This first week is all about the Global Secure Access client for Windows. Global Secure Access is the Security Service Edge (SSE) solution of Microsoft. Gartner defines SSE as a solution that secures access to the web, cloud services and private applications regardless of the location of the user or the device they are using or where that application is hosted. Within Global Secure Access, Microsoft introduced the (Microsoft Entra) Internet Access and (Microsoft Entra) Private Access products to provide that functionality. Of these products Internet Access is focused on secured access to Microsoft 365, SaaS, and public apps, while Private Access is focused on secured access to private or internal resources. The Global Secure Access client can be used to connect to the Global Secure Access solution. This post will focus on deploying that client and making sure that the client is required for accessing corporate resources. This post will end with the user experience.
Important: At the moment of writing Global Secure Access is still in preview and not feature complete yet.
Deploying the Global Secure Access client for Windows
When looking at the deployment of the Global Secure Access client for Windows, it starts with downloading the installer for that client. That installer is available for download in the Microsoft Entra admin center portal, by navigating to Global Secure Access > Connect > Client download. The best method for deploying that client is as a Win32 app via Microsoft Intune. That method enables the creation of a flexible installation method for making the Global Secure Access client available on Windows devices.
Before creating the app within Microsoft Intune, the Microsoft Intune Win32 App Packaging Tool should be used to wrap the installation file (GlobalSecureAccessClient.exe) in an .intunewin file. Those steps are pretty straight forward when starting the app packaging tool. Once the wrapping was successful, the app can be added to Microsoft Intune. However, before doing that, make sure to be familiar with the installation parameters. Simply run GlobalSecureAccessClient.exe /? to get an overview of the available parameters. Besides that, also make sure to verify the installation process, to understand the information that can be used to detect the installation and to verify the installation. Think about the uninstall information in the registry, for example.
When the all the information is available, the following twelve steps can be used to walk through the process of adding the app to Microsoft. The focus in those steps is on the Global Secure Access client installation specifics.
- Open the Microsoft Intune admin center portal and navigate to Apps > Windows > Windows apps
- On the Windows | Windows apps page, click Add > Windows app (Win32) and click Select
- On the App information page, select the just created .intunewin file and click Next
- On the expanded App information page, specify at least a Name, Description and Publisher and click Next
- On the Program page, as shown below in Figure 1, specify at least the following information and click Next
- Install command (1): Specify GlobalSecureAccessClient.exe /install /quiet /norestart as the installation command
- Uninstall command (2): Specify GlobalSecureAccessClient.exe /uninstall /quiet /norestart as the uninstall command
Note: It’s also possible to use msiexec /x "{77B52C97-C5B2-44DE-A544-D75513DE6FDA}" /qn to uninstall the Global Secure Access client, but that more often resulted in a not fully removed client.
- On the Requirements page, specify at least an Operating system architecture and Minimum operating system and click Next
- On the Detection rules page, as shown below in Figure 2, select Manually configure detection rules, specify the following rule and click Next
- Rule type (1): Select MSI as the rule type
- MSI product code (2): Specify {77B52C97-C5B2-44DE-A544-D75513DE6FDA} as the product code to detect the installation
- MSI product version check: Select No to not specifically check the version
- On the Dependencies page, (optionally) configure any dependencies for the app and click Next
- On the Supersedence page, (optionally) configure any supersedence relations to older versions and click Next
- On the Scope tages page, (optionally) configure any required scope tags and click Next
- On the Assignments page, configure the assignment to deploy the Global Secure Access client and click Next
- On the Review + create page, verify the provided configuration and click Create
Note: The information in these steps is based on the Global Secure Access client, version 1.7376.1214.
Enabling Global Secure Access signaling
When looking at using the Global Secure Access solution to prevent different types of attacks (like for example AiTM), or just for accessing specific resources, it all comes down to making sure that the solution is used for accessing the different resources. That can be achieved by using the compliant network check with Conditional Access. That check ensures that a users connects from a verified network that is specific to the tenant of the user. To use that check, Global Secure Access must be signaling network location information to Conditional Access. That can be achieved by going through the following two steps.
- Open the Microsoft Entra admin center portal, navigate to Global Secure Access > Global Settings > Session management and select Adaptive Access
- On the Adaptive Access tab, as shown below in Figure 3, switch the slider with Global Secure Access signaling in Conditional Access to the right
Note: To verify a successful configuration, check that All Compliant Network Locations is added as a named location.
Enforcing the Global Secure Access client for Windows
When Global Secure Access signaling is configured, that information can be used to require the user to come from a compliant network location. And that indirectly enforces the user to have the Global Secure Access client installed. Without that client, it won’t be possible for the user to come from a compliant network location. That configuration can be enforced by using Conditional Access. Conditional Access can be used to enforce a compliant network location. The following six steps can be used to create a Conditional Access policy that will block access when a not compliant network location is used.
- Open the Microsoft Intune admin center portal navigate to Endpoint security > Conditional Access, or open the Microsoft Entra admin center portal and navigate to Protection > Conditional Access > Policies
- On the Conditional Access | Policies blade, click New policy
- On the Assignments section, as shown below in Figure 3, configure the following for the different assignments sections
- Users and groups: Select the users that should be assigned with this policy
- Cloud apps or actions: Select Office 365 Exchange Online and/or Office 365 SharePoint Online and/or any other required third-party SaaS app, as the app that should be assigned with this policy
Note: At this moment the Office 365 app is not supported.
- Conditions: Select an include of all locations and an excluded of the All Compliant Network locations location (2) as additional filters for the assignment of this policy
- On the Access controls section, configure the following for the grant control
- Grant: Select Block access (1) as the access enforcement for this policy
- Session: Not applicable for this configuration
- Select Enable policy > On to enable this policy
- Select Create to create this policy
Note: At this moment the compliant network check is not supported for Private Access.
Experiencing the Global Secure Access client for Windows
When the Conditional Access policy is configured, it’s relatively easy to experience the behavior. When the Global Connect Access client is not installed, not configured, or not connected, the user will receive the message You cannot access this right now (as shown below in Figure 5).
When the Global Connect Access client is installed, configured, and connected, the user will receive access to the specific cloud app (as shown below in Figure 6). Besides that, the Global Secure Access client will provide insights about the traffic and the configuration that is applied. That includes the traffic that will be sent through the tunnel.
More information
For more information about the Global Secure Access client for Windows, refer to the following docs.
Thanks for the write up Peter (oh and gelukkig nieuwjaar). Did you already had the chance to test the throughput for SMB/fileshare compared to a VPN?
Hi Rkast,
No, I haven’t had the time yet to compare the throughput.
Regards, Peter
Good stuff, testing now – cheers, Peter!
This worked great for me. Thanks
Good to hear, Chris!
Nice write up Peter,
We too are Piloting the Global Secure Access client for Windows at the moment, but we have discovered that the current build of the software has a very old version of .NET runtime v6.0.11 (November 2022) bundled with the installer which includes 27 security vulnerabilities.
Just for others knowledge it might be worth including the latest .NET runtime (v6.0.28 as of March 2024) as a dependency for this install to ensure you are delivering the most upto date / secure software versions.
Adrian
Thank you for sharing, Adrian. Which version of the agent are you using.
Regards, Peter
I have a question, I don’t know if you’ve tried it Peter. I’m trying Global Secure Access in my environment, but I also have a point to site vpn in my environment. It turns out that when Global Secure Access is installed on my computer and active, even without any security rules, it is blocking my connection to the VPN. When I disable it, I can connect to the VPN normally. It seems that it’s kind of being a “firewall” and blocking this VPN traffic. Have you ever seen anything like this?
Hi Luan,
I indeed haven’t tested that specific scenario, as the idea is to get rid of the VPN. I have seen other traffic break.
Regards, Peter
Hey Peter,
thanks for the write up. We have a frustrating problem with GSA, somehow the client will not build a tunnel again after a restart. If you reinstall all works again, until next restart. All checks are green except the tunnel. Wonder if you might have an idea, we are at a loss and MS isnt helpfull 🙁 hopefully you have an idea as our network is exhausted at the moment.
Best regards
Benny
Hi Benjamin,
I don’t have a real suggestion, besides that I would start with looking for more details in the client logs (see also: https://learn.microsoft.com/en-us/troubleshoot/azure/entra-id/dir-dmns-obj/troubleshoot-global-secure-access-client-windows-issues).
Regards, Peter
I am having the same issue. I can’t work it out at all other than it seems unable to contact the edge server. It was working fine until this morning, I had to reboot for updates (now rolledback) and then this started.
Hello Peter,
Nice work. We are testing GSA. Do you know if there is any way to avoid automatic rise of the private tunnel or automatic start of the GSA client ?
Is there any way to avoid that local traffic is sent to the cloud ?
We are experiencing some problem with pribvate traffic that’s always routed through the tunnel when a PC is connected to our lan.
Hi Piero,
Can you provide me with some more information about your scenario? Are you only using private access, or also Internet access?
Regards, Peter
I would recommend to use the latest client 2.0.0 version. https://aka.ms/GSAClientDownload
It seems to solve some issues.
I can access fileshares by UNC path, but not through Network Drive Mappings. Anyone else have the same problem?
Thank you for that information, Robert. I personally haven’t experienced that behavior yet.
Regards, Peter
It seems to work now after I added Kerberos to QuickAccess. I get an Windows prompt before access now, but after that it works.
Ah, that is good to hear Robert! And thank you for sharing.
Regards, Peter