Global Secure Access (GSA) is quickly becoming the go-to replacement for traditional VPNs. It uses a cloud-based, Zero Trust approach to keep connections safe. GSA is deeply integrated with Microsoft Entra and Conditional Access. It also gives you tools for traffic inspection and compliance checks, making it easier to secure resources.
Of course, every new solution comes with its own set of challenges. As more organizations roll out GSA, a few common issues tend to pop up – especially when running client health checks. In this guide we’ll go through the most frequent errors and show you how to fix them, so you can get the most out of GSA without the initial headaches.
The errors I most commonly see in customer environments are:
- IPv4 not set as preferred
- QUIC is not set to disabled
- Magic IP received
- Break-glass mode disabled
IPv4 not set as preferred
Global Secure Access currently only supports IPv4, so a common error during the health check is that IPv4 is not set as preferred. To fix this, set the registry value DisabledComponents to 0x20. Currently the best way to do this for your whole environment in Intune is to deploy a PowerShell script. Here is a simple script that does this (it does not contain any logging, so add that to the script if needed):
```powershell
# Prefer IPv4 over IPv6 by setting DisabledComponents = 0x20
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name 'DisabledComponents' -Value 0x20 -Type DWord -Force
```
When deploying this script via Intune, ensure the following options are set:
- Run script as signed-in user: No
- Enforce script signature check: No

Once the script has run on the targeted devices, you may need to restart the device.
QUIC is not set to disabled for Chrome and Edge
This error can be resolved by simply creating a Configuration profile in Intune.
1. Create the profile
- Navigate to: Devices –> Configuration profiles –> Create profile
- Choose:
  - Platform: Windows 10 and later
  - Profile type: Templates –> Administrative Templates
2. Configure Chrome Policy
- Search for: QUIC
- Set Allow QUIC Protocol to Disabled
3. Configure Edge Policy
- Search for: QUIC
- Set Allow QUIC Protocol to Disabled

Assign the profile to the appropriate group.
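To confirm that both fixes above actually landed on a device, the following read-only check is an added example, not part of the original post. It assumes the QUIC policies are applied device-wide and therefore appear as the `QuicAllowed` value under the Chrome and Edge policy keys in HKLM; adjust the paths if you assign the policy per user.

```powershell
# Added example: read-only verification of the IPv4 preference and QUIC policy settings.
# Assumption: QUIC policies are device-scoped, so they are written under HKLM.
$checks = @(
    @{ Name     = 'IPv4 preferred'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Value    = 'DisabledComponents'
       Expected = 0x20 },
    @{ Name     = 'QUIC disabled (Chrome)'
       Path     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Value    = 'QuicAllowed'
       Expected = 0 },
    @{ Name     = 'QUIC disabled (Edge)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Value    = 'QuicAllowed'
       Expected = 0 }
)

$results = foreach ($check in $checks) {
    # Returns nothing (instead of throwing) when the key or value is missing
    $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($check.Value) } else { $null }

    [pscustomobject]@{
        Check     = $check.Name
        Expected  = $check.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        # A missing value counts as non-compliant: the setting was never applied
        Compliant = ($null -ne $actual) -and ($actual -eq $check.Expected)
    }
}

# Human-readable summary for the script output / log
$results | Format-Table -AutoSize | Out-String | Write-Output

# Exit 1 if any check failed, so the script can be used as a detection script
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

The script changes nothing on the device. A non-zero exit code marks the device as non-compliant, which is the convention Intune Remediations detection scripts use.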
Magic IP received
In most cases a restart of the Global Secure Access Client and/or the device will solve this issue.

Break-glass mode disabled
This error is usually caused by the traffic forwarding profile not being assigned.
Go to Entra –> Global Secure Access –> Connect –> Traffic forwarding.
Ensure the profiles you are using (Internet Access, Microsoft 365, or Private Access) are enabled.
Assign the enabled profile(s) to the affected users or groups. After assignment, restart the device.


