Microsoft Entra Private Access offers a modern, secure way to connect your users to on-premise applications and resources without the need for traditional VPNs. This service, part of Microsoft’s Security Service Edge (SSE) solution, Global Secure Access, allows you to grant granular access based on identity and context, enhancing your security posture.
Here’s a comprehensive guide to setting up and configuring Microsoft Entra Private Access to connect back to your on-premise servers:
I. Understanding the Core Components:
Before diving into the setup, it’s essential to understand the key elements involved:
- Microsoft Entra ID: Your cloud-based identity and access management service. It will handle user authentication and authorization.
- Global Secure Access (SSE): The overarching service in Microsoft Entra that includes Private Access and Internet Access. You’ll configure Private Access settings within this portal.
- Microsoft Entra Private Network Connector: Lightweight agents installed on your on-premise Windows servers. These connectors establish a secure outbound connection to the Microsoft Entra Private Access service, acting as a reverse proxy to your internal applications. They do not require inbound firewall rules, enhancing security.
- Connector Groups: Logical groupings of connectors. You can assign specific applications to particular connector groups for better organization, resilience, and traffic management.
- Enterprise Applications in Entra ID: Each on-premise application you publish through Private Access is represented by an Enterprise Application in Entra ID. That object is what you assign users and groups to and what you target with Conditional Access policies. The application itself keeps its own authentication, because Private Access tunnels the application's traffic rather than terminating it.
- Traffic Forwarding Profiles: Part of Global Secure Access, these profiles ensure that traffic destined for your private, on-premise resources is correctly routed through the Private Access service.
II. Prerequisites:
Ensure you have the following before you begin the configuration:
- Licensing:
- Microsoft Entra ID P1 or P2 for the users who will connect, plus a Microsoft Entra Private Access license (standalone, or as part of the Microsoft Entra Suite).
- Global Secure Access carried a "(preview)" label in the portal when this guide was written; individual features may still be in preview and have their own licensing or trial conditions. Check the latest Microsoft documentation.
- Permissions:
- Global Secure Access Administrator role (the dedicated role for configuring Global Secure Access and Private Access; there is no separate "Private Access Administrator" role) or, less desirably, Global Administrator.
- Application Administrator role if you need to configure Enterprise Applications (if not a Global Administrator).
- Local Administrator rights on the on-premise Windows servers where you will install the Private Network Connectors.
- On-Premise Server Requirements for Connectors:
- A Windows Server (check Microsoft documentation for supported versions, typically Windows Server 2012 R2 or later). The server must have .NET Framework 4.7.1 or later installed (the latest 4.8.x release is recommended).
- The server must have outbound connectivity to specific Microsoft URLs and ports. Refer to the official Microsoft documentation for the most up-to-date list of required URLs and ports. Proxies, if used, must be configured appropriately.
- The server should have network connectivity to the on-premise applications you intend to publish.
- TLS 1.2 must be enabled on the connector server, both at the SCHANNEL level and for .NET applications (the SchUseStrongCrypto registry value under the .NETFramework\v4.0.30319 keys), since the connector is a .NET application and will not register over older protocol versions.
- Network Considerations:
- Ensure your on-premise network allows outbound HTTPS (TCP port 443) traffic from the connector servers to the Microsoft Entra Private Access service endpoints.
- Internal DNS resolution must be working correctly for the connector servers to find your on-premise applications.
III. Step-by-Step Configuration Guide:
Step 1: Prepare Your On-Premise Environment
- Identify Connector Servers: Choose at least two Windows servers for installing the Private Network Connectors to ensure high availability. These servers should be dedicated to this role or have sufficient resources if shared.
- Verify Network Connectivity: Confirm the chosen servers can reach your internal applications and have the necessary outbound internet access as per Microsoft’s requirements.
- Disable IE Enhanced Security Configuration (Recommended during setup): This can sometimes interfere with the connector registration process. You can re-enable it afterward.
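The checks in Step 1 and the prerequisites above can be scripted so that every candidate connector host is verified the same way before the installer is run. The following PowerShell is an added example written for this guide, not a Microsoft script: the two internal FQDNs are placeholders for applications you intend to publish, and the two cloud endpoints are only a sample of the documented list, which you should take from Microsoft's connector documentation.

```powershell
# Added example, not part of the original guide: pre-install readiness check for a
# Private Network Connector host. Run in an elevated PowerShell session on each
# candidate Windows Server. The two FQDNs and the two cloud endpoints are placeholders
# and a sample only; the complete endpoint list is in Microsoft's connector documentation.
param(
    [string[]]$InternalFqdns  = @('intranet.corp.local', 'fileserver.corp.local'),   # assumed app hosts
    [string[]]$CloudEndpoints = @('login.microsoftonline.com', 'login.windows.net') # subset of documented endpoints
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. .NET Framework 4.7.1 or later (Release DWORD: 461308 = 4.7.1, 461808 = 4.7.2, 528040+ = 4.8)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework >= 4.7.1' ([int]$release -ge 461308) "Release=$release"

# 2. TLS 1.2 for .NET clients: the connector is a .NET application, so SchUseStrongCrypto must be 1 in both hives
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = (Get-ItemProperty $hive -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    Add-Check "SchUseStrongCrypto in $hive" ($v -eq 1) "Value=$v"
}

# 3. TLS 1.2 must not be disabled at the SCHANNEL level (no key means the OS default, which allows it)
$tls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -ErrorAction SilentlyContinue
$tlsOk = ($null -eq $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
Add-Check 'TLS 1.2 client not disabled in SCHANNEL' $tlsOk "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)"

# 4. IE Enhanced Security Configuration for administrators (interferes with connector registration)
$iesc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' -ErrorAction SilentlyContinue
Add-Check 'IE ESC (administrators) disabled' (($null -eq $iesc) -or ($iesc.IsInstalled -eq 0)) "IsInstalled=$($iesc.IsInstalled)"

# 5. Outbound TCP 443 to a sample of Microsoft endpoints (the connector never needs an inbound rule)
foreach ($ep in $CloudEndpoints) {
    $t = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    Add-Check "Outbound 443 to $ep" $t.TcpTestSucceeded "RemoteAddress=$($t.RemoteAddress)"
}

# 6. Internal DNS: the connector host, not the end-user device, resolves the published names
foreach ($f in $InternalFqdns) {
    $a = Resolve-DnsName $f -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress
    Add-Check "Internal DNS for $f" ($null -ne $a) (@($a.IPAddress) -join ',')
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more readiness checks failed; fix them before running the connector installer.'
}
```

Run it once per planned connector host and keep the output with the change record; a failed outbound 443 check or a missing SchUseStrongCrypto value is the usual reason a connector installs but never shows as Active.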
Step 2: Install and Register the Microsoft Entra Private Network Connector(s)
1. Access the Global Secure Access Portal:
- Navigate to the Microsoft Entra admin center (entra.microsoft.com).
- Go to Global Secure Access (Preview) > Connect > Connectors.
2. Download the Connector: Click on “Download connector service” and accept the terms.
3. Install the Connector:
- Copy the downloaded installer to your chosen on-premise server(s).
- Run the installer as a local administrator.
- Follow the on-screen prompts.
4. Register the Connector:
- During the installation, a pop-up window will prompt you to sign in to your Microsoft Entra ID. Use an account holding the Global Secure Access Administrator role (Global Administrator also works, but should not be used for routine administration).
- Upon successful authentication, the connector will register with your Entra ID tenant and appear in the “Connectors” list in the Global Secure Access portal.
5. Repeat for High Availability: Install and register the connector on at least one more server for redundancy.
Step 3: Create and Configure Connector Groups (Recommended)
1. Navigate to Connector Groups: In the Global Secure Access portal, go to Connect > Connector groups.
2. Create a New Connector Group:
- Click “+ Create connector group”.
- Give the group a descriptive name (e.g., “OnPrem-App-Group”).
- Assign the newly installed connectors to this group.
- Click “Save”.
3. Purpose: Connector groups allow you to dedicate specific sets of connectors to particular applications, which is useful for large environments or if you need to isolate traffic. If you don’t create one, your connectors will reside in a “Default” group.
Step 4: Configure Quick Access or Global Secure Access Apps for Your On-Premise Application
This is where you define how users will access your on-premise resources. You have two main approaches within Global Secure Access:
- Quick Access: This is the simplest way to enable access to all on-premise resources or a broad set of FQDNs/IP addresses.
- In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Applications > Quick access.
- Click on “+ Add Quick Access app”.
- Select the Connector group you created earlier.
- Under Application segment, click “+ Add application segment”.
- Choose the Destination type:
- IP address: For specific server IPs.
- Fully qualified domain name (FQDN): For accessing applications by their DNS names (e.g., sharepoint.internal.contoso.com). This is generally preferred.
- IP address range: For a subnet.
- Enter the Destination(s) and the Port(s) your application uses (e.g., intranet.mycompany.local on port 80 or 443).
- Click “Apply” and then “Save”.
- Global Secure Access App (Enterprise Application): This method creates a dedicated Enterprise Application for one on-premise application (or a tightly related set of segments). That application object is what you assign users and groups to and what you target with Conditional Access policies, which gives you per-application control instead of the broad scope of Quick Access.
1. Create the Private Access application in Global Secure Access:
- In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Applications > Enterprise applications.
- Click “+ New application”.
- Give your application a name (e.g., “OnPrem SharePoint”) and select the Connector group whose connectors can reach it.
- Under Application segment, click “+ Add application segment” and enter the internal FQDN or IP address, the port(s) and the protocol (TCP, or UDP where supported) exactly as the application is reachable from the connector servers.
- Click “Apply” and then “Save”. The application is created from Global Secure Access so that the segments are attached to it; it then appears under Identity > Applications > Enterprise applications like any other application.
2. Configure the Enterprise Application:
- Go to Identity > Applications > Enterprise applications and open the application you just created.
- Under Properties, keep Assignment required? set to “Yes” so that only assigned identities can reach the published segments.
- Assign the Users and groups who should have access to this application.
3. Single sign-on: Private Access tunnels the application's own protocol, so the application keeps its own authentication. Integrated Windows Authentication and Kerberos continue to work when the device can obtain tickets for the on-premise domain (for example through Microsoft Entra Kerberos). SAML, header-based and password-based SSO are Application Proxy features and are not configured on a Private Access application.
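Whether you use Quick Access or a per-application Enterprise Application, the application segments are where least privilege is won or lost: a /8 range with all ports is a VPN in disguise. The following PowerShell is an added example, not part of the original guide or any Microsoft tooling: it lints a planned list of segments before anyone types them into the portal. The segment list is constructed sample data, and the thresholds (anything broader than /24, any port range of 1000 or more ports) are my assumptions to adjust to your environment.

```powershell
# Added example, not part of the original guide: lint a planned list of application
# segments before entering them in Quick Access or a Private Access app, so that
# duplicates, broad networks, wildcard names and wide port ranges are caught first.
# The thresholds (/24, 1000 ports) and the sample segment list are my assumptions.
function Test-PlannedSegments {
    param([Parameter(Mandatory)][object[]]$Segments)

    # Duplicate destinations usually mean two teams publishing the same host with different ports
    $dupes = $Segments | Group-Object Destination | Where-Object Count -gt 1 | ForEach-Object Name

    foreach ($s in $Segments) {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($s.Destination -in $dupes) { $findings.Add('destination appears in more than one segment') }

        switch ($s.Type) {
            'ipRange' {
                $prefix = [int]($s.Destination -split '/')[1]
                if ($prefix -lt 24) { $findings.Add("CIDR /$prefix covers $([math]::Pow(2, 32 - $prefix)) addresses; prefer hosts or /24s") }
            }
            'fqdn' {
                if ($s.Destination.Contains('*')) { $findings.Add('wildcard FQDN exposes every host in the zone') }
                if ($s.Destination -notmatch '\.') { $findings.Add('single-label name; use the FQDN the connector resolves') }
            }
            'ip' {
                $tmp = $null
                if (-not [System.Net.IPAddress]::TryParse($s.Destination, [ref]$tmp)) { $findings.Add('not a valid IP address') }
            }
            default { $findings.Add("unknown destination type '$($s.Type)'") }
        }

        # Ports: single ("443"), list ("80,443") or range ("1-65535")
        foreach ($p in ($s.Ports -split ',')) {
            if ($p -match '^(\d+)-(\d+)$') {
                $count = [int]$Matches[2] - [int]$Matches[1] + 1
                if ($count -ge 1000) { $findings.Add("port range $p opens $count ports; publish only what the app uses") }
            } elseif ($p -notmatch '^\d+$') {
                $findings.Add("port '$p' is malformed")
            }
        }

        [pscustomobject]@{
            Name        = $s.Name
            Destination = $s.Destination
            Ports       = $s.Ports
            Ok          = ($findings.Count -eq 0)
            Findings    = ($findings -join '; ')
        }
    }
}

# Constructed sample: what a team might be about to publish
$planned = @(
    [pscustomobject]@{ Name = 'Intranet';   Type = 'fqdn';    Destination = 'intranet.corp.local';   Ports = '443' }
    [pscustomobject]@{ Name = 'FileShare';  Type = 'fqdn';    Destination = 'fileserver.corp.local'; Ports = '445' }
    [pscustomobject]@{ Name = 'JumpHost';   Type = 'ip';      Destination = '10.0.0.50';             Ports = '3389' }
    [pscustomobject]@{ Name = 'Legacy';     Type = 'ipRange'; Destination = '10.0.0.0/8';            Ports = '1-65535' }
    [pscustomobject]@{ Name = 'Everything'; Type = 'fqdn';    Destination = '*.corp.local';          Ports = '80,443' }
)
Test-PlannedSegments -Segments $planned | Format-Table -AutoSize -Wrap
```

In the sample, the first three segments pass and the last two are flagged; those are exactly the entries that turn a per-application publication back into flat network access and should be split into named hosts and specific ports before they are saved.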
Step 5: Configure Traffic Forwarding Profile
You need to ensure that traffic to your private resources is forwarded to the Global Secure Access service.
- Go to Global Secure Access (Preview) > Connect > Traffic forwarding.
- Ensure the Private access profile is enabled. This profile will automatically include the destinations you configured in Quick Access or your Global Secure Access Apps.
Step 6: Install and Configure the Global Secure Access Client (on end-user devices)
For users to access the on-premise applications through Entra Private Access, they need the Global Secure Access Client installed on their Windows devices.
1. Download the Client:
- In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Connect > Client download.
- Download the client.
2. Deploy the Client: Deploy the client to your end-user devices using methods like Intune, SCCM, or manual installation.
3. Client Behavior: Once installed and the user is signed in, the client will route traffic for the configured private resources through the Microsoft Entra Private Access service based on the traffic forwarding profiles.
Step 7: Configure Conditional Access Policies (Highly Recommended)
Enhance security by applying Conditional Access policies to your newly published on-premise applications.
- Go to Protection > Conditional Access in the Microsoft Entra admin center.
- Create a new policy.
- Under Assignments, select the users and groups you want this policy to apply to.
- Under Cloud apps or actions (Target resources), select the Enterprise Application you created for the on-premise application. For Quick Access, select the Quick Access application itself, which Entra ID also represents as an Enterprise Application; with Global Secure Access signaling enabled you can alternatively target the Global Secure Access traffic profiles.
- Define Conditions (e.g., device compliance, location, sign-in risk).
- Under Access controls, configure Grant controls (e.g., require multi-factor authentication, require compliant device).
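The same policy can be created with Microsoft Graph PowerShell, which is useful when you publish many applications and want every one of them covered by the same grant controls. The following is an added example, not part of the original guide and not a Microsoft sample: it creates the Step 7 policy in report-only mode first, so its effect can be read from the sign-in log before it blocks anyone, and it always excludes an emergency-access account. The application display name, the group ID and the emergency-access account ID are placeholders.

```powershell
# Added example, not part of the original guide: create the Conditional Access policy from
# Step 7 with Microsoft Graph PowerShell, starting in report-only mode so its effect can be
# read from sign-in logs before it blocks anyone. The application display name, group ID and
# emergency-access account ID are placeholders.
# Requires: Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' | Out-Null

$appDisplayName = 'OnPrem SharePoint'                       # the Private Access app created in Global Secure Access
$targetGroupId  = '00000000-0000-0000-0000-000000000000'    # placeholder: the group assigned to the app
$breakGlassId   = '11111111-1111-1111-1111-111111111111'    # placeholder: emergency-access account, always excluded

# Conditional Access targets the application's appId (client ID), so look it up on the service principal
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'" -Property Id, AppId, DisplayName
if (-not $sp) { throw "No service principal named '$appDisplayName'; create the Private Access app first." }
if (@($sp).Count -gt 1) { throw "Display name '$appDisplayName' is ambiguous; filter on appId instead." }

$policy = @{
    displayName   = "PA - $appDisplayName - MFA and compliant device"
    state         = 'enabledForReportingButNotEnforced'      # flip to 'enabled' after reviewing report-only results
    conditions    = @{
        applications   = @{ includeApplications = @($sp.AppId) }
        users          = @{ includeGroups = @($targetGroupId); excludeUsers = @($breakGlassId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                                # both controls are required, not either
        builtInControls = @('mfa', 'compliantDevice')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After validating in report-only mode:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only mode for at least one normal business cycle and review the "Report-only" tab of the sign-in log for the affected users before switching the state to enabled.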
Step 8: Test Access
- From a client device with the Global Secure Access Client installed and a user assigned the necessary permissions:
- Try accessing the on-premise application using the internal FQDN or IP address and port you specified in the Quick Access or Enterprise Application configuration. Private Access does not issue an external URL; users keep using the internal name.
- The traffic should be transparently routed through the Private Access service to your on-premise application.
- Verify SSO functionality if configured.
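Step 8 can be made repeatable with a short client-side script. The following PowerShell is an added example, not part of the original guide or of the Global Secure Access client: it confirms the client services are present, checks that a published FQDN is answered by the client rather than by normal DNS, and tests TCP reachability through the tunnel. The FQDN and port are placeholders for one of your segments; the client service names are matched by prefix rather than assumed, and the synthetic 6.6.0.0/16 address range is the client behaviour documented at the time of writing, which you should confirm against current Microsoft documentation.

```powershell
# Added example, not part of the original guide: end-to-end access check from a Windows
# device with the Global Secure Access client installed. The FQDN and port are placeholders
# for one of your published segments. The client service names are matched by prefix rather
# than assumed, and the synthetic 6.6.0.0/16 range is the behaviour documented at the time
# of writing; confirm it against current Microsoft documentation.
param(
    [string]$Fqdn = 'intranet.corp.local',
    [int]$Port    = 443
)

# 1. Client services present and running
$svcs = Get-Service -Name 'GlobalSecureAccess*' -ErrorAction SilentlyContinue
if (-not $svcs) { throw 'No Global Secure Access client services found; install the client and sign in first.' }
$svcs | Select-Object Name, Status | Format-Table -AutoSize

# 2. Name resolution: for an FQDN segment the client answers locally with a synthetic address,
#    which is how it captures the connection; the connector does the real lookup on-premise.
$answers   = @(Resolve-DnsName $Fqdn -Type A -ErrorAction Stop | Where-Object IPAddress)
$synthetic = @($answers.IPAddress | Where-Object { $_ -like '6.6.*' })
if ($synthetic.Count -gt 0) {
    "$Fqdn resolved to synthetic address $($synthetic -join ',') so the tunnel is capturing it"
} else {
    Write-Warning ("$Fqdn resolved to $($answers.IPAddress -join ',') on the device itself; " +
                   'check that the private access profile is enabled and the segment exists.')
}

# 3. TCP reachability through the tunnel to the published port
$tnc = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
[pscustomobject]@{
    Destination   = "${Fqdn}:$Port"
    Reached       = $tnc.TcpTestSucceeded
    RemoteAddress = $tnc.RemoteAddress
}

# 4. Finish by correlating the attempt with the Entra sign-in log (Conditional Access result)
#    and the Global Secure Access traffic log for the same user and destination.
```

A name that resolves to a real on-premise address on the device means the traffic is bypassing Private Access (for example the device is also on the corporate network or a VPN), which is worth knowing before declaring the test a success.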
IV. Important Considerations and Best Practices:
- High Availability for Connectors: Always deploy at least two connectors in a connector group, installed on different servers, to avoid a single point of failure.
- Connector Server Sizing: Ensure the connector servers have adequate CPU, memory, and network capacity based on the expected load.
- Network Segmentation: Place connector servers in a network segment that has access to the required applications but is otherwise appropriately secured.
- Least Privilege:
- When configuring applications, only publish the specific FQDNs and ports required. Avoid overly broad rules.
- Grant users the minimum necessary permissions to the applications.
- Monitoring:
- Monitor the status of your connectors in the Global Secure Access portal.
- Review sign-in logs and audit logs in Microsoft Entra ID for access to these applications.
- Utilize the Global Secure Access traffic logs.
- Updates: Keep the Private Network Connector software and the Global Secure Access Client updated to the latest versions.
- DNS: The FQDNs of your on-premise applications must be resolvable by the connector servers through your internal DNS. The Global Secure Access client on the device does not need to resolve them itself: it intercepts connections to the configured names, hands them to the service, and the connector performs the lookup on-premise. There is no externally published URL; users continue to use the internal name.
- TLS certificates: Private Access forwards the TCP session end to end, so the TLS session is between the user's browser (or client) and your on-premise application and the service does not terminate TLS. Make sure the application's certificate is valid for the internal FQDN users type and is trusted by the end-user devices; the connector servers only need to trust it if they themselves make TLS connections to the application.
- Application Compatibility: While Entra Private Access supports a wide range of TCP-based applications (and UDP in preview for some scenarios), thoroughly test your specific applications for compatibility.
By following these steps, you can effectively leverage Microsoft Entra Private Access to provide secure, modern access to your on-premise resources, simplifying user experience and strengthening your overall security infrastructure. Always refer to the latest official Microsoft documentation for any changes or more detailed guidance, especially as Global Secure Access services continue to evolve.
Setting Up Entra ID Secure Private Access for On-Premise Servers
Microsoft Entra Private Access offers a modern, secure way to connect users to your on-premise applications and resources without the need for traditional VPNs. This solution, part of Microsoft’s Global Secure Access (GSA) services, leverages the principles of Zero Trust Network Access (ZTNA) to provide granular, identity-centric access controls.
Here’s a comprehensive guide to setting up and configuring Entra ID Secure Private Access for your on-premise servers:
I. Prerequisites:
Before you begin, ensure you have the following:
- Licensing: Microsoft Entra ID P1 or P2 for the connecting users, plus a Microsoft Entra Private Access license, which is available standalone or as part of the Microsoft Entra Suite.
- Administrative Roles: You’ll need appropriate administrative roles in Microsoft Entra ID, such as Global Secure Access Administrator and Application Administrator.
- On-Premise Server(s) for Connectors:
- Operating System: Windows Server 2012 R2 or later.
- .NET Framework: Version 4.7.1 or higher (latest recommended).
- TLS 1.2: Must be enabled on the server.
- Outbound Connectivity: Ports 80 and 443 must be open for outbound connections to Microsoft Entra services and other required URLs. Ensure your firewall or proxy allows this traffic.
- No Inbound Ports Required: The connectors use outbound connections, enhancing security.
- Server Resources: Allocate CPU and memory for the expected number of concurrent sessions. Microsoft's connector documentation focuses on OS, .NET and TLS requirements rather than a fixed hardware minimum, so treat a figure such as 4 cores and 8 GB RAM per connector as a starting point and validate it under representative load.
- Domain Join (Recommended for Kerberos SSO): For Single Sign-On with Integrated Windows Authentication (IWA) or Kerberos Constrained Delegation (KCD), the connector server(s) should be in the same Active Directory domain as the application servers or in a trusting domain.
- Client Devices:
- Operating System: Windows 10/11 (64-bit).
- Entra ID Status: Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined (not just registered).
- Global Secure Access (GSA) Client: This client software needs to be installed on user devices to direct traffic to the GSA service.
- Network Configuration:
- Ensure your internal DNS can resolve the on-premise resources you intend to publish.
- If using firewalls, ensure they don’t block traffic to the necessary Microsoft URLs and that TLS inspection is not performed on traffic from the connectors to the Microsoft services, as this can interfere with the mutual TLS authentication.
II. Core Setup Steps:
1. Activate Global Secure Access (GSA):
- Navigate to the Microsoft Entra admin center (https://entra.microsoft.com).
- Under the “Global Secure Access (Preview)” section, go to the “Dashboard.”
- If not already activated, click the “Activate” button to begin using Global Secure Access services, which include Entra Private Access.
2. Install and Configure Microsoft Entra Private Network Connector(s):
- Download the Connector: In the Entra admin center, go to Global Secure Access (SSE) > Connect > Connectors. Select “Download connector service.” Accept the terms and download the installer.
- Install on On-Premise Server(s):
- Copy the installer to your designated on-premise Windows Server(s).
- Run the MicrosoftEntraPrivateNetworkConnectorInstaller.exe as an administrator.
- Follow the wizard. You will be prompted to sign in to Entra ID; use an account that is permitted to register connectors (Global Secure Access Administrator, or Application Administrator), not a shared Global Administrator account.
- Important for Windows Server 2019 and later: If you plan to use Kerberos Constrained Delegation, Microsoft's connector guidance is to disable HTTP/2 in the WinHttp component, otherwise KCD may not work. Set the registry value with PowerShell (straight quotes; curly quotes pasted from a web page will not parse):
PowerShell
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name EnableDefaultHTTP2 -Value 0 -Type DWord
Restart the server after this change so that the connector service picks up the new setting.
- High Availability: Install at least two connectors on different servers for redundancy and load balancing.
- Connector Groups:
- Connectors are automatically assigned to a default group. You can create custom connector groups for better organization and to assign specific applications to specific sets of connectors. This is useful for isolating traffic or managing access to applications in different network segments.
- Navigate to Global Secure Access (SSE) > Connect > Connectors. Select “New connector group” to create and assign connectors.
- Verify Installation: After installation, check the “Connectors” page in the Entra admin center to ensure your connectors are listed and show an “Active” (green) status. Also, verify that the “Microsoft Entra private network connector” and “Microsoft Entra private network connector updater” services are running on the connector servers.
3. Configure Traffic Forwarding for Private Access:
- In the Entra admin center, go to Global Secure Access (SSE) > Connect > Traffic forwarding.
- Ensure the “Private access profile” is enabled. This tells the GSA client on end-user devices to forward traffic destined for your private resources through the Entra Private Access service.
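Once the connector is installed, the verification described in the step above can be scripted on the connector host. The following PowerShell is an added example, not part of the original guide or of the connector product: it checks both connector services, reads back the WinHttp HTTP/2 value, confirms the connector process holds only outbound sessions, and locates the connector event logs by pattern rather than by an assumed name. The service display names are the ones given in the step above, and the process name is taken from the service executable named in the troubleshooting section of this guide.

```powershell
# Added example, not part of the original guide: post-install health check on a connector
# host, run in an elevated PowerShell session. Service display names are the ones listed
# in the step above; the process name is taken from the service executable named in the
# troubleshooting section of this guide.
$services = 'Microsoft Entra private network connector',
            'Microsoft Entra private network connector updater'
foreach ($display in $services) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $display
        Found     = [bool]$svc
        Status    = $svc.Status
        StartType = $svc.StartType      # expect Automatic
    }
}

# WinHttp HTTP/2 setting (only matters if Kerberos Constrained Delegation is planned; 0 = disabled)
$http2 = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' `
          -Name EnableDefaultHTTP2 -ErrorAction SilentlyContinue).EnableDefaultHTTP2
"WinHttp EnableDefaultHTTP2 = $(if ($null -eq $http2) { 'not set (OS default)' } else { $http2 })"

# A registered connector holds long-lived outbound TLS sessions and never listens for inbound connections
$proc = Get-Process -Name MicrosoftEntraPrivateNetworkConnectorService -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Warning 'Connector service process is not running; check the service and the connector event logs.'
} else {
    $established = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue)
    "Established outbound sessions from the connector: $($established.Count)"
    $established | Select-Object RemoteAddress, RemotePort -Unique | Format-Table -AutoSize
    $listening = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Listen -ErrorAction SilentlyContinue)
    if ($listening.Count -gt 0) {
        Write-Warning "Connector process is listening on $($listening.LocalPort -join ', '); an outbound-only connector should not."
    }
}

# Find the connector's event logs without guessing their exact names
Get-WinEvent -ListLog '*PrivateNetwork*', '*Private Network*' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, LastWriteTime | Format-Table -AutoSize
```

A connector that shows Active in the portal but has zero established sessions after a restart usually points at a proxy or TLS-inspection device between the connector and Microsoft's endpoints, which is the network condition called out in the prerequisites.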
III. Publishing On-Premise Applications:
You have two main approaches to publishing your on-premise applications:
1. Quick Access (Broad Network Access):
- This method allows you to quickly provide access to entire network segments (IP ranges, FQDNs) rather than individual applications. It’s a simpler way to start, especially when migrating from traditional VPNs.
- Configuration:
- Navigate to Global Secure Access (SSE) > Applications > Quick Access.
- Provide a name for your Quick Access configuration.
- Click “+ Add Quick Access application segment.”
- Define the destination type (IP address, FQDN, IP range, or Subnet).
- Enter the details (e.g., IP address and port(s) like 192.168.1.10:3389 for RDP or fileserver.corp.local:445 for SMB).
- Assign users or groups who should have access to this Quick Access application.
- Use Case: Useful for scenarios like accessing internal file shares, RDP to servers, or internal websites where per-app granularity isn’t immediately required.
2. Per-App Access (Enterprise Applications – Zero Trust Approach):
- This is the recommended approach for a Zero Trust security posture, providing granular access control to specific applications. The workflow resembles the traditional Entra Application Proxy setup, but the result is different: Private Access tunnels the application's TCP/UDP session to the internal destination instead of publishing an external HTTPS URL.
- Configuration:
- Navigate to Global Secure Access (SSE) > Applications > Enterprise applications.
- Click “+ New application.”
- Basic Settings:
- Name: A user-friendly name for the application.
- Connector Group: Assign the application to a specific connector group (or the default).
- Application segments: Add one segment per internal destination, giving the FQDN, IP address or IP range, the port(s) and the protocol exactly as the connector servers reach it (e.g., intranet.corp.local on TCP 443, or 10.0.0.50 on TCP 8080). Users connect to these same internal names and ports through the Global Secure Access client. There is no generated external URL of the form https://<yourtenant>-<appname>.msappproxy.net; that URL, the Pre-Authentication mode (including “Passthrough”), the backend application timeout and header/body URL translation are Application Proxy settings and do not exist for a Private Access segment.
- Access control happens before the tunnel is established: the user must be signed in to the client, assigned to the application, and pass any Conditional Access policy that targets it.
- Single Sign-On (SSO): Because the application's own protocol is tunnelled, the application keeps its own authentication. Kerberos and Integrated Windows Authentication continue to work when the device can obtain tickets for the on-premise domain (for example via Microsoft Entra Kerberos); SAML, header-based and password-based SSO are Application Proxy features and are not configured here.
- Assign Users and Groups: After creating the application, open it under Identity > Applications > Enterprise applications and assign the users or groups who are permitted to access it.
- Use Case: Ideal for publishing web applications, APIs and non-HTTP applications (RDP, SMB, SSH, database ports, and UDP where supported) with fine-grained access control.
IV. Client-Side Setup (Global Secure Access Client):
- Download and Deploy: The Global Secure Access client needs to be installed on end-user Windows devices. You can find the client download in the Entra admin center under Global Secure Access (SSE) > Connect > Client download.
- Installation: Install the client. Users will typically need local admin rights for installation.
- Sign-in: Users sign into the GSA client with their Entra ID credentials.
- Connectivity: Once signed in and the traffic forwarding profiles are active, the client will automatically route traffic destined for the configured private resources through the Entra Private Access service. Users access the on-premise applications with their internal FQDNs or IP addresses and ports, whether the segment was published through Quick Access or a per-application Enterprise Application; Private Access does not provide an external URL.
V. Security and Management:
- Conditional Access Policies:
- Leverage Entra ID Conditional Access policies to enforce additional security controls for accessing your on-premise applications.
- You can require Multi-Factor Authentication (MFA), compliant devices, specific locations, or limit session risk before granting access.
- Enable “Global Secure Access signaling in Conditional Access” under Global Secure Access (SSE) > Global settings > Session management > Adaptive Access to use GSA-specific conditions in your policies.
- Monitoring and Logging:
- Utilize Entra ID sign-in logs and audit logs to monitor access attempts.
- Global Secure Access provides its own traffic logs, which can be streamed through a diagnostic setting into a Log Analytics workspace (the NetworkAccessTraffic table) and from there into Microsoft Sentinel for detailed analysis, detection rules and reporting.
- Privileged Identity Management (PIM): For highly sensitive applications, integrate with Entra ID PIM to provide just-in-time (JIT) access.
- Regularly Update Connectors: The connector updater service should keep your connectors up-to-date automatically. However, monitor their status and version.
- DNS Configuration for FQDNs in App Segments: For app segments configured with FQDNs, the Global Secure Access client intercepts the device's queries for those names and answers with a synthetic address so that the connection is captured by the tunnel; the Private Network Connector then performs the real lookup against your internal DNS. The end-user device therefore does not need to resolve internal names itself, but the connector servers must.
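The monitoring bullet above is more useful with a concrete query. The following PowerShell is an added example, not part of the original guide or a Microsoft sample: it uses the Az.OperationalInsights module to query the NetworkAccessTraffic table in a Log Analytics workspace that receives the Global Secure Access diagnostic setting, and summarises private-access connections per user and destination so that denied attempts and unexpected destinations stand out. The workspace ID is a placeholder, and the column names and the "private"/"Blocked" values used in the KQL are my assumptions, which is why the script first checks the table schema and refuses to run the summary if a column is missing.

```powershell
# Added example, not part of the original guide: pull Private Access traffic from the
# NetworkAccessTraffic table in Log Analytics and summarise allowed vs blocked connections
# per user and destination. Requires the Global Secure Access diagnostic setting to be
# streaming to the workspace. The workspace ID is a placeholder and the column names and
# TrafficType/Action values are assumptions, so the schema is verified first.
# Requires: Install-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount | Out-Null
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: Log Analytics workspace (customer) ID

# Step 1: confirm the schema before trusting any column name used below
$schema  = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId `
              -Query 'NetworkAccessTraffic | getschema | project ColumnName, ColumnType'
$columns = @($schema.Results.ColumnName)
$needed  = 'TimeGenerated', 'UserPrincipalName', 'DestinationFqdn', 'DestinationIp',
           'DestinationPort', 'Action', 'TrafficType'
$missing = @($needed | Where-Object { $_ -notin $columns })
if ($missing.Count -gt 0) {
    throw "Adjust the query: these assumed columns are not in this workspace: $($missing -join ', ')"
}

# Step 2: private-access connections in the last 24 hours, blocked attempts first
$kql = @'
NetworkAccessTraffic
| where TimeGenerated > ago(24h)
| where TrafficType =~ "private"
| extend Destination = iff(isempty(DestinationFqdn), DestinationIp, DestinationFqdn)
| summarize Connections = count(),
            Blocked     = countif(Action =~ "Blocked"),
            Ports       = make_set(DestinationPort, 10)
    by UserPrincipalName, Destination
| order by Blocked desc, Connections desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table -AutoSize
```

Once the summary is right for your schema, the same KQL is the natural basis for a scheduled analytics rule in Microsoft Sentinel, for example alerting when a single user is blocked against several distinct destinations within an hour.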
VI. Key Differences and Considerations (Entra Private Access vs. Entra Application Proxy):
- Foundation: Entra Private Access is built upon the foundation of Entra Application Proxy but is part of the broader Security Service Edge (SSE) solution, Global Secure Access.
- Protocols: While Application Proxy traditionally focused on web applications (HTTP/S), Entra Private Access is designed to be more protocol-agnostic, tunneling TCP/UDP traffic. This makes it suitable for a wider range of applications, including RDP, SMB, and other client-server applications.
- Client Requirement: Entra Private Access requires the Global Secure Access client on the end-user device. Application Proxy needs no client at all: users reach a published web application through a browser at its external URL, with Entra ID pre-authentication in front of it.
- Access Model: Entra Private Access strongly aligns with ZTNA principles, allowing for both broad “Quick Access” and granular “Per-App Access.”
- B2B/BYOD: Historically, Application Proxy had more established support for B2B guest users. Entra Private Access capabilities for these scenarios are evolving. For now, accessing devices typically need to be Entra ID joined/hybrid joined.
Troubleshooting:
- Connector Status: Always check the connector status in the Entra admin center and the services on the connector server.
- Logs: Review Entra ID logs, GSA traffic logs, and event logs on the connector server (e.g., MicrosoftEntraPrivateNetworkConnectorService.exe.config can be modified for more detailed connector logging).
- Network Connectivity: Verify outbound connectivity from connector servers to Microsoft services and from connector servers to the internal application servers.
- Client Health: Check the GSA client status on the end-user device.
By following these steps, you can effectively set up and configure Microsoft Entra Private Access to provide secure, modern access to your on-premise servers and applications, reducing reliance on traditional VPNs and strengthening your overall security posture. Remember to consult the latest Microsoft documentation for any updates or changes to the service.