All posts by Richard M. Hicks

Always On VPN and Azure VPN Gateway SSTP Protocol Retirement

The Azure VPN gateway has been an option for supporting Microsoft Always On VPN client connections for organizations moving resources to the cloud. Today, Azure VPN gateway supports Internet Key Exchange version 2 (IKEv2), OpenVPN, and Secure Socket Tunneling Protocol (SSTP), although SSTP support has long been limited in scope and scalability. However, Microsoft recently indicated that some important changes are coming soon that will affect VPN protocol support on the Azure VPN gateway.

SSTP and Azure VPN Gateway

Microsoft has announced plans to deprecate and eventually remove support for SSTP on the Azure VPN gateway.

Key Dates

Here is Microsoft’s timeline for retiring SSTP for VPN connections.

  • March 31, 2026 – SSTP can no longer be enabled on new or existing gateways
  • March 31, 2027 – Existing SSTP connections will stop functioning

SSTP: Second Class Citizen

The retirement of SSTP for Azure VPN gateway should not have a significant impact on Always On VPN deployments. Support for SSTP on Azure VPN gateway has always been limited, making it a less viable option for most Always On VPN deployments. SSTP connections are capped at 128 concurrent connections (256 in active-active mode), regardless of gateway SKU. Additionally, Azure VPN gateway does not support simultaneous user and device tunnels, further limiting its usefulness in modern Always On VPN designs.

Plan Migration Now

If you are using Azure VPN gateway to support Always On VPN client connections, now is the time to begin planning a migration to IKEv2, which offers better scalability and native Always On VPN support. Alternatively, consider Windows Server RRAS in Azure, a third-party VPN solution, or Entra Private Access if Azure VPN gateway no longer meets your requirements.

More Information

For official guidance, see SSTP Protocol Retirement and Connections Migration. If you’re unsure how this change affects your Always On VPN deployment, or you would like help planning a migration, this is a good time to review your design and roadmap. Fill out the form below, and I’ll provide you with more information.

Additional Information

SSTP Protocol Retirement and Connections Migration

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Windows Server RRAS in Microsoft Azure

Microsoft Entra Private Access

Leave a comment
by Richard M. Hicks on January 26, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure, Azure VPN, Azure VPN Gateway, cloud, Deployment, device tunnel, end of life, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, OpenVPN, public cloud, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 26, 2026

https://directaccess.richardhicks.com/2026/01/26/always-on-vpn-and-azure-vpn-gateway-sstp-protocol-retirement/

Microsoft Entra Private Network Connector Overview and Deployment Strategies

When deploying Microsoft Entra Private Access, administrators must install at least one Entra Private Network Connector to facilitate communication between Global Secure Access clients and on-premises resources. The Entra Private Network connector is a software agent that communicates outbound only. It requires no inbound connectivity, reducing public network exposure and minimizing the organization’s attack surface.

Entra Private Network Connector

The Entra Private Network connector is essentially the old Azure Application Proxy, updated to support all TCP and UDP-based communication. You can download the connector by opening the Entra admin center, navigating to Global Secure Access > Connect > Connectors, and clicking the Download connector service link.

Cloud Appliances

To enable access to cloud-hosted resources, the Entra Private Network connector can be installed on a VM in those environments. However, the Entra Private Network connector is also available as an appliance in public preview for the following cloud providers.

Resource Requirements

The following recommendations pertain to VM resources for the Entra Private Network connector server.

  • Windows Server 2016 or later. However, Windows Server 2016 reaches end of life in January 2027, so Windows Server 2022 and later are recommended. The Desktop edition is required, but it can technically be installed on Server Core with the Application Compatibility Feature on Demand for Server Core. However, Microsoft may not formally support this option.
  • Minimum 4 CPU cores and 8GB RAM. Monitor resource utilization during migration. Provision additional CPU and/or memory when utilization consistently exceeds 70% during peak times. Scaling out (adding servers) is preferred over scaling up (adding CPU and RAM).
  • Domain Join. Domain join is optional but recommended. Domain join is required to support single sign-on (SSO).

Connector Groups

A Connector Group is a logical grouping of Entra Private Network connectors. A Connector Group functions as a single unit for high availability and load balancing. Connectors are deployed in the same region as the tenant by default.

Default Group

When you install the Entra Private Network connector, it is placed into the Default connector group. However, this may not always be desirable. For example, the organization may have multiple data centers in different geographies. They may also have resources hosted in different Active Directory forests or perhaps located in isolated network locations. Using a common connector group may be suboptimal or not work at all.

Custom Groups

Administrators can define custom connector groups as needed. Custom connector groups ensure that connectors always have access to the resources nearest to them. They can be deployed in different locations and assigned to other Azure regions to ensure optimal traffic routing and reduced latency. Today, administrators can create connector groups in the North America, Europe, Australia, Asia, and Japan regions.

Create a Connector Group

Open the Microsoft Entra admin center and perform the following steps to create a new Entra Private Network connector group.

  1. Navigate to Global Secure Access > Connect > Connectors and Sensors.
  2. Click on New Connector Group.
  3. In the Name field, enter a descriptive name for the connector group.
  4. From the Connectors drop-down list, select one or more Entra Private Network connectors to assign to the group. Optionally, you can leave this field blank and assign connectors later.
  5. Click Save.

Connector Group Assignment

Once you have created a new connector group, you can assign Quick Access or individual Enterprise applications to it as follows.

Quick Access

To assign a new connector group to the Quick Access application, open the Entra admin console, navigate to Global Secure Access > Applications > Quick Access, and select the Network access properties tab. Select the new connector group from the Connector Group drop-down list.

Enterprise Applications

To assign a new connector group to an individual Enterprise application, navigate to Global Secure Access > Applications > Enterprise applications. Select an application, then select Network access properties. Select the new connector group from the Connector Group drop-down list.

Deployment Strategy

The following are best practices for deploying the Entra Private Network connector.

Redundancy

Always deploy at least two Entra Private Network connectors to ensure high availability and eliminate single points of failure.

Location

Install the Entra Private Network connector on servers closest to the applications they serve. Deploy connectors in all locations where applications are accessed, including on-premises networks and Infrastructure-as-a-Service (IaaS) resources.

Default Connector Group

Avoid using the default connector group for application assignment. Always use custom connector groups for application access. This ensures that new connectors do not process production traffic immediately after installation, which can cause unexpected behavior if the connector is not optimally deployed for the published resource or is not connected to the back-end application.

Deleting Connectors

Entra Private Network connectors cannot be removed from the management console. If you uninstall a connector, its status will show as inactive. After 10 days of inactivity, it will be automatically removed.

Reassigning Connectors

Administrators can reassign connectors to different connector groups at any time. However, existing connections on that connector server from the prior group assignment will remain until they age out. Administrators can restart the connector service or reboot the server to address this issue.

Restart-Service -Name WAPCSvc -PassThru

Connector Updates

The Entra Private Network connector will automatically install major updates when they become available. However, not all updates are applied automatically. Don’t be alarmed if you see discrepancies between release versions across multiple connector servers in the admin console. Administrators can always perform software updates manually to ensure uniform connector versions in their environment, if desired.

Diagnostics

Beginning with Entra Private Network connector v1.5.4287.0, the agent installation also includes the diagnostic utility ConnectorDiagnosticsTool.exe, which is in the C:\Program Files\Microsoft Entra Private Network Connector\ folder on the connector server. Running the tool initiates a series of tests to perform a health check of the connector service, including certificate status, connectivity, enabled TLS versions, service status, and more.

Note: Entra Private Network connector v1.5.4522.0 and later includes a graphical output, as shown above. Previous versions featured text-based output only.

Summary

Microsoft Entra Private Network Connectors are lightweight, outbound-only agents that enable secure access to on-premises and cloud resources through Entra Private Access. Best practices emphasize deploying at least two connectors per location for redundancy, placing them close to target applications, using custom connector groups for high availability, load balancing, and optimal routing, and assigning them to Quick Access or enterprise applications while avoiding the default group. Ensure that VMs are appropriately sized for the expected connector traffic, and consider using marketplace appliances for Azure, AWS, and GCP. If you’ve previously deployed the Entra Private Network connector, ensure that it is running the latest release to take advantage of new diagnostics for troubleshooting.

Additional Information

Microsoft Entra Private Network Connectors

Microsoft Entra Private Network Connector groups

Preventing Port Exhaustion on Entra Private Network Connector Servers

Microsoft Entra Private Access Intelligent Local Access

Always On VPN vs. Entra Private Access: Choosing the Right Access Model for Your Organization

Leave a comment
by Richard M. Hicks on January 19, 2026  •  Permalink
Posted in Amazon Web Services, AWS, Azure, Azure App Proxy, Azure Application Proxy, cloud, Cloud Service, Deployment, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra ID, Entra Private Access, Entra Private Network Connector, Global Secure Access, GSA, Infrastructure, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, Mobility, Private Network Connector, public cloud, Remote Access, SASE, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows Server 2025, Zero Trust, Zero Trust Network Access
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 19, 2026

https://directaccess.richardhicks.com/2026/01/19/microsoft-entra-private-network-connector-overview-and-deployment-strategies/

What’s New in Entra Global Secure Access Client v2.24.117

In early December 2025, Microsoft announced an update for the Entra Global Secure Access client. This latest release, v2.24.117, includes important changes that administrators will find helpful for efficient connectivity and enhanced troubleshooting.

Intelligent Local Access

The latest release of the Microsoft Entra Global Secure Access client adds support for Intelligent Local Access (ILA). ILA ensures optimal network connectivity when accessing published resources. ILA can detect when it is on a trusted network and send traffic directly to the resource, bypassing the cloud gateway to improve performance. Authentication and authorization are still required for application access regardless of location.

B2B Guest Access

B2B Guest Access, now in public preview, enables external partners to securely access an organization’s private resources using their own devices and home Microsoft Entra ID credentials, without credential duplication. Partners install the Global Secure Access client, sign in, and switch to the resource tenant, routing traffic via Private Access profiles for Conditional Access, MFA, and continuous evaluation. It supports BYOD and multitenant switching, requires guest user setup and specific client configurations in the resource tenant, and needs licensing only in the resource tenant. However, B2B Guest Access does not support Kerberos-based on-premises resources. More details here.

Traceroute

This latest release of the Entra Global Secure Access client also includes a new traceroute tool. GsaTracert.exe, located in the C:\Program Files\Global Secure Access Client\GSATracert\ folder, allows administrators to test connectivity to published resources and evaluate network response time and performance.

FQDN

Administrators can use GsaTracert.exe to validate connectivity to a resource using its fully qualified domain name (FQDN). When running the command, GsaTracert.exe reports the round-trip time (RTT) in milliseconds for each hop along the path, including the target resource. It will also indicate which point of presence (PoP) the client is currently connected to. The syntax to perform this test is:

.\GsaTracert.exe --host <fqdn:port>

For example:

.\GsaTracert.exe --host app1.lab.richardhicks.net:443

IP:Host

In addition to testing an FQDN, administrators can test individual resources using a combination of IP address and port number. The syntax to perform this test is:

.\GsaTracert.exe --host <ip:port>

For example:

.\GsaTracert.exe --host 172.16.0.254:22

Application ID

In addition to FQDN and IP:Port, administrators can also supply the application ID to test. However, since an application can include multiple IP addresses and/or ports, the measurement for backend resources is omitted when using this option. The syntax to perform this test is:

.\GsaTracert.exe --app-id <app ID>

For example:

.\GsaTracert.exe --app-id a8b914b-4143-4901-9fbb-09b61319d5a6

Note: You can find the application ID for a published application by opening the Entra admin center and navigating to Global Secure Access > Applications > Enterprise Applications. The application ID will be displayed on the Overview page of the published Enterprise application.

Speedtest

Administrators can use the –speedtest switch with any of the combinations above to test the endpoint’s Internet performance. The results are for the connection to the public Internet, not to the published resource.

Additional Features

The following new features are designed to improve the user experience for Global Secure Access users.

Disable Private Access

Administrators can now use a registry setting to show the Disable button, allowing users to disable Entra Private Access. Disabling Private Access is helpful when a device is on the internal network, and the user prefers to access resources directly rather than through Global Secure Access.

View Account

The new Global Secure Access client now includes a View Account link to the user’s Microsoft Entra My Account website.

Summary

The Microsoft Entra Global Secure Access Client v2.24.117 introduces several valuable enhancements for administrators and users alike. Key highlights include Intelligent Local Access for optimized performance on trusted networks, public preview support for B2B Guest Access enabling secure external collaboration without credential duplication, and the new GsaTracert.exe traceroute tool for detailed network diagnostics. Additional improvements, such as the ability to disable Private Access via registry settings and quick access to the My Account portal, further streamline management and troubleshooting. These updates reinforce Microsoft Entra Global Secure Access as a robust solution for secure, efficient resource connectivity.

Additional Information

Microsoft Entra Global Secure Access client v.2.24.117

Install the Entra Global Secure Access client for Microsoft Windows

Microsoft Entra Private Access Intelligent Local Access (ILA)

Preventing Port Exhaustion on Entra Private Network Connector Servers

Always On VPN vs. Entra Private Access: Choosing the Right Access Model for Your Organization

Leave a comment
by Richard M. Hicks on January 5, 2026  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Security, Security Service Edge, SSE, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 5, 2026

https://directaccess.richardhicks.com/2026/01/05/whats-new-in-entra-global-secure-access-client-v2-24-117/

« Older Posts
Newer Posts »