CA policy requires corporate network. VPN requires CA to pass. How is anyone solving this
Posted by Economy_Passenger296@reddit | sysadmin | View on Reddit | 31 comments
Genuinely losing my mind here
entra conditional access is set to require trusted location (corporate network) for anything sensitive. fine. but the VPN client authenticates through entra before the tunnel is up so CA fires before the user is on the corporate network. CA fails. VPN won't connect. user can't get on the corporate network. CA can't be satisfied.
we inherited this setup. previous admin apparently just excluded VPN auth from CA entirely which is... not great. i put that exclusion back because security team flagged it in a review and now i have 40 tickets.
i've been reading about always-on VPN with device compliance as the signal instead of network location but that's a full MDM project and i don't have 3 months for that right now.
is there a middle ground here that doesn't require either gutting CA or a 3 month rollout. running GlobalProtect + entra ID, about 200 users, hybrid joined devices mostly win11 but a handful of older stuff
Ok_Abrocoma_6369@reddit
The real issue here is that we’re still treating the VPN as a bolt-on to identity rather than part of the same fabric. If you're looking for a long-term fix, you have to move the trust anchor away from the public IP and toward device state. If you can't get Hybrid Join or Intune compliance sorted quickly, you're going to keep hitting these logic loops. A lot of modern shops are just moving to a unified SASE platform. Cato does this well, where the client handles the pre-auth and the corporate network check happens at the cloud edge, so you aren't bricking the user's internet just to check their ID.
Ihaveasmallwang@reddit
You exclude the VPN from that CA policy and make a new CA policy just for the VPN that does not require trusted location.
bobdvb@reddit
Yup, in my company, if you travel to another country you need to raise a ticket beforehand. It's a bit of a PITA but it's a heck of a way to reduce the attack surface.
angelface100@reddit
This!!
AdmRL_@reddit
Security team need to give their heads a wobble. The VPN is the entry point to the trusted locations, it is obviously incompatible with a policy specifically requiring trusted loction origin.
The quickest path is to exclude the VPN from that policy and create a secondary policy that requires the VPN auth to occur on a corporate device and ideally (but fully dependent on the state of your intune inventory) a compliant one as well.
That way your trusted locations are still secure and have their own auth requirements, and the entry point has guard rails to prevent unauthorised access from unknown or untrusted devices.
Sa77if@reddit
if you need to keep vpn you need 2 different CA policies
but even better you can get rid of your vpn and use Microsoft Global access
billy_teats@reddit
The vpn wouldn’t be needed if you were already in the trusted network. You can do a device state check. We have a certificate pushed via Intune that our vpn uses to authenticate clients. That Intune autopilot enrollment requires a 3rs party to pre-provision the device, so we trust that process.
Or you out strong mfa in front of the vpn. A CA policy to require phish resistant mfa. And you trust that.
man__i__love__frogs@reddit
Is this an out of season April Fools joke?
IwishIhadntKilledHim@reddit
Add a custom certificate purpose to certs issued under this template using your own identification number (need to register for this, but it's free and the same enterprise number you'd use in SNMP oids)
And then check for this custom certificate purpose called 'Your company VPN auth usage' on the authentication side. A bunch of protocols can handle this.
It's not foolproof but slightly more of a challenge to attackers and can buy you some time with security while making it look like a meet in the middle situation.
BrainWaveCC@reddit
Well, clearly the exclusion was there for a reason. Put it back.
Also, you can have more than one conditional access policy. Make one for the VPN by itself that allows you to have better control of it, without any catch-22 situations. There's no need to "gut" conditional access.
And may don't overload the acronym "CA" in a security-related thread.
OneSeaworthiness7768@reddit
Why would that take 3 months? Do you not already have MDM in place?
iamliterate@reddit
We have compliance policies for devices to establish VPN connections.
MisterIT@reddit
You should be fired, full stop. I really hope this is a joke post.
hadrabap@reddit
No. Classic corporate approach. Unfortunately
LaDev@reddit
Yes, remove VPN from CA policy, maybe add a new policy that only permits auth on trusted machine (hybrid joined) through device filtering.
Configure GP for HIP Checks (Domain, AV status, etc)
TerrorToadx@reddit
Users need vpn to access corp network. But they also need corp network to access vpn.
This makes no sense. Exclude vpn from CA.
Major-Error-1611@reddit
In addition to excluding the VPN client from the Trusted Location CA, you could also create a new CA to require that the VPN client connection is made from a Hybrid-joined (and maybe Compliant) device? That way you would still restrict the VPN connection but in a way that doesn't lead to that catch 22 that you're in right now.
raip@reddit
If you go down this route, just know that device state isn't shipped with the GlobalProtect integrated browser, so make sure that you have the client configured to use the system browser instead.
Blade4804@reddit
if he had hybrid joined PC's then an MDM solution wouldn't be 3 month away lol
halodude423@reddit
So for 3 months or until that MDM project can be completed you need to exclude VPN auth from the CA.
Thirsty_Comment88@reddit
Just unfuck the shit you fucked up.
It was working before you touched it.
Educational_Boot315@reddit
But OP determined that was… not great.
How did they come to that conclusion or did they put any thought into why it was set up that way? No idea.
Excellent-Program333@reddit
Probably ChatGPT told him this was “the way”.
I was asking it about locking down a breakglass account last week out of curiosity. It advised me to make sure its “blocked from signing in”. Lol. Wtf? I corrected it and it was like “Oh youre right, sorry”.
Makes no sense half the time.
TaiGlobal@reddit
Well first I’d start by making sure the devices are secure. Patching, Antivirus, ips/ids, centralized logging, dlp. Your vpn can do a posture assessment against these items and allow it on the vpn or disallow. You present that to security as to why they can be excluded from the ca.
EfeAmbroseEFOTY@reddit
Require trusted location is for onsite only. Even if it was allowed through the Auth it would still deny you unless you send all traffic up the VPN tunnel which with global protect requires a shitload of resource on the Palo firewalls.
nailzy@reddit
The standard here is to not require trusted location and to require MFA as a specific policy for VPN auth.
burundilapp@reddit
Trust the device, only restrict on location if it’s outside usual territories. Presuming you are only installing VPN on corporate devices then the decision has already been made that you don’t need to be in the building to connect to secure resources so ignore the location and focus on device trust, restrict on locations where no one should be logging in from.
SVD_NL@reddit
Exclude VPN from the main CA policy, and create a different CA policy to lock down VPN as much as you need.
Compliant device, maybe only allow specific countries, authentication strength, etc.
gumbrilla@reddit
you exclude the VPN app from the CA policy
Blade4804@reddit
seriously lol.
Any real solution is going to take 3 to 6 month. Either MDM, or an agent on a PC to let your VPN/Internal network know this device is trusted to connect to the network.
Jkabaseball@reddit
What is the security concern you are trying to take actions against? Who said that you have to work at a trusted location, but then said people can work where ever with a VPN? Those 2 statements can't work together. We have a CA that allows VPN if the user is in a VPN approved group, MFA, and is using a hybrid joined device. We also have a CA rule that uses trusted location as an MFA condition, so people don't need to MFA to use Outlook in the office.