Azure AD Application Proxy is a cloud service that can also provide reverse proxy functionality for web applications running on-premises. It serves as a central point of control.
The Azure AD application proxy accepts requests from the Internet and forwards them to internal servers. This makes access more secure and simpler, without having to change the company's firewalls.
Many companies run web applications on-premises that users need to reach from the Internet. In addition to configuring the firewall, a reverse proxy must be used here to control access to these services from the Internet.
Of course, this also applies to web services that are made available via Azure. Azure AD Application Proxy can publish and protect older web applications on the Internet just as securely as modern web apps, whether they run on-premises or in the cloud. Publishing several web applications at the same time is no problem either.
On-premises applications also benefit from the Azure AD application proxy
The Azure AD application proxy accepts requests from the Internet and forwards them to internal servers on-premises. This makes access more secure and simpler, since the company's firewalls do not have to be changed. Communication between clients, the Azure AD application proxy and the web applications runs through agents installed on the target servers. All client access therefore goes through a fixed URL on a Microsoft Azure domain.
The connector of the Azure AD Application Proxy is one of the numerous Azure hybrid agents that bring Azure functions into on-premises data centers. Almost none of these agents require changes to the company's firewalls, and this includes the Azure AD application proxy connector.
The advantage of using Azure AD Application Proxy is that the company's public IP address does not have to be exposed for a web application and does not have to be publicly known. A publicly known IP address carries the risk of DoS attacks or other attacks aimed directly at it. This is exactly what the Azure AD application proxy protects against.
Protection against DDoS attacks and modern authentication methods for older applications
Azure AD Application Proxy also makes it possible to sign in via Azure AD to web applications that run in local networks. The actual authentication takes place at the application proxy, which passes the requests from the Internet through the agent on the server into the local data center.
The connection between the published services in the on-premises data center and the Azure AD application proxy runs through a connector installed on the servers. All communication between the Azure AD application proxy, the client and the published web application goes through this connector. Neither the company's public IP address nor a firewall change is needed for this. At the same time, companies benefit from the fact that all access runs through the application proxy, which is protected against malware and DDoS attacks and routes user access reliably. All data traffic flows from the connector to the application proxy; no inbound HTTP/HTTPS connection has to pass through the firewall.
Access via your own Internet domain
The web applications are reached via the Microsoft-provided domain “msappproxy.net”. Users call the URL specified for the web service; the Azure AD application proxy accepts the request, authenticates the user against Azure AD and, if authentication succeeds, forwards the request to the web service on-premises or in Azure. Conditional Access in Azure AD can also be used, i.e. checking whether users are allowed to sign in to the respective system based on their location and the time of day.
Communication takes place between the connector on the internal server and Microsoft Azure; the users, in turn, communicate with the Azure AD application proxy over the Internet. For a more comprehensive look at the setup, see the page “Publishing local apps for remote users with the Azure AD Application Proxy” in the Microsoft documentation.
How user access through the Azure AD application proxy works
In the first step, users enter the URL stored for the web application, for example “outlookjoos.msappproxy.net”. The application proxy forwards the authentication request to Azure AD. Once the user has successfully signed in to Azure AD, they receive a sign-in token from Azure AD.
The sign-in data goes to the Azure AD application proxy, which checks it and, if the sign-in is valid, forwards the user's access request to the application proxy connector. The connector runs on an internal server in the network. This can be the same server that hosts the web application, but it can also be a different one.
If authentication is configured with SSO, the connector authenticates the user directly to Active Directory. If no SSO is in use, the user must authenticate again to access the application. In most environments, admins will rely on synchronization between on-premises Active Directory and Azure AD. In that case, users sign in to Azure AD and then gain access to the web application through the configured SSO.
After the user has been authenticated via SSO or by an additional manual authentication to Active Directory, the connector sends the user's request to the web application in the internal network. The web application then responds to the user via the connector.
Practical tips for using the Azure AD Application Proxy
Before the connector is installed on a server, make sure that the registry value controlling HTTP/2 support for Kerberos delegation in WinHTTP is set correctly. This can be done with the following command in PowerShell:
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name EnableDefaultHTTP2 -Value 0
The server that hosts the connector for the Azure AD application proxy must also have TLS 1.2 enabled. Microsoft recommends setting the following registry values:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
The server on which the application proxy connector is installed must be able to open outbound connections to ports 80 and 443. In general, the connector's connections should not be broken up by intermediate services, but should always run directly between the connector server and Azure.
The Azure AD application proxy is set up in the Azure AD management section of the Azure portal. The Azure AD Admin Center, reachable at https://aad.portal.azure.com, can also be used. The installation files for the connector are available via the “Download Connector Service” button under “Application Proxy” in the Azure AD Admin Center.
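The following read-only PowerShell script is an added example, not part of the original article or of Microsoft's tooling: run on the prospective connector host, it verifies the prerequisites listed above (the WinHTTP HTTP/2 value, the TLS 1.2 Schannel and .NET values, and outbound reachability on ports 80 and 443). The registry paths and values are those given in the text; the host used for the connectivity test is an assumption.

```powershell
# Added example: verify the connector host prerequisites described in the article.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist yet
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$checks = @(
    # WinHTTP: HTTP/2 must be disabled for Kerberos delegation to work
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Name = 'EnableDefaultHTTP2'; Expected = 0 }
    # Schannel: TLS 1.2 enabled and not disabled by default, client and server side
    @{ Path = "$tls\Client"; Name = 'Enabled';           Expected = 1 }
    @{ Path = "$tls\Client"; Name = 'DisabledByDefault'; Expected = 0 }
    @{ Path = "$tls\Server"; Name = 'Enabled';           Expected = 1 }
    @{ Path = "$tls\Server"; Name = 'DisabledByDefault'; Expected = 0 }
    # .NET Framework: the connector service must negotiate strong crypto (TLS 1.2)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Expected = 1 }
)

$failed = 0
foreach ($c in $checks) {
    $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
    $ok = ($actual -eq $c.Expected)
    if (-not $ok) { $failed++ }
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    "$status $($c.Path)\$($c.Name) = $shown (expected $($c.Expected))"
}

# Outbound 80/443 from the connector host. The target host is an assumption;
# use the full endpoint list from the Microsoft documentation for a complete check.
foreach ($port in 80, 443) {
    $r = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port $port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { "OK   outbound TCP $port" } else { "FAIL outbound TCP $port"; $failed++ }
}

"$failed check(s) failed"
```

A FAIL line for a registry value means the corresponding command or .reg import from the text has not yet been applied; a FAIL on the TCP test points at a proxy or firewall breaking the direct path between the connector and Azure.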