How to configure private network connectors for Microsoft Entra Private Access and Microsoft Entra application proxy
Connectors are lightweight agents that sit on a server in a private network and facilitate the outbound connection to the Global Secure Access service. Connectors must be installed on a Windows Server that has access to the backend resources and applications. You can organize connectors into connector groups, with each group handling traffic to specific applications. To learn more about connectors, see Understand Microsoft Entra private network connectors.
Prerequisites
To add private resources and applications to Microsoft Entra ID, you need:
User identities must be synchronized from an on-premises directory or created directly within your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to pre-authenticate users before granting them access to application proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
Windows server
The Microsoft Entra private network connector requires a server running Windows Server 2012 R2 or later. You'll install the private network connector on the server. This connector server needs to connect to the Microsoft Entra Private Access service or application proxy service and the private resources or applications that you plan to publish.
For high availability in your environment, we recommend having more than one Windows server.
The minimum .NET version required for the connector is v4.7.1+.
When you use Kerberos single sign-on (SSO) through the Microsoft Entra application proxy service, disable HTTP/2 on the private network connector on Windows Server 2019 or later. This is not required when the connector is used with Private Access.
Kerberos Constrained Delegation only works correctly when HTTP/2 support is disabled in the WinHttp component. HTTP/2 is disabled by default in earlier versions of the supported operating systems; on Windows Server 2019 and later, adding the following registry key and restarting the server disables it. This is a machine-wide registry key.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"EnableDefaultHTTP2"=dword:00000000
The key can be set via PowerShell with the following command:
If you've deployed Microsoft Entra Password Protection Proxy, do not install Microsoft Entra application proxy and Microsoft Entra Password Protection Proxy together on the same machine. Microsoft Entra application proxy and Microsoft Entra Password Protection Proxy install different versions of the Microsoft Entra Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.
Transport Layer Security (TLS) requirements
The Windows connector server must have TLS 1.2 enabled before you install the private network connector.
To enable TLS 1.2:
Set registry keys.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Restart the server.
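The following PowerShell is an added example, not Microsoft's own script, that applies both registry changes this page describes (EnableDefaultHTTP2 for Kerberos SSO through application proxy, and the TLS 1.2 and SchUseStrongCrypto values above) and then reads them back together with the installed .NET Framework release. It assumes an elevated session on the Windows server that will host the connector; the function and variable names are the example's own.

```powershell
# Added example, not Microsoft's own script: applies the registry settings this page
# lists for a connector server and reads them back. Run in an elevated PowerShell
# session on the Windows server that will host the connector; a restart is still
# needed before SCHANNEL and WinHttp pick up the new values.

# Creates the key path if it is missing, then writes a REG_DWORD value. Set-ItemProperty
# on its own fails when the key does not exist yet, which is normal for the
# "TLS 1.2\Client" and "TLS 1.2\Server" keys on a fresh server.
function Set-RegistryDword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$Tls12Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$DotNetKey  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$WinHttpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

# Same values as the .reg snippet under "Transport Layer Security (TLS) requirements".
function Enable-Tls12 {
    foreach ($side in 'Client', 'Server') {
        Set-RegistryDword -Path "$Tls12Key\$side" -Name 'DisabledByDefault' -Value 0
        Set-RegistryDword -Path "$Tls12Key\$side" -Name 'Enabled' -Value 1
    }
    Set-RegistryDword -Path $DotNetKey -Name 'SchUseStrongCrypto' -Value 1
}

# EnableDefaultHTTP2=0 is only needed for Kerberos SSO through application proxy on
# Windows Server 2019 (build 17763) or later; earlier builds already have it off.
function Disable-WinHttpHttp2 {
    [CmdletBinding()]
    param()
    $build = [int](Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 17763) {
        Write-Verbose "Build $build predates Windows Server 2019; nothing to change."
        return
    }
    Set-RegistryDword -Path $WinHttpKey -Name 'EnableDefaultHTTP2' -Value 0
}

# Reads each setting back and reports pass/fail, plus the installed .NET Framework
# release (461308 is the documented minimum Release value for 4.7.1).
function Test-ConnectorPrerequisites {
    $checks = @(
        @{ Check = 'TLS 1.2 client enabled';       Path = "$Tls12Key\Client"; Name = 'Enabled';           Expected = 1 },
        @{ Check = 'TLS 1.2 client on by default'; Path = "$Tls12Key\Client"; Name = 'DisabledByDefault'; Expected = 0 },
        @{ Check = 'TLS 1.2 server enabled';       Path = "$Tls12Key\Server"; Name = 'Enabled';           Expected = 1 },
        @{ Check = 'TLS 1.2 server on by default'; Path = "$Tls12Key\Server"; Name = 'DisabledByDefault'; Expected = 0 },
        @{ Check = '.NET strong crypto';           Path = $DotNetKey;         Name = 'SchUseStrongCrypto'; Expected = 1 },
        @{ Check = '.NET Framework 4.7.1+';        Path = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'; Name = 'Release'; Expected = 461308 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $pass = if ($c.Name -eq 'Release') { $actual -ge $c.Expected } else { $actual -eq $c.Expected }
        [pscustomobject]@{ Check = $c.Check; Expected = $c.Expected; Actual = $actual; Pass = [bool]$pass }
    }
}

Enable-Tls12
Disable-WinHttpHttp2 -Verbose      # omit this call when the connector is used only with Private Access
Test-ConnectorPrerequisites | Format-Table -AutoSize
# Restart-Computer afterwards, as the page requires, before installing the connector.
```

Running Test-ConnectorPrerequisites again after the restart is the useful step: any row whose Pass column is False is a prerequisite the installer will trip over, and the .NET row uses a greater-or-equal comparison because later releases carry higher Release numbers.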
Note
Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. For more information, see Azure TLS certificate changes.
Make sure the connector server and the web application servers are in the same Active Directory domain or span trusting domains. Having the servers in the same domain or trusting domains is a requirement for using single sign-on (SSO) with integrated Windows authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, use resource-based delegation for single sign-on.
Prepare your on-premises environment
Start by enabling communication to Azure data centers to prepare your environment for Microsoft Entra application proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.
Important
If you're installing the connector for the Azure Government cloud, follow the Azure Government prerequisites and installation steps. Azure Government requires access to a different set of URLs and an additional parameter when running the installation.
Open ports
Open the following ports to outbound traffic.
Port number | How it's used
80 | Downloading certificate revocation lists (CRLs) while validating the TLS/SSL certificate
443 | All outbound communication with the Application Proxy service
If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a Network Service.
Allow access to URLs
Allow access to the following URLs:
URL | Port | How it's used
*.msappproxy.net, *.servicebus.windows.net | 443/HTTPS | Communication between the connector and the Application Proxy cloud service. The connector uses these URLs during and beyond the registration process.
ctldl.windowsupdate.com, www.microsoft.com/pkiops | 80/HTTP | The connector uses these URLs during and beyond the registration process.
You can allow connections to *.msappproxy.net, *.servicebus.windows.net, and other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the Azure IP ranges and Service Tags - Public Cloud. The IP ranges are updated each week.
Important
Avoid all forms of inline inspection and termination on outbound TLS communications between Microsoft Entra private network connectors and Microsoft Entra application proxy Cloud services.
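As an added example (not Microsoft's own tooling), the PowerShell below checks from the connector server that the ports and hosts in the table above are reachable, and then opens a TLS session to a service host and reports the negotiated protocol and certificate chain, which is how you confirm that no proxy or appliance is terminating the outbound TLS connection. The wildcard entries cannot be tested as written, so connector-endpoint.msappproxy.net is a placeholder under *.msappproxy.net to be replaced with a real hostname from your tenant; the function names are the example's own.

```powershell
# Added example, not Microsoft's own tooling: egress and TLS-path checks for the
# connector server. Hostnames are the page's, except the placeholder below.

# Endpoints from the page: 443 for the service, 80 for CRL and certificate downloads.
# "connector-endpoint.msappproxy.net" is a placeholder under the *.msappproxy.net
# wildcard; replace it with a real hostname before running.
$ConnectorEndpoints = @(
    @{ Host = 'connector-endpoint.msappproxy.net'; Port = 443 },
    @{ Host = 'ctldl.windowsupdate.com';           Port = 80  },
    @{ Host = 'www.microsoft.com';                 Port = 80  }
)

# Plain TCP reachability, one row per endpoint. RemoteIP is the resolved address,
# which is worth comparing against the published Azure IP ranges when a firewall
# cannot filter on domain suffixes.
function Test-ConnectorEgress {
    param([Parameter(Mandatory)] [object[]] $Endpoints)
    foreach ($e in $Endpoints) {
        $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $e.Host
            Port      = $e.Port
            Reachable = $r.TcpTestSucceeded
            RemoteIP  = $r.RemoteAddress
        }
    }
}

# Opens a TLS session using the operating system's default certificate validation and
# reports the negotiated protocol and the chain presented to this server. On a clean
# path you see Tls12 and a chain that ends in a public root CA. A chain ending in your
# own proxy or inspection appliance's CA means the outbound session is being
# terminated inline, which the page says to avoid. Validation failures are reported,
# not bypassed: an untrusted chain is itself a finding.
function Get-OutboundTlsSession {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            [void]$chain.Build($leaf)
            [pscustomobject]@{
                Host     = $HostName
                Protocol = $ssl.SslProtocol
                Subject  = $leaf.Subject
                Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
                Error    = $null
            }
        } catch [System.Security.Authentication.AuthenticationException] {
            [pscustomobject]@{ Host = $HostName; Protocol = $null; Subject = $null; Chain = $null; Error = $_.Exception.Message }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Dispose()
    }
}

Test-ConnectorEgress -Endpoints $ConnectorEndpoints | Format-Table -AutoSize
Get-OutboundTlsSession -HostName 'connector-endpoint.msappproxy.net' | Format-List
```

Run it under the account context that matters: the page notes that firewalls enforcing rules per originating user also need ports 80 and 443 open for Windows services running as Network Service, so a check that passes for your admin account can still fail for the connector service.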
Install and register a connector
To use Private Access, install a connector on each Windows server you're using for Microsoft Entra Private Access. The connector is an agent that manages the outbound connection from the on-premises application servers to Global Secure Access. You can install a connector on servers that also have other authentication agents installed such as Microsoft Entra Connect.
Note
The minimum connector version required for Private Access is 1.5.3417.0.
Starting with connector version 1.5.3437.0, .NET Framework 4.7.1 or later is required for a successful installation or upgrade.
Note
Deploy Private Network Connector for Your Azure, AWS, and GCP Workloads from respective Marketplaces (Preview)
The Private Network Connector is now available on Azure Marketplace, AWS Marketplace, and GCP Marketplace (in preview), in addition to the Microsoft Entra admin center. The Marketplace offerings deploy a Windows virtual machine with the Private Network Connector preinstalled through a simplified model. The process automates installation and registration, which makes deployment easier and faster.
To install the connector from Microsoft Entra admin center:
Sign in to the Microsoft Entra admin center as an Application Administrator of the directory that uses Application Proxy.
For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.
Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select Switch directory and choose a directory that uses Application Proxy.
Browse to Global Secure Access > Connect > Connectors.
Select Download connector service.
Read the Terms of Service. When you're ready, select Accept terms & Download.
At the bottom of the window, select Run to install the connector. An install wizard opens.
Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your Application Administrator credentials.
For Internet Explorer (IE): If IE Enhanced Security Configuration is set to On, you may not see the registration screen. To get access, follow the instructions in the error message. Make sure that Internet Explorer Enhanced Security Configuration is set to Off.
Things to know
If you've previously installed a connector, reinstall it to get the latest version. When upgrading, uninstall the existing connector and delete any related folders. To see information about previously released versions and what changes they include, see Application Proxy: Version Release History.
If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see connector groups.
Microsoft Entra Private Access does not support multi-geo connectors. The cloud service instances for your connector are chosen in the same region as your Microsoft Entra tenant (or the closest region to it) even if you have connectors installed in regions different from your default region.
Verify the installation and registration
You can use the Global Secure Access portal or your Windows server to confirm that a new connector installed correctly.
Verify the installation through the Microsoft Entra admin center
To confirm the connector installed and registered correctly:
Sign in to the Microsoft Entra admin center as an Application Administrator of the directory that uses Application Proxy.
Browse to Global Secure Access > Connect > Connectors.
All of your connectors and connector groups appear on this page.
View a connector to verify its details.
Expand the connector to view the details if it's not already expanded.
An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
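The page says the Windows server itself can also be used to confirm the installation. The PowerShell below is an added example, not Microsoft's own tooling, that does that locally: it reports whether the connector and updater services are installed and running, which account they run as, and whether the connector binary meets the 1.5.3417.0 minimum given above. The service names WAPCSvc and WAPCUpdaterSvc are the names the connector installer registers, taken from the author's own deployments rather than from this page; the function name is the example's own.

```powershell
# Added example, not Microsoft's own tooling: local verification of the connector
# install on the Windows server. Service names WAPCSvc (connector) and WAPCUpdaterSvc
# (updater) come from the author's deployments, not from this page.

$MinimumConnectorVersion = [version]'1.5.3417.0'   # minimum for Private Access, from the page

function Get-ConnectorServiceState {
    foreach ($name in 'WAPCSvc', 'WAPCUpdaterSvc') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; State = 'NOT INSTALLED'; StartMode = $null; RunsAs = $null; Version = $null; MeetsMinimum = $false }
            continue
        }
        # PathName is the service command line; take just the executable so its file version can be read.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $ver = $null
        if (Test-Path -LiteralPath $exe) {
            $fv  = (Get-Item -LiteralPath $exe).VersionInfo
            $ver = New-Object System.Version($fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart)
        }
        [pscustomobject]@{
            Service      = $name
            State        = $svc.State
            StartMode    = $svc.StartMode
            RunsAs       = $svc.StartName
            Version      = $ver
            MeetsMinimum = ($null -ne $ver -and $ver -ge $MinimumConnectorVersion)
        }
    }
}

Get-ConnectorServiceState | Format-Table -AutoSize
```

A connector that shows as Running here but never turns green in the admin center points at the network path rather than the installation, which is the case the note above describes: the service is up, but outbound traffic to the service endpoints is being blocked or intercepted.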
Learn about how Microsoft Entra Private Access secures access to your private corporate resources through the creation of Quick Access and Global Secure Access apps.