Step-by-Step Implementation of Azure AD Application Proxy

Table of Contents

Microsoft Azure

Azure Active Directory’s Application Proxy service provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.

Implementation of Azure Application Proxy is easy and provides secure access to your on-premise web applications without the need to open any inbound ports on the firewall. You can also integrate the solution with Multi Factor authentication like DUO or MS authenticator and Conditional Access Policies to secure it even further. I am sharing step by step guide with you with screenshots for implementing Azure application proxy.

Before we start the implementation of the Azure Application Proxy, you need to understand the various components for making this work. I have listed two most important one’s below:

Azure Proxy Service: This is a part of Azure Active directory which runs in the cloud. It passes the SSO token from the user to the App Proxy Connector.

Application Proxy Connector: This is a lightweight agent that runs on windows server inside your network. This connector manages communication between your on-premise application and Application Proxy Service.

Please note:

Implementation of Azure AD  Application Proxy

Install Azure Application Proxy Connector on Windows Server

Pre-requisites before installing the connector

  • Minimum Server Requirements is Windows Server 2012 R2 or Later.
  • If you are installing Azure Application Proxy Connector on Windows Sever 2019, make sure to disable HTTP2 protocol support in the WinHttp component using below reg key.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp] “EnableDefaultHttp2″=dword:00000000
  • Make sure the Server where connector is installed have access to the On-Premise Web Site.
  • Make sure TLS 1.2 is enabled on the Windows Server. To Enable TLS 1.2, you can use below registry keys:
Reg Keys
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] “DisabledByDefault”=dword:00000000 “Enabled”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] “SchUseStrongCrypto”=dword:00000001
  • Its recommended to have multiple app proxy connector servers to make sure the availability of the service in scenarios when one of the server where App proxy connector is installed goes into maintenance.
  • Make sure Port 80 and 443 is allowed outbound to Azure Proxy Services and Allow Access to URLs on the Firewall.

Installation of Azure Application Proxy Connector

  1. Login to Azure Portal link https://portal.azure.com
  2. Search for Azure Active directory in your search bar
Installation of Azure Application Proxy Connector

3. On the Azure Active Directory Page, on the left hand side find Application Proxy link. Click on the Application Proxy. You will presented with below screen:

Here you see that the warning message is displayed “Application Proxy is currently disabled for your tenant. Click here to enable Application Proxy”

Why is the Enable Application Proxy button greyed out?

Installation of Azure Application Proxy Connector
Installation of Azure Application Proxy Connector

4. Click on Download connector service on the server where you want to install Application proxy connector (best practice is to install App Proxy connector on a server closest to your application, preferably in the same subnet and same domain)

5. When you click on Download connector service, A pane on the right hand side appears. Go through the information about system requirements and click on Accept terms & Download

Installation of Azure Application Proxy Connector

6. Once you click on Accept terms & Download. Download of the AADApplicationProxyConnectorInstaller.exe file will start. Save the file to run it later.

Installation of Azure Application Proxy Connector

7. Right-click on the exe file and Run as administrator.

Installation of Azure Application Proxy Connector

8. Select the checkbox to Agree the license terms and conditions.

Installation of Azure Application Proxy Connector

9. Progress

Installation of Azure Application Proxy Connector

10. Sign in to Microsoft Azure using a user account having admin privileges.

Installation of Azure Application Proxy Connector

11. Once you are successfully authenticated, the setup will proceed / complete and you should see below screen. Click on Close button to close the setup.

Installation of Azure Application Proxy Connector

12. To Verify the installation of Application Proxy Connector. Go to Start -> Run -> services.msc and make sure below highlighted services are “Running”.

Azure Application Proxy Connector Service

13. Go back to Azure Active Directory Console -> Application Proxy Page. You will see that the server is now showing as Active under Default connectors group.

Azure Application Proxy Connector Status

14. Repeat the steps 4-13 for installation of Application Proxy Connector on more servers for High-availability of the service. If one server is down or goes into maintenance then other Active Servers can still serve the client requests.

Azure Application Proxy Connector Status

Add on-Premise Application to Azure AD

Next step is to add the On-Premise Web Application

  1. Login on Azure Portal using Administrator Rights -> Azure Active Directory -> Enterprise applications
Add on-Premise Application to Azure AD

2. On the Enterprise Application Page. Click on All applications -> New application

Add on-Premise Application to Azure AD

3. On the Next Screen, Click on Add an on-premise application.

Add on-Premise Application to Azure AD

4. Provide information about your on-premise web application and configure the application as shown in the below screenshot, click on + Add to Add the App. Make sure the Internal URL Supplied in the below form is accessible from the Application Proxy Connector servers.

Add on-Premise Application to Azure AD

Application Assignment

To test the application, create Active Directory Security Group to provide the access to this application. (AD Security Group can be created on-premise or In-Cloud)

Add/Assign users to the Application

  1. Select Enterprise applications, and then search for the application added earlier and click on it to open the application.
  2. On Overview page, Select Assign users and Groups
Add on-Premise Application to Azure AD

3. Click on + Add user/group and Add the security group for Application Access. Access to this application can be controlled using the membership of this security group.

Add on-Premise Application to Azure AD

Test the Application

  1. Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> Search for your application and click on it to open the application configuration page.
  2. Click on Application Proxy Link on the left hand side and then click on Test Application.
Implementation of Azure AD  Application Proxy

3. click on open application

Implementation of Azure AD  Application Proxy

4. Note down the External URL of the application and share it with users.

Secure Application Access

Now as the application has been created and tested externally. Your next task is to protect the application from unauthorized access. Below conditional access policies needs to be created:

Conditional Access Policies:

  1. Block the Application Access (from any location) when a user is not a member of the Security Group (created / configured in the previous steps while testing the application).
  2. If user is a member of the security group, he/she should be prompted for MFA.

Create two CA Policies using Azure Portal -> Azure AD Conditional Access.

Implementation of Azure AD  Application Proxy

Leave a Comment