Step-by-Step Implementation of Entra Application Proxy

The Entra Application Proxy service offers secure remote access to on-premises web applications. Following a single sign-on to Entra ID, users can access both cloud and on-premises applications via an external URL or an internal application portal.

For instance, Application Proxy facilitates remote access and single sign-on to services such as Remote Desktop, SharePoint, Teams, Tableau, Qlik, and various line-of-business (LOB) applications.

The implementation of Entra Application Proxy is straightforward and provides secure access to your on-premises web applications without the need to open any inbound ports on the firewall. You can also integrate the solution with Multi-Factor Authentication services like DUO or Microsoft Authenticator and apply Conditional Access Policies to enhance security even further.

Before we begin the implementation of Entra Application Proxy, it’s crucial to understand the various components required for this process. I have listed the two most important ones below.

Azure Proxy Service: Microsoft Entra ID has an Application Proxy service that enables users to access on-premises applications by signing in with their Microsoft Entra account.

Application Proxy Connector: This is a lightweight agent that runs on a Windows server inside your network. This connector facilitates communication between your on-premises application and the Application Proxy Service.

Important Note

Implementation of Azure AD  Application Proxy

Step 1 – Enable Application Proxy Service

If you are using Entra Application Proxy for the first time, you will need to enable it before downloading and installing a connector on Windows servers. Let’s review the steps to enable Application Proxy in the Entra admin center.

  1. Login to the Entra admin center.
  2. Navigate to Applications > Enterprise Applications > Application Proxy.
  3. You may encounter a warning message indicating that “Application Proxy is currently disabled for your tenant. Click here to enable Application Proxy“.
  4. Click on Enable Application Proxy. (If you find this option greyed out, follow the guidance below, and then proceed to point 5 to proceed with Connector Installation).

Why is the ‘Enable Application Proxy’ Option Greyed Out?

You may find that the “Enable Application Proxy” option is greyed out. This could be due to not having the required license in your Entra ID organization. Ensure you have at least Entra ID P1 (formerly Azure AD Premium P1) or Entra ID P2 (formerly Azure AD Premium P2) license.

The screenshot below displays a warning message along with the ‘Enable Application Connector‘ option.

Installation of Azure Application Proxy Connector
Installation of Azure Application Proxy Connector
Why is the ‘Enable Application Proxy’ option Greyed out

Step 2 – Install a Connector on a Windows Server

To utilize Application Proxy, install a connector on each Windows server that you intend to use with the Application Proxy service. The connector serves as an agent, overseeing the outbound connection from the on-premises application servers to the Application Proxy in Microsoft Entra ID.

1. Pre-requisites for Installing the Connector

  • Minimum Server Requirements: Windows Server 2012 R2 or Later.
  • If you are installing Entra Application Proxy Connector on Windows Server 2019, make sure to disable HTTP2 protocol support in the WinHttp component using the below reg key.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp] “EnableDefaultHttp2″=dword:00000000
  • Ensure that the server where the connector is installed has access to the on-premise website.
  • Ensure that TLS 1.2 is Enabled on the Windows Server. To enable TLS 1.2, you can use the following registry keys:
Enable TLS 1.2 Using these Registry Keys
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] “SchUseStrongCrypto”=dword:00000001
  • It’s recommended to have multiple App Proxy Connector servers to ensure service availability, particularly in scenarios where one of the servers with the App Proxy Connector installed goes into maintenance.
  • Ensure that outbound traffic on ports 80 and 443 is allowed to Azure Proxy Services, and grant access to the necessary URLs on the firewall.
  1. Open any web browser on the server where you intend to Install the connector and go to the Entra admin center > Applications > Enterprise Applications > Application Proxy.
    • Click on “Download connector service“. The best practice is to install the App Proxy connector on a server closest to your application, preferably in the same subnet and domain.
  1. When you click on “Download connector service“, a pane on the right-hand side appears. Review the information about system requirements and proceed by clicking on “Accept terms & Download“.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. The download of the AADApplicationProxyConnectorInstaller.exe file will commence. Save the file to run it later.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. Right-click on the .exe file and select “Run as administrator.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. Check the box to agree to the license terms and conditions.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. Installation in Progress.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. Sign in to Microsoft Azure using a user account with administrative privileges.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. Once you have successfully authenticated, the setup will proceed and complete. You should see the screen below. Click on the “Close” button to exit the setup.
Installation of Azure Application Proxy Connector
Install a Connector on a Windows Server
  1. To verify the installation of the Application Proxy Connector, follow these steps: Go to Start -> Run -> services.msc and ensure that the highlighted services below are “Running”.
Azure Application Proxy Connector Service
Install a Connector on a Windows Server
  1. Return to the Entra admin center > Applications > Enterprise Applications > Application Proxy. You will notice that the server is now displayed as “Active” under the Default connectors group.
Azure Application Proxy Connector Status
Install a Connector on a Windows Server
  1. Repeat steps 4-13 for the installation of the Application Proxy Connector on additional servers to ensure high availability of the service. If one server is down or undergoes maintenance, the other active servers can still serve client requests.
Azure Application Proxy Connector Status
Install a Connector on a Windows Server

Step 3 – Add On-Premises Application to Entra ID

The next step is to add/register an on-premises application on the Entra admin center. Let’s review the steps:

  1. Login to the Entra admin center.
  2. Navigate to Applications > Enterprise Applications.
Add on-Premise Application to Azure AD
Add On-Premises Application to Entra ID
  1. Click on + New application under All applications.
Add on-Premise Application to Azure AD
Add On-Premises Application to Entra ID
  1. On the Next Screen, Click on Add an on-premises application.
Add on-Premise Application to Azure AD
Add On-Premises Application to Entra ID
  1. Provide information about your on-premise web application and configure the application as shown in the screenshot below. Click on “+ Add” to add the app. Ensure that the internal URL supplied in the form below is accessible from the Application Proxy Connector servers.
Add on-Premise Application to Azure AD
Add On-Premises Application to Entra ID

Step 4 – Assignment of Application to Test Users

To test the application, create an Entra Security Group to provide access to this application.

  1. Navigate to “Enterprise applications” on the Entra admin center.
  2. Search for the application added earlier and click on it to open the application.
  3. On the Overview page, select “Assign users and groups“.
Add on-Premise Application to Azure AD
Assignment of Application to Test Users
  1. Click on “+ Add user/group“.
  2. Add the security group for application access. Access to this application can be controlled using the membership of this security group.
Add on-Premise Application to Azure AD
Assignment of Application to Test Users

Step 5 – Test the Application

  1. Navigate to “Enterprise applications” on the Entra admin center.
  2. Search for the application added earlier and click on it to open the application.
  3. Click on the “Application Proxy” link on the left-hand side, and then click on “Test Application“.
Implementation of Azure AD  Application Proxy
Test the Application
  1. Click on open application.
Implementation of Azure AD  Application Proxy
Test the Application
  1. Note down the external URL of the application and share it with users. Users can then use this link to securely access the application via Entra App Proxy.

Step 6 – Secure the On-Premise Application Access

Now that the application has been created and tested externally, your next task is to protect the application from unauthorized access. Below, conditional access policies can be created:

Conditional Access Policies:

  1. Block application access (from any location) when a user is not a member of the security group (created/configured in the previous steps while testing the application).
  2. If a user is a member of the security group, they should be prompted for Multi-Factor Authentication (MFA).

Leave a Comment