All posts in category Windows Server 2022

Preventing Port Exhaustion on Entra Private Network Connector Servers

Microsoft Entra Private Access is a powerful zero-trust network access solution that is remarkably simple to install and configure. Administrators can quickly install the Global Secure Access (GSA) agent on their endpoints, then install the Entra Private Network Connector to enable secure remote access to private, internal resources. However, the ease with which Entra Private Access can be configured can potentially lead to connectivity issues in some scenarios. This post demonstrates how to diagnose port exhaustion issues and expand the available port range to address them.

Entra Private Network Connector

The Entra Private Network Connector is a key component of the Entra Private Access solution. The Private Network Connector is essentially the old Azure Application Proxy, enhanced to support TCP and UDP applications in addition to HTTP-based web applications. It is installed on an on-premises Windows server to provide GSA clients with access to internal data and applications.

Network Connectivity

The GSA client is not a virtual network adapter like most traditional VPN clients. Instead, the GSA client installed on the client operates as a filter driver in the network stack, selectively intercepting traffic and tunneling it over the GSA tunnel based on configured policy. As such, it does not appear as a network adapter in the operating system and does not have its own IP address.

Translation

When traffic from the GSA client is routed over the Entra Private Network Connector, the traffic egressing from the connector server to the internal network is effectively translated. That is, the source IP address of traffic destined for an internal resource is the connector server’s IP address, not the client’s original source IP address.

Port Exhaustion

The ephemeral port range on Windows servers spans from 49152 to 65535, leaving only 16,384 ports available. This can easily be exhausted when many clients are connected to a single Entra Private Network Connector server. This pool can also be depleted by poorly written or badly behaving applications that needlessly open many socket connections to internal resources.

Troubleshooting

Administrators can view the ephemeral port configuration for both TCP and UDP by running the following commands.

netsh.exe interface ipv4 show dynamicportrange protocol=tcp

netsh.exe interface ipv4 show dynamicportrange protocol=udp

To determine if port exhaustion is an issue, open an elevated PowerShell command window and run the following command.

Get-NetTcpConnection | Where-Object State -match ‘established’ | Measure-Object

Next, run the following PowerShell command to identify the number of ports consumed exclusively by the Entra Private Network Connector.

$ProcessId = Get-CimInstance -ClassName win32_service | Where-Object Name -eq ‘WAPCSvc’ | Select-Object -ExpandProperty ProcessID

Get-NetTCPConnection | Where-Object { $_.State -match ‘established’ -and $_.OwningProcess -eq $ProcessId } | Measure-Object

If the number of ports consumed by the Entra Private Network Connector approaches the upper limit of available ports, administrators should increase the ephemeral port range to ensure the connector server operates reliably.

Note: Use the Get-NetUdpEndpoint PowerShell command to monitor UDP port consumption on Entra Private Network Connector servers.

Resolution

To increase the ephemeral port range on the Entra Private Network Connector server, open an elevated command window and run the following commands.

netsh.exe interface ipv4 set dynamicportrange protocol=tcp startport=10000 numberofports=55535
netsh.exe interface ipv4 set dynamicportrange protocol=udp startport=10000 numberofports=55535
netsh.exe interface ipv6 set dynamicportrange protocol=tcp startport=10000 numberofports=55535
netsh.exe interface ipv6 set dynamicportrange protocol=udp startport=10000 numberofports=55535

Running these commands will increase the number of available ephemeral ports on the server to more than 50,000, well above the default. In most cases, this should be sufficient to handle many GSA client connections. However, administrators are cautioned to monitor port usage on the Entra Private Network Connector servers to ensure continued reliable operation. It may be necessary to deploy additional connector servers to process the existing workload.

Summary

Entra Private Network Connectors can exhaust the default 16,384-port ephemeral range when many GSA clients access internal TCP/UDP resources. Administrators can diagnose the issue by filtering Get-NetTCPConnection results by the WAPCSvc process, then expanding the range to over 50,000 ports using netsh.exe, as shown above. Monitor usage continuously in high-load environments to ensure consistent and stable access. And if you find you need more than 50,000 ports per server, it’s probably time to deploy additional connector servers. 😊

Additional Information

Microsoft Entra Private Access

Entra Private Access Channels are Unreachable

Microsoft Entra private network connectors

Leave a comment
by Richard M. Hicks on November 11, 2025  •  Permalink
Posted in Entra Global Secure Access, Entra Private Access, Entra Private Network Connector, Global Secure Access, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Private Network Connector, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 11, 2025

https://directaccess.richardhicks.com/2025/11/11/preventing-port-exhaustion-on-entra-private-network-connector-servers/

PKI Fundamentals with Microsoft AD CS Training Course

I’m excited to announce that I’ve partnered once again with the fine folks at the ViaMonstra Online Academy to deliver a new live training course entitled PKI Fundamentals with Microsoft Active Directory Certificate Services (AD CS). The event consists of six weekly live webinars beginning on Thursday, January 15, 2026, at 3:00 PM CST.

Why AD CS Training?

Digital certificates are strong, phishing-resistant credentials that are an excellent choice for authentication to critical workloads like Always On VPN and enterprise Wi-Fi. However, managing certificate services infrastructure can be daunting. This course provides administrators with a fundamental understanding of enterprise PKI with Microsoft AD CS.

Course Overview

The event format for this course consists of six weekly live sessions on Thursdays starting on January 15, 2026. The classes are two hours long, running from 3:00 PM CST to 5:00 PM CST each day. During the course, we’ll cover the following topics.

  • PKI concepts and certificate use cases
  • Designing and deploying certificate authorities (CAs)
  • Configuring templates and enrollment
  • Managing revocation and maintenance

Who Should Attend

Organizations planning to use certificate authentication for enterprise VPN and Wi-Fi workloads will benefit from this training course. Also, those considering a new AD CS deployment will find this training beneficial. In addition, administrators managing an existing production AD CS environment will gain valuable insight.

Enroll Now

Registration for this training class is available now. The cost is $295.00—an incredible bargain! Don’t miss out on this fantastic opportunity to gain foundational AD CS skills. Click the registration link below and reserve your spot today!

Additional Information

Public Key Infrastructure (PKI)

Enterprise PKI

Cloud PKI for Microsoft Intune

Leave a comment
by Richard M. Hicks on November 6, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, education, Enterprise, Infrastructure, learning, Microsoft, PKI, public key infrastructure, Security, SSL, SSL and TLS, TLS, Transport Layer Security, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 6, 2025

https://directaccess.richardhicks.com/2025/11/06/pki-fundamentals-with-microsoft-ad-cs-training-course/

Application Compatibility Feature on Demand for Server Core

If you know me, you know that I’m a big fan of Windows Server Core. Server Core is a refactored and streamlined version of Windows Server that offers a smaller attack surface and reduced maintenance requirements. It’s ideally suited for roles like domain controllers (DCs), certification authority servers (CAs), DHCP and DNS servers, and file servers that can easily be managed remotely. Server Core lacks a Graphical User Interface (GUI), which can make administrative tasks more difficult. To support Server Core, administrators must have a firm grasp of the command line and PowerShell. Many organizations are reluctant to deploy Windows Server Core for this reason. For example, network interface configuration and disk management are common pain points for command-line administration. However, I’ve recently discovered something that might reduce this barrier to adoption.

GUI for Server Core?

I honestly don’t know how I missed this, but recently I learned of the Application Compatibility Feature on Demand for Windows Server Core. First introduced in October 2018 for Windows Server 2019 Core and supported through Windows Server 2025, the Application Compatibility Feature on Demand enables important GUI management consoles that help administrators configure and deploy Windows Server Core. It does not add the entire Windows Desktop Experience, of course, but it does introduce support for some critical GUI tools that administrators will find very helpful for installing and configuring various workloads on Server Core. Here are some examples.

Installation

To install the Application Compatibility Feature on Demand for Windows Server Core, open an elevated PowerShell command window and run the following PowerShell command.

Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0

After running the command, restart the server to complete the installation.

Features and Capabilities

After installing the Application Compatibility Feature on Demand for Windows Server Core, administrators can perform local administration using many GUI tools they are already experienced with. Here are a few examples.

Network Control Panel

Having a GUI for network interface configuration is arguably the most essential benefit of this feature. Many administrators struggle with assigning IP addresses, DNS servers, DNS suffixes, and other network configuration-related tasks using the command line. Here, the classic Network Control Panel applet (ncpa.cpl) gives administrators the familiar GUI experience for managing network settings in Windows Server Core.

Disk Management

Right behind network configuration, disk configuration in Windows Server Core is one of the most challenging administrative tasks using the command line. The Application Compatibility Feature on Demand for Windows Server Core adds support for the well-known Disk Management GUI (diskmgmt.msc), which many administrators have used before.

Event Viewer

While using PowerShell is effective for parsing event log information on Windows Server Core, it’s sometimes easier to view event log information using the GUI (eventvwr.msc).

File Explorer

Copying files to and from a Windows Server Core instance is much easier with the Application Compatibility Feature on Demand for Windows Server Core installed. To perform file operations on Windows Server Core, simply open the Windows File Explorer (explorer.exe) as you would on Windows Server GUI.

Device Manager

Working with device drivers on Windows Server Core can be challenging even for the most experienced command-line administrators. Thankfully, the Application Compatibility Feature on Demand for Windows Server Core adds support for the Device Manager GUI (devmgmt.msc), which significantly simplifies this task.

Task Scheduler

Creating basic scheduled tasks using PowerShell isn’t terribly difficult. However, things become much more difficult when creating tasks with complicated requirements, such as odd schedules, and when using event-based triggers. The familiar Task Scheduler GUI (taskschd.msc) reduces this complexity, allowing administrators to use the GUI they are likely already experienced with.

Resource and Performance Monitor

Both the Resource Monitor (resmon.exe) and Performance Monitor (perfmon.exe) are essential tools for troubleshooting resource consumption and performance bottleneck issues on Windows Server. Both tools are included with this feature.

Resource Monitor (resmon.exe)

Performance Monitor (perfmon.exe)

What’s Missing

Sadly, installing the Application Compatibility Feature on Demand for Windows Server Core does not add GUI support for user and device certificate stores (certmgr.msc and certlm.msc, respectively). Administrators must continue to use certutil.exe or PowerShell to manage certificate stores on Windows Server Core. Alternatively, administrators can use a remote management workstation to perform these tasks using the GUI. However, even with this limitation, the Application Compatibility Feature on Demand greatly improves the Server Core administration experience.

Additional Tools

This feature update includes many other GUI tools in addition to the popular administrative GUI tools listed above. These are available ad hoc using the generic Microsoft Management Console (mmc.exe). Here are a few more GUI tools you might find helpful.

Routing and Remote Access Management Console – This will be especially helpful for Always On VPN administrators using RRAS in their environments.

Windows Firewall with Advanced Security – Managing Windows Firewall and IPsec Connection Security policies is now much easier using the same GUI included with Windows Server Desktop Experience.

Local Users and Groups – Local user and group administration tasks can now be performed using the same GUI that administrators are already comfortable with.

Group Policy, Security Policy, and Resultant Set of Policy (RSoP) – GUI management tools are now available for common local group and security policy administration. In addition, administrators have access to the RSoP policy GUI for GPO troubleshooting.

Other Tools – Administrators will also find the Hyper-V Manager and Failover Cluster Manager GUI consoles are included with this feature update.

Run mmc.exe at the command line and choose File > Add/Remove Snap-in to access these GUI tools.

Summary

Don’t let the lack of a full GUI stop you from deploying Server Core! The Application Compatibility Feature on Demand makes Server Core accessible without sacrificing its core benefits. If command-line concerns have held you back from deploying Server Core, this feature removes that barrier. Start with a test deployment on a non-critical server and experience how Server Core’s reduced attack surface and lower maintenance overhead can work in your environment—without abandoning the GUI tools you rely on.

Additional Information

Application Compatibility Feature on Demand for Windows Server Core

Always On VPN and RRAS on Windows Server Core

10 PowerShell Commands Always On VPN Administrators Should Know

Leave a comment
by Richard M. Hicks on October 14, 2025  •  Permalink
Posted in administration, Microsoft, Server Core, systems management, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , ,

Posted by Richard M. Hicks on October 14, 2025

https://directaccess.richardhicks.com/2025/10/14/application-compatibility-feature-on-demand-for-server-core/

« Older Posts