Global Secure Access (GSA) : The future of secure corporate Internet browsing --- A Technical Guide


1 - What is GSA (Global Secure Access) :

Global Secure Access (GSA) is a part of Microsoft's Security Service Edge (SSE) solution. It's designed to provide secure network access control and visibility to users and devices, regardless of their location or the device they are using.

GSA is built upon the core principles of Zero Trust, which include using least privilege, verifying explicitly, and assuming breach. It comprises two main components:

  • Microsoft Entra Internet Access : This secures access to Microsoft services, SaaS, and public internet apps while protecting users, devices, and data against internet threats.
  • Microsoft Entra Private Access : This provides secure remote access to private enterprise applications and resources, whether hosted on-premises, in Azure, or in other cloud environments.


In this blog, we will discuss only Microsoft Entra Internet Access.


2 - What is GSA Internet Access used for ?

GSA Internet Access is designed to replace traditional web proxy and secure web gateway solutions. It provides complete protection and web filtering for Internet traffic, while optimizing performance and ease of use.


3 - How GSA Internet Access works

  1. Traffic routing : All Internet traffic is routed to GSA via the client agent or network configuration.
  2. Authentication : User identity is verified via Microsoft Entra ID.
  3. Inspection and filtering : Traffic is analyzed in real time to detect and block threats.
  4. Policy enforcement : Rules based on user, group or device are applied.
  5. Logging and reporting : All activities are recorded for analysis and compliance.
  6. Zero Trust : GSA applies Zero Trust principles to Internet access.
  7. Compliance : Helps comply with various regulations (GDPR, HIPAA, etc.).
  8. Encryption : Ensures the confidentiality of data in transit.


3 - Prerequisites for GSA Internet Access :

  • Azure subscription
  • Entra ID tenant with P1 licences (provided from Business Premium licences and above)
  • Global Secure Access Administrator role or Global Administrator role
  • Entra-joined Windows device for testing purposes.


4 - Mindmap to implement GSA Internet Access :

Here is a mindmap for implementing GSA Internet Access :


5 - Start Configuring GSA Internet Access :


Step 1 : Activate and configure Global Secure Access in your tenant :


  • Log in to the Microsoft Entra portal (https://entra.microsoft.com/)
  • Go to "Global Secure Access" from the left menu bar
  • Select "Get started"
  • Select "Activate" to activate Global Secure Access in your tenant (this step is required before any of GSA's features and capabilities can be used in your environment)

The second feature we need to enable is access signaling in Conditional Access.

Adaptive access settings allow admins to enable features used by Microsoft Entra Conditional Access and Microsoft Entra Identity Protection.


After enabling Global Secure Access and access signaling in Conditional Access :

  • Return to "Global Secure Access" menu
  • Expand "Connect" from the left menu bar
  • Select "Traffic forwarding"
  • Enable "Internet Access Profile"

Select "OK" to confirm enabling the "Internet Access Profile".

  • Here is the window after enabling "Internet Access Profile".

  • Click "View" to select the user and group assignment.

  • Select "Assign to all users", or select one or more groups according to your company's needs.

  • After user assignment.

Now that we have enabled and configured Global Secure Access, we can move to the next phase : Create Web content filtering policy


Step 2 : Create Web content filtering policy


In the Entra portal :

  • Navigate to the GSA section
  • Under "Secure", select "Web content filtering policies"
  • Click "Create policy" (these policies will later be linked to Conditional Access policies through a security profile)

  • Name the Web content filtering policy so that it reflects the targeted content and desired action. In my case, I will set up a policy to restrict access to all unwanted website categories (Pornography, Child abuse, Hacking, Hate and Intolerance, etc.), so I have chosen the name "Block unwanted websites".
  • Proceed to determine the desired action for the web content policy. You have two primary options: a. Allow: permits access to the designated web content. b. Block: denies access to the specified web content. Since the objective is to block these categories, choose the "Block" action, then click "Next".

  • Navigate to the "Policy rules" tab, then select the "Add rule" option.
  • Add a rule name
  • Keep "Web category" as the destination type
  • Select the website categories to block (in my case I have chosen : Pornography, Child abuse, Hacking, Hate and Intolerance, Illegal Software, Marijuana, etc.); you can choose the categories that match your company's needs.
  • Click "Add"

  • Here we can see the newly created rule.
  • Click "Next"

  • In the "Review" tab, carefully examine the configured web content filtering policy. Once satisfied with the settings, click "Create policy" to finalize the process.

  • Here we can see our newly created policy.

Now that we have established all the requisite Web Content Filtering policies, we can transition to the next phase: Creating Security Profiles.


Step 3 : Creating Security Profiles


  • In the Microsoft Entra portal, locate Global Secure Access, expand the "Secure" section, and select "Security profiles". On the Security profiles page, click "Create profile" to define our initial profile.

  • Give a name to your security profile (in my case, I have chosen "Block unwanted websites for all Users")
  • Add a description
  • Set State to "Enabled"
  • Click "Next"

  • In this section, you can either create a new Web content filtering policy if needed or select an existing one that has already been defined. Since we have already configured our Web content filtering policy (Block unwanted websites), we will opt for "Existing policy".
  • Select your existing policy (Block unwanted websites)
  • Keep the state as "Enabled"
  • Click "Add"

  • Once the security profile contains all the necessary policies, click "Next" to advance to the "Review" tab.

  • In the "Review" tab, carefully review the configured security profile. Once you are satisfied with the settings, click "Create policy" to finalize the process.

  • Here we can see our security profile configured.

Having configured the Security Profiles for our use case, we can proceed to the next section on Conditional Access.


Step 4 : Create Conditional Access Policy


In the Microsoft Entra portal :

  • Go to "Protection"
  • Select "Conditional Access"
  • Inside the Conditional Access interface, click "Policies"
  • Click "Create new policy" to define our initial policy.

  • In the new Conditional Access policy wizard, begin by providing a descriptive name for the policy, such as "Web Filtering Policy – Restrict Unwanted websites".
  • Select the users or groups of users to which you want this policy to apply.

  • Next, under the "Target resources" section, choose the "Global Secure Access" resource, and then select the "Internet traffic" profile underneath.

  • In the "Session" section, find the option labeled "Use Global Secure Access security profile", and select the security profile that should be applied within this policy.
  • Click "Select"

  • In the "Enable policy" section, select "On"
  • Click "Create"

  • Here we can see the new Conditional Access policy.

Now that we have set up the required Conditional Access policies, we can move forward to the next section.


Step 5 : Download and install the GSA Agent on an Entra-joined Windows Device


In the Microsoft Entra portal :

  • Navigate to Global Secure Access
  • Expand "Connect" and select "Client download".
  • On the Client download page, expand the "Windows 10/11" section and click "Download Client"

  • Here is the agent file.

  • Let's connect to the Entra ID-joined machine and proceed with the agent installation.

  • Double-click the setup file
  • Select "I agree..."
  • Click the "Install" button

After finishing program setup :

  • Click "Close"

After installing the client agent in my VM, I should see the Office 365 authentication window, but in my case my machine is already joined to Intune, so there is no need to re-authenticate; that is why I can't see it. You should see it on your side, so just authenticate with your Office 365 account.

  • Look at the system tray to double-check that the installation was successful. If you see the client icon there and it is running, the installation worked.

  • Verify that the client has successfully connected to Global Secure Access by checking the overview screen.

  • Open the Global Secure Access client and navigate to the "Health check" screen. Confirm that "Tunneling succeeded Internet Access" is displayed as "Yes".

To test Internet Access, simply try accessing a blocked website. If it is blocked, you will see a connection reset and will not be able to reach the site. This means users will not be able to access this site category.

  • Here, I have tried to download cracked software, and as we can see, the illegal software website is blocked.
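The connection-reset behaviour described above can be turned into a repeatable check of the filtering policy. The script below is an added example, not code from the original post or from Microsoft: run it from an Entra-joined device with the GSA client connected, and it probes a list of URLs with the outcome you expect for each (allowed, or blocked via connection reset) and reports mismatches. The URL list is a constructed placeholder; replace the blocked entry with a site from a category your own policy blocks.

```python
"""Policy verification probe for a GSA Internet Access deployment.

Added example (not part of the original post). Run it on an Entra-joined
device whose Global Secure Access client shows "Tunneling succeeded" so that
requests traverse the Internet Access tunnel.
"""
import urllib.error
import urllib.request
from http.client import RemoteDisconnected

# Constructed test matrix: (url, expected outcome). "blocked" is what the post
# observes for a filtered category (the TCP connection is reset); "allowed" is a
# normal HTTP response. The second entry is a placeholder to replace.
TEST_MATRIX = [
    ("https://www.microsoft.com/", "allowed"),
    ("https://blocked-category-site.example/", "blocked"),  # placeholder
]

RESET_ERRORS = (ConnectionResetError, ConnectionAbortedError, RemoteDisconnected)


def classify_outcome(result):
    """Map a fetch result (HTTP status or exception) to 'allowed', 'blocked' or 'error'.

    A web-category block surfaces on the client as a reset or dropped TCP
    connection rather than an HTTP status, so those exception types count as
    'blocked'. Anything else (DNS failure, timeout, HTTP 4xx/5xx) is 'error' so
    that a broken test setup is never mistaken for a working policy.
    """
    if isinstance(result, int):
        return "allowed" if result < 400 else "error"
    if isinstance(result, RESET_ERRORS):
        return "blocked"
    if isinstance(result, urllib.error.URLError) and isinstance(result.reason, RESET_ERRORS):
        return "blocked"
    return "error"


def fetch(url, timeout=10):
    """Return the HTTP status code, or the exception raised, for one URL."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except Exception as exc:  # every failure is classified, not swallowed
        return exc


def verify_policy(matrix, fetcher=fetch):
    """Probe every URL; return a list of (url, expected, observed, ok) tuples."""
    report = []
    for url, expected in matrix:
        observed = classify_outcome(fetcher(url))
        report.append((url, expected, observed, observed == expected))
    return report


if __name__ == "__main__":
    for url, expected, observed, ok in verify_policy(TEST_MATRIX):
        print(f"{'PASS' if ok else 'FAIL'} {url}: expected {expected}, observed {observed}")
```

Keeping "error" separate from "blocked" matters: a timeout or DNS failure on the test device would otherwise look like a successful block, and the check would pass while the policy is not actually being enforced.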


Step 6 : Monitor Internet Access from Entra ID


After implementing GSA and testing it on a user workstation, it's time to monitor Internet access and the blocked sites users have tried to visit. For this :

  • Go to the Entra ID admin center
  • Go to the GSA section
  • Expand the "Monitor" menu and select "Traffic logs"

Here, we can see all the traffic passing through Global Secure Access for the connected endpoints and the actions taken. We can review and export this data to CSV or JSON files.

As you can see here, I have tried to access an illegal website and the content was blocked by the GSA agent.
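Once the traffic logs are exported to JSON, the blocked events can be summarised outside the portal. The script below is an added example, not code from the original post or from Microsoft; the record layout (createdDateTime, userPrincipalName, destinationFqdn, action, policyName) is an assumption modelled on the columns shown in the Traffic logs view, so check it against your own export and rename the keys if they differ. The sample export embedded in the script is constructed. Besides counting blocks per user and per destination, it flags destinations that were blocked for some users and allowed for others, which is a quick way to spot users or devices that fall outside the Conditional Access policy's scope.

```python
"""Summarise an exported Global Secure Access traffic log (JSON).

Added example, not from the original post. The field names are an assumption
based on the Traffic logs view; adjust them to match your export.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export: six flows for three users.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-01T09:00:12Z", "userPrincipalName": "alice@contoso.example",
     "destinationFqdn": "www.microsoft.com", "action": "allow", "policyName": None},
    {"createdDateTime": "2024-05-01T09:01:03Z", "userPrincipalName": "bob@contoso.example",
     "destinationFqdn": "cracks.example", "action": "block", "policyName": "Block unwanted websites"},
    {"createdDateTime": "2024-05-01T09:01:40Z", "userPrincipalName": "bob@contoso.example",
     "destinationFqdn": "cracks.example", "action": "block", "policyName": "Block unwanted websites"},
    {"createdDateTime": "2024-05-01T09:05:21Z", "userPrincipalName": "bob@contoso.example",
     "destinationFqdn": "warez.example", "action": "block", "policyName": "Block unwanted websites"},
    {"createdDateTime": "2024-05-01T09:06:02Z", "userPrincipalName": "carol@contoso.example",
     "destinationFqdn": "cracks.example", "action": "allow", "policyName": None},
    {"createdDateTime": "2024-05-01T09:10:55Z", "userPrincipalName": "alice@contoso.example",
     "destinationFqdn": "warez.example", "action": "block", "policyName": "Block unwanted websites"},
])


def load_records(export_text):
    """Parse a JSON export (an array of traffic records) into a list of dicts."""
    records = json.loads(export_text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of traffic records")
    return records


def summarize(records):
    """Count blocks per user and per destination, and find inconsistent destinations."""
    blocked_by_user = Counter()
    blocked_destinations = Counter()
    actions_by_fqdn = defaultdict(set)
    for rec in records:
        fqdn = rec.get("destinationFqdn") or rec.get("destinationIp") or "<unknown>"
        action = (rec.get("action") or "").lower()
        actions_by_fqdn[fqdn].add(action)
        if action == "block":
            blocked_by_user[rec.get("userPrincipalName") or "<unknown>"] += 1
            blocked_destinations[fqdn] += 1
    # A destination both blocked and allowed in the same export usually means
    # some users or devices are not covered by the Conditional Access policy.
    inconsistent = sorted(f for f, acts in actions_by_fqdn.items() if {"allow", "block"} <= acts)
    return {
        "blocked_by_user": blocked_by_user,
        "blocked_destinations": blocked_destinations,
        "inconsistent_destinations": inconsistent,
    }


def repeat_offenders(summary, threshold=3):
    """Users whose block count reaches the threshold, sorted by name."""
    return sorted((u, c) for u, c in summary["blocked_by_user"].items() if c >= threshold)


if __name__ == "__main__":
    summary = summarize(load_records(SAMPLE_EXPORT))
    print("Blocks per user:", dict(summary["blocked_by_user"]))
    print("Blocked destinations:", dict(summary["blocked_destinations"]))
    print("Blocked for some users, allowed for others:", summary["inconsistent_destinations"])
    print("Users at or above 3 blocks:", repeat_offenders(summary))
```

The "inconsistent destinations" list is the check worth running after every change to user or group assignment: in the sample, cracks.example is blocked for bob but allowed for carol, which is exactly what an assignment gap in Step 1 or Step 4 looks like in the logs.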

6 - Conclusion :


Global Secure Access (GSA) represents a significant step forward in securing access to corporate resources. Based on Zero Trust principles, GSA offers secure connectivity and centralized management, while simplifying security architecture. Thanks to its integration with Microsoft Entra, GSA provides robust protection against threats and helps organizations meet compliance requirements. By adopting GSA, companies can guarantee secure, seamless access to their applications and data, regardless of the location of users or resources.


Thanks



Aymen EL JAZIRI

System Administrator
