0:01 in this video we review and configure
0:03 Entra Private Access
0:09 hello everyone I'm Travis and
0:11 this is Ciraltos Entra Private Access
0:13 provides connectivity to internal
0:16 applications and resources when users
0:18 are remote it's not a traditional VPN
0:21 it's what Microsoft calls zero trust
0:24 network access or ZTNA in this video we
0:26 look at what Entra Private Access is and
0:29 how to deploy it before that please like
0:30 subscribe and share with friends click
0:32 the Bell icon for notifications of new
0:34 content and check out my courses on
0:37 Azure Virtual Desktop Windows 365 and
0:39 Intune management hybrid identities with
0:41 Windows AD and Entra ID and my latest
0:44 course a beginner's guide to the AZ-900
0:47 available at udemy.com links are below and
0:48 thank you channel members your support
0:50 is appreciated Entra Private Access is
0:53 an alternative to traditional vpns for
0:55 accessing resources on an internal
0:58 private Network it supports zero trust
1:00 single sign on conditional access
1:02 policies and multi-factor authentication
1:04 coming up we'll review the private
1:06 access architecture and deploy it in the
1:08 lab and stick around to the end where we
1:11 go over some basic troubleshooting steps
1:13 let's start with licensing entra private
1:15 access requires a license this can be
1:17 purchased as part of the Microsoft entra
1:20 Suite or as a standalone product the
1:23 Entra Suite is an add-on to an Entra P1
1:26 or P2 license an Entra P1 or P2 license
1:29 is also required to use Entra Private
1:31 Access a trial is available for most
1:33 tenants there are three main components
1:35 to private access the portal the
1:37 connector and the client all
1:39 configuration of the private access
1:41 service is done through the portal this
1:43 is where we configure networks and
1:46 applications the users' access security
1:48 including conditional access policies
1:50 and connector groups a connector is a
1:52 lightweight agent that installs inside
1:54 the private Network it's the same agent
1:56 used for the entra application proxy
1:59 service once installed it establishes an
2:01 outbound connection to the Entra Private
2:04 Access service the connector requires
2:06 outbound access over web ports 80 and
2:09 443 there's no need to open inbound
2:11 ports for private access the connector
2:13 service runs on a Windows server with
2:16 connectivity to the resources users will
2:18 access it's best to have multiple
2:20 connectors in each Network for high
2:22 availability the connector service
2:25 supports Server 2012 R2 and newer it
2:28 requires net version 4.7.1 or above
2:31 server 2019 comes with net
2:34 4.7.2 there are a few settings that need
2:36 to be configured on the connector server
2:39 including disabling HTTP/2 for Kerberos
2:41 constrained delegation to work we'll
2:44 review those settings in the demo also
2:46 install a connector on a standalone
2:48 server don't add the connector to a
2:50 server that host Services the users will
2:53 access and don't add it to the same
2:54 server used for Entra Password
2:57 protection just a small dedicated server
2:59 for the connector if there are services
3:01 or applications on multiple networks we
3:03 can group connectors in what's called a
3:05 connector group so for example if we
3:07 have two applications on isolated
3:09 networks we could deploy one or more
3:11 connectors to each Network and then add
3:13 them to separate connector groups a
3:16 connector group represents a private
3:18 Network boundary next we have the client
3:20 the global secure access client is used
3:23 to connect to Entra Private Access
3:25 there's support for Windows and Android
3:26 and at the time of recording there's
3:30 also a macOS and iOS client in preview
3:32 the windows client requires the device
3:34 to be joined to the tenant either entra
3:38 ID joined or entra hybrid joined entra
3:39 registered Windows devices are not
3:43 supported the macOS iOS and Android
3:45 client must be registered with the Entra
3:47 tenant the Windows multi-session OS is
3:50 not supported private access will work
3:53 with Windows 365 and avd with a single
3:56 user OS local admin privileges are
3:58 required to install and configure the
4:00 global secure access client of course
4:02 you can deploy with Intune there are two
4:04 ways to configure applications the first
4:07 is with quick access quick access is a
4:09 preconfigured group of application
4:12 segments an application segment is one
4:15 or more distinct internal applications
4:17 with quick access we have one location
4:19 to add multiple application segments and
4:21 configure access for users and groups
4:24 and set conditional access policies
4:26 however all users have access to the
4:28 same applications with the same
4:30 conditional access policies and we can
4:33 only specify one connector group so all
4:35 applications must be on the same network
4:37 we can also create Global secure access
4:39 applications that provide per
4:41 application access if we need different
4:43 conditional access policies or connector
4:46 groups for example we can create a new
4:48 Global secure access app with different
4:50 settings coming up we'll configure the
4:53 quick access application we configure the
4:55 application by specifying the fully
4:58 qualified domain name IP address range
5:00 of IP addresses or block for the
5:03 application we also specify the ports
5:05 for the application the ports could
5:08 include 80 and 443 for web applications
5:13 3389 for RDP 445 for SMB file shares and
5:15 ports for other applications this is one
5:17 way private access is different from
5:20 Entra App Proxy App Proxy is limited to
5:22 web apps private access will work with
5:25 other applications one word of caution
5:28 avoid using DNS port 53 and let the
5:30 connector handle DNS traffic the
5:32 client will redirect any IP address we
5:35 specify in the application segment to
5:37 the connector if we specify a fully
5:40 qualified domain name any client traffic
5:42 going to that fqdn will be resolved
5:44 using the DNS configuration on the
5:46 connector there's also a preview option
5:48 for the quick access application where
5:51 we can specify a private DNS suffix this
5:54 acts as a domain Wild Card any traffic
5:56 with that suffix will get sent to the
5:59 connector let's review a handful of FYIs
6:00 and recommendations for
6:02 deploying private access in no
6:04 particular order locate the connector
6:06 servers close to the application to
6:08 avoid latency if you have applications
6:10 across multiple networks or locations
6:12 use multiple connectors and connector
6:15 groups use multiple connectors in a
6:17 group for high availability and make
6:19 sure all servers in a connector group
6:21 are on the same network and joined to
6:23 the same domain an application redirects
6:26 traffic to a connector group not an
6:27 individual connector it's important
6:29 they're as similar as possible if you
6:32 intend to use SSO with private access be
6:34 sure to put the connector server and
6:35 applications in the same domain or
6:38 trusting domain the connector service
6:40 needs outbound access over Port 80 and
6:43 443 if URL filtering is in place make
6:45 sure to exclude all urls required for
6:48 the connector a link to that list is
6:51 below and exclude connector traffic from
6:54 SSL inspection if that's in place before
6:56 we jump in let's review the lab setup
6:58 the demo lab has a virtual network in
6:59 Azure that's not peered with any
7:02 other network there are three servers in
7:04 that network two are running IIS with a
7:07 static web page those are the target
7:09 applications the client will access
7:10 there's also a single server used for
7:12 the connector all servers are running
7:15 Windows Server 2019 and there's a
7:17 Windows 11 client computer that's Entra
7:20 hybrid joined to the tenant with the
7:22 global secure access client installed
7:23 coming up we're going to configure the
7:26 prerequisites for the connector and then
7:28 install the connector service after that
7:30 we'll create and configure a
7:32 connector group and then create quick
7:34 access applications including adding
7:37 users and a conditional access policy
7:39 then we'll test connectivity by
7:41 accessing the resources with a client
7:43 and review the private DNS configuration
7:45 in preview at the time of recording
7:47 finally we'll review some
7:49 troubleshooting steps to take if you run
7:51 into issues let's jump into the Entra
7:53 portal to get started here we are logged
7:55 into the Entra admin center at
7:57 entra.microsoft.com from here we'll go to
8:00 Global secure access and
8:03 connect and finally
8:05 connectors if accessing Global secure
8:07 access for the first time you may get a
8:09 message that you have to activate it on
8:12 the tenant click activate activating it
8:14 onboards the tenant and may take a few
8:16 minutes for this example it's already
8:19 been activated also if you see a message
8:20 like the one on the screen that the
8:22 private network is currently disabled on
8:24 your tenant select the enable private
8:26 network connection option that will
7:30 enable Entra private network and now
8:31 there's an option to disable it if
8:33 needed next we need to install the
8:36 connector on the connector server for
8:38 this example I'll log into the connector
8:45 Bastion let's make it full screen that
8:46 makes it a little easier to see this is
8:49 a new server 2019 install there are a
8:51 couple of registry settings that need to
8:53 be applied I have some commands on the
8:55 screen that will help configure them and
8:57 this block of code will be available on
9:00 my blog check the link below the first
9:04 one disables HTTP 2.0 this is required
9:06 for Kerberos constrained delegation to work
9:08 properly it needs to be disabled on
9:15 newer we'll select it and run that block
9:18 of code that sets the registry key and
9:21 value next we need to enable TLS 1.2 for
9:23 the private Network
9:25 connector the set of commands will check
9:28 for the TLS 1.2 key and add the keys and
9:30 values if it's not there let's run
9:31 this group of
9:34 commands it's a good idea to check the
9:36 registry to verify all these values have been
9:44 refresh and there they are next we need
9:46 to reboot this computer for the changes
9:48 to take effect the video will pause here
9:56 next we'll download and install the
9:59 connector we'll go to entra.microsoft.com
10:02 and go to Global Secure Access connect
10:05 and then connectors from private
10:07 Network connectors we have the option to
10:09 download the connector service let's
10:17 download and now it's in our download
10:19 folder the setup process uses a
10:23 web-based login if using an OS that has
10:25 Internet Explorer installed you need to
10:27 disable IE enhanced security
10:29 configuration or you'll get a message
10:32 like the one on the screen let's go to
10:40 server select IE enhanced security
10:43 configuration and disable it we'll click
10:46 okay keep in mind you're disabling a
10:48 security feature you may want to
10:49 reenable it once the installation is
10:52 finished once IE is squared away we'll
10:54 run the executable to install the connector
11:05 next we have to sign in to set up the
11:07 connector in entra sign in with an
11:09 account that has application
11:11 administrator privileges or higher this
11:14 step registers the application proxy to
11:24 the tenant once finished we get the setup
11:26 successful message shown on the screen
11:29 we can close that and now we have a
11:31 connector on the tenant let's go back to
11:34 Entra ID to configure the connector if
11:37 we go to Global secure access connect we
11:38 can see the new connector under the
11:41 default connector group from private
11:42 Network connectors we can add a new
11:45 connector group let's add
11:48 one we can give it a name let's call
11:50 this one quick access
11:53 group let's select the connector we just
11:56 added and under advanced settings we can
11:58 select a country or region change that
12:00 if needed and click
12:02 create any new connectors will get added
12:04 to the default group we'll leave the
12:07 default group unassociated with any
12:09 applications so we can move newly added
12:12 connectors to the correct group next
12:14 we'll configure a couple applications
12:16 for quick access in the lab there are
12:18 two servers on the same network as the
12:20 connector each is hosting a different
12:22 website we'll use those as our test
12:25 applications go to Applications then quick
12:29 access there's only one quick access
12:31 group all applications in the quick
12:33 access group share the same security
12:36 settings and network connectors first
12:38 let's set the name quick access for this
12:41 example and we'll change the group
12:43 select quick access group the one we
12:45 just created we do get a message that
12:47 there should be at least two active
12:49 connectors this provides some high
12:51 availability but for this lab we'll just
12:53 have the one then we'll
12:56 save that saves the quick access group
12:58 next we'll add an application segment
13:00 this defines the applications we allow
13:03 through the connector select add quick
13:06 access application
13:08 segment here we can set the destination
13:11 type we can add a single IP address a
13:13 fully qualified domain name a CIDR
13:16 range or an IP address range let's
13:18 select an IP address there are two
13:21 servers hosting static websites for this
13:23 example there's also a DNS server on one
13:26 of them with the private zone
13:28 privateaccess.local let's start by adding the
13:30 first web server's IP address 172.16.0.0
13:36 for ports this example we'll just use 80
13:39 and 443 web ports we're not limited to
13:42 just web apps we could add 3389 for RDP
13:46 445 for a file share or 22 for a secure
13:48 shell example or you can add custom
13:50 ports if you have an app that runs on
13:53 non-standard ports we can select the
13:55 protocol or use
13:59 both once set click apply
14:01 let's add a second application
14:04 segment this time we'll select fully
14:05 qualified domain
14:08 name and for this example We'll add the
14:12 DNS name for web2 web2.privateaccess.local
14:19 ports and
14:21 apply once we have those set don't
14:23 forget to save the changes for the new app
14:27 segments next we need to add users and
14:29 groups for Access we can do that right
14:31 from users and
14:34 groups let's add users or groups for quick
14:38 access we'll select a
14:41 group for this example I'll use a group
14:44 that I use also for AVD testing never
14:45 mind the name this just happens to be
14:47 the group that contains the user I'm testing
14:52 with notice the note on the screen if we
14:54 are using groups only users added
14:57 directly to the group will get access it
15:00 does not recognize nested groups so if
15:02 you have a group with some users and
15:04 another group The nested group won't
15:06 have access let's
15:08 assign next we can add a conditional
15:10 access policy and we'll cover this kind
15:12 of quickly for the video conditional
15:14 access policies are a big topic and
15:17 slightly out of scope for this video so
15:18 let's go to conditional
15:22 access the policies listed already apply
15:24 to the quick access application we can
15:27 open and review them if we need
15:30 to let's add a new
15:33 policy give it a name quick access MFA
15:36 for this example next we'll select the
15:39 users we could assign all users or
15:42 selected users for this example the same
15:44 user group will be
15:46 added we'll go users and
15:49 groups we'll find the same group and
15:52 we'll add that let's go to Target
15:55 resources it uses select resources and
15:58 that resource is the quick access app so
16:00 this policy will apply to the groups we
16:03 targeted when accessing the quick access
16:06 application let's go to access
16:10 control and select require
16:12 MFA and you can leave it as report only
16:15 or turn it on and save for this example
16:17 I'll turn it on and
16:20 create now we have a conditional access
16:23 policy for the quick access app we're
16:25 getting close I promise next we have to
16:27 enable Entra Private Access go to
16:30 traffic forwarding under
16:38 profile next we get a prompt to assign
16:40 users and groups to the policy there's
16:43 an option to assign all users for this
16:47 example We'll add the same test
16:49 group let's click on the link under
16:53 assigned We'll add users or
16:56 groups we'll search for that group
17:00 again and add our test group
17:04 assign and close this window now we have
17:06 one group assigned that enables the
17:09 private access traffic forwarding policy
17:11 now that we have private access
17:13 configured in entra let's log into the
17:15 client and set up Global secure access
17:16 and test
17:18 connectivity here we are logged into a
18:21 Windows 11 client that's Entra hybrid
18:23 joined this would also work with a
18:27 computer that's Entra ID joined I logged
17:29 into this computer with a user that's a
17:31 member of the test group we added to
17:34 quick access and the traffic forwarding
17:36 profile if the user is not a member of
17:38 those groups private access won't work
17:40 for them this computer also has the
17:43 global secure access client for windows
17:45 installed you can get the client from
17:48 client download under connect in the Entra
17:52 portal there's an option for Windows
17:55 Android iOS and macOS are all in
17:59 preview at the time of this recording
18:01 or you can download the client directly from
18:11 Windows when you install the client it
18:14 has to be run with elevated privileges
18:16 you should also restart the client
18:19 computer after you install the client
18:21 once Global secure access is installed
18:23 and the client has been restarted go to
18:26 Global secure access and verify it's
18:29 connected it should have the green check
18:31 also right click on the global secure
18:33 access client and select Advanced
18:36 Diagnostics your client may not have the
18:39 same options you see here we'll review that
18:43 later Advanced Diagnostics requires elevated
18:48 privileges from Advanced Diagnostics go
18:50 to health
18:52 check make sure all checks are
18:54 successful if not there's a link to
18:57 information on health checks with more
18:59 information I'll cover a couple issues I
19:02 ran into at the end of this video the
19:04 health check looks good let's take a
19:07 look at the computer's IP
19:10 address it's on a 10.1.0 network the
19:12 computer running the private access
19:14 connector and the web servers are on
19:17 another Azure virtual Network that's not
19:19 peered with the client network that's a 172.16.0.0
19:33 21604 and that worked great now let's
19:35 try the second fully qualified domain
19:45 .local that worked as well that works
19:47 because we added that fully qualified
19:49 domain name as an application segment
19:51 the client passes the request to the
19:53 connector and that connector is on the
19:56 network with a DNS server that has the
19:59 privateaccess.local zone let's try to
20:08 .local that fails because we didn't add
20:10 the fully qualified domain name to the
20:12 application segment but what if we don't
20:15 want to add each host in our domain we
20:17 can add an entire private DNS Zone to
20:19 the quick access application let's take
20:22 a look at that we'll go back to quick
20:25 access we can specify what DNS zones are
20:27 getting passed to the connector by going
20:29 back into the quick access this app and
20:32 from here we'll select private DNS let's
20:33 enable private
20:36 DNS and add a
20:38 suffix for this example we'll use
20:41 privateaccess.local again there's a
20:43 DNS server in the connector network that
20:47 has the privateaccess.local zone we'll
20:49 add and
20:53 save now let's go back to the client we
20:54 need to restart the client computer or
20:57 the global secure access client on this
20:59 computer to get the new settings let's
21:03 restart let's pause here and come back
21:05 once we're logged back
21:08 in the client has been restarted let's
21:09 open the web
21:12 browser previously we couldn't get to
21:15 web1.privateaccess.local by host name
21:16 because we didn't add it as an
21:19 application segment but now any traffic
21:21 going to privateaccess.local should
21:23 get redirected to the connector so let's
21:28 again and that works now any web
21:30 application in that zone can be accessed
21:33 through the connector as we've logged in
21:34 we haven't had to authenticate because
21:37 we signed in to a hybrid joined computer
21:39 let's revoke all sessions on the user so
21:42 we can force an MFA prompt this is just
21:44 to see what the users will experience if
21:46 they get an MFA prompt let's go to the
21:50 user in Entra ID here's the user I'm
21:53 testing with and from here if we revoke all
21:58 sessions that will log the user out now
22:00 let's go back to the web browser and
22:03 we're going to clear
22:24 prompt that logs Us in let's
22:26 refresh and now we get access we now
22:28 have a working example of private access
22:30 using an IP address and fully
22:33 qualified domain name as well as a
22:36 private DNS Zone as promised let's talk
22:38 about troubleshooting and to be honest
22:41 setting up this demo didn't go smoothly
22:42 coming up are a few items I had to
22:45 address on the client to get private
22:47 access to work first restart the client
22:50 computer after installing Global secure
22:52 access and restart the computer or just
22:55 the client after making changes then
22:57 check the client status a yellow
23:00 triangle indicates a problem on the
23:02 screen are some client statuses that we
23:04 can see in the system tray if the client
23:06 indicates a problem open Advanced
23:16 check this will give you an indication
23:18 of any potential problems the first
23:20 problem I ran into was the client wasn't
23:24 set to prefer IPv4 the Global Secure
23:26 Access client doesn't support
23:29 IPv6 I used the registry setting provided
23:32 in the Microsoft doc and restarted the
23:34 computer that cleared the first issue
23:37 the next problem I had was resolved by
23:40 disabling QUIC in Microsoft
23:43 Edge once I disabled QUIC I was able to
23:46 connect I also found it helpful to
23:48 enable the sign out button on the
23:50 client that allowed me to sign out the
23:53 client and disable for testing I'll
23:54 leave a link to all the documents
23:56 referenced in this video below that is
23:58 how to configure Entra Private Access
24:00 and connect with the Global Secure
24:03 Access client I hope that helps you
24:04 better understand what Entra Private
24:07 Access is and how to deploy and use it
24:08 please don't forget to like And