and UDP applications. So, in addition to the web applications you might be publishing today with the Azure App Proxy, you will also be able to publish things like SMB shares, RDP, SQL, SSH, etc. with the app proxy.
Today GSA supports only TCP, though. UDP connectivity is forthcoming.