Azure Active Directory Application Proxy Implementation


Are you running internal web-based applications that you want to make securely available to users working remotely, without the need for a VPN or firewalls? Do you want to enforce or use Azure Conditional Access policies to protect and manage access?

Let me introduce the Microsoft Azure Active Directory Application Proxy…

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application. Application Proxy also supports single sign-on.

Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy.

Overview

The Azure Active Directory Application Proxy has been around for a few years but appears to be a hidden gem. Using Azure Active Directory and one or more Application Proxy Connectors, it allows users to connect to internally hosted web applications, with the connector relaying the traffic.

(Diagram: Azure Application Proxy - Network Diagram)

Application Proxy supports the following types of applications:

  • Web applications
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)

Azure Application Proxy is often overlooked as a way to meet business requirements without implementing costly third-party firewalls. The backend also doesn’t have to be an on-premises workload; for example, if the web application is running on a VM in Azure, it will also work.

The Azure Application proxy connector is a lightweight agent installed on a Windows Server machine that is logically close to the backend service that you want to deliver through the proxy.

The Connector gives access to and relays the information to the Application proxy service in Microsoft Azure via HTTP/HTTPS as long as it has access to the following:

URL(s) / Port / How it’s used:

  • *.msappproxy.net, *.servicebus.windows.net - 443/HTTPS - Communication between the connector and the Application Proxy cloud service
  • crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com, crl.microsoft.com, oneocsp.microsoft.com, ocsp.msocsp.com - 80/HTTP - The connector uses these URLs to verify certificates.
  • login.windows.net, secure.aadcdn.microsoftonline-p.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net, ctldl.windowsupdate.com, www.microsoft.com/pkiops - 443/HTTPS - The connector uses these URLs during the registration process.
  • ctldl.windowsupdate.com - 80/HTTP - The connector uses this URL during the registration process.
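As an added example (not part of the original post), the following PowerShell pre-flight check tests outbound reachability from the intended connector host to the endpoints in the table above. The wildcard entries (*.msappproxy.net, *.servicebus.windows.net) resolve to tenant-specific hostnames, so they are left out; login.microsoftonline.com is used as an instance of *.microsoftonline.com.

```powershell
# Added example: outbound connectivity check for a future Application Proxy connector host.
# Endpoints are taken from the table above (wildcards omitted, see lead-in).
$Endpoints = @(
    @{ Host = 'login.windows.net';                  Port = 443 },
    @{ Host = 'login.microsoftonline.com';          Port = 443 },   # instance of *.microsoftonline.com
    @{ Host = 'enterpriseregistration.windows.net'; Port = 443 },
    @{ Host = 'management.azure.com';               Port = 443 },
    @{ Host = 'policykeyservice.dc.ad.msft.net';    Port = 443 },
    @{ Host = 'ctldl.windowsupdate.com';            Port = 80  },
    @{ Host = 'crl3.digicert.com';                  Port = 80  },
    @{ Host = 'ocsp.digicert.com';                  Port = 80  },
    @{ Host = 'crl.microsoft.com';                  Port = 80  }
)

function Test-AppProxyEgress {
    param([hashtable[]]$Targets = $Endpoints)
    foreach ($t in $Targets) {
        # Test-NetConnection performs a plain TCP connect from this host; it does not go through
        # a configured HTTP proxy and does not validate TLS, so a pass here is necessary, not sufficient.
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Reachable = [bool]$r.TcpTestSucceeded
            RemoteIP  = $r.RemoteAddress
        }
    }
}

$results = Test-AppProxyEgress
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Connector registration will fail until these are allowed: " + ($blocked.Host -join ', '))
}
```

Run it on the server before downloading the connector; any endpoint reported as unreachable needs an egress firewall or proxy rule before registration will succeed.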

Setup Azure Application Proxy

I will set up an Azure Application Proxy to grant access to my Synology NAS (Network Attached Storage) device web page in this guide.

Although I am using my local NAS web administration page, it can be any webpage (Unifi Controller, hosted on Apache, IIS etc.) accessible from the connector.

  • I have a Windows Server 2022 Domain Controller.
  • Synology NAS (not domain joined, but accessible on the network via a DNS record from the domain)
  • Microsoft 365 Developer subscription with appropriate licenses

Pre-requisites for Azure Application Proxy setup

The following resources and rights will be needed to set up Azure Application Proxy:

  • An Azure Active Directory tenant
  • A minimum of Application Administrator rights is required to set up the Application and user and group assignments.
  • A server running Windows Server 2012 R2 or above to install the Application Proxy connector on (and the permissions to install)
  • If you are using your own (third-party) domain, you will need a public SSL certificate and, of course, the ability to edit external DNS records; the domain will also need to be added to Azure Active Directory as a custom domain before it can be used.
  • Azure Active Directory Premium P1 license or M365 Business Premium/E3 license for each user using Azure Active Directory Application Proxy.

(Screenshot: Azure Active Directory Application Proxy Licensing)

(Note: Normal Azure AD service limits and restrictions apply).

I will be configuring the Azure Application Proxy on a domain controller running Windows Server 2022.

Disable IE Enhanced Security Configuration

The Azure Application Proxy connector requires you to log in to Microsoft Azure, and I will be installing this on a Windows Server 2022 domain controller; if this Enhanced Security Configuration is enabled (as it should be), you will have problems authenticating to Microsoft Azure, so the easiest thing is to turn it off temporarily.

  1. Open Server Manager
  2. Click on Local Server
  3. Click on: IE Enhanced Security Configuration
  4. Select Off for: Administrators
  5. Close Microsoft Edge (if you have it opened)
  (Screenshot: Disable IE Enhanced Security Configuration)

Install Azure Application Proxy Connector

  1. Log in to the Azure Portal (on the server that you want to install the Connector on)
  2. Navigate to: Azure Active Directory
  3. Select Application Proxy
  (Screenshot: Azure Portal - Application Proxy)
  4. Click on: Download connector service.
  5. Accept the system requirements and click Accept Terms & Download
  6. A file named ‘AADApplicationProxyConnectorInstaller.exe’ should have been downloaded. Run it.
  7. Select: I agree to the license terms and conditions and select Install
  (Screenshot: Microsoft Azure Active Directory Application Proxy Connector Installation)
  8. Wait for the Microsoft Azure Active Directory sign-in window to display and log in with an Azure Active Directory account with Application Administrator rights.
  9. The Microsoft Azure Active Directory Application Proxy Connector will now be registered in your Azure Active Directory tenancy.
  (Screenshot: Microsoft Azure Active Directory Application Proxy Connector Installation)
  10. Click Close
  11. Now re-enable IE Enhanced Security Configuration.

You should now see two new services in Services, both set to Automatic (Delayed Start):

  • WAPCsvc - Microsoft AAD Application Proxy Connector
  • WAPCUpdaterSvc - Microsoft AAD Application Proxy Connector Updater

And the following processes running:

  • ApplicationProxyConnectorService
  • ApplicationProxyConnectorUpdateService

(Screenshot: ApplicationProxyConnectorService)
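As an added example (not part of the original post), this PowerShell health check confirms the state described above after the installer finishes: both services present and running as Automatic (Delayed Start), both processes alive, and IE Enhanced Security Configuration switched back on for Administrators. The registry key is the Active Setup component that IE ESC uses for the Administrators setting.

```powershell
# Added example: post-install verification of an Application Proxy connector host.
function Test-AppProxyConnectorHealth {
    $findings = @()

    # Service names as listed above; Win32_Service exposes StartMode and DelayedAutoStart,
    # which Get-Service alone does not distinguish.
    foreach ($name in 'WAPCsvc', 'WAPCUpdaterSvc') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { $findings += "Service $name is not installed"; continue }
        if ($svc.State -ne 'Running') { $findings += "Service $name is $($svc.State), not Running" }
        if ($svc.StartMode -ne 'Auto' -or -not $svc.DelayedAutoStart) {
            $findings += "Service $name start type is not Automatic (Delayed Start)"
        }
    }

    # Process names as listed above.
    foreach ($proc in 'ApplicationProxyConnectorService', 'ApplicationProxyConnectorUpdateService') {
        if (-not (Get-Process -Name $proc -ErrorAction SilentlyContinue)) {
            $findings += "Process $proc is not running"
        }
    }

    # IE ESC for Administrators was turned off for the install; IsInstalled = 1 means it is back on.
    $escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $esc = Get-ItemProperty -Path $escKey -Name IsInstalled -ErrorAction SilentlyContinue
    if (-not $esc -or $esc.IsInstalled -ne 1) {
        $findings += 'IE Enhanced Security Configuration is still disabled for Administrators'
    }

    if ($findings.Count -eq 0) { 'Connector host looks healthy' } else { $findings }
}

Test-AppProxyConnectorHealth
```

Any line other than "Connector host looks healthy" is something to fix before publishing an application through this connector.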

If you are running Server Core, Microsoft Azure Active Directory Application Proxy can be installed via PowerShell.

The Azure Application Proxy Connector agent gets updated automatically when a new major version is released by Microsoft.

Configure Connector Group

Now that you have created the Connector, the Application Proxy has placed it in a group that has defaulted to Asia. Because you can have more than one Application Proxy Connector (for redundancy and for different applications), we will create a new Connector Group that is set to use the Australia region. If Asia works for you, feel free to skip this step.

  1. Log in to the Azure Portal (on any PC/server)
  2. Navigate to: Azure Active Directory
  3. Select Application Proxy
  4. You should now see: Default and your Region
  5. If you expand the Default Group, you will see your Connector:
  (Screenshot: Azure AD Application Proxy Connector Groups)
  6. Click on + New Connector Group
  7. Give it a name (i.e., On-premises)
  8. Select the Connector you created earlier and select the region closest to you (currently, the following regions can be chosen: Asia, Australia, Europe, North America)
  (Screenshot: Azure AD Application Proxy - New Connector Group)
  9. Click + Create
  10. Clicking Create will create your new On-premises connector group and add the Connector to the group.

Configure your Azure Application Proxy Application

Now that you have your Connector set up, it’s time to set up your application.

  1. Log in to the Azure Portal (on any PC/server)
  2. Navigate to: Azure Active Directory
  3. Select Application Proxy
  4. Click on: + Configure an app
  5. Fill in the details that match your application:
     • Name: This is the application name that users will see (i.e. I am going with Pizza, which is the name of my NAS)
     • Internal URL: This is the internal URL used to access your application inside the network (in my example, it is: http://pizza.corp.contoso.com/)
     • External URL: This is the external URL that will be created so that users can access the application; I will go with Pizza. Note this URL down.
     • Pre-Authentication: You don’t have to authenticate with Azure AD (you can use Passthrough), but it is not something I would recommend without delving into requirements and testing. I am going to select: Azure Active Directory.
     • Connector Group: Select the connector group you created earlier, or the one your Connector is assigned to.
     • Leave all Additional Settings as default; they can be changed later if you need to.
  6. Verify that everything is filled out correctly and click + Add
  7. Azure Application Proxy has now created a new Enterprise Application for you, based on the name entered earlier. If you navigate to the external URL noted earlier, you should get a prompt similar to below:
  (Screenshot: Azure AD Login Error)
  8. It is now time to assign the permissions for users to access the Application via Azure Active Directory!

Assign rights to your Azure Application Proxy Application

  1. Log in to the Azure Portal (on any PC/server)
  2. Navigate to: Azure Active Directory
  3. Select Enterprise Applications
  4. Find the application that was created earlier by the Azure Application Proxy service.
  (Screenshot: Azure Active Directory, Enterprise Application)
  5. Click on the Application
  6. Click on: Users and Groups
  7. Click Add Assignment
  8. Add a user or group (preferred) that you want to have access to this application.
  9. Click Assign
  (Screenshot: Azure AD Enterprise Applications - User & Group Assignment)
  10. Click on Application Proxy
  11. Here you can see and edit the information you entered earlier when you created the application; copy the External URL
  12. Open Microsoft Edge (or another browser of your choice)
  13. Paste in the External URL
  14. Log in with the Azure Active Directory account that was assigned to the Enterprise application.
  15. You should now have access to your on-premises web application from anywhere in the world, and because you are using Azure Active Directory, your Conditional Access policies and restrictions will be in effect:
  (Screenshot: Synology Login)

Note: Because the Synology web interface was running on port 5000, I had to go back and add the port to the internal URL, as the Application Proxy was attempting to route to the incorrect port. You may also notice that Microsoft has supplied an *.msappproxy.net certificate, even if your backend service doesn’t have one.
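As an added example (not part of the original post), the connector group, application and assignment steps above can also be scripted with the AzureAD PowerShell module, which matches the portal of this walkthrough (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell). The display names, the connector machine name, the external URL and the group 'NAS Users' are placeholders; the internal URL carries the port 5000 fix from the note above.

```powershell
# Added example: scripted equivalent of the portal steps above, using the AzureAD module.
# Install-Module AzureAD first; all names and URLs are placeholders for this walkthrough.
Connect-AzureAD | Out-Null

# 1. Connector group: move the registered connector out of the Default group.
#    (The group's region is still set in the portal, as described above.)
$group     = New-AzureADApplicationProxyConnectorGroup -Name 'On-premises'
$connector = Get-AzureADApplicationProxyConnector | Where-Object { $_.MachineName -like 'DC01*' }
Set-AzureADApplicationProxyConnector -Id $connector.Id -ConnectorGroupId $group.Id

# 2. Application: Azure AD pre-authentication rather than Passthrough, so Conditional Access
#    and assignment checks happen before any request reaches the connector; internal URL
#    includes the backend port (the Synology issue noted above).
New-AzureADApplicationProxyApplication -DisplayName 'Pizza' `
    -InternalUrl 'http://pizza.corp.contoso.com:5000/' `
    -ExternalUrl 'https://pizza-contoso.msappproxy.net/' `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $group.Id | Out-Null

# 3. Assignment: grant a group (preferred over individual users) the app's default role.
$sp     = Get-AzureADServicePrincipal -Filter "displayName eq 'Pizza'" | Select-Object -First 1
$role   = $sp.AppRoles | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }  # default access role
$users  = Get-AzureADGroup -Filter "displayName eq 'NAS Users'"
New-AzureADGroupAppRoleAssignment -ObjectId $users.ObjectId -PrincipalId $users.ObjectId `
    -ResourceId $sp.ObjectId -Id $roleId | Out-Null

# Verify: the assignment list should contain only the intended group.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId | Select-Object PrincipalDisplayName, PrincipalType
```

After running it, browse to the external URL with a test account that is not in the assigned group; with Azure AD pre-authentication the sign-in is refused before the connector is ever contacted.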

Setup Password-based Single-Sign on

Azure Application Proxy supports various single sign-on methods, including Kerberos SPN integration.

However, my Synology NAS uses standalone accounts, so I will set Password-based single sign-on, allowing the MyApps extension to store my credentials (if you want single-sign-on using the password-based sign in, then every user will need to have this extension configured).

  1. Download and install the My Apps Secure Sign-in extension
  2. Log in to the My Apps extension using your Microsoft account
  3. Log in to the Azure Portal (on any PC/server)
  4. Navigate to: Azure Active Directory
  5. Select Enterprise Applications
  6. Find the application that was created earlier by the Azure Application Proxy service.
  7. Click on Single sign-on
  8. Select Password-based
  (Screenshot: Azure Portal - Single Sign-on)
  9. Type in the URL of the authentication webpage and click Save
  10. The Azure AD Application Proxy didn’t find my sign-in username and password fields, so I have to configure them manually: select Configure Pizza Password Single Sign-on Settings.
  11. Select: Manually detect sign-in fields
  12. Select Capture sign-in fields
  (Screenshot: Azure Application Proxy - Configure Sign-on)
  13. Your MS Edge extension should show Capture Field:
  (Screenshot: Azure Application Configure Extension)
  14. Enter your username
  15. Press Enter
  16. Enter your password
  17. Select the My Apps extension and select Save
  18. Navigate back to the Azure Portal
  19. Select ‘I was able to sign in.’
  20. If successful, Azure AD should now have mapped the fields:
  (Screenshot: Azure Portal - Sign-in Fields)
  21. Click Save
  22. Next time you log in to the application, the My Apps Secure Sign-in Extension will have cached the credentials. It should automatically log you into the application, meaning you should only log in once with your Azure AD credentials.

Access your Azure Application Proxy published application

  1. You can now go to My Apps (microsoft.com), and you will see your application.
  2. Your application will also appear in the Microsoft 365 Waffle (it may take up to an hour to appear):

I recommend you go into the Enterprise Application and upload a better image/logo so your users can quickly tell it apart.
