Connectors for Microsoft Entra Private Access
Overview
Connectors are lightweight agents installed on servers within private networks to facilitate outbound connections to the Global Secure Access service. These connectors must be installed on Windows Servers that have access to backend resources and applications. Connectors can be organized into groups, with each group managing traffic to specific applications.
Installing and Registering a Connector
To utilize Microsoft Entra Private Access, install a connector on every Windows server that supports your on-premises applications. This connector acts as an agent managing outbound connections to Global Secure Access. It can also coexist with other authentication agents, such as Microsoft Entra Connect.
- OS Version: Windows Server 2012 R2 or later.
- .NET Framework: Version 4.7.1 or higher (required for connector version 1.5.3437.0 and above).
- Minimum Connector Version: 1.5.3417.0.
- TLS Requirement: TLS 1.2 must be enabled on the server.
Key Ports for Communication
Ensure the following ports are open for outbound traffic:
If a firewall enforces traffic based on originating users, ensure ports 80 and 443 are open for services running as a Network Service.
Inactive Connectors: A connector that shows as inactive is often the result of a firewall blocking the required outbound ports.
Required URLs and Ports
To ensure proper functionality of Microsoft Entra private network connectors and Application Proxy, allow access to the following URLs and ports:
URL | Port | Usage |
---|---|---|
*.msappproxy.net, *.servicebus.windows.net | 443/HTTPS | Communication between the connector and the Application Proxy cloud service. |
crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com | 80/HTTP | Certificate verification for the connector. |
crl.microsoft.com, oneocsp.microsoft.com, ocsp.msocsp.com | 80/HTTP | Certificate verification for Microsoft-related services. |
login.windows.net, secure.aadcdn.microsoftonline-p.com | 443/HTTPS | Connector authentication and communication. |
*.microsoftonline.com, *.microsoftonline-p.com | 443/HTTPS | Service communication for authentication and proxy functions. |
*.msauth.net, *.msauthimages.net, *.msecnd.net | 443/HTTPS | Supporting authentication services. |
*.msftauth.net, *.msftauthimages.net, *.phonefactor.net | 443/HTTPS | Multi-factor authentication and registration services. |
enterpriseregistration.windows.net | 443/HTTPS | Device registration services. |
management.azure.com | 443/HTTPS | Azure management API access. |
policykeyservice.dc.ad.msft.net | 443/HTTPS | Policy key services. |
ctldl.windowsupdate.com, www.microsoft.com/pkiops | 443/HTTPS | Connector registration process. |
ctldl.windowsupdate.com, www.microsoft.com/pkiops | 80/HTTP | Certificate updates during connector registration. |
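The quickest way to confirm that the egress rules above are actually in place is to probe each endpoint from the connector server itself. The script below is an added example, not code from the original post or from Microsoft; it walks the concrete hostnames in the table and reports which ones complete a TCP handshake. The wildcard entries (*.msappproxy.net, *.servicebus.windows.net, *.microsoftonline.com and so on) resolve to tenant-specific hostnames, so they are left out here and you should append the exact hosts your tenant uses.

```powershell
# Added example (not from the original post): outbound reachability probe for the
# connector's required endpoints. Run it on the connector server.
# Wildcard entries from the table are omitted because their hostnames are
# tenant-specific; add the exact hosts for your tenant to $Endpoints.
$Endpoints = @(
    @{ Host = 'login.windows.net';                   Port = 443 },
    @{ Host = 'secure.aadcdn.microsoftonline-p.com'; Port = 443 },
    @{ Host = 'enterpriseregistration.windows.net';  Port = 443 },
    @{ Host = 'management.azure.com';                Port = 443 },
    @{ Host = 'policykeyservice.dc.ad.msft.net';     Port = 443 },
    @{ Host = 'ctldl.windowsupdate.com';             Port = 443 },
    @{ Host = 'www.microsoft.com';                   Port = 443 },
    @{ Host = 'ctldl.windowsupdate.com';             Port = 80  },
    @{ Host = 'www.microsoft.com';                   Port = 80  },
    @{ Host = 'crl3.digicert.com';                   Port = 80  },
    @{ Host = 'crl4.digicert.com';                   Port = 80  },
    @{ Host = 'ocsp.digicert.com';                   Port = 80  },
    @{ Host = 'crl.microsoft.com';                   Port = 80  },
    @{ Host = 'oneocsp.microsoft.com';               Port = 80  },
    @{ Host = 'ocsp.msocsp.com';                     Port = 80  }
)

function Test-ConnectorEgress {
    param([hashtable[]]$Targets = $Endpoints)

    foreach ($t in $Targets) {
        # Test-NetConnection resolves the name and attempts a TCP handshake.
        # -WarningAction SilentlyContinue hides the noisy warning it prints on failure.
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $t.Host
            Port     = $t.Port
            Resolved = [bool]$r.RemoteAddress      # DNS worked
            TcpOpen  = $r.TcpTestSucceeded         # handshake completed
        }
    }
}

$results = Test-ConnectorEgress
$results | Format-Table -AutoSize

# A host that resolves but never completes the handshake is the classic cause of a
# connector showing as inactive: a firewall dropping the outbound port.
$blocked = @($results | Where-Object { $_.Resolved -and -not $_.TcpOpen })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) resolve but are blocked on their port: {1}" -f `
        $blocked.Count, (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

One caveat: this probe runs under the account of whoever launched PowerShell, while the connector services run as Network Service. If your firewall applies rules per originating user (the situation described above for ports 80 and 443), a clean result here does not prove that the Network Service identity is allowed through; check that rule separately.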
- For high availability, deploy multiple Windows servers with connectors installed.
- When using Windows Server 2019 or later, disable HTTP 2.0 in the WinHttp component to ensure Kerberos Constrained Delegation functions correctly. Use the following PowerShell command to disable HTTP 2.0:
Marketplace Deployment (Preview)
The Private Network Connector is available in Azure, AWS, and GCP Marketplaces (preview). These offerings allow users to deploy a pre-configured Windows virtual machine with the connector already installed and registered. This streamlined process simplifies deployment for Azure, AWS, and GCP workloads.
Deployment of Entra Private Network Connector from Azure Marketplace
If the applications or resources you want to publish through Entra Private Access are hosted in Azure, you can deploy the connector directly in Azure. In the Azure portal search bar, look for Microsoft Entra Private Network Connector.
Click Create, then select the Subscription and Resource Group where you want to deploy the Entra Private Network Connector. Next, choose the desired Region for deployment.
Click Next to configure the Private Network connection details. You will be prompted to select the Authentication Type, where you can choose between Verify identity using access token or Verify identity using username/password.
In this example, I will use Verify identity using access token.
Refer to the following Microsoft article for instructions on generating the token.
Paste the token into the Access Token field, then click Review and Create.
The deployment has started, and the progress is visible in the screenshot below.
The Connector VM has now been successfully deployed from the Azure Marketplace, and the Private Network Connector is visible on the Entra Global Secure Access > Connectors page.
You can refer to my Blog for detailed steps on configuring the Connector in Entra and publishing applications through the Private Network Connector.
Optimizing Connector Performance
To ensure the best performance:
- Physical Proximity: Place the connector server near the application servers.
- Domain Configuration: Ensure the connector and application servers are in the same Active Directory domain or trusting domains for seamless SSO with Kerberos Constrained Delegation.
- Network Optimization: Use Azure ExpressRoute or work with your networking team to optimize connections to Microsoft Entra services.
Connector Authentication
- Connectors use client and server certificates for mutual authentication. These certificates are generated during registration and are automatically renewed every few months.
- If a connector is offline for an extended period, its certificates may expire. Reinstall the connector to re-register and renew the certificates.
Use the following PowerShell commands to register a connector:
Import-Module MicrosoftEntraPrivateNetworkConnectorPSModule
Register-MicrosoftEntraPrivateNetworkConnector -EnvironmentName "AzureCloud"
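Because registration only succeeds on a server that meets the prerequisites listed at the top of this post (Windows Server 2012 R2 or later, .NET Framework 4.7.1 or later, TLS 1.2 enabled), it is worth checking them in the same script that performs the registration. The following is an added example, not code from the original post or from Microsoft: it verifies those prerequisites using standard Windows registry locations and WMI, and only then runs the two registration commands exactly as given above. It assumes an elevated 64-bit PowerShell session on a server where the connector installer has already placed the MicrosoftEntraPrivateNetworkConnectorPSModule module.

```powershell
# Added example (not from the original post): pre-flight checks for the connector
# prerequisites, followed by the registration commands from the post.
# Assumes an elevated 64-bit PowerShell session on the connector server.

function Test-ConnectorPrerequisites {
    # Returns one string per problem found; an empty result means the server is ready.
    $problems = @()

    # OS: Windows Server 2012 R2 reports version 6.3. ProductType 1 is a client OS,
    # 2 is a domain controller, 3 is a member server.
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'6.3') {
        $problems += "OS version $($os.Version) is older than Windows Server 2012 R2 (6.3)."
    }
    if ($os.ProductType -eq 1) {
        $problems += "Client edition of Windows detected; a Windows Server edition is required."
    }

    # .NET Framework: the 'Release' DWORD under NDP\v4\Full identifies the installed
    # version; 461308 is the lowest value that denotes .NET Framework 4.7.1.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -Name Release -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 461308) {
        $problems += ".NET Framework 4.7.1 or later is required (Release value found: '$($ndp.Release)')."
    }

    # TLS 1.2 in SChannel: on these OS versions the protocol is on unless the registry
    # explicitly disables it, so only an explicit Enabled=0 / DisabledByDefault=1 fails.
    $tls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
        -ErrorAction SilentlyContinue
    if ($tls -and (($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1))) {
        $problems += "TLS 1.2 client protocol is explicitly disabled in SCHANNEL."
    }

    # TLS 1.2 for .NET Framework 4.x code (the connector is a .NET service):
    # SchUseStrongCrypto=1 makes .NET prefer TLS 1.2 over TLS 1.0 by default.
    $strong = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' `
        -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
    if (-not $strong -or $strong.SchUseStrongCrypto -ne 1) {
        $problems += "SchUseStrongCrypto is not set to 1 under HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319."
    }

    return $problems
}

function Register-ConnectorIfReady {
    $problems = @(Test-ConnectorPrerequisites)
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        Write-Warning "Fix the items above before registering the connector."
        return $false
    }

    # Registration commands as given in the post. The module is installed together
    # with the connector, so this runs after the connector setup has completed.
    Import-Module MicrosoftEntraPrivateNetworkConnectorPSModule
    Register-MicrosoftEntraPrivateNetworkConnector -EnvironmentName "AzureCloud"
    return $true
}

Register-ConnectorIfReady
```

The .NET check reads the 64-bit registry view, which is why the session must be 64-bit; a 32-bit PowerShell host would be redirected to the WOW6432Node keys and could report a different value.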
High Availability and Scaling
- Deploy multiple connectors in a group to ensure resiliency.
- Connectors are stateless, and their performance depends on the number and size of requests, not user or session counts.
- Typical hardware can handle around 2,000 requests per second with standard web traffic.
Performance Factors
- Network Quality: Ensure low-latency connections to both Microsoft services and backend applications.
- Domain Controller Responsiveness: For SSO scenarios using Kerberos, ensure domain controllers are responsive and properly configured.
- Traffic Failover: In case of connector unavailability, traffic automatically redirects to other connectors within the same group.
Avoid any form of inline inspection or TLS termination on outbound TLS communications between Microsoft Entra private network connectors and Entra SSE Cloud Services. This ensures secure and uninterrupted connections.
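If a security appliance or proxy is terminating TLS on the path to Microsoft, the connector will see a certificate chain that ends in that appliance's own CA instead of a public root, and registration or tunnel establishment fails. The script below is an added example, not code from the original post or from Microsoft, that makes this visible from the connector server: it opens a TLS session to an endpoint from the table above, retrieves the chain the server presents, and flags the host when the root does not look like a public one. The list of expected root names (DigiCert and Microsoft roots) is an assumption based on the roots Microsoft's public endpoints currently chain to; verify it against the chain Microsoft publishes for your region and adjust the patterns if they differ.

```powershell
# Added example (not from the original post): detect inline TLS inspection on the
# connector's outbound path by inspecting the certificate chain a Microsoft endpoint
# presents. Run on the connector server.

function Get-ServerCertificateChain {
    # Opens a TLS session to $HostName:$Port and returns the certificates of the
    # resulting chain, leaf first and root last. Validation errors are deliberately
    # accepted so that an intercepted (untrusted) chain can still be inspected.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain from the leaf; revocation is skipped because this check is
        # about who issued the certificate, not about revocation status.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)
        foreach ($element in $chain.ChainElements) { $element.Certificate }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

function Test-TlsInterception {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Assumption: Microsoft's public endpoints chain to DigiCert or Microsoft roots.
        # Check against Microsoft's published chain and adjust if your region differs.
        [string[]]$ExpectedRootPatterns = @('DigiCert', 'Microsoft')
    )

    $certs = @(Get-ServerCertificateChain -HostName $HostName)
    $leaf  = $certs[0]
    $root  = $certs[-1]
    $rootLooksPublic = [bool]($ExpectedRootPatterns | Where-Object { $root.Subject -like "*$_*" })

    [pscustomobject]@{
        Host        = $HostName
        LeafSubject = $leaf.Subject
        LeafIssuer  = $leaf.Issuer
        RootSubject = $root.Subject
        Intercepted = -not $rootLooksPublic   # heuristic: unexpected root => inspection proxy
    }
}

# login.windows.net is one of the 443/HTTPS endpoints from the table above.
$report = Test-TlsInterception -HostName 'login.windows.net'
$report | Format-List

if ($report.Intercepted) {
    Write-Warning ("Chain for {0} ends in '{1}', which does not look like a public root. " +
        "Exempt the connector server's outbound traffic from TLS inspection.") -f $report.Host, $report.RootSubject
}
```

Treat the result as a pointer rather than a verdict: the root-name match is a heuristic, so when a host is flagged, review the full chain printed by Format-List and compare the root against the one your own workstation sees from an uninspected network.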
Notes:
- Unused connectors are marked as inactive and removed after 10 days of inactivity.
- To manually uninstall, remove both the Connector Service and Updater Service from the server and restart.
Conclusion
The Microsoft Entra Private Network Connector ensures secure and seamless access to internal resources, enabling per-app access with strong security controls. It supports dynamic scalability, high availability, and advanced traffic routing, making it ideal for modern IT environments.
With this solution, your organization can simplify remote access while enforcing compliance and security policies. Follow the steps in this blog to get started and unlock the full potential of Microsoft Entra Private Access.