How to manage the Internet Access traffic forwarding profile
The Internet Access traffic forwarding profile routes internet traffic through the Global Secure Access client. Enabling this traffic forwarding profile allows remote workers to connect to the internet in a controlled and secure way. With the features of Microsoft Entra Internet Access, you can control which internet sites can be accessed. You can also configure which traffic to exclude from Global Secure Access based on IP addresses, IP address ranges, IP subnets, and Fully Qualified Domain Names (FQDNs).
Prerequisites
To enable the Internet Access forwarding profile for your tenant, you must have:
- The Global Secure Access Administrator role in Microsoft Entra ID.
- A license for the product. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
Internet Access traffic forwarding profile policies
View the policies that relate to the Internet Access traffic forwarding profile. There are three policies by default. To view them:
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Connect > Traffic forwarding.
- Select the View link in the Internet Access policies section.
The default Internet Access policies include:
- Custom Bypass: Contains user-defined traffic/endpoints that are excluded from the Internet traffic profile. In other words, you define the traffic that the profile shouldn't acquire. You might typically exclude traffic such as your VPN endpoints, private IP ranges, squat IP ranges, and endpoints that rely on a network Access Control List (ACL).
- Default Bypass: Contains predefined traffic that the Internet traffic profile doesn't acquire, for example private IP ranges. You can't change rules in this policy.
- Default Acquire: Defines the traffic that the Internet traffic profile acquires. Currently, that's all internet traffic on TCP ports 80 and 443. This policy has the lowest precedence: it's evaluated only after all bypass rules. You can't change rules in this policy.
Example of adding a custom bypass policy:
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Connect > Traffic forwarding.
- In the Internet Access traffic forwarding profile area, in the Internet Access policies section, select the View link.
- Expand the Custom Bypass policy.
- Select Add rule.
- Choose a destination type, such as Fully Qualified Domain Name (FQDN).
- Enter a valid destination. You can add multiple comma-separated destination values, with no whitespace, for example contoso.com,fabrikam.com or 10.0.0.1/32,10.0.0.2/32. Ports, protocol, and action are always fixed and can't be changed.
- Select Save.
Note
Policies are evaluated from top to bottom: the Custom Bypass and Default Bypass rules are checked first, and traffic is acquired by the Internet traffic profile only if none of the bypass rules match it.
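The following is an added example, not Microsoft's code or the client's implementation. It does two things a practitioner wants before and after adding a Custom Bypass rule: it checks a comma-separated destination value against the format the admin center expects (no whitespace, all FQDNs or all IPs/CIDRs in one rule), and it simulates the evaluation order described above (Custom Bypass, then Default Bypass, then Default Acquire on TCP 80/443) against constructed destinations. The rule set, the RFC 1918/loopback/link-local contents of Default Bypass, and exact-name FQDN matching are all assumptions made for the example; the client's Advanced diagnostics remain the source of truth for what is actually acquired.

```python
"""Offline model of the Internet Access profile's policy evaluation.

Added example; not Microsoft code. The policy contents below are assumptions
that follow the documentation's description, not the client's real rule set.
"""
import ipaddress
import re

# RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_destinations(value: str):
    """Validate one Custom Bypass destination value ("a,b,c", no whitespace).

    Returns (kind, items) where kind is "fqdn" or "ip" and items are the
    parsed entries. Raises ValueError for anything the admin center would
    reject or that would silently create a wrong rule (mixed types).
    """
    if re.search(r"\s", value):
        raise ValueError("destination value must not contain whitespace")
    items = value.split(",")
    if any(not item for item in items):
        raise ValueError("empty entry (leading, trailing or doubled comma)")
    kinds, parsed = set(), []
    for item in items:
        try:
            # Accepts both bare IPs and CIDR ranges, e.g. 10.0.0.1/32.
            parsed.append(ipaddress.ip_network(item, strict=False))
            kinds.add("ip")
            continue
        except ValueError:
            pass
        labels = item.rstrip(".").split(".")
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            raise ValueError(f"not a valid FQDN or IP/CIDR: {item!r}")
        parsed.append(item.lower().rstrip("."))
        kinds.add("fqdn")
    if len(kinds) != 1:
        # A rule has a single destination type; mixing would be a data-entry error.
        raise ValueError("a rule must contain only FQDNs or only IP/CIDR entries")
    return kinds.pop(), parsed


# Constructed Custom Bypass rules, as an admin might add them (assumed values).
CUSTOM_BYPASS = {
    "fqdn": parse_destinations("contoso.com,fabrikam.com")[1],
    "ip": parse_destinations("203.0.113.0/24")[1],  # e.g. an on-premises VPN endpoint range
}

# Default Bypass: the doc cites private IP ranges as an example. RFC 1918 plus
# loopback and link-local are assumed here; this is not Microsoft's full list.
DEFAULT_BYPASS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

ACQUIRE_PORTS = {80, 443}  # Default Acquire: TCP 80 and 443 only


def evaluate(dest: str, port: int, proto: str = "tcp") -> str:
    """Return which policy decides a flow to dest:port over proto.

    Result is one of "custom-bypass", "default-bypass", "default-acquire" or
    "not-acquired". Bypass policies are checked first, so a bypass match always
    wins over Default Acquire. FQDN matching is modelled as an exact-name match,
    which is a simplification of the example, not a statement about the client.
    """
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None
    if addr is None:
        if dest.lower().rstrip(".") in CUSTOM_BYPASS["fqdn"]:
            return "custom-bypass"
    else:
        if any(addr in net for net in CUSTOM_BYPASS["ip"]):
            return "custom-bypass"
        if any(addr in net for net in DEFAULT_BYPASS):
            return "default-bypass"
    if proto.lower() == "tcp" and port in ACQUIRE_PORTS:
        return "default-acquire"
    return "not-acquired"


if __name__ == "__main__":
    for dest, port, proto in [("contoso.com", 443, "tcp"), ("10.1.2.3", 443, "tcp"),
                              ("203.0.113.7", 80, "tcp"), ("198.51.100.5", 443, "tcp"),
                              ("198.51.100.5", 22, "tcp"), ("198.51.100.5", 443, "udp")]:
        print(f"{dest}:{port}/{proto} -> {evaluate(dest, port, proto)}")
```

Run parse_destinations on the exact string you plan to paste into the Custom Bypass rule; a value with a space after a comma, or one that mixes an FQDN with a CIDR, is rejected here rather than producing a rule that doesn't match what you intended. The evaluate function is only a reading aid for the precedence rule and should be cross-checked against the client's diagnostics, as the Validate section below describes.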
User and group assignments
You can scope the Internet Access profile to specific users and groups.
To learn more about user and group assignment, see How to assign and manage users and groups with traffic forwarding profiles.
Enable the Internet Access traffic forwarding profile
To enable the Microsoft Entra Internet Access forwarding profile to forward user traffic:
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Connect > Traffic forwarding.
- Set policies on the traffic profile. For example, set a custom bypass rule to exclude specific traffic.
- Enable the Internet Access profile. Internet traffic from the client devices in scope of the profile starts forwarding to Microsoft's Security Service Edge (SSE) proxy, where you configure granular security policies.
Note
When you enable the Internet Access forwarding profile, you should also enable the Microsoft traffic forwarding profile for optimal routing of Microsoft traffic. You enable the Microsoft traffic profile by selecting the profile checkbox on the same page where you enable the Internet Access traffic forwarding profile. To learn more about the Microsoft traffic forwarding profile, see How to enable and manage the Microsoft profile.
Validate the Internet Access traffic forwarding profile
A rule added to a policy takes 10-20 minutes to appear in the client on a user's computer. If the rule doesn't appear after this time, disable and then re-enable the Internet Access traffic forwarding profile.
To validate the traffic forwarding profile, traffic forwarding policies, and rules:
- In the system tray, right-click the Global Secure Access client and select Advanced diagnostics.
- Open a web browser and navigate to a destination on the internal network. Confirm that traffic isn't being captured.
- Open a web browser and navigate to a destination that is bypassed. Confirm that traffic isn't being captured.
- Open a web browser and navigate to a public destination that is acquired by the profile. Confirm the traffic is being acquired under the Internet channel.