Publishing web-based Intranet applications using Azure AD Application Proxy.

Azure AD Application Proxy is a feature available with Azure AD Premium and Azure AD Basic. It is a reverse proxy service that gives external users access to web-based applications that live on the corporate network, behind the corporate firewall, without opening inbound ports to those applications.

The advantages of using Azure AD Application Proxy over traditional firewall publishing of applications to external users are:

  • The application benefits from Azure AD pre-authentication, and Azure Multi-Factor Authentication can be enforced on top of it.
  • The corporate applications are listed in the user's Azure application access panel or the Office 365 app launcher.
  • Users access all internal web-based applications as well as third-party SaaS applications from the same place.
  • Once the user has signed in to Azure Active Directory or Office 365, he or she can launch the assigned applications without logging on to each application individually.

Prerequisites:

A few requirements must be met in order to run Azure AD Application Proxy:

  • One domain-joined on-premises machine running Windows Server 2012 R2, Windows 8.1 or later is required to install the Azure AD Application Proxy Connector. This server must be able to send HTTPS requests to the Application Proxy service in the cloud and to the web applications you intend to publish. Installing the connector on more than one server is the recommended practice, so that a single connector is not a single point of failure.
  • Several outbound firewall ports must be opened for the connector server; no inbound ports are needed, because the connector only makes outbound connections to the service. A detailed list of those ports can be found here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/
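The checks above (domain membership, OS version, outbound HTTPS to the service, and reachability of the internal URL) can be scripted before the connector is installed. The following is an added example, not code from the original post or from Microsoft. It uses the internal URL from this post; the list of cloud hosts is an assumption and must be completed from the port list in the Microsoft documentation linked above, since that list contains wildcard domains.

```powershell
# Added example (not from the original post): pre-flight checks for a server that will host
# the Azure AD Application Proxy Connector. Run from an elevated PowerShell prompt on the
# candidate server. $CloudHosts is an assumed starting point; complete it from Microsoft's
# documented port list.
function Test-ConnectorPrerequisites {
    param(
        [string]$InternalUrl = 'http://websrv01:8080',               # internal URL used in the post
        [string[]]$CloudHosts = @('login.microsoftonline.com'),      # assumed; add hosts from the doc
        [int]$CloudPort = 443
    )

    # 1. The connector host must be joined to the domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ Check = 'Domain joined'; Passed = [bool]$cs.PartOfDomain; Detail = $cs.Domain }

    # 2. Windows Server 2012 R2 / Windows 8.1 or later (kernel version 6.3 or later).
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    [pscustomobject]@{ Check = 'OS version'; Passed = ($osVersion -ge [version]'6.3'); Detail = "$osVersion" }

    # 3. Outbound HTTPS to the Application Proxy service (the connector only makes outbound calls).
    foreach ($h in $CloudHosts) {
        $tnc = Test-NetConnection -ComputerName $h -Port $CloudPort -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "Outbound ${h}:$CloudPort"; Passed = [bool]$tnc.TcpTestSucceeded; Detail = "$($tnc.RemoteAddress)" }
    }

    # 4. The connector must reach the application at its internal URL.
    try {
        $resp = Invoke-WebRequest -Uri $InternalUrl -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Check = 'Internal URL reachable'; Passed = ($resp.StatusCode -eq 200); Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ Check = 'Internal URL reachable'; Passed = $false; Detail = $_.Exception.Message }
    }
}

$checks = Test-ConnectorPrerequisites
$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed; fix them before installing the connector."
}
```

Run it on each server you intend to host a connector on; a failed "Internal URL reachable" check on one server and not another usually points at a host firewall or name resolution difference between the connector hosts.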

This post illustrates how to publish a web based Intranet application using Azure AD Application Proxy.

Setup requirements:

  • A working URL (http://websrv01:8080) of the intranet web application. For this post, I have created a simple web page in IIS running on my web server WebSrv01.
  • An active Azure Active Directory subscription and access to the Azure Management Portal.

Adding the Application

Browse to the Azure Management Portal https://manage.windowsazure.com and click the Active Directory tab.

Select the directory in which you enabled Application Proxy and for which you want to publish an application (for example, Contoso).

Click on the arrow to get into the directory.

Browse to Applications, then click the ADD button at the bottom of the screen.

Choose to Publish an application that will be accessible outside your network.

Name: a display name for the application.

Internal URL: the URL used to reach the web site from inside the intranet. The Application Proxy connector uses this URL to access the application internally (for example: http://websrv01:8080).

Preauthentication method: the authentication method to be used for the application.

You have two options here:

Azure Active Directory – whenever a user tries to access the application, Application Proxy redirects the user to sign in with Azure AD. Azure AD authenticates the user and checks that the user (or a group the user belongs to) has been assigned the application before the request is forwarded to the connector.

Pass through – no pre-authentication is performed. Every request that reaches the external URL is forwarded to the internal application, so the application must authenticate users itself and is exposed to anyone on the Internet who can reach that URL.

Ensure that Application Proxy is enabled for the directory; if it is not, click Enable Application Proxy.

Installing the Connector

Download the Azure AD Application Proxy Connector and install it on the web server or on a separate machine that has connectivity to the web server. Microsoft recommends installing the connector on separate, dedicated servers, with more than one connector for high availability.

Click the Download a Connector tab, then accept the license terms and privacy agreement to download the connector.

Copy the downloaded connector to the server that will host it; in this post that is the web server itself.

To install the connector, accept the license agreement and click Install.

Enter credentials that have Global Administrator permission on the Azure AD tenant, then click Sign in. These credentials are used to register the connector with your tenant during setup.

After the setup completes successfully, click Close to exit the installation wizard.

After the installation completes, go back to the application you created and click View connector status.

Make sure the status shows Active. An inactive connector usually means the outbound connectivity listed under Prerequisites is being blocked.

Assign Users

Since we chose to publish the application with Azure AD pre-authentication, we must assign the application to individual users or to groups; users who are not assigned are refused at pre-authentication and never reach the internal application.

Click Assign Accounts.

Choose the groups or users to assign, then click the ASSIGN button at the bottom of the screen.

Configure Additional Settings

Click Configure to make additional settings for the application.

Click the UPLOAD LOGO button at the bottom of the screen to add a custom logo for your application.

The External URL, which is used to access the published application over the Internet, is displayed here.

By default, applications are published using HTTPS. The service automatically redirects users who type the URL with HTTP.

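The same publish, connector check and assignment steps carried out in the portal above can be done from PowerShell. The following is an added example, not code from the original post or from Microsoft's documentation. It assumes the AzureAD PowerShell module with its Application Proxy cmdlets is installed, that you sign in as an administrator of the tenant, and that the external URL and group name are placeholders for your own values (the external URL is assigned from your tenant's default msappproxy.net domain).

```powershell
# Added example (not from the original post): publish the intranet site with Azure AD
# pre-authentication and assign a group, using the AzureAD module instead of the portal.
# Assumptions: AzureAD module installed; $ExternalUrl and $GroupName are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$DisplayName = 'FlankerWeb'                                   # application name used in the post
$InternalUrl = 'http://websrv01:8080/'                        # internal URL from the post
$ExternalUrl = 'https://flankerweb-contoso.msappproxy.net/'   # assumed; use your tenant's own value
$GroupName   = 'FlankerWeb Users'                             # assumed group that should get access

# 1. A registered, active connector is required before anyone can reach the app.
$active = Get-AzureADApplicationProxyConnector | Where-Object { $_.Status -eq 'active' }
if (-not $active) { throw 'No active Application Proxy connector found; install one first.' }
"Active connectors: $(($active | ForEach-Object { $_.MachineName }) -join ', ')"

# 2. Publish with Azure AD pre-authentication. The alternative, -ExternalAuthenticationType Passthru,
#    forwards every request to the internal site without a sign-in, so avoid it unless the
#    application enforces its own authentication.
New-AzureADApplicationProxyApplication -DisplayName $DisplayName `
    -InternalUrl $InternalUrl -ExternalUrl $ExternalUrl `
    -ExternalAuthenticationType AadPreAuthentication | Out-Null

# 3. With pre-authentication only assigned users and groups get through, so assign the group
#    to the application's service principal (Id = empty GUID means the default app role).
$sp    = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayName'"
$group = Get-AzureADGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found." }
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# 4. Verify what was published: the same values the portal's Configure page shows.
$app = Get-AzureADApplication -Filter "displayName eq '$DisplayName'"
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

The final Select-Object output is the quickest way to confirm that an application really is behind Azure AD pre-authentication: anything showing Passthru here is reachable from the Internet without a sign-in.
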
Open a new browser session and sign in to the user application access panel at https://myapps.microsoft.com/.

Notice that the newly assigned application appears in the list of applications.

Click the FlankerWeb icon to access the application.

The web page running on the internal web server is displayed.

About Jayachandran PK
My passion is for Microsoft technologies and how if properly implemented, they can provide actual value for an organization especially in the field of infrastructure, virtualization and system monitoring. I work for the biggest Microsoft partner in Kuwait, specialized in project consultation and implementation services for enterprise clients. When I'm not at work, I try to contribute back through a charitable organization dedicated to prompting cultural values of Kerala. In my free time, I dabble in gardening and am also an avid solar power aficionado.