Step-by-Step Implementation of Entra Application Proxy

The Entra Application Proxy service offers secure remote access to on-premises web applications. Following a single sign-on to Entra ID, users can access both cloud and on-premises applications via an external URL or an internal application portal.

For instance, Application Proxy facilitates remote access and single sign-on to services such as Remote Desktop, SharePoint, Teams, Tableau, Qlik, and various line-of-business (LOB) applications.

The implementation of Entra Application Proxy is straightforward and provides secure access to your on-premises web applications without the need to open any inbound ports on the firewall. You can also integrate the solution with Multi-Factor Authentication services like DUO or Microsoft Authenticator and apply Conditional Access Policies to enhance security even further.

Before we begin the implementation of Entra Application Proxy, it’s crucial to understand the various components required for this process. I have listed the two most important ones below.

Azure Proxy Service: Microsoft Entra ID has an Application Proxy service that enables users to access on-premises applications by signing in with their Microsoft Entra account.

Application Proxy Connector: This is a lightweight agent that runs on a Windows server inside your network. This connector facilitates communication between your on-premises application and the Application Proxy Service.

Important Note

Step 1 – Enable Application Proxy Service

If you are using Entra Application Proxy for the first time, you will need to enable it before downloading and installing a connector on Windows servers. Let’s review the steps to enable Application Proxy in the Entra admin center.

1. Login to the Entra admin center.
2. Navigate to Applications > Enterprise Applications > Application Proxy.
3. You may encounter a warning message indicating that “Application Proxy is currently disabled for your tenant. Click here to enable Application Proxy“.
4. Click on Enable Application Proxy. (If you find this option greyed out, follow the guidance below, and then proceed to point 5 to proceed with Connector Installation).

Why is the ‘Enable Application Proxy’ Option Greyed Out?

You may find that the “Enable Application Proxy” option is greyed out. This could be due to not having the required license in your Entra ID organization. Ensure you have at least Entra ID P1 (formerly Azure AD Premium P1) or Entra ID P2 (formerly Azure AD Premium P2) license.

The screenshot below displays a warning message along with the ‘Enable Application Connector‘ option.

Step 2 – Install a Connector on a Windows Server

To utilize Application Proxy, install a connector on each Windows server that you intend to use with the Application Proxy service. The connector serves as an agent, overseeing the outbound connection from the on-premises application servers to the Application Proxy in Microsoft Entra ID.

1. Pre-requisites for Installing the Connector

• Minimum Server Requirements: Windows Server 2012 R2 or Later.
• If you are installing Entra Application Proxy Connector on Windows Server 2019, make sure to disable HTTP2 protocol support in the WinHttp component using the below reg key.
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp] “EnableDefaultHttp2″=dword:00000000
• Ensure that the server where the connector is installed has access to the on-premise website.
• Ensure that TLS 1.2 is Enabled on the Windows Server. To enable TLS 1.2, you can use the following registry keys:

Enable TLS 1.2 Using these Registry Keys

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] “SchUseStrongCrypto”=dword:00000001

• It’s recommended to have multiple App Proxy Connector servers to ensure service availability, particularly in scenarios where one of the servers with the App Proxy Connector installed goes into maintenance.
• Ensure that outbound traffic on ports 80 and 443 is allowed to Azure Proxy Services, and grant access to the necessary URLs on the firewall.

5. Open any web browser on the server where you intend to Install the connector and go to the Entra admin center > Applications > Enterprise Applications > Application Proxy.
   • Click on “Download connector service“. The best practice is to install the App Proxy connector on a server closest to your application, preferably in the same subnet and domain.

6. When you click on “Download connector service“, a pane on the right-hand side appears. Review the information about system requirements and proceed by clicking on “Accept terms & Download“.

7. The download of the AADApplicationProxyConnectorInstaller.exe file will commence. Save the file to run it later.

8. Right-click on the .exe file and select “Run as administrator.

9. Check the box to agree to the license terms and conditions.

10. Installation in Progress.

11. Sign in to Microsoft Azure using a user account with administrative privileges.

12. Once you have successfully authenticated, the setup will proceed and complete. You should see the screen below. Click on the “Close” button to exit the setup.

13. To verify the installation of the Application Proxy Connector, follow these steps: Go to Start -> Run -> services.msc and ensure that the highlighted services below are “Running”.

14. Return to the Entra admin center > Applications > Enterprise Applications > Application Proxy. You will notice that the server is now displayed as “Active” under the Default connectors group.

15. Repeat steps 4-13 for the installation of the Application Proxy Connector on additional servers to ensure high availability of the service. If one server is down or undergoes maintenance, the other active servers can still serve client requests.

Step 3 – Add On-Premises Application to Entra ID

The next step is to add/register an on-premises application on the Entra admin center. Let’s review the steps:

1. Login to the Entra admin center.
2. Navigate to Applications > Enterprise Applications.

3. Click on + New application under All applications.

4. On the Next Screen, Click on Add an on-premises application.

5. Provide information about your on-premise web application and configure the application as shown in the screenshot below. Click on “+ Add” to add the app. Ensure that the internal URL supplied in the form below is accessible from the Application Proxy Connector servers.

Step 4 – Assignment of Application to Test Users

To test the application, create an Entra Security Group to provide access to this application.

1. Navigate to “Enterprise applications” on the Entra admin center.
2. Search for the application added earlier and click on it to open the application.
3. On the Overview page, select “Assign users and groups“.

4. Click on “+ Add user/group“.
5. Add the security group for application access. Access to this application can be controlled using the membership of this security group.

Step 5 – Test the Application

1. Navigate to “Enterprise applications” on the Entra admin center.
2. Search for the application added earlier and click on it to open the application.
3. Click on the “Application Proxy” link on the left-hand side, and then click on “Test Application“.

4. Click on open application.

5. Note down the external URL of the application and share it with users. Users can then use this link to securely access the application via Entra App Proxy.

Step 6 – Secure the On-Premise Application Access

Now that the application has been created and tested externally, your next task is to protect the application from unauthorized access. Below, conditional access policies can be created:

Conditional Access Policies:

1. Block application access (from any location) when a user is not a member of the security group (created/configured in the previous steps while testing the application).
2. If a user is a member of the security group, they should be prompted for Multi-Factor Authentication (MFA).