Agentless SWG: Onboard M365 traffic remote or agentless network segments

Implementation Effort: Medium

User Impact: Low

Overview

Maintaining security of a corporate network is increasingly difficult in a world of remote work and distributed teams. Security Service Edge (SSE) promises a world of security where customers can access their corporate resources from anywhere in the world without needing to back haul their traffic to headquarters. An agentless approach can be needed in the following scenarios:

• I don’t want to install clients on thousands of devices on-premises
• I can't install clients on all the devices my organization owns.
• I have guests on my network who don't have the client installed.

If you're tunneling your Microsoft traffic through the Global Secure Access service, you can assign remote networks to the traffic forwarding profile. Your end users can access Microsoft resources by connecting to the service from a remote network, such as a branch office location.

To connect a remote network to Global Secure Access, you set up an Internet Protocol Security (IPSec) tunnel between your on-premises equipment and the Global Secure Access endpoint. Traffic that you specify is routed through the IPSec tunnel to the nearest Global Secure Access endpoint. You can apply security policies in the Microsoft Entra admin center. Global Secure Access remote network connectivity provides a secure solution between a remote network and the Global Secure Access service. It doesn't provide a secure connection between one remote network and another.

Reference

• Understand remote network connectivity
• Assign a remote network to a traffic forwarding profile
• Assign the Microsoft traffic profile to a remote network