DNSFilter + Microsoft Global Secure Access + Comcast security filtering
Thomas J Sweet
We are running into issues in an office that has Comcast SecurityEdge and a static IP. We don't know when Comcast turned on SecurityEdge. We know that DNSFilter's icon is green in that office. We use Microsoft Global Secure Access (GSA) Entra Private Access as a ZTNA feature across all the offices, especially for IT.
When DNSFilter is green, the Microsoft Global Secure Access client won't connect. This is not just happening to the office but is also happening to another user who uses Spectrum Internet.
GSA has three features.
- Send all MS traffic through MS Servers - we want to use that. That is a really good anti-phishing tool.
- Entra Private Access (VPN replacement) - we use that today
- DNSFilter competitor - we don't want to have to use that.
This issue is also happening with Spectrum.
Minetta Gould
Happy to report our Support Team worked with customers who ran into the same challenge and put together workarounds that are now documented here: https://help.dnsfilter.com/hc/en-us/articles/44202542637971-Microsoft-Entra-GSA-and-Windows-Roaming-Client
Thanks for bringing visibility to it — we hope this resource makes life easier if you hit the same scenario!
Jonathan Bullock
Minetta Gould Could we use this same method for our RMM and AV tool domains, so if an agent fails to connect or a site fails to authenticate, we could remotely access those devices?
Minetta Gould
Jonathan Bullock We don't have the means to test what you're suggesting, but in theory it could work! I'd say give it a shot in a test environment and see what happens—you could be on to something 🤔💖
Jonathan Bullock
Minetta Gould Is there a way to manage this through the DNSFilter portal? I know that there are settings for local domain controllers, but I've never thought to use this for public domains. We are an MSP, so it'd be nice if we were able to create a global exclusions list using global policies for our tools to trickle down to each of our clients. If this was a feature, I'd have a few more devices that have high orbits that I'd feel more comfortable putting the roaming client on.
Minetta Gould
Jonathan Bullock: Nothing's currently in play that would meet this need for in-app updates, but DNS Pre-Check is going to give admins options for the Windows agent to fail open, which will address part of your initial scenario, just from a different angle.
It also sounds like you're curious about Global Local Domain/Resolver settings, to function a bit like the Universal Lists at the MSP Organization level? It's not currently on the Roadmap, but we're always looking at the next enhancement to make the Multi-Tenant experience easier, so it is on our radar.
Thomas J Sweet
Workaround - Add edgediagnostic.globalsecureaccess.microsoft.com to the block list in DNSFilter.
Thomas J Sweet
This really isn't a workaround, as updates to GSA fail and the app crashes overnight.