Skip to main content
Versa Networks

Versa Secure SD-WAN and Microsoft Entra Internet Access API-Based Integration

  1. Last updated
  2. Save as PDF

This article describes how to integrate Versa Secure SD-WAN with Microsoft Entra Internet Access. The integration uses two IPsec tunnels to Microsoft Entra Internet Access, and both tunnels peer using BGP to two different zones for redundancy within Microsoft Entra.

Versa Director provides workflows to automate the configuration and provisioning of the IPsec tunnels to Microsoft Entra Internet Access. Equal Cost Multipath (ECMP) load balancing is enabled by default. 

The Versa API-based integration with Microsoft Entra Internet Access focuses on simplicity and time to deployment. With this method, you can ensure a consistent and reliable connection to critical resources, while ensuring the highest level of security across both solutions.
 
api-based-integration.png

Prerequisites

The following prerequisites are required to integrate Versa Secure SD-WAN and Microsoft Entra Internet Access.

Versa Secure SD-WAN:

  • Versa Director and Versa Operating SystemTM (VOSTM) Release 22.1.4 or later.
  • The physical interface where the IPsec tunnels terminate must have a public IP address.

Microsoft Entra Internet Access:

  • Enable permissions on Microsoft Entra Admin Center.
  • Create an application and service principal. Refer to the documentation for Microsoft Entra Identity Platform.
  • Add application permissions. Refer to the documentation for Microsoft Entra Identity Platform.

Gather Information from the Microsoft Entra Application

In this procedure, you gather the Microsoft Entra client ID, tenant ID, and client secret, which you need to create the CMS cloud connector in Versa Director.

To gather information from the Microsoft Entra application:

  1. Log in to Microsoft Entra Admin Center.
  2. Navigate to Entra ID > App registrations, and then select your application.
  3. Select Overview in the left menu. 

    entra1.png
  4. Copy the Directory (tenant) ID and Application (client) ID and store them for later use. 
  5. To create a client secret, refer to the Microsoft Entra Identity Platform documentation. After you save the client secret, the value of the client secret is displayed. This is only displayed once, so copy this value and store it where you can retrieve it. You provide the secret value along with the application's client ID to sign in to the application.

Enable a Microsoft Traffic Profile

To enable a traffic profile in Microsoft Entra:

  1. Log in to Microsoft Entra Admin Center.
  2. Navigate to Global Secure Access > Connect > Traffic Forwarding.
  3. Click the toggle to enable the Microsoft traffic profile, as shown below.

    traffic-forwarding.png

Configure a CMS Cloud Connector in Versa Director

To establish a connection between a VOS device and Microsoft Entra, and manage that connection through Versa Director, you must first configure a CMS cloud connector on Versa Director. Note that you can create only one CMS connector per tenant for Microsoft Entra API-based integration.

Before you create the CMS cloud connector on Versa Director, make sure that you have the Microsoft Entra application client ID, client secret, and tenant ID. To obtain these items, see Gather Information from Microsoft Entra Application, above.

Create a CMS Cloud Connector

  1. Log in to Versa Director.
  2. In Director view, select the Administration tab in the top menu bar.
  3. Select Connectors > CMS in the left menu bar, and then click the + Add icon.

    add-cms.png
  4. In the Add CMS Connector window, enter information for the following fields.

    cms-connector-add.png
     
    Field Description
    CMS Name (Required) Enter the name of the CMS connector. The name is a text string.
    Organization (Required) Select the tenant organization, which should be present in the provider Versa Director.
    CMS Flavor Select Microsoft GSA for the type of cloud service.
    Client ID (Required) Enter the client ID obtained from Microsoft Entra.
    Client Secret (Required) Enter the client secret ID obtained from Microsoft Entra.
    Tenant ID (Required) Enter the tenant ID value obtained from Microsoft Entra.
  5. Click OK. 

Verify the CMS Cloud Connector

To verify that the CMS connector is working:

  1. In Director view, select the Administration tab in the top menu bar.
  2. Select Connectors > CMS in the left menu bar. The main pane displays the CMS connectors.
  3. Select the CMS connector to verify, and then click validate-icon.PNGValidate Connector in the horizontal menu bar. This triggers an API call to the CMS connector to verify its Microsoft Intra user rights. If the validation is successful, the Valid Credentials popup message displays.

    valid-credentials.png

Associate the CMS Cloud Connector with an Organization

After you add a CMS cloud connector, you associate it with an organization that is already configured on the Director node.

To associate a CMS connector with an organization:

  1. In Director view, select the Workflows tab in the top menu bar.
  2. Select Infrastructure > Organizations in the horizontal menu bar. The main pane displays a list of organizations.
  3. Select the organization with which you want to associate the CMS connector. In this example, the organization is Tenant1.

    infra-tenant.png
  4. Select step 4, CMS Connector. The Configure CMS Connector screen displays with the CMS Connectors tab selected.
  5. In the Available pane, click Select for the connector (here, Microsoft-Tenant1-cms) to add it to the Selected pane.

    cms-connector-select.png
  6. Select step 7, Review, to review the configuration and make any needed changes. 
  7. Click Deploy.

Configure a Site-to-Site Tunnel in a Workflow Template for Microsoft Entra

  1. In Director view, select the Workflows tab in the top menu bar.
  2. Select Template > Templates in the horizontal menu bar.
  3. Select an SD-WAN post-staging template in the main pane. To create a new workflow template, see Create and Manage Staging and Post-Staging Templates.

    workflow-template.png
  4. Select step 3, Tunnels, in the top menu bar. The Configure Tunnels screen displays. 

    partner-site.png
  5. In the Partner Site to Site Tunnels section, click the + Add icon.
  6. In the Partner Site to Site Tunnels popup window, enter the following information.

    partner-site-tunnels.png
     
    Field Description
    Name (Required) Enter a name for the site-to-site tunnel.
    Peer Type Select the Microsoft GSA peer type.
    Tunnel Protocol Select the IPsec tunnel protocol to use to reach the peer.
    WAN Network Select one or more WAN networks to use. This network is the originating endpoint of the tunnel. The highest priority is 1.
    Organization Select the organization for which the site-to-site tunnel is created.
    LAN VRF Select one or more virtual routing instances to use to reach the LAN.
  7. Click OK, and then click Save.
  8. If modifying an existing device:
    1. Click step 7, Review, and then click Re-Deploy.
    2. Commit the template.

      Versa Director shows a diff with newly-added changes for the tunnel to validate changes.

      auto-merged.png
  9. Click Deploy.

    For more information on template workflows, see Overview of Configuration Templates.

Configure a Site-to-Site Tunnel in a Device Workflow for Microsoft Entra

Versa Network’s device workflow automates configuration or provisioning, attaching the device groups and bind data for each VOS instance. To configure the device workflow, you must attach the template workflow to the device group within the device workflow. In this scenario, this is the template workflow that you configured in Configure a Site-to-Site Tunnel in a Workflow Template for Microsoft Entra, above. For more information on device workflows, see Overview of Configuration Templates.

In the following example configuration, there are two Microsoft Entra BGP peers and one Versa BGP peer. Versa uses a local tunnel interface that can be viewed as a loopback. The Versa BGP local IP peer exchanges information with the primary BGP peer (BGP peer IP) and the secondary BGP peer (BGP zone peer IP) through the IPsec tunnels. In this example, APIPA (RFC 3927) address space is used. You can also verify Microsoft Entra supported address space and ASNs here.

To configure a Versa Director–Microsoft Entra IPsec site-to-site tunnel for a device:

  1. In Director view, select the Workflows tab in the top menu bar.
  2. Select Devices > Devices in the left menu bar.
  3. Select a device in the main pane.

    workflow-devices.png
  4. In workflow step 1, Basic, select a device group that has a template associated with it. 

    device-group-info1.png
  5. Select step 3, Tunnel Information. The Tunnel Information screen displays. 
  6. Click the Names field, select the partner site-to-site tunnel created in the workflow template, and then click the add-icon-image.png Add icon.

    tunnel-information.png
  7. In the Configure Site-To-Site Tunnel popup window, enter information for the following fields.

    device-site-tunnel-config.png
     
    Field Description
    Bandwidth (Mbps) Select the tunnel bandwidth, in Mbps,  for Microsoft Entra.
    BGP Peer IP Enter the IP address of primary BGP speaker on Microsoft Entra.
    BGP Zone Peer IP Enter the IP address of secondary BGP speaker on Microsoft Entra.
    BGP Local ASN Enter the Versa BGP local autonomous system number (ASN).
    Versa BGP Local IP Enter the VOS local ASN.
    Region Select the Microsoft Entra region.
  8. Click OK. The tunnel information page displays the tunnel information for the device workflow.

    microsoft-gsa.png
  9. Click Save.
  10. If modifying an existing device:
    1. Click step 6, Review, and then click Re-Deploy.
    2. Commit the template.

Commit Template Modifications

When you change the configuration in an existing configuration or service template, you must commit the changes so that the new configuration is deployed on the associated devices. You can commit all changes, and you can merge the changes into the existing configuration.

To commit a modified template:

  1. In Director view, select the Administration tab in the top menu bar.
  2. Select Appliances in the left menu bar.
  3. In the Status column in the main pane, check whether Reachability is green and Service is Up, and then click Commit Template. If the device is not reachable or if the service is not up, the commit may not succeed.

    commit-template1.png
  4. In the Commit Template To Select Devices window, select which templates to commit to which devices. You can select either All the Associated Templates or Only Selected Templates. The All the Associated Templates option is selected by default.
    1. Select the organization.
    2. Select a post-staging template
    3. Click Fetch Devices.
    4. Select the device and click Review.

      commit-template-fetch-devices.png
  5. The Commit Template to Devices Review window displays.

    commit-template-administration.png
  6. Click Commit to commit the template changes.
  7. To schedule the commit for a later date or time, click Schedule & Commit. In the Schedule Your Commit popup window, set the schedule.

    commit-template4.png
  8. Click OK.

To view the details and progress of the commit template, click the task_icon.png Task icon. Expand an activity to view more information, which you can use to analyze and troubleshoot any issues.

task-page.png

Verify IPsec Tunnel Services 

To verify IPsec tunnel services for a site-to-site tunnel:

  1. In Director view:
    1. Select the Monitor tab in the top menu bar.
    2. Select Devices in the horizontal menu bar.
    3. Select a device in the main pane. The view changes to Appliance view.
  2. Select Services > IPsec in the horizontal menu bar.

    verify-ipsec-services.png
  3. On the IPsec tab, select IKE History, and then select the IPsec tunnel. Click an entity to view the IKE history.

    verify-ipsec-services1.png
  4. Select IPsec Security Association, and then select the IPsec tunnel. Click an entity to view the IPsec security details.

    workflows-templates-services2.png

Verify Microsoft Entra BGP Peers in Versa Director

  1. In Director view:
    1. Select the Monitor tab in the top menu bar.
    2. Select Devices in the horizontal menu bar.
    3. Select a device in the main pane. The view changes to Appliance view.
  2. Select Networking > BGP in the horizontal device menu bar.
  3. On the BGP tab, select Neighbors, and then select Tenant1-microsoftGSA-Transport-VR to check neighbors for Microsoft Entra BGP Peers.

    verify-ipsec-tunnels1.png
  4. Select Received Prefixes to view the prefixes received from Microsoft Entra Intra Access.

    verify-ipsec-tunnels2.png

Verify Traffic Through VOS to Microsoft Entra

  1. In Director view:
    1. Select the Monitor tab in the top menu bar.
    2. Select Devices in the horizontal menu bar.
    3. Select a device in the main pane. The view changes to Appliance view.
  2. Select Services > Session in the horizontal device menu bar to display the session information.

    services-sessions.png

Verify Versa Director Device Information from Microsoft Entra

To verify the device information from Microsoft Entra:

  1. Log in to Microsoft Entra Admin Center.
  2. Navigate to Global Secure Access > Connect > Remote Networks.
  3. Click the remote network created by Versa Director.

    remote-network1.png
  4. In the remote network details page, select Links. The view link details pane displays the device information. 
    1. Select the General tab to view the device information. 

      remote-network-links.png
    2. Select the Details tab to view the IKE and IPsec information. For Versa supported IKE encryption algorithms, see Supported Encryption Algorithms.

      remote-network-details.png
    3. Select the Security tab to view the randomly generated pre-shared keys. 

      remote-network-security.png

View Versa Director Traffic Logs from Microsoft Entra

To view Versa Director traffic logs from Microsoft Entra:

  1. Log in to Microsoft Entra Admin Center.
  2. Navigate to Global Secure Access > Monitor > Traffic Logs.
  3. Select the Connections tab.

    traffic-logs.png

 

Supported Encryption Algorithms

Versa Networks supports the following IKE encryption algorithms in phase 1 and phase 2. The default values for phase 1 is MIX 8 and phase 2 is MIX 6.

Table 1: IKE Phase 1 Encryption Algorithms

IKEV2 MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 MIX 6 MIX 7 MIX 8
Encryption AES128 AES128 AES128 AES128 AES256 AES256 AES256 AES256
Integrity SHA256 SHA256 SHA384 SHA384 SHA256 SHA256 SHA384 SHA384
DH Group ECP256 ECP384 ECP256 ECP384 ECP256 ECP384 ECP256 ECP384

Table 2: IKE Phase 2 Encryption Algorithms

IPsec MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 MIX 6
Encryption GCMAES128 GCMAES128 GCMAES128 GCMAES256 GCMAES256 GCMAES256
Integrity GCMAES128 GCMAES128 GCMAES128 GCMAES256 GCMAES256 GCMAES256
PFS Group PFS14 ECP256 ECP384 PFS14 ECP256 ECP384

Supported Software Information 

Releases 22.1.4 and later support all content described in this article.

 

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
    Product
    Director
  2. Tags
    1. Microsoft Entra ID