Bye-Bye VPN, Hello Per-App Access!
Remember the “good old days” of VPNs? You connect, and suddenly you have network visibility to the printer on the 4th floor, the coffee machine IoT controls, and that one server from 2003 nobody dares to reboot. 😱 It was like giving a house guest the keys to every single room, including the safe.
Enter Global Secure Access (GSA) Per-App Access. It’s Microsoft’s way of saying, “You can come in, but only to this specific room.” It’s Zero Trust in action, and honestly, it’s about time. That said, I hate that they didn’t create a Linux appliance, so I always have to use Windows Server for this. :/
The “I Need Coffee” Guide to Setting It Up ☕
Here is the quick rundown on how to get this set up without pulling your hair out.
1. The Prep Work (Don’t skip leg day)
You need a Connector Group with at least one active Entra private network connector. Think of this as the bouncer at the door of your on-prem network. If you don’t have this, nothing gets in. Make sure your connector version is at least 1.5.3417.0! PLEASE give us a Linux container version!
2. Create the “App” (The VIP Room)
- Go to the Microsoft Entra admin center.
- Navigate to Global Secure Access > Applications > Enterprise applications.
- Hit New application.
- Give it a name (e.g., “Secret Legacy App”) and pick your Connector Group.
3. Define the Rules (The Velvet Rope)
This is where the magic happens. You need to tell GSA exactly what this app looks like on the network.
- Click Add application segment.
- Destination Type: IP address, FQDN (check wildcard support!), or IP range.
- Ports: 80, 443, 3389 (RDP), whatever you need.
- Fun fact: You can add up to 500 segments per app. Please don’t test that limit for your own sanity.
4. The Guest List (Access Control)
Just because the room exists doesn’t mean everyone gets in.
- Go to Users and groups in your new app.
- Add the specific users or groups who actually need access.
- Note: Nested groups are a no-go here. Keep it flat!
5. Flip the Switch
Finally, ensure the Private access traffic forwarding profile is enabled in Global Secure Access > Connect > Traffic forwarding. Without this, it’s just a nice configuration sitting on a shelf.
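Before flipping the switch, it is worth a pre-flight check of the segment list from step 3, because a single over-broad segment quietly turns “one app” back into “the whole network”. The linter below is an added example, not part of this post or of Microsoft’s tooling; it applies the constraints the post quotes (the 500-segment cap, IP/FQDN/range destinations, explicit ports) and flags wildcard FQDNs, wide CIDR ranges and all-ports segments for review. The sample plan, the /16 threshold and the FQDN pattern are my own assumptions.

```python
import ipaddress
import re

MAX_SEGMENTS = 500  # per-app cap quoted in the post
BROAD_PREFIX = 16   # assumed threshold: a range wider than /16 is a network, not an app
FQDN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def port_ranges(spec):
    """'80,443,3389' or '1-65535' -> [(low, high)]; raises ValueError on junk."""
    out = []
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        out.append((lo, hi))
    return out

def lint_segments(segments):
    """Return findings for a planned segment list; [] means the scope looks tight."""
    findings = []
    if len(segments) > MAX_SEGMENTS:
        findings.append(f"{len(segments)} segments exceeds the {MAX_SEGMENTS} per-app cap")
    for seg in segments:
        dest = seg["destination"]
        try:
            ports = port_ranges(seg["ports"])
        except ValueError as err:
            findings.append(f"{dest}: {err}")
            continue
        try:
            net = ipaddress.ip_network(dest, strict=False)  # a single IP parses as a /32
        except ValueError:
            net = None                                      # not IP or CIDR, so it must be an FQDN
        if net is None and not FQDN_RE.match(dest):
            findings.append(f"{dest}: not an IP, CIDR range or FQDN")
        elif net is None and dest.startswith("*."):
            findings.append(f"{dest}: wildcard exposes every host under the domain")
        elif net is not None and net.prefixlen < BROAD_PREFIX:
            findings.append(f"{dest}: wider than /{BROAD_PREFIX}, that is a network, not an app")
        if (1, 65535) in ports:
            findings.append(f"{dest}: all 65535 ports, scope to what the app actually uses")
    return findings

PLAN = [  # constructed sample: one tight segment and three that deserve a second look
    {"destination": "10.20.30.40", "ports": "443"},
    {"destination": "10.0.0.0/8", "ports": "1-65535"},
    {"destination": "*.corp.example", "ports": "80,443"},
    {"destination": "legacy app", "ports": "3389"},
]
```

Run `lint_segments(PLAN)` on your own export of the planned segments; an empty list is the goal, and every finding is a segment to justify before it goes into the app.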
My Two Cents 💭
I love this because it solves the “Lateral Movement” problem. If an attacker compromises a user’s device, they don’t get the whole network—they get… one app. And maybe not even that if you have good Conditional Access policies on top (which you should!).
It feels like we are finally moving away from “crunchy on the outside, soft on the inside” networks to something where every door is locked. Sure, setting up segments requires knowing your network (which can be a scary discovery process 😅), but the peace of mind is worth it.
Happy segmenting! 🛡️