Entra Private Access/GSA – Automatic Network Detection

This blog covers a custom script solution for Intune that automatically detects whether the Entra Private Access (GSA) client is connected to the internal network or is off-site. When the client is on the internal network, we don’t want to send the network traffic into the GSA tunnel through Microsoft; we want direct connectivity to the servers.

The solution consists of three scripts used with Intune (detection, remediation, suspension). They serve as a workaround until Microsoft releases support for this in the Entra GSA client.

Background

As part of the implementation of Entra Private Access, you define your internal networks in the Entra Private Access solution. The agent then knows which networks / FQDNs to “tunnel” through the client. This is very cool when you are sitting at home, on guest networks, in hotels, etc.

But when you are sitting onsite close to the servers (internal network), you don’t want the traffic to go through the tunnel, but directly over the local network. Your users will appreciate you for this improvement 🙂

Solution

On my GitHub, I have provided 3 scripts that can be used to solve this problem.

The scripts will be updated according to the roadmap below.

June 2024: Script (current version) stops/starts the Windows services for the Entra GSA client (3 services), which impacts all client functionality (Private Access, Internet Access).

July 2024: Script will be adjusted so it uses the Entra GSA API to stop/start only the Entra Private Access functionality. The script will then no longer impact Entra Internet Access.

2H 2024: Entra Private Access “Intelligent local access” feature built into the product.


Scenario: Computer is NOT connected to the internal network – it can NOT do an NSLOOKUP of the internal DNS record

Screenshot shows the script running in testing mode every 2 seconds ($RerunTesting = $True). You can disable testing by setting $RerunTesting to $False; the script then runs at the interval you define in $RerunEveryMin.

Result: GSA client is started

Scenario: Computer is connected to the internal network – it can do an NSLOOKUP of the internal DNS record

Screenshot shows the script running in testing mode every 2 seconds ($RerunTesting = $True). You can disable testing by setting $RerunTesting to $False; the script then runs at the interval you define in $RerunEveryMin.

Result: GSA client is stopped

Suspension of behavior once in production

Suspension of the script behavior is built into the remediation script, for the case where the network detection is wrong (e.g. a rogue network) or the user wants to override it.

You can prepare the suspension script in Intune in advance, so you can quickly activate it for a single user or multiple users. Basically it sets a registry key that the remediation script checks.

Implementation

Using Intune Proactive Remediations, you can implement the detection and remediation scripts. Of course you want to test it before uploading to Intune 🙂

Please adjust the following parameters in the remediation script:

##################################
# VARIABLES
##################################

$Internal_DNSRecord_Name = "<put in your DNS record here>"
$Internal_DNSRecord_Expected_Response = "<put in the expected IPv4 address here>"

$RerunEveryMin = 1
# Minutes to wait between runs when $RerunTesting is $False

$RerunNumberBeforeExiting = 59
# When the run counter hits this number, the script forces Exit 1. Keep the total below 1 hr, as the remediation job kicks off hourly

$RerunTesting = $False
# If $True it forces the script to run every 2 sec. If $False, it uses $RerunEveryMin

Based on the values above, the script runs every 1 minute for 59 runs and then terminates. The remediation script should be scheduled to run hourly. Feel free to fine-tune how often you want the script to wait/run to your needs.
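To make the detection logic behind the two scenarios above and the variables concrete, here is an added example remediation loop in PowerShell. It is not the script from the author’s GitHub; it is written for this page and assumes three things that the page does not give: the names of the three GSA client services (placeholders to be replaced with the names `Get-Service` shows on a machine with the GSA client installed), a hypothetical registry path/value written by the suspension script, and the use of `Resolve-DnsName` as the NSLOOKUP equivalent.

```powershell
##################################
# VARIABLES (adjust to your environment)
##################################
$Internal_DNSRecord_Name              = "<put in your DNS record here>"
$Internal_DNSRecord_Expected_Response = "<put in the expected IPv4 address here>"
$RerunEveryMin            = 1
$RerunNumberBeforeExiting = 59      # keep below 60: the remediation job is scheduled hourly
$RerunTesting             = $False  # $True = run every 2 seconds (testing only)

# ASSUMPTION: the page does not name the three GSA client services.
# Replace these placeholders with the real service names from Get-Service.
$GsaServiceNames = @("<GSA service 1>", "<GSA service 2>", "<GSA service 3>")

# ASSUMPTION: hypothetical registry key written by the suspension script (value 1 = suspended).
$SuspendRegPath  = "HKLM:\SOFTWARE\<YourOrg>\GSANetworkDetection"
$SuspendRegValue = "Suspended"

function Test-SuspensionFlag {
    # $true when the suspension script has set the override key, so the loop leaves the client alone
    $item = Get-ItemProperty -Path $SuspendRegPath -Name $SuspendRegValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.$SuspendRegValue -eq 1)
}

function Test-InternalNetwork {
    # "Internal" means the internal DNS record resolves AND the answer is the expected IPv4 address.
    # Off-site the record usually does not resolve at all; checking the address as well avoids
    # false positives from guest networks whose resolvers answer every name with a portal address.
    try {
        $answers = Resolve-DnsName -Name $Internal_DNSRecord_Name -Type A -DnsOnly -ErrorAction Stop
        return [bool]($answers | Where-Object { $_.IPAddress -eq $Internal_DNSRecord_Expected_Response })
    } catch {
        return $false   # NXDOMAIN, timeout, no resolver: treat as off-site and keep the tunnel up
    }
}

function Set-GsaServices {
    # Stops or starts all GSA client services that are not already in the desired state
    param([ValidateSet("Running", "Stopped")][string]$DesiredState)
    foreach ($name in $GsaServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$name' not found"; continue }
        if ($svc.Status -ne $DesiredState) {
            if ($DesiredState -eq "Stopped") { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
            else { Start-Service -Name $name -ErrorAction SilentlyContinue }
        }
    }
}

##################################
# MAIN LOOP (one hourly remediation run)
##################################
$run = 0
while ($true) {
    $run++
    if (Test-SuspensionFlag) {
        Write-Output "Run $run : suspension key set, leaving GSA client untouched"
    } elseif (Test-InternalNetwork) {
        Write-Output "Run $run : internal network detected, stopping GSA client"
        Set-GsaServices -DesiredState "Stopped"
    } else {
        Write-Output "Run $run : off-site, starting GSA client"
        Set-GsaServices -DesiredState "Running"
    }

    # Exit 1 once the counter is reached so Intune reports the run and starts a fresh one next hour
    if ($run -ge $RerunNumberBeforeExiting) { Exit 1 }

    if ($RerunTesting) { Start-Sleep -Seconds 2 }
    else { Start-Sleep -Seconds (60 * $RerunEveryMin) }
}
```

Two design points worth keeping in mind when you adapt this: the decision rests entirely on a DNS answer, which an untrusted network can shape, so the comparison against the expected address (not just “it resolved”) and the suspension key together are what limit the impact of a wrong detection; and any failure to resolve falls through to the off-site branch, so an error leaves the GSA tunnel running rather than disabled.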
