I stumbled upon this little treat of a solution when looking for options to replace an aging VPN solution for a client with laptop users across the country all connecting back to shared resources within a datacentre.
The customer use case is pretty simple:
- Mapped Drives to on-prem file services
- Print to a follow-me print queue (one that isn’t Universal Print or otherwise BYOD/mobility enabled)
- Access internal websites
We’d already worked on making internal websites externally accessible through Microsoft Entra App Proxy, securing access with Conditional Access, MFA and compliant Azure AD joined devices, so the VPN was no longer strictly required for those; it was just a case of updating some shortcuts.
For the mapped drives and printing, though, we needed some way of getting the device ‘on net’, so we went down the route of looking at whether replacing the VPN like for like was the answer. Thankfully, it was not.
We looked at and loved Zscaler. Both Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA) worked flawlessly and easily met the customer’s needs and more, providing a way of securing outbound internet access regardless of the physical location of the device.
Zscaler hooked into our Microsoft Entra setup, Conditional Access, the works, all working perfectly. We were off to the races, ready to go.
Then, in July 2024, Microsoft GA’d Microsoft Global Secure Access, a product concept similar to Zscaler, with Entra Private Access and Entra Internet Access. It requires an existing Microsoft Entra P1 or P2 licence plus a top-up to unlock the functionality.
In terms of deployment, I was pleasantly surprised to see it was baked into the existing (updated) Microsoft Entra App Proxy product, extending it beyond just reverse proxying websites (a very posh reverse proxy, I admit) to carrying all sorts of traffic.
I stood up a couple of dedicated App Proxy connectors for testing, located within Azure to reduce latency. With a very quick configuration in the Entra portal and the client deployed from Intune, I was able to RDP to internal servers and map drives without being connected to the legacy VPN.
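To confirm on a laptop that the deployment above actually works end to end, here is a small post-deployment check. This is an added example, not the post’s own script or anything shipped by Microsoft; it assumes the Global Secure Access client is installed, that the client’s Windows services contain “GlobalSecureAccess” in their names (an assumption, hence the wildcard), and that `FILES01.corp.example` and `intranet.corp.example` stand in for the customer’s file server and internal website.

```powershell
# Added post-deployment check for an Entra Private Access client (example, not from the original post).
# Assumptions: GSA client installed; service names match '*GlobalSecureAccess*'; hostnames are placeholders.
param(
    [string]$FileServer   = 'FILES01.corp.example',   # placeholder on-prem SMB file server
    [string]$IntranetHost = 'intranet.corp.example'   # placeholder internal website
)

$results = [ordered]@{}

# 1. Is the Global Secure Access client present and running?
#    Wildcard match so the check does not depend on exact service names (assumption).
$gsaServices = Get-Service -Name '*GlobalSecureAccess*' -ErrorAction SilentlyContinue
$results['GsaServicesFound']  = @($gsaServices).Count
$results['GsaClientRunning']  = @($gsaServices | Where-Object Status -eq 'Running').Count -gt 0

# 2. With the legacy VPN disconnected, can the laptop reach SMB (TCP 445) on the file server
#    and HTTPS (TCP 443) on the intranet host? With Private Access working, both should succeed.
$smb = Test-NetConnection -ComputerName $FileServer   -Port 445 -WarningAction SilentlyContinue
$web = Test-NetConnection -ComputerName $IntranetHost -Port 443 -WarningAction SilentlyContinue
$results['SmbReachable']   = $smb.TcpTestSucceeded
$results['HttpsReachable'] = $web.TcpTestSucceeded

# 3. Report which local interface the traffic left from, so you can see whether it went via
#    the GSA tunnel adapter rather than the physical NIC or a still-connected VPN adapter.
$results['SmbSourceAddress']   = $smb.SourceAddress.IPAddress
$results['SmbSourceInterface'] = $smb.InterfaceAlias
$results['WebSourceInterface'] = $web.InterfaceAlias

[pscustomobject]$results | Format-List

# Non-zero exit code lets Intune or a monitoring script flag a failed rollout.
if (-not ($results['GsaClientRunning'] -and $results['SmbReachable'] -and $results['HttpsReachable'])) {
    exit 1
}
exit 0
```

Run it as the signed-in user on a test laptop with the legacy VPN disconnected; a clean result shows the client running, both ports reachable, and the source interface being the Global Secure Access adapter rather than the VPN. A non-zero exit code is handy as an Intune detection or remediation script during the rollout.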
I took a step back at that moment to marvel at the simplicity of deploying this and getting access into the network without opening any inbound firewall ports.
Next on the list is to look at using Entra Internet Access to improve visibility of road-warrior users now that they’re no longer connected to the ‘traditional’ VPN.
Well impressed. I think Zscaler is a bit quicker to connect and get working, but there’s a lot going for this, especially at the price point!