Mastering Azure AD App Proxy

Securely publish your on-premises applications to the cloud.

Introduction to Azure AD Application Proxy

Azure Active Directory (Azure AD) Application Proxy is a feature that enables users to access on-premises applications from outside the corporate network. It allows you to publish applications that are not cloud-native, providing them with the benefits of Azure AD's pre-authentication, single sign-on (SSO), and rich access control policies.

Why Use App Proxy?

  • Enhanced Security: Leverage Azure AD's pre-authentication to ensure only authenticated users can access your applications.
  • Single Sign-On (SSO): Provide a seamless user experience by allowing access to on-premises apps with their Azure AD credentials.
  • Remote Access: Enable employees to securely access internal applications from any location, on any device.
  • Reduced Infrastructure Complexity: Eliminate the need for complex VPN setups and public-facing servers.
  • Modern Authentication: Bring modern authentication protocols to legacy applications.

How It Works

Azure AD App Proxy uses an agent installed on-premises, called the App Proxy connector, to manage traffic. The connector acts as a bridge between Azure AD and your internal applications. When a user requests access to a published application:

  1. The user is redirected to Azure AD for authentication.
  2. Upon successful authentication, Azure AD sends an access token to the user's device.
  3. The user's device sends the token and the request to the Azure AD App Proxy service.
  4. The App Proxy service routes the request to the appropriate connector installed on-premises.
  5. The connector, acting as a reverse proxy, forwards the request over the internal network to the application named by the internal URL.
  6. The application responds to the connector, which then sends the response back through the App Proxy service to the user.

Key Components:

  • Azure AD Tenant: Your cloud-based identity and access management service.
  • App Proxy Connector: A lightweight agent installed on a Windows Server within your on-premises network.
  • On-Premises Application: The application you want to publish.
  • User Device: The client machine accessing the application.

Setting Up Your First Application

Follow these steps to publish an application using Azure AD App Proxy:

Prerequisites:

  • An Azure AD Premium P1 or P2 license.
  • A server within your on-premises network to install the App Proxy connector. This server must have outbound access to the Azure AD App Proxy service endpoints.
  • Administrative privileges in your Azure AD tenant.

Step-by-Step Configuration:

  1. Install the App Proxy Connector:

    Download the connector from the Azure portal (Azure Active Directory > Application proxy > Download connector service).

    Run the installer on your designated on-premises server. Follow the prompts to register the connector with your Azure AD tenant.

  2. Publish the Application in Azure AD:

    In the Azure portal, navigate to Azure Active Directory > Enterprise applications > New application.

    Search for "On-premises application" or choose a pre-integrated application if available.

    Configure the following settings:

    • Internal URL: The address of the application on the internal network (the URL users would use from inside the corporate network); the connector uses it to reach the application.
    • External URL: The public-facing URL users will use to access the application from outside the network. This is often a custom domain.
    • Pre-Authentication: Select 'Azure Active Directory' so that users must authenticate with Azure AD before any request is forwarded to the connector.
    • Connector Group: Assign the connector group that will handle traffic for this application.

  3. Configure Single Sign-On (SSO):

    Under the application's settings in Azure AD, navigate to Single sign-on.

    Choose an SSO method that suits your application. Common options include:

    • Header-based: Useful for applications that expect specific HTTP headers for authentication.
    • Password-based: Azure AD stores the user's credentials and sends them to the application.
    • Linked: Simply provides a link to the application, relying on other authentication methods.
    • SAML: For applications supporting SAML 2.0.

  4. Assign Users and Groups:

    Go to the Users and groups section of your application in Azure AD and assign the users or groups who should have access.

Example Configuration Snippet (Conceptual):

    // Azure AD Application Proxy Configuration (Conceptual)
    // Application: Internal HR Portal
    {
      "displayName": "Internal HR Portal",
      "internalUrl": "http://hr.internal.company.com",
      "externalUrl": "https://hr.company.com",
      "preAuthentication": "AzureActiveDirectory",
      "connectorGroupId": "your-connector-group-id",
      "singleSignOn": {
        "type": "HeaderBased",
        "headers": [
          {"name": "X-Remote-User", "value": "{User.PrincipalName}"},
          {"name": "X-Remote-Groups", "value": "{User.Groups}"}
        ]
      },
      "assignedUsers": ["user1@company.com", "group:HR_Admins"]
    }
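The following lint is an added example, not code from this article or from Microsoft: it checks a configuration written in the conceptual format above (including the header-based SSO choice from step 3) against the recommendations of this guide. The field names follow the snippet, while the finding codes, the `Passthrough` value used for the weakened variant, and the sample data are assumptions of the example.

```python
from urllib.parse import urlparse

# Sample configuration in the conceptual format shown above (constructed for this
# example from the article's HR Portal snippet; not a real tenant).
HR_PORTAL = {
    "displayName": "Internal HR Portal",
    "internalUrl": "http://hr.internal.company.com",
    "externalUrl": "https://hr.company.com",
    "preAuthentication": "AzureActiveDirectory",
    "connectorGroupId": "your-connector-group-id",
    "singleSignOn": {
        "type": "HeaderBased",
        "headers": [{"name": "X-Remote-User", "value": "{User.PrincipalName}"}],
    },
    "assignedUsers": ["user1@company.com", "group:HR_Admins"],
}

def lint_app_proxy_config(cfg: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the config passes."""
    findings = []
    if urlparse(cfg.get("externalUrl", "")).scheme != "https":
        findings.append(("EXTERNAL_URL_NOT_HTTPS",
                         "externalUrl is reachable from the internet and must use https"))
    if urlparse(cfg.get("internalUrl", "")).scheme == "http":
        findings.append(("INTERNAL_URL_HTTP",
                         "connector-to-application hop is plaintext; acceptable only on a trusted internal network"))
    if cfg.get("preAuthentication") != "AzureActiveDirectory":
        findings.append(("NO_AAD_PREAUTH",
                         "preAuthentication should be AzureActiveDirectory so unauthenticated requests never reach the connector"))
    if not cfg.get("connectorGroupId"):
        findings.append(("NO_CONNECTOR_GROUP",
                         "assign a connector group so only the intended connectors serve this application"))
    sso = cfg.get("singleSignOn") or {}
    if sso.get("type") == "HeaderBased":
        header_names = {h.get("name") for h in sso.get("headers", [])}
        if "X-Remote-User" not in header_names:
            findings.append(("NO_IDENTITY_HEADER",
                             "HeaderBased SSO without an identity header; the application cannot tell who the user is"))
    if not cfg.get("assignedUsers"):
        findings.append(("NO_ASSIGNMENTS",
                         "no users or groups assigned; grant access explicitly per the Users and groups step"))
    return findings

def weakened(cfg: dict) -> dict:
    """Constructed counter-example: the same app with pre-auth, TLS, connector group and assignments removed."""
    bad = dict(cfg)
    bad.update(externalUrl="http://hr.company.com", preAuthentication="Passthrough",
               connectorGroupId="", assignedUsers=[])
    return bad
```

Running the lint over HR_PORTAL yields only the plaintext internal-URL warning, while the weakened variant is flagged on every other check.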

Advanced Scenarios and Best Practices

Application Segmentation:

Use different connector groups to manage traffic for various sets of applications, enhancing isolation and control.

Custom Domains:

Brand your external URLs with custom domains for a more professional appearance and improved user recognition.

Conditional Access Policies:

Integrate App Proxy with Azure AD Conditional Access to enforce granular security policies, such as MFA, device compliance, or location-based access.

High Availability and Scalability:

Install multiple connectors on different servers within your on-premises environment. Azure AD App Proxy automatically load balances traffic across available connectors.

Monitoring and Troubleshooting:

Utilize Azure AD sign-in logs and connector health monitoring in the Azure portal to diagnose and resolve issues.

Conclusion

Azure AD Application Proxy offers a robust and secure solution for extending access to your on-premises applications. By following these guidelines, you can effectively deploy and manage your applications, ensuring secure remote access for your users while simplifying your IT infrastructure.