I have previously sung my praises about Global Secure Access Private in another article here on my blog, and I do think that Global Secure Access (GSA) is a great product with a lot of potential. However, there are still features that need additional development. One of these features is the automatic network detection feature.
In short, the Global Secure Access client does not detect if your Windows device is connected to the corporate network. This means that Global Secure Access is always active, and even though the resources published in Global Secure Access are on the same network as the Windows device, communication to these resources still goes through Global Secure Access.
I have written about how to deploy, configure and lock down the Global Secure Access client. Adding to this article, I have created a script as a workaround to disable GSA Private Access if the Windows device is on a corporate network.
Global Secure Access client registry configuration
According to this article, Microsoft is letting the user decide when to enable or disable GSA Private Access. Even though I put a lot of faith in users, I am pretty sure that most users do not know or remember when to enable or disable GSA Private Access. So, to help the users out, let's configure a Windows scheduled task and do some PowerShell magic.
The article by Microsoft mentions a particular registry value called IsPrivateAccessDisabledByUser. This value is configured in HKCU:Software\Microsoft\Global Secure Access Client. This registry value can disable or enable GSA Private Access based on the value data configured.
From the article:

The scripts
This solution consists of 2 scripts: 1 script to do the network detection and another script to create a scheduled task which triggers on a specific event ID.
The network detection script
I have created a script that leverages the registry value mentioned above. The script is available in a repository on my GitHub account here:
Global-Secure-Access-Scripts/Detect Corporate network at main · kaspersmjohansen/Global-Secure-Access-Scripts
The script has 4 variables that can be configured:
NetworkCheck
This variable must be configured, as it determines what kind of check is performed to determine if the Windows device is connected to the corporate network. Currently the supported values are DNS, FQDN and IP.
DNSSuffix
This variable must be configured if the NetworkCheck variable is configured with the DNS value.
A DNS suffix value should be configured, like domain.local. The script will check whether a DNS suffix has been configured on the active NIC. If the DNS suffix on the active NIC matches the DNS suffix value in this variable, GSA Private Access is disabled.
HostFQDN
This variable must be configured if the NetworkCheck variable is configured with the FQDN value.
The script will try to resolve the FQDN using the local DNS server/servers. If the name can be resolved, GSA Private Access is disabled.
HostIP
This variable must be configured if the NetworkCheck variable is configured with the IP value.
The script will ping the IP. If the host with the IP returns the ping requests, GSA Private Access is disabled.
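The three checks described above, ending with the registry write, as an added example that is not the script from the repository. The variable names follow the article; the value data (1 = Private Access disabled, 0 = enabled, per Microsoft's documentation of the value), the re-enable when off the corporate network, and the placeholder suffix, host name and IP are assumptions.

```powershell
# Added example; not the script from the repository.
$NetworkCheck = 'DNS'                # DNS, FQDN or IP
$DNSSuffix    = 'domain.local'       # placeholder
$HostFQDN     = 'host.domain.local'  # placeholder
$HostIP       = '192.0.2.10'         # placeholder (documentation address range)

$RegPath = 'HKCU:\Software\Microsoft\Global Secure Access Client'
$RegName = 'IsPrivateAccessDisabledByUser'

function Test-CorpNetwork {
    switch ($NetworkCheck) {
        'DNS' {
            # Connection-specific suffix of every adapter that is up. The suffix is
            # normally handed out by DHCP, so it shows what the network claims to be.
            $suffixes = Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
                (Get-DnsClient -InterfaceIndex $_.ifIndex).ConnectionSpecificSuffix
            }
            return ($suffixes -contains $DNSSuffix)
        }
        'FQDN' {
            # Only records in the Answer section count as "resolved".
            $r = Resolve-DnsName -Name $HostFQDN -DnsOnly -ErrorAction SilentlyContinue
            return [bool]($r | Where-Object Section -eq 'Answer')
        }
        'IP' {
            return (Test-Connection -ComputerName $HostIP -Count 2 -Quiet)
        }
        default { throw "Unsupported NetworkCheck value: $NetworkCheck" }
    }
}

# Assumption (Microsoft's documentation of the value): 1 = Private Access disabled,
# 0 = enabled. Writing 0 when off the corporate network is also an assumption.
$value = if (Test-CorpNetwork) { 1 } else { 0 }

if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
if ($current -ne $value) {
    # Write only on change so repeated 4004 events do not rewrite the value.
    New-ItemProperty -Path $RegPath -Name $RegName -Value $value -PropertyType DWord -Force | Out-Null
}
```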
The scheduled task script
This script creates a scheduled task running in user context. The scheduled task triggers when an event ID 4004 occurs in the Microsoft-Windows-NetworkProfile/Operational event log. Event 4004 occurs every time there is a network change on the Windows device.
The script has 5 variables that can be configured:
ScriptFileName
Must be configured with the name of the network detection script. Default is Detect-CorpNetwork.ps1
ScriptFileLocation
Must be configured with the scriptfilename location. Default is C:\ProgramData\GSAScripts
ScheduledTaskName
Must be configured with the name of the scheduled task. Default is Global Secure Access – Detect network state
ScheduledTaskDescription
Must be configured with a description of the scheduled task. Default is Powershell script executed on event id 4004, to detect if the device is on the corporate network. GSA Private Access is disabled if the device is on the corporate network
ScheduledTaskPath
Must be configured with the scheduled task path. Default is \
The network detection script in action
I have created a small screen recording, to demonstrate the scheduled task in action and how it looks on the user’s Windows device.
As you might notice, the screen recording is performed on a virtual machine where I am changing VLAN IDs to simulate a network change. The script executed via the scheduled task has been modified to check if the DNS suffix johansen.local is available and if it is, disable GSA Private Access.
This concludes the article. Feel free to reach out to me on X or on LinkedIn if you have any comments or questions.