1
00:00:03,440 --> 00:00:05,120
So let's move on to the demonstration.

2
00:00:05,120 --> 00:00:09,440
Let's configure some zero trust network access policies.

3
00:00:09,440 --> 00:00:12,410
Once again, back in the Endpoint Manager admin center,

4
00:00:12,410 --> 00:00:16,980
I'm going to demonstrate traffic filters on our user tunnel.

5
00:00:16,980 --> 00:00:18,600
So I'm going to click on this profile,

6
00:00:18,600 --> 00:00:21,900
but I want you to be clear that traffic filters and everything that I'm

7
00:00:21,900 --> 00:00:25,790
demonstrating here can be applied to the device tunnel as well,

8
00:00:25,790 --> 00:00:28,240
but I'm just going to demonstrate it on the user tunnel.

9
00:00:28,240 --> 00:00:29,890
So here we are in our user tunnel,

10
00:00:29,890 --> 00:00:35,340
we're going to scroll down and click Edit next to our Configuration settings,

11
00:00:35,340 --> 00:00:38,840
and now we're going to go to our Apps and Traffic Rules.

12
00:00:38,840 --> 00:00:43,030
And here you'll see Network traffic rules for this VPN connection.

13
00:00:43,030 --> 00:00:47,020
So we'll click Add, and we'll provide a name here.

14
00:00:47,020 --> 00:00:49,730
So in this case, I'm going to, for demonstration purposes,

15
00:00:49,730 --> 00:00:53,190
I'm going to create a traffic filter that restricts access

16
00:00:53,190 --> 00:00:55,430
to the internal network over RDP only.

17
00:00:55,430 --> 00:00:59,130
So the only port I'm going to open up is 3389, so we'll take a look at that.

18
00:00:59,130 --> 00:01:01,830
So I'm going to give this a name.

19
00:01:01,830 --> 00:01:04,680
The Rule type here, I'm going to select Split tunnel.

20
00:01:04,680 --> 00:01:09,900
And then for the Protocol, of course, you notice that's not a drop-down list,

21
00:01:09,900 --> 00:01:10,300
unfortunately.

22
00:01:10,300 --> 00:01:11,680
It would be nice if it was.

23
00:01:11,680 --> 00:01:14,950
But fundamentally, it's asking for the protocol number.

24
00:01:14,950 --> 00:01:20,140
So in this case, I'm just going to do TCP, which is Protocol number 6.

25
00:01:20,140 --> 00:01:21,840
Now this is interesting here.

26
00:01:21,840 --> 00:01:27,020
This is a rather odd behavior of the UI: you do not

27
00:01:27,020 --> 00:01:29,630
have to define the local port ranges.

28
00:01:29,630 --> 00:01:34,420
If you leave this out, it defaults to basically any local port.

29
00:01:34,420 --> 00:01:36,650
The UI wants to complain about this though.

30
00:01:36,650 --> 00:01:38,920
It says it must not be empty.

31
00:01:38,920 --> 00:01:41,780
I can assure you you can leave this empty and it will work.

32
00:01:41,780 --> 00:01:45,800
So I'm going to ignore this, and I'm going to go to the remote port ranges here,

33
00:01:45,800 --> 00:01:47,900
and I'm going to specify my remote port,

34
00:01:47,900 --> 00:01:50,330
which in this case is the RDP port of 3389.

35
00:01:50,330 --> 00:01:54,640
And I've defined that for both the upper and lower

36
00:01:54,640 --> 00:01:56,400
port because it's just a single port.

37
00:01:56,400 --> 00:02:00,090
If you had an application that used a port range, you can do it that way.

38
00:02:00,090 --> 00:02:03,560
If you want multiple ports to apply to this rule,

39
00:02:03,560 --> 00:02:07,340
you can just simply add those here.

40
00:02:07,340 --> 00:02:08,180
Once again,

41
00:02:08,180 --> 00:02:12,700
the local address range I really don't care about because it's on my endpoint.

42
00:02:12,700 --> 00:02:15,500
One, I'm not going to know what that IP address is.

43
00:02:15,500 --> 00:02:21,120
Two, I could define a range, but I find that of limited usefulness.

44
00:02:21,120 --> 00:02:23,780
I really don't care what the local address is

45
00:02:23,780 --> 00:02:25,280
on the endpoint or on the client.

46
00:02:25,280 --> 00:02:28,640
I'm really concerned with how it's accessing my internal network.

47
00:02:28,640 --> 00:02:31,300
So in this case, I'm going to add my remote address range.

48
00:02:31,300 --> 00:02:35,770
And sadly, the UI does not accept a CIDR notation here.

49
00:02:35,770 --> 00:02:38,640
It does in XML, which makes your life a little easier,

50
00:02:38,640 --> 00:02:42,290
but here you'll actually have to specify a valid address range.

51
00:02:42,290 --> 00:02:51,540
And so for simplicity's sake, I'm just going to specify 172.16.0.0/24.

52
00:02:51,540 --> 00:02:53,280
And again, those have to be valid addresses.

53
00:02:53,280 --> 00:02:54,970
No network IDs, no broadcast IDs.

54
00:02:54,970 --> 00:02:59,720
So we'll click Save, and that table row has been added.

55
00:02:59,720 --> 00:03:04,940
So I'm going to click Review + save and then save once again.

56
00:03:04,940 --> 00:03:07,780
And now I've updated our Always On VPN device

57
00:03:07,780 --> 00:03:11,330
configuration profile to support a traffic filter.

58
00:03:11,330 --> 00:03:16,040
So let's jump over to the client and see what that looks like in action.

59
00:03:16,040 --> 00:03:18,690
So here we are back on our Windows client.

60
00:03:18,690 --> 00:03:22,180
This client has already synchronized its configuration with Intune,

61
00:03:22,180 --> 00:03:25,020
and it should have the policy in place.

62
00:03:25,020 --> 00:03:29,610
Now, it's important to understand that we've implemented these traffic filters,

63
00:03:29,610 --> 00:03:33,060
but they don't show up in any sort of visible way on the endpoint.

64
00:03:33,060 --> 00:03:34,480
You can't see it.

65
00:03:34,480 --> 00:03:38,780
If you look at the VPN properties, you can't see it in the Windows Firewall.

66
00:03:38,780 --> 00:03:42,190
The traffic filters are implemented essentially in WFP,

67
00:03:42,190 --> 00:03:43,680
in the Windows Filtering Platform,

68
00:03:43,680 --> 00:03:46,420
so they're implemented in the OS at a very low level.

69
00:03:46,420 --> 00:03:48,810
But we can see them in action,

70
00:03:48,810 --> 00:03:51,340
and that's what I kind of want to demonstrate here.

71
00:03:51,340 --> 00:03:55,600
So recall that we defined our traffic filter to restrict access

72
00:03:55,600 --> 00:03:59,570
to the internal network on RDP port 3389,

73
00:03:59,570 --> 00:04:05,550
and we defined the entire 172.16.0.0/24 subnet.

74
00:04:05,550 --> 00:04:07,770
So, what does that look like in action?

75
00:04:07,770 --> 00:04:08,830
Let's take a quick look.

76
00:04:08,830 --> 00:04:10,840
And so I'm going to open up PowerShell,

77
00:04:10,840 --> 00:04:13,760
and the first thing I want to do is just demonstrate some behavior here.

78
00:04:13,760 --> 00:04:18,140
So I'm going to try to ping a server on the internal network,

79
00:04:18,140 --> 00:04:20,230
and the first thing you'll notice here is that the

80
00:04:20,230 --> 00:04:24,900
name resolves to an IP address, but then I get a general failure message,

81
00:04:24,900 --> 00:04:28,060
and this should happen if I try to ping any other internal resource.

82
00:04:28,060 --> 00:04:34,340
So you can see ICMP traffic is not being allowed over this tunnel.

83
00:04:34,340 --> 00:04:37,240
Now I'm going to run the Test-NetConnection command,

84
00:04:37,240 --> 00:04:42,240
I'm going to specify the port of 445, which is the SMB port,

85
00:04:42,240 --> 00:04:45,150
and I'm going to specify the application server here,

86
00:04:45,150 --> 00:04:50,740
what internal resource.

87
00:04:50,740 --> 00:04:54,440
And you'll see that our TcpTestSucceeded report says False,

88
00:04:54,440 --> 00:04:57,340
so we do not have access to that particular port.

89
00:04:57,340 --> 00:05:05,340
However, if I change this port to 3389,

90
00:05:05,340 --> 00:05:08,530
you'll see now that the TcpTestSucceeded value is True,

91
00:05:08,530 --> 00:05:10,640
so I do have access on this port.

92
00:05:10,640 --> 00:05:14,270
That means if I open up the RDP application,

93
00:05:14,270 --> 00:05:16,150
I should be able to RDP into the server.

94
00:05:16,150 --> 00:05:21,790
And sure enough, I do.

95
00:05:21,790 --> 00:05:25,910
Not real exciting here because this is a Windows Server Core server,

96
00:05:25,910 --> 00:05:28,370
but I have access to this particular server.

97
00:05:28,370 --> 00:05:31,240
So I'm going to bail out on that, and again,

98
00:05:31,240 --> 00:05:34,480
if I was trying to open an Explorer window,

99
00:05:34,480 --> 00:05:36,540
you would see that I would not have that access,

100
00:05:36,540 --> 00:05:41,240
as I demonstrated previously.

101
00:05:41,240 --> 00:05:41,940
So there you go.

102
00:05:41,940 --> 00:05:47,410
No access to port 445, so I can't get to any SMB shares on the server.

103
00:05:47,410 --> 00:05:50,310
I can't even ping it, but I can RDP to it.

104
00:05:50,310 --> 00:05:54,440
So that is our traffic filter in action.

105
00:05:54,440 --> 00:05:58,190
If you plan to implement this traffic filter using XML,

106
00:05:58,190 --> 00:06:01,200
you'll use the code that you see here on your screen.

107
00:06:01,200 --> 00:06:06,760
This traffic filter, again, identifies the protocol as Protocol 6,

108
00:06:06,760 --> 00:06:11,300
which is TCP, the remote port range being 3389.

109
00:06:11,300 --> 00:06:14,350
And if this was a multi-value, you could,

110
00:06:14,350 --> 00:06:17,920
if you had multiple ports, you could do 3389,

111
00:06:17,920 --> 00:06:21,310
4000, what have you.

112
00:06:21,310 --> 00:06:27,850
And then if it's a range, it would just be 3389 to 3392 or something like that,

113
00:06:27,850 --> 00:06:28,570
right?

114
00:06:28,570 --> 00:06:30,930
The RemoteAddressRanges here, as you see,

115
00:06:30,930 --> 00:06:33,000
I've defined this in CIDR notation,

116
00:06:33,000 --> 00:06:36,290
which makes it a little easier to configure in XML,

117
00:06:36,290 --> 00:06:40,250
but you can do address ranges or you could do multiple addresses as well,

118
00:06:40,250 --> 00:06:42,140
and those are comma separated.

119
00:06:42,140 --> 00:06:46,030
Again, the VPNv2 CSP reference is your friend here.

120
00:06:46,030 --> 00:06:48,850
It will tell you everything you need to know about the accepted

121
00:06:48,850 --> 00:06:53,140
parameters in this particular traffic filter.

122
00:06:53,140 --> 00:06:56,560
And looking at the traffic filter XML in practice,

123
00:06:56,560 --> 00:06:58,070
let's take a quick peek at that,

124
00:06:58,070 --> 00:07:03,250
what you'll see here is that I've implemented it here in this block,

125
00:07:03,250 --> 00:07:06,800
which is what I just showed you just a minute ago.

126
00:07:06,800 --> 00:07:17,000
This is our traffic filter, Protocol 6, 3389 to the internal subnet. So that's how it's implemented in the XML file itself.
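The XML shown on screen in the video is not part of this transcript. As an added example (not the presenter's code), the block below pairs a VPNv2 CSP ProfileXML TrafficFilter for the rule built in the demonstration (protocol 6, remote port 3389, remote range 172.16.0.0/24, split tunnel) with a PowerShell check that repeats the three probes from the video (ping, TCP 445, TCP 3389) and compares each result with what the filter should produce. Element names follow the VPNv2 CSP reference the presenter points to; the host name app01.corp.example is a placeholder for an internal server in 172.16.0.0/24, and the rest of the profile (servers, authentication) is deliberately left out.

```powershell
# Added example, not the XML or the commands shown in the video.
# Assumptions: VPNv2 CSP element names per the CSP reference; app01.corp.example is
# a placeholder for a host inside 172.16.0.0/24 reached over the Always On VPN tunnel.

# ProfileXML fragment for the rule from the demo: TCP (protocol 6) to port 3389 only,
# to the 172.16.0.0/24 subnet, as a split-tunnel rule. LocalPortRanges and
# LocalAddressRanges are omitted on purpose: omitted means "any", as noted in the demo.
$trafficFilterXml = @"
<VPNProfile>
  <!-- NativeProfile, servers and authentication omitted; only the TrafficFilter is shown -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <!-- several ports would be 3389,4000 and a range would be 3389-3392 -->
    <RemotePortRanges>3389</RemotePortRanges>
    <!-- CIDR is accepted here (unlike the admin center UI); several entries are comma separated -->
    <RemoteAddressRanges>172.16.0.0/24</RemoteAddressRanges>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </TrafficFilter>
</VPNProfile>
"@

function Test-TrafficFilterEnforcement {
    # Runs the same probes as the demo against one internal host and reports
    # whether each observed result matches what the filter is supposed to enforce.
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $checks = @(
        @{ Name = 'ICMP ping';      Expected = $false
           Probe = { Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue } },
        @{ Name = 'TCP 445 (SMB)';  Expected = $false
           Probe = { Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue } },
        @{ Name = 'TCP 3389 (RDP)'; Expected = $true
           Probe = { Test-NetConnection -ComputerName $ComputerName -Port 3389 -InformationLevel Quiet -WarningAction SilentlyContinue } }
    )

    foreach ($c in $checks) {
        # Each probe returns $true/$false; coerce to [bool] so an empty result reads as "blocked".
        $observed = [bool](& $c.Probe)
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Observed = $observed
            Result   = if ($observed -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
        }
    }
}

# Usage on the client after it has synced the profile from Intune:
# every row should read OK; a MISMATCH means the filter is not enforcing what the XML states.
Test-TrafficFilterEnforcement -ComputerName 'app01.corp.example' | Format-Table -AutoSize
```

Because the filter is applied in the Windows Filtering Platform rather than as a visible firewall rule, a probe table like this is the practical way to confirm the policy landed: the expected pattern (ping blocked, 445 blocked, 3389 open) is exactly the one the video walks through, and any deviation points at a sync or profile problem to investigate before relying on the rule.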