|
1 | 1 | --- |
2 | 2 | title: How to configure customer premises equipment for Global Secure Access (preview) |
3 | | -description: Learn how to configure customer premises equipment for Global Secure Access (preview). |
| 3 | +description: Learn how to configure the connectivity between your customer premises equipment and the Global Secure Access (preview) network. |
4 | 4 | author: shlipsey3 |
5 | 5 | ms.author: sarahlipsey |
6 | 6 | manager: amycolannino |
7 | 7 | ms.topic: how-to |
8 | | -ms.date: 06/08/2023 |
| 8 | +ms.date: 09/22/2023 |
9 | 9 | ms.service: network-access |
10 | 10 | ms.custom: |
11 | 11 |
|
| 12 | +# Customer Intent: As a Global Secure Access administrator, I need to know how to configure the connection between my customer premises equipment and Microsoft's network so that I can create a tunnel from my remote network to the Global Secure Access network. |
12 | 13 | --- |
13 | 14 | # Configure customer premises equipment for Global Secure Access (preview) |
14 | 15 |
|
15 | 16 | IPSec tunnel is a bidirectional communication. One side of the communication is established when [adding a device link to a remote network](how-to-manage-remote-network-device-links.md) in Global Secure Access (preview). During that process, you enter your public IP address and BGP addresses in the Microsoft Entra admin center to tell us about your network configurations. |
16 | 17 |
|
17 | | -The other side of the communication channel is configured on your customer premises equipment (CPE). This article provides the steps to set up your CPE using the network configurations provided by Microsoft. |
| 18 | +This article provides the steps to set up the other side of the communication channel. |
18 | 19 |
|
19 | 20 | ## Prerequisites |
20 | 21 |
|
21 | 22 | To configure your customer premises equipment (CPE), you must have: |
22 | 23 |
|
23 | 24 | - A **Global Secure Access Administrator** role in Microsoft Entra ID. |
24 | | -- Sent an email to Global Secure Access onboarding according to the onboarding process in the **Remote network** area of Global Secure Access. |
25 | | -- Received the connectivity information from Global Secure Access onboarding. |
26 | 25 | - The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense). |
| 26 | +- To configure your CPE, you must have completed the Global Secure Access onboarding process. |
27 | 27 |
|
28 | 28 | ## How to configure your customer premises equipment |
29 | 29 |
|
30 | | -To onboard to Global Secure Access remote network connectivity, you must have completed the [onboarding process](how-to-create-remote-networks.md#onboard-your-tenant-for-remote-networks). In order to configure your CPE, you need the connectivity information provided by the Global Secure Access onboarding team. |
| 30 | +You can set up the CPE using the Microsoft Entra admin center or using the Microsoft Graph API. When you create a remote network and add your device link information, configuration details are generated. These details are needed to configure your CPE. |
31 | 31 |
|
32 | | -Once you have the details you need, go to the preferred interface of your CPE (UX or API), and enter the information you received to set up the IPSec tunnel. Follow the instructions provided by the CPE provider. |
| 32 | +## [Microsoft Entra admin center](#tab/microsoft-entra-admin-center) |
33 | 33 |
|
| 34 | +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a **Global Secure Access Administrator**. |
| 35 | +1. Browse to **Global Secure Access** > **Devices** > **Remote network**. |
| 36 | +1. Select **View configuration** for the remote network you need to configure. |
| 37 | + |
| 38 | + :::image type="content" source="media/how-to-configure-customer-premises-equipment/remote-network-view-configuration.png" alt-text="Screenshot of the configuration details with the Microsoft information highlighted." lightbox="media/how-to-configure-customer-premises-equipment/remote-network-view-configuration-expanded.png"::: |
| 39 | + |
| 40 | +1. Locate and save Microsoft's public IP address `endpoint` from the panel that opens. |
| 41 | + |
| 42 | +  |
| 43 | + |
| 44 | +1. In the preferred interface for *your CPE*, enter the IP address you saved in the previous step. This step completes the IPSec tunnel configuration. |
| 45 | + |
| 46 | +The following diagram highlights each of the major sections of the device configuration details. Text descriptions of each section follow the diagram. |
| 47 | + |
| 48 | +:::image type="content" source="media/how-to-configure-customer-premises-equipment/device-configuration-map.png" alt-text="Diagram of the configuration details with each section highlighted." lightbox="media/how-to-configure-customer-premises-equipment/device-configuration-map-expanded.png"::: |
| 49 | + |
| 50 | +- The `branchId` and `branchName` represent the remote network details. |
| 51 | +- The `displayName` is the device link name. |
| 52 | +- The `endpoint`, `asn`, `bdpAddress`, and `region` represent the Microsoft connectivity details. Enter these details on your CPE. |
| 53 | +- For zone redundant device links, a second set of details are generated. |
| 54 | +- `PeerConfiguration` and the subsequent details represent the CPE connectivity details. |
| 55 | +- If you've configured more devices, their details follow. |
| 56 | + |
34 | 57 | > [!IMPORTANT] |
35 | | ->The crypto profile you specified for the device link should match with what you specify on your CPE. If you chose the "default" IKE policy when configuring the device link, use the configurations described in the [Remote network configurations](reference-remote-network-configurations.md) article. |
| 58 | +>The crypto profile you specified for the device link should match with what you specify on your CPE. If you chose the "default" IKE policy when configuring the device link, use the configurations described in the **[Remote network configurations](reference-remote-network-configurations.md)** article. |
| 59 | +
|
| 60 | +## [Microsoft Graph API](#tab/microsoft-graph-api) |
| 61 | + |
| 62 | +Follow these instructions to download the connectivity information for your remote network. |
| 63 | + |
| 64 | +1. Sign in to [Graph Explorer](https://aka.ms/ge). |
| 65 | +1. Select **GET** as the HTTP method from the dropdown. |
| 66 | +1. Set the API version to **beta**. |
| 67 | +1. Run the following query to list your remote networks and their device links: |
| 68 | + |
| 69 | + ``` http |
| 70 | + GET https://graph.microsoft.com/beta/networkaccess/connectivity/branches |
| 71 | + ``` |
| 72 | +1. Run the following query to get the connectivity information, replacing `{branchSiteId}` with the ID of your remote network and `{deviceLinkId}` with the ID of your device link: |
| 73 | +
|
| 74 | + ``` http |
| 75 | + GET https://graph.microsoft.com/beta/networkAccess/connectivity/branches/{branchSiteId}/deviceLinks/{deviceLinkId} |
| 76 | + ``` |
| 77 | +
|
| 78 | +The details in the response are similar to the device configuration details found in the Microsoft Entra admin center. |
| 79 | +
|
| 80 | +--- |
| 81 | +
|
36 | 82 |
|
37 | 83 | [!INCLUDE [Public preview important note](./includes/public-preview-important-note.md)] |
38 | 84 |
|
|
0 commit comments