Entra Internet Access introduces TLS inspection to provide granular visibility and control over encrypted internet traffic, addressing the limitations of traditional firewalls in securing modern, encrypted web communications.
Hey everyone, in this video we're going to look at the TLS inspection capability of Entra Internet Access, because inspecting internet traffic is super important for any organization. It helps protect users from going to things they don't mean to go to and from being tricked or phished, but it also protects the organization from behavior you don't want people doing on your network. However, nearly all traffic today is encrypted with TLS; the HTTPS we see in our browser is TLS. What that means is that anything trying to look at the network traffic between the client and its destination will only be able to see the fully qualified domain name.
The reason for this is how TLS encryption works. Well, I have my client, where I'm running my web browser, and I'm talking to some destination, some website. For example, it could be www.msn.com. What's happening here is msn.com has a certificate that they make available and that matches their fully qualified domain name. So there is some certificate that we get that has their public key in it, and they've safely stored away their private key. Now remember the way asymmetric encryption works: whatever key does the encryption, the other key has to be used to decrypt the thing. So in this case this certificate is used by the client to talk to this website. When the client wants to stream its traffic over to here, "hey, I want to go and talk to msn.com", it encrypts this in TLS, and it's encrypted using this certificate, which means only that target site has the private key to be able to go and look at the actual traffic.
So it means if anything is trying to sit in the middle and look at this traffic, say I've got a magnifying glass and I'm inspecting what I can see over the wire, the only thing given to me over the wire is the fully qualified domain name. So I can see www.msn.com, the first bit. But very often today there'll be paths, and many sites like MSN have different things: they have news, they have gaming, they have social, there are all these different elements to it. And with TLS encryption, all we can see is the fully qualified domain name, the first bit of the URL.
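As an added example (not part of the video and not Microsoft's code), the Go program below shows exactly how much of a TLS connection an on-path observer gets for free: it builds a constructed ClientHello for www.msn.com and parses the server_name (SNI) extension out of it, which yields the fully qualified domain name and nothing more. ExtractSNI is a general ClientHello walker, so it works on any captured hello, not just the constructed one; buildClientHello, the zero client random and the single cipher suite are assumptions for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// be16 reads a big-endian 16-bit length, the unit TLS uses for most fields.
func be16(b []byte) int { return int(b[0])<<8 | int(b[1]) }

// put16 appends a big-endian 16-bit length.
func put16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }

// buildClientHello assembles a minimal TLS 1.2 ClientHello record that carries
// one server_name extension. It is a constructed sample for this example, not a
// capture; a real hello carries many cipher suites and extensions.
func buildClientHello(host string) []byte {
	name := []byte(host)
	// server_name extension body: list length, name_type 0 (host_name), name length, name.
	sni := put16(nil, 3+len(name))
	sni = append(sni, 0x00)
	sni = put16(sni, len(name))
	sni = append(sni, name...)
	ext := put16(nil, 0x0000) // extension type: server_name
	ext = put16(ext, len(sni))
	ext = append(ext, sni...)

	body := []byte{0x03, 0x03}                  // client_version: TLS 1.2
	body = append(body, make([]byte, 32)...)    // client random (zeros in this sample)
	body = append(body, 0x00)                   // session_id length: 0
	body = append(body, 0x00, 0x02, 0x13, 0x01) // one cipher suite: TLS_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // one compression method: null
	body = put16(body, len(ext))
	body = append(body, ext...)

	// Handshake header: type client_hello (1) + 24-bit length.
	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}
	hs = append(hs, body...)
	rec := []byte{0x16, 0x03, 0x01} // record type handshake, legacy record version
	rec = put16(rec, len(hs))
	return append(rec, hs...)
}

// ExtractSNI walks a ClientHello record and returns the host_name from its
// server_name extension. That name, the record framing and the offered cipher
// suites are all an on-path observer gets; the path, headers and body travel in
// the encrypted application data that follows the handshake.
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", errors.New("not a TLS ClientHello record")
	}
	p := rec[9:] // past the record header (5) and handshake header (4)
	if len(p) < 35 { // client_version (2) + random (32) + session_id length (1)
		return "", errors.New("truncated ClientHello")
	}
	p = p[34:]
	// Skip the three variable-length fields that precede the extensions:
	// session_id (1-byte length), cipher_suites (2-byte), compression_methods (1-byte).
	for _, lenBytes := range []int{1, 2, 1} {
		if len(p) < lenBytes {
			return "", errors.New("truncated ClientHello")
		}
		n := int(p[0])
		if lenBytes == 2 {
			n = be16(p)
		}
		if len(p) < lenBytes+n {
			return "", errors.New("truncated ClientHello")
		}
		p = p[lenBytes+n:]
	}
	if len(p) < 2 || be16(p) > len(p)-2 {
		return "", errors.New("bad extensions length")
	}
	p = p[2 : 2+be16(p)]
	for len(p) >= 4 {
		typ, l := be16(p), be16(p[2:])
		p = p[4:]
		if l > len(p) {
			return "", errors.New("bad extension length")
		}
		data := p[:l]
		p = p[l:]
		if typ != 0x0000 || len(data) < 2 { // only server_name interests us
			continue
		}
		list := data[2:] // skip server_name_list length
		for len(list) >= 3 {
			nameType, n := list[0], be16(list[1:])
			list = list[3:]
			if n > len(list) {
				return "", errors.New("bad server_name entry")
			}
			if nameType == 0x00 { // host_name
				return string(list[:n]), nil
			}
			list = list[n:]
		}
	}
	return "", errors.New("no server_name extension")
}

func main() {
	host, err := ExtractSNI(buildClientHello("www.msn.com"))
	fmt.Println(host, err) // www.msn.com <nil>
}
```

Run it and it prints www.msn.com. Note what is not recoverable from the record: the path, query string, headers and body, which is exactly the gap a domain-only categorization leaves. Where Encrypted Client Hello is deployed, even this name is hidden, so a domain-based control sees less still.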
Most traditional firewalls, if they categorize and allow different types of traffic through, can only base that on the fully qualified domain name. We can't be granular, but really we want to be more granular with that traffic. And also, if I wanted to add additional capabilities, data loss protection, threat protection, I need to be able to see the payload. But I need to see inside an encrypted connection that gives me no visibility into the payload. And this is where TLS inspection comes in. With TLS inspection, we place a component between the client and the destination.
Now in a regular network, this could be your edge firewall, for example, because all of the IP packets that flow as part of our internal network configuration are told this is your next hop, or this is the hop to get to the internet, 0.0.0.0. So it has to flow through, and that's where I could look at it. When I think about Entra, and specifically the Internet Access component, what's now going to happen is we have our Entra tenant, and with Entra Internet Access, remember, on the client we have the Global Secure Access client. It has different types of profile, private access, internet access, Office access, that tell it what to do with the traffic. There are policies that get sent and plumbed into the client by Entra, into the network stack, that tell it what traffic we want to inspect and what the Entra edge is. In this case, for the in-scope traffic, i.e. that internet traffic, it's going to say: instead of sending it directly to the destination, send that traffic to the Entra edge. Entra will perform the TLS inspection at its edge and then forward it on its way to the destination. So now it will be able to inspect basic things like categorization, since it can now see the full path, so I could be more granular in what I see. But I could also plumb in threat protection, DLP and everything else. So that sounds fantastic, except I don't have this private key. The whole point of TLS is that even if you send me the traffic, I have no way of cracking that open. That's fundamental to TLS, and the whole of internet security is based on the fact that I can't break that; that's why everyone is scared of quantum computing. So what do we do?

The reality is most organizations today actually have an internal public key infrastructure: you have certificate authorities within your organization. So this client is part of my organization, and my organization has its own public key infrastructure. Maybe it's based on Windows Server Active Directory Certificate Services, maybe it's based on something else; it does not matter. But you're going to have a root certificate authority. That root certificate authority will then sign intermediary certificate authorities, probably several of them, because the root CA will be locked away super securely, and these intermediaries then go and sign the various certificates for things you use internally within your organization. If you are using the Active Directory one, it integrates with Active Directory Domain Services and will automatically plumb this internal root certificate authority into your operating system, for example Windows. All operating systems have a list of trusted root authorities. These are the big organizations on the internet that do all the signing of the other people that sign the things we trust, to make our web-based certificates and anything we need to be trusted publicly. So on our client, our organization's root CA gets added as a trusted root certificate authority, and we can actually see this.

If I jump over for a second: this is the client we're going to do this demo from, and all I've done is open up my machine certificates, and we see we have Trusted Root Certification Authorities. You'll see all of the big names: Baltimore, DigiCert, DST, GlobalSign, GoDaddy, Microsoft's got some in there; there's a whole bunch of them. But your organization's root CA will be added in there as well. In my case I can see SavillTech, my company's root certificate authority, is in there. So this client trusts all of the big internet CAs, but it's also going to trust certificates that have been issued by my organization. And that's really useful for many kinds of internal purposes.
So we build on that. Now what's required for Entra to be able to see the traffic? It's going to sit in the middle and act as an intermediary CA for my organization, so it's going to be part of my certificate chain. Then it can create certificates for any destination, I'll trust them, and it will be able to decrypt and view the traffic. The way this is going to work, if we think of the certificates: Entra is going to create an intermediary certificate for my organization that it wants me to sign. So for my organization it's going to create that intermediary certificate authority and a certificate signing request. It keeps the private key: remember the request has the public key material in it, and Entra safely keeps the equivalent private key material tucked away in a key vault, completely protected. Then it gives you this certificate signing request, and one of your organization's certificate authorities signs it. Because I've signed it from my certificate authority chain, any certificate that is now created with this will be trusted by any client that trusts my organization. By doing this, the client now trusts anything that Entra signs, and that's now key to everything, because what it enables me to do is this: any time I want to go to a site, let's say msn.com, GSA will send my request to Entra. At this point Entra will generate its own certificate for msn.com and send it to me. I will then use that certificate to encrypt the connection to Entra. Entra, because it has the private key, will be able to decrypt and look at the traffic, and once it's inspected it and decided it can be forwarded on, it would then use MSN's proper certificate to re-encrypt the traffic and send it on its way, TLS encrypted again.

So you can see that by having Entra have the ability to create certificates my organization will trust, when I try to access any site using TLS, Entra, because it's in the path of the communication, will generate a cert for that site using its signing certificate that is trusted by my org. That lets it terminate the TLS connection at this point and decrypt it, because it has the private key for the cert it's generated, then check the traffic; if it's allowed to forward on, it now encrypts it with the proper certificate that MSN expects. The sum of this means it can encrypt for any site and then view anything. Now, it will decrypt everything except for four categories: health and medicine, finance, government, and education. It will not decrypt those things.

So how is all this actually working? Interestingly enough, we'll walk through this so we can see all these different bits in action. Entra has to generate that certificate signing request.
Now I've already done it, and today I can only have one, so I can't show it to you exactly. But what I would do is go to Global Secure Access, Secure, TLS inspection policies. Within there I go to TLS inspection settings, and I would have the option, not grayed out, to create a certificate. At this point all I have to do is give it a few bits of detail: a certificate name, a common name, and my organization's name. For example, in my case it would be SavillTech. The certificate name and the common name honestly don't really matter; just make sure the certificate name you enter is 12 characters or less, and if you play around with it and recreate it multiple times, make sure you use a different name each time. Now, when I create this request, what it's actually going to do is create a CSR file. This is the thing it wants you to go and sign. Again, today I can only have one at a time. That's going to change before GA, so I can at least have one other one so I can do rollovers, updating the cert before it expires; that's obviously a super important thing.

Once it generates the CSR file, I would then just jump over to my domain controller, or whatever your certificate services component is. In my case, I am using Active Directory Certificate Services. So all I had to do was say Request a certificate, over here. I then said I want to do an advanced certificate request. Super easy. Then the file it generates, you can open that up and it will have a BEGIN and an END line. So all I do is copy the content, and I remove the BEGIN and END parts of the file. In fact, if we jump over super quickly, let's see if I can find my file. So you have this request.csr; I would take the content of it, not including the BEGIN or the END, so I would take this part of the file and paste it in. I would set the certificate template to Subordinate Certification Authority, click Submit, and then download it as Base 64. It would give me my file, and I would just rename it to .pem. Then it also wants a certificate chain, which is just available to download as the CA certificate chain; you can go and grab it from here, again you'd want Base 64, and you would rename that to .pem as well. So I would end up with two PEM files. Once I've got those two PEM files, I just go back to my TLS inspection policy and I'll have the option to upload certificate. I give it the two files, and then it will look like this: status Done. You can actually see in my environment this was where I did that signing; you can see I called it Entra TLS Cert 2 for my organization, and as part of that now the certification
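The certificate chain described above (Entra's intermediary CA and its CSR, the organization signing that CSR with the Subordinate Certification Authority template, and the per-site certificates the client then trusts) is easy to see end to end in code. The Go program below is an added example, not Entra's or Microsoft's code: it plays the organization's root CA, the inspector's CSR and per-site leaf minting, and the client's trust check, all in memory with Go's standard crypto/x509. The names ("Example Org", "Inspector Sub CA"), the ECDSA P-256 keys and the one-day leaf lifetime are assumptions for the demo; the video says nothing about the lifetimes or algorithms Entra actually uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three certificates the walkthrough produces.
type Chain struct {
	OrgRoot, InspectorCA, Leaf *x509.Certificate
}

func serial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return n
}

// BuildInspectionChain plays both parties in memory: the organization (a root CA
// standing in for the ADCS root) and the inspector (sub-CA key and CSR, then a
// leaf for one destination). Names and lifetimes are assumptions for the demo.
func BuildInspectionChain(orgName, inspectorCN, site string) (*Chain, error) {
	now, year := time.Now(), 365*24*time.Hour

	// 1. Organization root CA: self-signed; its key stays with the organization.
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: orgName + " Root CA", Organization: []string{orgName}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, _ := x509.ParseCertificate(rootDER)

	// 2. The inspector makes its own key pair and a CSR. The CSR carries only the
	//    public key; the private key never leaves the inspector.
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: inspectorCN, Organization: []string{orgName}}}, subKey)
	if err != nil {
		return nil, err
	}
	csr, _ := x509.ParseCertificateRequest(csrDER)
	if err := csr.CheckSignature(); err != nil { // requester proves it holds the private key
		return nil, err
	}

	// 3. The org root signs the CSR as a subordinate CA (what the Subordinate
	//    Certification Authority template does): CA=true with path length 0, so the
	//    inspector can issue end-entity certificates but never another CA.
	subTmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: csr.Subject,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * year),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	subDER, err := x509.CreateCertificate(rand.Reader, subTmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	subCA, _ := x509.ParseCertificate(subDER)

	// 4. Per destination, the inspector mints a short-lived leaf carrying the site's
	//    name and signs it with the sub-CA key it holds (one-day lifetime assumed).
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, subCA, &leafKey.PublicKey, subKey)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	return &Chain{OrgRoot: root, InspectorCA: subCA, Leaf: leaf}, nil
}

// ClientAccepts is the endpoint's side: validate the minted leaf for host against
// a trust store that holds only the org root, or nothing if it was never pushed.
func ClientAccepts(c *Chain, host string, orgRootTrusted bool) error {
	roots := x509.NewCertPool() // empty but non-nil: a nil pool would fall back to the system store
	if orgRootTrusted {
		roots.AddCert(c.OrgRoot)
	}
	inter := x509.NewCertPool()
	inter.AddCert(c.InspectorCA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

func main() {
	c, err := BuildInspectionChain("Example Org", "Inspector Sub CA", "www.msn.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("managed client:", ClientAccepts(c, "www.msn.com", true))    // <nil>
	fmt.Println("unmanaged client:", ClientAccepts(c, "www.msn.com", false)) // x509: certificate signed by unknown authority
}
```

Two details are worth keeping when you sign such a CSR for real. The path length constraint of 0 means the inspector's CA can mint end-entity certificates only, never a further CA, which bounds the damage if that key were ever misused. And the second ClientAccepts call shows the flip side of the model: a device that never received the organization's root (an unmanaged machine, or an application that ships its own trust store) rejects every minted certificate, so a wave of certificate errors on such devices after enabling inspection is the expected signature of the design, not a sign of compromise.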