All posts tagged Entra ID

Preventing Port Exhaustion on Entra Private Network Connector Servers

Microsoft Entra Private Access is a powerful zero-trust network access solution that is remarkably simple to install and configure. Administrators can quickly install the Global Secure Access (GSA) agent on their endpoints, then install the Entra Private Network Connector to enable secure remote access to private, internal resources. However, the ease with which Entra Private Access can be configured can potentially lead to connectivity issues in some scenarios. This post demonstrates how to diagnose port exhaustion issues and expand the available port range to address them.

Entra Private Network Connector

The Entra Private Network Connector is a key component of the Entra Private Access solution. The Private Network Connector is essentially the old Azure Application Proxy, enhanced to support TCP and UDP applications in addition to HTTP-based web applications. It is installed on an on-premises Windows server to provide GSA clients with access to internal data and applications.

Network Connectivity

The GSA client is not a virtual network adapter like most traditional VPN clients. Instead, the GSA client installed on the client operates as a filter driver in the network stack, selectively intercepting traffic and tunneling it over the GSA tunnel based on configured policy. As such, it does not appear as a network adapter in the operating system and does not have its own IP address.

Translation

When traffic from the GSA client is routed over the Entra Private Network Connector, the traffic egressing from the connector server to the internal network is effectively translated. That is, the source IP address of traffic destined for an internal resource is the connector server’s IP address, not the client’s original source IP address.

Port Exhaustion

The ephemeral port range on Windows servers spans from 49152 to 65535, leaving only 16,384 ports available. This can easily be exhausted when many clients are connected to a single Entra Private Network Connector server. This pool can also be depleted by poorly written or badly behaving applications that needlessly open many socket connections to internal resources.

Troubleshooting

Administrators can view the ephemeral port configuration for both TCP and UDP by running the following commands.

netsh.exe interface ipv4 show dynamicportrange protocol=tcp

netsh.exe interface ipv4 show dynamicportrange protocol=udp

To determine if port exhaustion is an issue, open an elevated PowerShell command window and run the following command.

Get-NetTcpConnection | Where-Object State -match ‘established’ | Measure-Object

Next, run the following PowerShell command to identify the number of ports consumed exclusively by the Entra Private Network Connector.

$ProcessId = Get-CimInstance -ClassName win32_service | Where-Object Name -eq ‘WAPCSvc’ | Select-Object -ExpandProperty ProcessID

Get-NetTCPConnection | Where-Object { $_.State -match ‘established’ -and $_.OwningProcess -eq $ProcessId } | Measure-Object

If the number of ports consumed by the Entra Private Network Connector approaches the upper limit of available ports, administrators should increase the ephemeral port range to ensure the connector server operates reliably.

Note: Use the Get-NetUdpEndpoint PowerShell command to monitor UDP port consumption on Entra Private Network Connector servers.

Resolution

To increase the ephemeral port range on the Entra Private Network Connector server, open an elevated command window and run the following commands.

netsh.exe interface ipv4 set dynamicportrange protocol=tcp startport=10000 numberofports=55535
netsh.exe interface ipv4 set dynamicportrange protocol=udp startport=10000 numberofports=55535
netsh.exe interface ipv6 set dynamicportrange protocol=tcp startport=10000 numberofports=55535
netsh.exe interface ipv6 set dynamicportrange protocol=udp startport=10000 numberofports=55535

Running these commands will increase the number of available ephemeral ports on the server to more than 50,000, well above the default. In most cases, this should be sufficient to handle many GSA client connections. However, administrators are cautioned to monitor port usage on the Entra Private Network Connector servers to ensure continued reliable operation. It may be necessary to deploy additional connector servers to process the existing workload.

Summary

Entra Private Network Connectors can exhaust the default 16,384-port ephemeral range when many GSA clients access internal TCP/UDP resources. Administrators can diagnose the issue by filtering Get-NetTCPConnection results by the WAPCSvc process, then expanding the range to over 50,000 ports using netsh.exe, as shown above. Monitor usage continuously in high-load environments to ensure consistent and stable access. And if you find you need more than 50,000 ports per server, it’s probably time to deploy additional connector servers. 😊

Additional Information

Microsoft Entra Private Access

Entra Private Access Channels are Unreachable

Microsoft Entra private network connectors

Leave a comment
by Richard M. Hicks on November 11, 2025  •  Permalink
Posted in Entra Global Secure Access, Entra Private Access, Entra Private Network Connector, Global Secure Access, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Private Network Connector, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 11, 2025

https://directaccess.richardhicks.com/2025/11/11/preventing-port-exhaustion-on-entra-private-network-connector-servers/

Workplace Ninjas Conference U.S. 2025

I’m excited to announce I’ll be presenting at the inaugural U.S. Workplace Ninjas Conference! This two-day event takes place December 9-10, 2025, in Dallas, Texas. Much like the popular Workplace Ninjas Conference held in Switzerland, this event focuses on systems management and endpoint security with Microsoft technologies. It features an impressive lineup of speakers from around the world.

Session Topics

The conference will feature more than 50 deep-dive sessions on a variety of topics, including:

  • Microsoft Intune
  • Microsoft Entra
  • Microsoft Security
  • Windows 11
  • Cloud Security
  • Automation

Why You Should Attend

The Workplace Ninja Conference is a must-attend event for IT pros to dive into endpoint management, cybersecurity, and Microsoft innovations through expert sessions and networking. Attendees will benefit from the following:

  • Practical Learning: Engage in over 50 expert-led sessions, hands-on labs, and real-world demos focused on Microsoft Intune, Entra, Windows 11, and more.
  • Networking Opportunities: Connect with Microsoft MVPs, peers, and top vendors in a collaborative environment, including the Expo Hall.
  • Specialized Tracks: Benefit from dedicated sessions on Women-In-Tech and Neurodiversity-In-Tech, alongside core topics like cybersecurity and automation.

Register Now

Registration for this two-day event is open now. Be sure to reserve your spot today. I look forward to seeing you there!

Leave a comment
by Richard M. Hicks on September 11, 2025  •  Permalink
Posted in Conference, education, Endpoint Manager, Entra, Entra ID, InTune, learning, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, SCCM, Training
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on September 11, 2025

https://directaccess.richardhicks.com/2025/09/11/workplace-ninjas-conference-u-s-2025/

Configure Entra Conditional Access for Always On VPN

Recently, I wrote about Microsoft Always On VPN and Entra Conditional Access and how conditional access improves your organization’s security posture by making policy-based access decisions based on various signals such as user identity, location, device compliance, platform, sign-in risk, and more. In this post, I’ll provide step-by-step instructions for integrating Entra Conditional Access with existing Always On VPN deployments.

Requirements

To use Microsoft Entra Conditional Access with Always On VPN you must have Entra ID P1 at a minimum. To use advanced features such as risk-based policy assessment, you must have Entra ID P2. In addition, all endpoints must be under Intune management; either native Entra ID joined, or hybrid Entra ID joined.

Enable VPN Support

To begin, open the Microsoft Entra admin center (https://entra.microsoft.com/), navigate to Identity > Protection > Conditional Access, and perform the following steps.

  1. Click VPN Connectivity.
  2. Click New certificate.
  3. From the Select duration drop-down list, choose an appropriate certificate validity period.
  4. Click Create.

Once complete, click Download certificate and copy the certificate file to a domain-joined system on-premises.

Publish Certificate

Next, administrators must publish the Entra VPN root certificate in Active Directory to support domain authentication. Open an elevated PowerShell or command window and run the following commands.

certutil.exe -dspublish -f <path to certificate file> RootCA

certutil.exe -dspublish -f <path to certificate file> NtAuthCA

Note: You must be a domain administrator to perform this task.

Conditional Access Policy

Navigate to Identity > Protection > Conditional Access and click Policies, then perform the following steps to create a conditional access policy for VPN access.

  1. Click New Policy.
  2. Enter a descriptive name for the new policy.
  3. Click the link in the Target resources section.
  4. From the Select what this policy applies to drop-down list, select Resources (formerly cloud apps).
  5. In the Include section, choose Select resources.
  6. Click the link in the Select section.
  7. Enter VPN in the search field.
  8. Check the box next to VPN Server.
  9. Click Select.
  10. Click the link in the Grant section.
  11. Select Grant access.
  12. Check the box next to Require device to be marked as compliant.
  13. Click Select.
  14. On the Enable policy slider, select On.
  15. Click Create.

NPS

Changes to Network Policy Server (NPS) policy and configuration are required to support Always On VPN with Entra Conditional Access.

NPS Policy

To update the Always On VPN network policy to support Entra Conditional Access, open the NPS management console (nps.msc), expand Policies, then select Network Policies and perform the following steps.

  1. Right-click on the Always On VPN policy and choose Properties.
  2. Select the Settings tab.
  3. Select Vendor Specific in the RADIUS Attributes section.
  4. Click Add.
  5. Select the Allowed-Certificate-OID attribute.
  6. Click Add.
  7. Click Add.
  8. Enter 1.3.6.1.4.1.311.87 in the Attribute value field.
  9. Click Ok.
  10. Click Ok.
  11. Click Close.
  12. Click Ok.

Important Note: This change will block new Always On VPN user tunnel connections until you update the client configuration. When integrating an existing Always On VPN implementation with Entra Conditional Access, consider creating a new NPS policy and corresponding security group to migrate users to conditional access seamlessly.

NPS Configuration

By default, NPS will perform revocation checks for certificates used for domain authentication. However, Entra Conditional Access uses short-lived certificates (one-hour lifetime) that do not include CRL Distribution Point (CDP) information. Therefore, administrators must change the NPS server configuration to disable revocation checking for certificates lacking this information.

To do this, open the registry editor (regedit.exe) and create a new registry key with the following settings.

Key: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: IgnoreNoRevocationCheck
Type: DWORD
Value: 1

You can also run the following PowerShell command to implement this change.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, the server must be rebooted for the change to take effect.

Client Configuration

After making all required changes to the supporting infrastructure, you must also update the  Always On VPN client configuration to leverage Entra Conditional Access. Changes to client configuration vary depending on the method used to deploy and manage Always On VPN client configuration settings.

Intune

When using Microsoft Intune and the native VPN policy type to deploy and manage Always On VPN client configuration settings, perform the following steps to update the VPN configuration to include Entra Conditional Access support.

  1. Open the Microsoft Intune admin center (https://intune.microsoft.com/) and navigate to Devices > Configuration.
  2. Click on the Always On VPN policy.
  3. Click Edit next to Configuration settings.
  4. Expand the Conditional Access section.
  5. Click Enable next to Conditional access for this VPN connection.
  6. Click Enable next to Single sign-on (SSO) with alternate certificate.
  7. Enter Client Authentication in the Name field.
  8. Enter 1.3.6.1.5.5.7.3.2 in the Object Identifier field.
  9. Enter the organization’s root certification authority (CA) certificate thumbprint in the Issuer hash field.

XML

When using a custom XML configuration file for Always On VPN client configuration settings deployed using Intune or PowerShell, edit the XML file, remove the existing <TLSExtensions></TLSExtensions> section, and replace it with the following.

In addition, add the following code between the <VPNProfile></VPNProfile> tags after <TrustedNetworkDetection>.

Note: You will find a sample XML configuration file you can copy and paste from on GitHub here.

DPC

When using Always On VPN Dynamic Profile Configurator (DPC) for managing Always On VPN client configuration settings, open the DPC group policy and navigate to Computer Configuration > Policies > Administrative Templates > DPC Client > User Tunnel Settings > Advanced and perform the following steps.

  1. Double-click Optional – Device Compliance Settings.
  2. Select Enabled.
  3. Enter 1.3.6.1.5.5.7.3.2 in the Certificate EKU OID field.
  4. Enter the organization’s root certification authority (CA) certificate thumbprint in the Certificate Issuer Hash field.
  5. Click Ok.

Not using DPC? You’re missing out! Learn more about Always On VPN DPC here.

Video

I’ve published a demonstration video for enabling Microsoft Entra ID Conditional Access with Always On VPN on YouTube. You can find the video here.

Summary

Following the guidance in this post to integrate Entra Conditional Access with Always On VPN can significantly improve your organization’s security posture. In the example above, the conditional access policy is a basic one. Yet, it dramatically reduces the attack surface for your remote access infrastructure by ensuring only compliant devices can establish a VPN connection.

Administrators can use advanced conditional access policy settings to strengthen the VPN’s security further by performing additional checks, such as requiring strong, phishing-resistant credentials and requesting multifactor authentication (MFA) for risky sign-ins.

Additional Information

Always On VPN and Entra Conditional Access

Drawback of Multifactor Authentication

Understanding Enterprise Public Key Infrastructure (PKI)

Digital Certificates for Strong Authentication

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Open Source

Leave a comment
by Richard M. Hicks on February 17, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MF, Azure MFA, Azure VPN, cloud, Cloud Service, Compliance, Conditional Access, Deployment, Device Management, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, GitHub, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, InTune, MDM, MFA, Microsoft, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, network policy server, NPS, Operational Support, PowerShell, public cloud, Remote Access, routing and remote access service, RRAS, Security, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 17, 2025

https://directaccess.richardhicks.com/2025/02/17/configure-entra-conditional-access-for-always-on-vpn/

« Older Posts