Lets dive into the Entra secure web gateway solution, Microsoft Entra Internet Access! Please make sure to read the description for the chapters and key information about this video and others. ⚠ P L E A S E N O T E ⚠ 🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there! 🕰 I don't discuss future content nor take requests for future content so please don't ask 😇 🤔 Due to the channel growth and number of people wanting help I no longer can answer or even read questions and they will just stay in the moderation queue never to be seen so please post questions to other sites like Reddit, Microsoft Community Hub etc. 👂 Translate the captions to your native language via the auto-translate feature in settings! th-cam.com/video/v5b53-PgEmI/w-d-xo.html for a demo of using this feature. Thanks for watching! 🤙
I just do not know what we should do without these very easy to understand videos , Microsoft documentation only make sense after watching John's video. I guess these days Microsoft documentation is too much talk and heavy to understand . Thanks John
Listened to a podcast about GSE last week and knew it was going to be something I need to put in place within our business. I searched straight for Jon Savill knowing fine well that this quality content would be available. Another superb video Jon. Thanks as always!
Very useful. You seem to be using an updated version of the client that I am. The version I used didn't really show if you were connected to the services or not. This is very welcome.
Looks like an interesting challenge to services such as CloudFlare Argo tunnels and Tailscale networks, as well as traditional VPNs with split tunnelling.
Thanks for another great demo. I am assuming we can add block all rule to priority 6500 security profile to block any traffic that is outside the explicit rules.
Can add whatever you want but be careful you don't block things needed for authentication etc to function :-) You can easily break things if too agressive.
@@NTFAQGuy I was thinking more along the lines of traditional firewall rules where we explicitly allow traffic and then block everything else via default deny all rule in the end. I will look for the documentation on traffic/ports/rules needed for authentication.
Remember most firewalls are stateful so a response to an outbound works. Here you are blocking access to sites hence you need to give a lot more consideration.
great content as always John, qq..does the 65000 weighted profile trump all/any other policy (possibly conflicting) setting ? thanks in advance and happy new year !
This is really interesting, can this be used to access Azure SQL databases? We have an issue at our company where we need to VPN to our office to access SQL databases and this causes performance issues
How the machine is going to recover if the global admin accidently applied Entra ID Conditional Access Policy with Block control? Because now local client is set up to Block Internet Access app.
So in case the user got accidently blocked by Entra ID CA policy, all need to be done is to sign out and GA to fix Entra ID CA applied to Internet access
It does if http. You see that in demo. This is not a browser extension so tls is encrypted which means more difficult to inject a message from the OS into a browser page I suspect.
That's not the case. Endpoint would have first dibs since it's hooked into the browser. the SSE client doesn't do anything until the edgeSWG has access to the connection.@@NTFAQGuy
OpenDNS only in the sense of traffic filtering. OpenDNS manages filtering on a single IP and can be skirted by users updating their DNS server. This is far more advanced than OpenDNS. This can be used to manage traffic granularly by machine across your entire enterprise.
Lets dive into the Entra secure web gateway solution, Microsoft Entra Internet Access! Please make sure to read the description for the chapters and key information about this video and others.
⚠ P L E A S E N O T E ⚠
🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
🕰 I don't discuss future content nor take requests for future content so please don't ask 😇
🤔 Due to the channel growth and number of people wanting help I no longer can answer or even read questions and they will just stay in the moderation queue never to be seen so please post questions to other sites like Reddit, Microsoft Community Hub etc.
👂 Translate the captions to your native language via the auto-translate feature in settings! th-cam.com/video/v5b53-PgEmI/w-d-xo.html for a demo of using this feature.
Thanks for watching!
🤙
I just do not know what we should do without these very easy to understand videos , Microsoft documentation only make sense after watching John's video. I guess these days Microsoft documentation is too much talk and heavy to understand . Thanks John
Listened to a podcast about GSE last week and knew it was going to be something I need to put in place within our business. I searched straight for Jon Savill knowing fine well that this quality content would be available. Another superb video Jon. Thanks as always!
Thank you
what a successor vid to the first vid on global secure access!
thanks so much John!
Waited for this. You never disappoint :)
Very useful. You seem to be using an updated version of the client that I am. The version I used didn't really show if you were connected to the services or not. This is very welcome.
Thanks for the great explanation!
Interesting tech, could solve some problems in my environment thanks for the walk through!
You bet!
Thanks for this, very fun demo and great overall video.
Glad you enjoyed it!
Looks like an interesting challenge to services such as CloudFlare Argo tunnels and Tailscale networks, as well as traditional VPNs with split tunnelling.
Awesome as usual!
Awesome video!! lot of useful information!. Thank you!!!
Glad you enjoyed it!
Great Video John! Very interesting. I can see this possibly replacing our Forcepoint Web Filter Agents on our end user devices?!
This is great! Wish it can go to all different browsers such as google chrome and Firefox
This is within the OS. Nothing to do with which browser you are using.
Thanks for another great demo. I am assuming we can add block all rule to priority 6500 security profile to block any traffic that is outside the explicit rules.
Can add whatever you want but be careful you don't block things needed for authentication etc to function :-) You can easily break things if too agressive.
@@NTFAQGuy I was thinking more along the lines of traditional firewall rules where we explicitly allow traffic and then block everything else via default deny all rule in the end. I will look for the documentation on traffic/ports/rules needed for authentication.
Remember most firewalls are stateful so a response to an outbound works. Here you are blocking access to sites hence you need to give a lot more consideration.
great content as always John, qq..does the 65000 weighted profile trump all/any other policy (possibly conflicting) setting ?
thanks in advance and happy new year !
no its the lowest possible priority as I said in the video. Anything else overrides it.
Signing out of the agent gives unfiltered internet access? I assume sign out capability will be restricted for standard users?
Right, roadmap item.
At time of me writing this, the "Sign in as another user" option doesn't exist for me.
Huge news!
Very clear! Thx
You're welcome!
This is wonderful, however this breaks internal applications causing a DNS issues that I am still trying to determine how to fix this.
Thanks John
***Merci beaucoup*** Thanks John ***
Thank you!
Welcome!
This is really interesting, can this be used to access Azure SQL databases? We have an issue at our company where we need to VPN to our office to access SQL databases and this causes performance issues
you are mixing up internet and private access.
I was view #1
ROFL. Congrats
How the machine is going to recover if the global admin accidently applied Entra ID Conditional Access Policy with Block control? Because now local client is set up to Block Internet Access app.
Well you saw me undo it in the demo.
@@NTFAQGuy thanks for prompt response and covering this issue, asked my question too fast :) still watching.
So in case the user got accidently blocked by Entra ID CA policy, all need to be done is to sign out and GA to fix Entra ID CA applied to Internet access
surprised it doesn’t issue a ‘sorry/denied’ page
It does if http. You see that in demo. This is not a browser extension so tls is encrypted which means more difficult to inject a message from the OS into a browser page I suspect.
This is a great video. I was wondering about the
If MDE(Defender for Endpoint)'s webfiltering and Entra GSA's webfiltering policies collide, who wins?
Guess would be most restrictive. Think layers of blocking. If any blocks you can’t get to the target.
That's not the case. Endpoint would have first dibs since it's hooked into the browser. the SSE client doesn't do anything until the edgeSWG has access to the connection.@@NTFAQGuy
I guess authentication to Entra is required for the whole thing to work then. Shame we still authenticate to on-premise DCs
Is Entra Edge = Microsoft’s Security Service Edge (SSE) solution ?
Yes, I do mention that in the video.
Feels like OpenDNS 18 years after?
OpenDNS only in the sense of traffic filtering. OpenDNS manages filtering on a single IP and can be skirted by users updating their DNS server. This is far more advanced than OpenDNS. This can be used to manage traffic granularly by machine across your entire enterprise.
it's really web filtering 1.0. back when the internet was flat and single purposed.