TLS Inspection in Microsoft Entra Internet Access Deep Dive | John Savill's Technical Training

Summary

Entra Internet Access introduces TLS inspection to provide granular visibility and control over encrypted internet traffic, addressing the limitations of traditional firewalls in securing modern, encrypted web communications.

Transcript
Hey everyone, in this video we're going to look at the TLS inspection capability of Entra Internet Access, because inspecting the internet traffic is super important for any organization. It helps protect the users from going to things they don't mean to go to, from being tricked, phished, but also the organization from potential behavior you don't want people doing on your network. However, nearly all traffic today is encrypted with TLS. So we think HTTPS in our browser is encrypted with TLS. What that means is anything trying to look at the network traffic between the client and its destination, well, it will only be able to see the fully qualified domain name.

The reason for this is if we think about how TLS encryption works. Well, I have my client where I'm running my web browser, and then I'm talking to some destination. So this is some website. So, for example, it could be www.msn.com. And what's happening here is msn.com, they have a certificate that they make available that matches their fully qualified domain name. So there is some certificate that we get that has their public key in it, and they've safely stored away their private key. Now remember, the way asymmetric encryption works is whatever key does the encryption, the other key has to be used to decrypt the thing. And so in this case this certificate is used by the client to talk to this website. So when they want to go and stream their traffic over to here, so hey, I want to go and talk to msn.com, well, they encrypt this in TLS and it's encrypted using this certificate, which means only that target site has the private key to be able to go and look at that actual traffic.

So it means if anything is trying to sit in the middle and look at this traffic, so I've got a magnifying glass and I'm inspecting what I can see over the wire, the only thing given to me over the wire is I can see the fully qualified domain name. So I can see www.msn.com, the first bit. But very often today there'll be paths, and many sites like MSN have different things. They have news, they have gaming, they have social, there's all these different elements to it. And it's because of the fact that for TLS encryption, all we can see is the fully qualified domain name, the first bit of the URL.
Most traditional firewalls, if they have a categorization of allowing different types of traffic through, well, all they can do is base that on the fully qualified domain name. We can't be super granular. But really, we want to be able to be more granular in that traffic. And also, if maybe I wanted to add additional capabilities, data loss prevention, threat protection, I need to be able to see the payload. But I need to be able to see inside what is this encrypted connection that gives me no visibility to the payload. And this is where TLS inspection comes in. So with TLS inspection, we place a component between the client and the destination.

Now in a regular network, this could be your edge firewall, for example, because all of the IP packets that flow as part of our internal network configuration, we tell it this is your next hop, or this is the hop to get to the internet, 0.0.0.0. So it has to flow through, and that's where I could look at it. When I think about Entra and specifically the Internet Access component, what's now going to happen is we have our Entra tenant, and with Entra Internet Access, remember what happens is on the client we have that Global Secure Access client that tells it, for the different types of profile (private access, internet access, Office access), what it should do with the traffic. There are policies that get sent and plumbed in by Entra to the client that go into the network stack that tell it, hey, what traffic do we want to inspect, and what is the Entra edge. So in this case what it's going to tell it to do is, for the in-scope traffic, i.e. that internet traffic, it's now going to say instead of sending it directly to the destination, well, where I want you to send that traffic is to the Entra edge. And then Entra will perform that TLS inspection at its edge, and then it will forward it on its way to the destination. So now it will be able to inspect basic things like categorization; it can now see the full path, so I could be more granular in what I see. But I could also plumb in threat protection, DLP and everything else. So that sounds fantastic, except I don't have this private key. The whole point of TLS is even if you send me the traffic, I have no way of cracking that open. That's fundamental to the point of TLS, and the whole of internet security is based on the fact that I can't break that. That's why everyone is scared of quantum computing.
So what do we do? The reality is most organizations today, you actually have an internal public key infrastructure. You have certificate authorities within your organization. So this client is part of my organization, and in my organization I have my own public key infrastructure. Maybe it's based on Windows Server Active Directory Certificate Services. Maybe it's based on something else. Does not matter. But you're going to have a root certificate authority. That root certificate authority will then sign intermediary certificate authorities, you know, probably several of these, because this root CA will be locked away super securely, and these then go and sign various certificates for things you use internally within your organization. And for example, if you are using the Active Directory one, it integrates with Active Directory Domain Services and will automatically plumb this root certificate authority for your internal use into your operating system, for example Windows. And all operating systems have a list of trusted root authorities. These are the big organizations on the internet that do all the signing of other people that sign things that we trust, to make our web-based certificates and anything we need to be trusted publicly. So on our client, what we're going to do is our organization's root CA gets added as a trusted root certificate authority, and we can actually see this.

So if I jump over for a second, this is my client that we're going to do this demo from. And all I've done is I've opened up my machine certificates, and we see we have this Trusted Root Certification Authorities. And you'll see all of the big people: Baltimore, DigiCert, DST, GlobalSign, GoDaddy, Microsoft's got some in there. There's a whole bunch of them. But what's going to happen is your organization's root CA will be added in there as well. So in my case I can see SavillTech, my company's root certificate authority, is in there. So this client trusts all of the big internet people, but it's also going to trust certificates that have been issued by my organization. And that's really useful for many kinds of internal purposes.
So we build on that. So now, what's required for Entra to be able to see the traffic? It's going to sit in the middle. It is going to act as an intermediary CA for my organization. So it's going to be part of my certificate chain. So then it can create certificates for any destination, I'll trust it, and then it will be able to decrypt it and view the traffic. So the way this is going to work, if we think of the certificates here, Entra is going to go ahead and create, for my organization, an intermediary certificate that it wants me to sign. So for my organization, it's going to create that intermediary certificate authority, and it's going to create a certificate signing request. So it keeps, it's got the private key. So remember, this has the public key material in it, and it's safely keeping the equivalent private key material nicely kept away in a key vault. It's completely protected. And then what will happen is it's going to give you this certificate signing request, and your organization, one of its CAs, hey, I'm going to sign it. I will now sign that, and because I've signed it from my certificate authority chain, any certificate that is now created with this will be trusted by any client that trusts my organization. So by doing this, the client now trusts anything that that signs, and that's now key to everything.

Because what it enables me to now do is anytime I want to go to a site, let's say that msn.com, GSA will send my request to Entra. At this point Entra will generate a certificate for msn.com and send it to me. I will then use that certificate to encrypt the connection to Entra. Entra, because it has the private key, will be able to decrypt, look at the traffic, and then once it's inspected it and decides it can forward it on, it would then use MSN's proper certificate to re-encrypt the traffic and send it on its way, TLS encrypted again. So you can see, by having Entra have that ability to create certificates that my organization will trust, when I try and access any site using TLS, Entra, because it's in the path of the communication, will generate a cert using its signing certificate that is trusted by my org for that site. That will let it terminate the TLS connection at this point, decrypt it, because it has the private key for the cert that it's generated, check the traffic, and if it's allowed to forward on, it now encrypts it with the proper certificate that MSN expects to be able to use. And the sum of this means it can encrypt for any site and then view anything. Now, it will decrypt everything except for four categories: health and medicine, finance, government, and education. So it will not encrypt those things.
So how is all this actually working? Interestingly enough, we'll walk through this so we can see all these different bits in action. So Entra has to go and generate that certificate signing request. Now, I've already done it, and today I can only have one, so I can't show it to you exactly. But what I would do is I would go to GSA, Secure, TLS inspection policies. Within there I go to TLS inspection settings, and I would have the option, not grayed out, to create certificate. Now at this point when I say that, all I have to do is give it a few bits of detail. So I would give it a certificate name, a common name, and my organization's name. For example, in my case, it would be SavillTech. The certificate name and the common name, they honestly don't really matter. Just make sure the certificate name you enter is 12 characters or less. And if you play around with it and you recreate it multiple times, then make sure you use a different name each time. Now, when I create this request, what it's actually going to do is create a CSR file. This is the thing it wants you to go and sign. Now again, today I can only have one at a time. That's going to change before GA, so I can at least have one other one, so I can do rollovers of updating the CSR before it expires. That's obviously a super important thing.

Now once it generates the CSR file, I would then just jump over to my domain controller, or whatever your certificate services component is. In my case, I am using Active Directory Certificate Services. So all I had to do was say request a certificate down over here. I then just said I want to do an advanced certificate request. Super easy. And then the file it generates, you can open that up and it will have a begin and end. So all I do is I copy the content. I remove the begin and end part of the file. In fact, if we jump over super quickly, let's see if I can find my file. So you had this request.csr. So I would take the content of it. I don't include the begin or the end. So I would take this part of the file. I would paste it in. I would set the certificate template to a subordinate certification authority. I would click submit. And then I would just download it as Base 64. So it would give me my file, and I would just rename it to .pem. And then also it wants a certificate chain, which is just available to download: a CA certificate chain. And you can go and grab it from here. And again you'd want Base 64. And then you would rename that to .pem as well. So I would end up with two PEM files. And then once I've got those two PEM files, I just go back to my TLS inspection policy and I'll have the option to upload certificate. I give it the two files, and then it will look like this: status done. And you can actually see in my environment, this was where I did that signing, and you can see I called it Entra TLS Cert 2 for my organization, and as part of that now the certification path, that cert that I signed for Entra has been signed by my root CA, which means now it's trusted and will be able to be used by any client that trusts my organization. So that intermediary CA and all the keys, they will be stored in memory on the Entra side.
Now the next part of this is, remember the way we use these things in Entra. Let's move this around a little bit. So remember, yes, I have the private key stored away safely over here for that certificate. What I need to now do on the Entra side as part of this solution is I'm going to create a TLS inspection policy. Now today, at time of recording, I don't have any granularity in the traffic. It's all traffic. But in the future you'll be able to be more specific and granular around categories and fully qualified domain names. But as part of that, you would put in, okay, what is it applying to, and then do I want to inspect the traffic or bypass the traffic. So again, today bypass would make no sense because it has to be for all of it. So I'm going to do inspect, but in the future I'll be able to be more granular.

Now if you had pinning, i.e. certificate pinning, which is where I have some client application that is hardcoded with what the certificate should be (things like device management solutions use this a lot, like Intune), well, this is going to fail, because when the Intune client tried to talk and the traffic's being sent via Entra, and Entra creates its own certificate for Intune, it's going to throw it out that someone's trying to hack it, because it's been hardcoded. So what happens today is Entra just, by default, excludes well-known pinning sites. That includes things like Intune, but there's other ones that it knows use pinning as well, automatically. If you had another site that does use cert pinning, what you would have to do today is just exclude the traffic. So as part of my Connect, Traffic forwarding, my Internet access profile, and then under here I've got policies, because we don't have the granularity today in the TLS inspection, I would just add it as a bypass. I could just add the traffic here, but once again, that shouldn't be needed long term once we have the granularity.
So now I would go and create a TLS inspection policy. Just give it a name, description, and the action, and then the rules. Now I've got mine. So my action is to inspect. And then the rules today, again, I don't have any granularity. It's all destinations. But it is telling you, hey, I'm not looking at these sites. I'm going to look at everything except these. So now, great, I have my TLS inspection capability. And also, just as normal, you have all your web content filtering policies. These are based on FQDNs and categories. And what's happened now is these categories have been enhanced for actually the full path URL. And the one we're going to care about here is I've got one called block gaming.

And then, as normal, you place all of these in a security profile. So if I look at this, you have your TLS inspection policy, you have your web policies, and then all you're going to do is you take those and, as always, you create them in a security profile. So if we go back over and look, what I can see here is I've got my security profile where you link policies, and you can see I've got my TLS inspection policy as the first one, but I don't actually have to do that. And then down here, I've got block gaming. Now, the reason I said you don't have to do that is the way it actually will work is all of the TLS inspection policies get evaluated first in order, and then all of the web content filtering. So I have to know, like, am I inspecting it first before I try and do any of the web content filtering. So even if the TLS inspection was lower down in priority, it will actually still get evaluated first. So they're always going to get processed first. And then I just link this to a conditional access policy. And remember, because conditional access policy is a core part of everything we do in Entra, and it applies here. So I use the conditional access policy to then go and apply this security profile. So if I look at my Protection, Conditional Access, I've got an internet access for me. There we go: Internet access for John. And I'm assigning it for all internet resources via Global Secure Access. And then I specify the policy as part of the session control. And sure enough, down here, use GSA security profile, and there's the profile. So at this point, it's all been linked. It's all running there. And so now it would just be on my client. So my client machine, remember, I'm running the GSA client.
So I'm running, it's a V2 version of the client, which is out there now. And I would now try and go to a site. Now if I just go to msn.com, this should be allowed. This is a more general site. I'm not blocking msn.com. And what's interesting here, we can see we have the little padlock. If I select the padlock, we can see the certificate that it's using. So I'm going to select that padlock. I can see connection is secure. I want to view the certificate. And this is where we'll see the certificate has not been issued by MSN. The certificate has been issued by Microsoft GSA Intermediate CA2. So what Microsoft have done, and we can check the chain in the details, what they did is that CA request that I signed from my organization, they then use to sign for an actual issuing CA. But you can see the complete chain there. And the reason my client is okay with this is because, remember, my client trusts this root CA. It's in its list of trusted roots. So that's how all these certificates are coming together and it's working. So now, as the client, I'm like, oh, I want to play. So there's games down here. So here I'll click the play button. I want to play some cool games, and it's denied. You cannot access this destination. There's more info. And it's telling me: games. That's the category of why this has been blocked, and it's been blocked by Microsoft Entra Internet Access. So no game playing for me. So that's all of those things here working together. So I can see all of those different components have come together to let me send the traffic to Entra, trust the certificate, and then it can inspect and decide whether it allows that traffic to flow through or not.

Now if we actually jump back over for a second, I do have some visibility into this. So back in GSA, if I go to Monitor, Traffic logs, I look at my transactions. I'm going to change the columns. So one of the things I can now add is, we normally have destination FQDN, but instead of that I'm going to look at the destination URL, because I should be able to see the full URL, but then we'll also light up a whole bunch of TLS things. And so that should look good. We'll save that. And I'm going to add a filter. And I want the destination fully qualified domain name to match the ones I just visited. And I can see a whole bunch of them. Looking at the destination URL, notice where it's just a regular homepage, we can see the full URL. It's allowing it through; where it was play, it blocked it, which is exactly the behavior we saw. And I can scroll along and see the details of all the TLS policy names, the status, the action, it was intercepted. So I get full visibility into all of those various aspects.

And that's really a huge feature. This ability to see the full URL and then inspect the actual payload of the traffic opens up a massive number of opportunities. And that's what this feature is really. It's closing a gap in the fact that nearly all traffic is encrypted. So if I can't look inside, it really defeats most of what we want to do with a solution that's inspecting internet traffic. So think of this as a building block. So yes, the built-in capabilities now have, for example, the path as part of many of the common categories, I'll be able to enter my own paths, but now I can go and hook in third parties that may want to be able to inspect the content of the packets. So if I want to be able to add in from the marketplace something that does data loss prevention, something that's doing a more advanced threat protection, and there's a bunch of these in the marketplace already, well, now I can do this through the Entra Internet Access and its TLS inspection capabilities.

So I hope that was useful. I mean, I tried to show all of the details, but it really isn't very complicated. It generates a certificate that it asks me to sign from something that's going to be trusted by my clients. Once I've done that, all I do is I create a TLS inspection policy, say, "Hey, inspect the traffic." And then I just use that with the now expanded web content filtering policies. I apply it as I always did before, and the GSA client will route all the traffic through. It can inspect on its own. Now the categories can use the full URL. I can use my own full URLs, but third parties will be able to go and plug in and add a lot more functionality. I hope that was useful.
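As an added example (not code from the video, from Microsoft, or from Entra itself), the certificate chain the walkthrough describes, modelled end to end with Go's standard library: the organization's root CA signs a CSR from an inspection service with a subordinate-CA profile, that intermediate mints a leaf for the site being visited, and the client accepts it only because the org root is in its trust store while a machine without that root, or a pinned client, rejects it. The names (Example Org, the function names) and the in-memory keys are assumptions; the real edge keeps its private key in a key vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error to keep the walkthrough short; production code would return the error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue signs template t with signer (self-signed when parent == t) and returns the parsed cert.
func issue(t, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

func caTemplate(subject pkix.Name, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Step 1 (organization): the internal root CA that every enrolled client already trusts.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := caTemplate(pkix.Name{CommonName: "Example Org Root CA", Organization: []string{"Example Org"}}, 1)
	return issue(t, t, &k.PublicKey, k), k
}

// Step 2 (inspection service): make a key pair, keep the private half, hand out only the CSR.
func newInspectionCSR() ([]byte, *ecdsa.PrivateKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subj := pkix.Name{CommonName: "TLS Inspection Intermediate CA", Organization: []string{"Example Org"}}
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, k)), k
}

// Step 3 (organization): sign the CSR as a subordinate CA. Only the public key arrives here.
func signSubordinateCSR(csrDER []byte, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // proof that the requester holds the matching private key
	return issue(caTemplate(csr.Subject, 2), root, csr.PublicKey, rootKey)
}

// Step 4 (inspection service, per connection): mint a short-lived leaf for the destination host.
func issueSiteCert(host string, ica *x509.Certificate, icaKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(t, ica, &k.PublicKey, icaKey), k
}

// Step 5 (client): accept the minted leaf only if it chains to a root this client trusts and names the host.
func clientVerify(leaf, ica *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters.AddCert(ica)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Passing an empty root set to clientVerify is the unenrolled-machine case from the video; a pinned application behaves the same way because it compares against a hardcoded certificate rather than the trust store.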