Azure Active Directory’s Application Proxy service provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.
Implementing Azure Application Proxy is straightforward and provides secure access to your on-premises web applications without opening any inbound ports on the firewall. You can also integrate the solution with multi-factor authentication (such as Duo or Microsoft Authenticator) and Conditional Access policies to secure it further. In this post I share a step-by-step guide, with screenshots, for implementing Azure Application Proxy.
Before starting the implementation of Azure Application Proxy, you need to understand the components that make it work. The two most important ones are listed below:
Azure Proxy Service: This is the part of Azure Active Directory that runs in the cloud. It passes the SSO token from the user to the App Proxy Connector.
Application Proxy Connector: This is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between your on-premises application and the Application Proxy Service.
Install Azure Application Proxy Connector on Windows Server
Pre-requisites before installing the connector
- Minimum server requirement: Windows Server 2012 R2 or later.
- If you are installing the Azure Application Proxy Connector on Windows Server 2019, make sure to disable HTTP/2 protocol support in the WinHttp component using the registry value below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"EnableDefaultHttp2"=dword:00000000

- Make sure the server where the connector is installed has access to the on-premises web site.
- Make sure TLS 1.2 is enabled on the Windows Server. To enable TLS 1.2, you can import the following registry (.reg) file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

- It is recommended to have multiple App Proxy connector servers so that the service stays available when one of the connector servers goes into maintenance.
- Make sure ports 80 and 443 are allowed outbound from the connector server to the Azure Application Proxy service, and that the required service URLs are allowed on the firewall.
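The following PowerShell function is an added example (not from the original post) that checks the prerequisites above on the server that will host the connector: the registry values for TLS 1.2 and HTTP/2, the minimum OS version, outbound TCP 443, and reachability of the internal URL. The internal URL and the use of login.microsoftonline.com as the outbound probe host are assumptions for illustration.

```powershell
# Added example (not from the original post): checks the connector prerequisites listed
# above on the Windows Server that will host the connector. Run in an elevated session.
# -Fix writes missing or wrong registry values; -InternalUrl probes the on-premises site;
# -OutboundHost (assumed default: the Azure AD sign-in endpoint used when the connector
# registers) probes outbound TCP 443. The full service URL list is a separate firewall requirement.
function Test-AppProxyConnectorPrereqs {
    [CmdletBinding()]
    param([switch]$Fix, [string]$InternalUrl, [string]$OutboundHost = 'login.microsoftonline.com')

    $os  = [version](Get-CimInstance Win32_OperatingSystem).Version
    $tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $expected = @(
        @{ Path = "$tls\Client"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$tls\Client"; Name = 'Enabled';           Value = 1 }
        @{ Path = "$tls\Server"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$tls\Server"; Name = 'Enabled';           Value = 1 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
    )
    # HTTP/2 must be disabled in WinHttp on Windows Server 2019 (OS build 17763).
    if ($os.Build -ge 17763) {
        $expected += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'EnableDefaultHttp2'; Value = 0 }
    }

    $results = @(foreach ($e in $expected) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $pass = ($null -ne $current) -and ([int]$current -eq $e.Value)
        if (-not $pass -and $Fix) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
            $pass = $true
        }
        [pscustomobject]@{ Check = "$($e.Path)\$($e.Name)"; Expected = $e.Value; Current = $current; Pass = $pass }
    })

    # Minimum OS is Windows Server 2012 R2 (kernel version 6.3).
    $results += [pscustomobject]@{ Check = 'Windows Server 2012 R2 or later'; Expected = '6.3+'; Current = "$os"; Pass = ($os -ge [version]'6.3') }

    # Reachability probes: outbound 443 to Azure AD, and the internal URL the connector will proxy.
    $probes = @(@{ Host = $OutboundHost; Port = 443 })
    if ($InternalUrl) { $u = [uri]$InternalUrl; $probes += @{ Host = $u.Host; Port = $u.Port } }
    foreach ($p in $probes) {
        $tcp = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "TCP $($p.Host):$($p.Port)"; Expected = $true; Current = $tcp.TcpTestSucceeded; Pass = [bool]$tcp.TcpTestSucceeded }
    }
    $results
}

# Constructed internal URL for illustration; replace it with your application's internal URL.
Test-AppProxyConnectorPrereqs -InternalUrl 'http://intranet.contoso.local/' | Format-Table -AutoSize
```

Run it once without -Fix to see which prerequisites fail, then with -Fix to write the registry values; a reboot or service restart is needed before SCHANNEL picks up the TLS settings.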
Installation of Azure Application Proxy Connector
1. Log in to the Azure portal at https://portal.azure.com
2. Search for Azure Active Directory in the search bar.
3. On the Azure Active Directory page, find the Application Proxy link on the left-hand side and click it. You will be presented with the screen below:
Here you see the warning message "Application Proxy is currently disabled for your tenant. Click here to enable Application Proxy".
Why is the Enable Application Proxy button greyed out?
4. On the server where you want to install the Application Proxy connector, click Download connector service (best practice is to install the App Proxy connector on a server closest to your application, preferably in the same subnet and the same domain).
5. When you click Download connector service, a pane appears on the right-hand side. Go through the information about system requirements and click Accept terms & Download.
6. Once you click Accept terms & Download, the download of AADApplicationProxyConnectorInstaller.exe starts. Save the file to run it later.
7. Right-click the .exe file and select Run as administrator.
8. Select the checkbox to agree to the license terms and conditions.
10. Sign in to Microsoft Azure using a user account with admin privileges.
11. Once you are successfully authenticated, the setup proceeds and completes, and you should see the screen below. Click Close to exit the setup.
12. To verify the installation of the Application Proxy connector, go to Start -> Run -> services.msc and make sure the highlighted services below are "Running".
13. Go back to the Azure Active Directory console -> Application Proxy page. The server now shows as Active under the Default connector group.
14. Repeat steps 4-13 to install the Application Proxy connector on more servers for high availability of the service. If one server is down or goes into maintenance, the other active servers can still serve client requests.
Add the On-Premises Application to Azure AD
The next step is to add the on-premises web application.
1. Log in to the Azure portal with administrator rights -> Azure Active Directory -> Enterprise applications
2. On the Enterprise applications page, click All applications -> New application.
3. On the next screen, click Add an on-premises application.
4. Provide the information about your on-premises web application and configure it as shown in the screenshot below, then click + Add to add the app. Make sure the Internal URL supplied in the form is accessible from the Application Proxy connector servers.
To test the application, create an Active Directory security group to grant access to this application (the security group can be created on-premises or in the cloud).
Add/Assign users to the Application
1. Select Enterprise applications, then search for the application added earlier and click it to open the application.
2. On the Overview page, select Assign users and groups.
3. Click + Add user/group and add the security group for application access. Access to this application is then controlled by membership of this security group.
Test the Application
1. Go to Azure portal -> Azure Active Directory -> Enterprise applications -> search for your application and click it to open the application configuration page.
2. Click the Application Proxy link on the left-hand side, then click Test Application.
3. Click Open application.
4. Note down the External URL of the application and share it with users.
Secure Application Access
Now that the application has been created and tested externally, the next task is to protect it from unauthorized access. The following Conditional Access policies need to be created:
Conditional Access Policies:
- Block access to the application (from any location) when a user is not a member of the security group created and assigned in the previous steps while testing the application.
- If the user is a member of the security group, he or she should be prompted for MFA.
Create the two CA policies using Azure Portal -> Azure AD Conditional Access.
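As an added example (not from the original post), the same two policies can be created with the Microsoft Graph PowerShell SDK. The application and group display names are placeholders; the policies are created in report-only mode so their effect can be reviewed in the sign-in logs before the state is switched to enabled.

```powershell
# Added example (not from the original post): creates the two Conditional Access policies
# described above with the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal,
# Get-MgGroup, New-MgIdentityConditionalAccessPolicy). Display names below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

$app   = Get-MgServicePrincipal -Filter "displayName eq 'My On-Prem App'"     # the App Proxy enterprise app
$group = Get-MgGroup -Filter "displayName eq 'AppProxy-MyApp-Users'"          # the access security group
if (-not $app -or -not $group) { throw 'Application or group not found; check the display names.' }

# Conditions shared by both policies: scope to this application only, all client app types.
$common = @{
    applications   = @{ includeApplications = @($app.AppId) }
    clientAppTypes = @('all')
}

# Policy 1: anyone who is NOT a member of the group is blocked, from any location.
# Add your emergency-access (break-glass) account object IDs to excludeUsers before enabling.
$blockNonMembers = @{
    displayName   = 'App Proxy - block non-members'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = $common + @{
        users     = @{ includeUsers = @('All'); excludeGroups = @($group.Id); excludeUsers = @() }
        locations = @{ includeLocations = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: members of the group must satisfy MFA to reach the application.
$requireMfa = @{
    displayName   = 'App Proxy - require MFA for members'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $common + @{ users = @{ includeGroups = @($group.Id) } }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($p in $blockNonMembers, $requireMfa) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

Because the first policy targets All users and excludes only the group, review the report-only results for the administrators who manage the application before enforcing it, so an admin who is not a group member is not locked out.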