Forum Discussion
Entra Private Access - Private DNS
Hello Everyone
We are using the trial period of Entra Private Access and Entra Internet Access with the Global Secure Access client. We recently got the Private DNS feature within Quick Access under Global Secure Access.
The moment we added our on-premises domain suffix to create a line of sight to the DCs, access to other private apps, some of which are actually cloud web apps, stopped working. The cloud app web portals wouldn't open and RDP to servers wasn't working. Intermittently we could open the portal or RDP to the server, but everything had basically died. After leaving it for more than 8 hours the issues still hadn't gone away, so we removed the Quick Access app and disabled Private DNS; the issue was resolved after that.
Any ideas why? Also, is there a way we could allow our on-premises user accounts to change their passwords when they expire, or get the password-expired notifications as we did when we used the Cisco VPN? We have Azure hybrid-joined machines with GSA running on them, but users don't get password expiry notifications, nor can they change the password on the local laptop, as it can't talk to the DCs. We created an app with Kerberos port 88, LDAP 389 and 464, but password change still doesn't work. Users are logging in to the laptops with cached passwords.
4 Replies
- serverboy Copper Contributor
Hi
I recently set up GSA in my lab and am also experiencing the same issue when performing DNS lookups using a Resolve-DnsName query.
I was watching John Savill's deep dive video on the private setup and his appears to work fine.
My connectors are domain joined and on the same IP range as my DCs, with full access to them.
My Quick Access is configured with the IP CIDR ranges and Private DNS has my on-prem domain configured.
Not sure what is happening or why I keep getting these synthetic 6.x.x.x ranges in the resolved addresses.
- vbakshi123 Copper Contributor
Anyone with any ideas?
- JFreeman130 Copper Contributor
vbakshi123 Hey, no ideas, but wanted to let you know I'm suffering along with you.
If I try
resolve-dnsname -name _ldap._tcp.my.domain.com -type SRV
it fails, but if I specify the server listed in the connection properties by doing
resolve-dnsname -name _ldap._tcp.my.domain.com -type SRV -server 6.6.255.254
it returns records for all my domain controllers.
I've opened a ticket with Microsoft support for assistance but they haven't been able to provide a resolution yet, still hoping.
- vbakshi123 Copper Contributor
I managed to resolve it in some way. Even though you are correct, it won't resolve the private DNS name of any of the devices in the on-premises network.
We had an Entra Global Secure Access app that had port 3389 access to the entire domain, i.e. *.yourdomain.com. I suspected that after enabling Private DNS the namespace was somehow conflicting between the Quick Access app and the Entra Global Secure Access app, since the private DNS name and the domain name are obviously the same, even though they are meant to be communicating on different ports.
So I removed that entry from the Entra Global Secure Access app and then enabled Private DNS, and our access to the other private apps was unaffected. For password change, we opened the relevant ports on the same Quick Access app that allows Private DNS. Creating a separate enterprise app for DC communications whilst having Private DNS enabled on the Quick Access app didn't seem to work that well.
The only issue we still have is that looking up DNS names returns only the magic IPs instead of the private IP address.
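The diagnostic JFreeman130 describes above (an SRV lookup that fails through the default resolver but succeeds when pointed at the GSA resolver) and vbakshi123's observation that DC names come back as "magic" 6.x IPs can be turned into one repeatable check. The script below is an added example, not code from the thread or from Microsoft; it assumes a Windows client with the GSA client installed, a placeholder domain suffix, and the 6.6.255.254 resolver quoted in the thread, and it treats the 6.x.x.x pattern seen in the thread as the synthetic range to flag.

```powershell
# Added diagnostic (not part of the thread). Compares Resolve-DnsName results
# with and without an explicit -Server, then flags synthetic 6.x addresses.
# ASSUMPTIONS: 'my.domain.com' and '6.6.255.254' are placeholders taken from
# the thread; replace them with your on-prem suffix and the resolver shown in
# the GSA client's connection properties.
param(
    [string]$Domain      = 'my.domain.com',
    [string]$GsaResolver = '6.6.255.254'
)

# Resolve the DC locator SRV record, optionally via a specific server.
function Test-DcSrv {
    param([string]$Name, [string]$Server)
    $label = if ($Server) { $Server } else { 'default resolver' }
    $query = @{ Name = $Name; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $records = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Query   = $Name; Via = $label; Succeeded = $true
            Targets = @($records.NameTarget)
            Error   = $null
        }
    } catch {
        [pscustomobject]@{
            Query   = $Name; Via = $label; Succeeded = $false
            Targets = @(); Error = $_.Exception.Message
        }
    }
}

# Resolve a host's A records and mark addresses in the synthetic 6.x range.
function Test-SyntheticAddress {
    param([string]$HostName, [string]$Server)
    $label = if ($Server) { $Server } else { 'default resolver' }
    $query = @{ Name = $HostName; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' }
    foreach ($a in $answers) {
        [pscustomobject]@{
            Host      = $HostName
            Via       = $label
            IPAddress = $a.IPAddress
            # Heuristic from the thread: GSA hands out 6.x.x.x "magic" IPs.
            Synthetic = ($a.IPAddress -like '6.*')
        }
    }
}

$srvName = "_ldap._tcp.$Domain"

# 1. SRV lookup both ways; a failure on the default path with success via
#    the GSA resolver reproduces the symptom reported in the thread.
$default = Test-DcSrv -Name $srvName
$viaGsa  = Test-DcSrv -Name $srvName -Server $GsaResolver
$default, $viaGsa | Format-Table Query, Via, Succeeded, Error -AutoSize

# 2. For every DC the GSA resolver returned, show the A record it hands back
#    and whether it is a synthetic address rather than the real private IP.
$viaGsa.Targets | Sort-Object -Unique | ForEach-Object {
    Test-SyntheticAddress -HostName $_
    Test-SyntheticAddress -HostName $_ -Server $GsaResolver
} | Format-Table Host, Via, IPAddress, Synthetic -AutoSize
```

Run it as the logged-in user on an affected laptop (`.\Test-GsaDns.ps1 -Domain corp.example.com`). A `Succeeded = $false` row for the default resolver next to a `$true` row for the GSA resolver is the exact pattern JFreeman130 reported; `Synthetic = $true` rows for the DC hosts show the magic-IP behaviour vbakshi123 describes, which is worth recording before opening or updating a support case.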