Azure AD Application Proxy is the recommended solution to access on premise web application from external network (outside corporate). The end user can login to My Apps portal to access all the application assigned to the user. With My Apps Browser addon installed, user can use the same Web URL to access from both internal and external corporate network. This means user don’t have to remember different URL to access application. “My Apps Secure Sign-in” browser add-on redirects internal URL to external URL.
In this post we will cover below topics
• Azure Active Directory Application Proxy architecture
• Azure Active Directory Application Proxy pre-requisite
• Benefits of Azure Active Directory Application Proxy
• Limitations of Azure Active Directory Application Proxy
• Azure Active Directory Application Proxy connector configuration
• How to publish internal application in My Apps portal for external users
- What is My Apps Secure Sign-in Extension / Addon ?
- Install browser addon – My Apps Secure Sign-in
- End user experience with browser addon – My Apps Secure Sign-in
Server Side Configurations:-
Azure AD Application proxy architecture
Azure AD Application proxy provides secure remote access solution to on-premises Web application. This need Azure AD Application proxy Connector installed in your on-premise server. This connector works as proxy for communication between Azure and on-premises web app.
Benefits of Azure AD application proxy
- Easy to setup and Secure
- Don’t require VPN or DMZ : If you are already in Azure then only component you need to install is Azure AD application proxy connector.
- Conditional Access : You can leverage Conditional access for the applications published in Azure AD application proxy
Azure AD application proxy pre-requisite
- Microsoft Azure AD basic or premium subscription
- On premise Windows Server to install the Azure AD Application Proxy Connector
- Required ports and websites should be accessible for Azure AD Application Proxy Connector. You can use the Azure AD Application Proxy Connector Ports Test Tool to test the connectivity.
Limitations of Azure AD application proxy
Azure application proxy doesn’t support all type of authentication. You need consider what authentication method is used by Web applications. Azure application proxy support Web applications that use Integrated Windows Authentication . For more details refer
Azure AD application proxy connector configuration
- Login to Azure portal as global administrator.
- Navigate to Azure Active Directory – > Application Proxy and Enable Application proxy
- Next Download Connector service
- The size of the connector is 6 MB. Install the connector as administrator on your on-premise server.
- You will get below install wizard. Click on Install.
- During installation, provide Azure AD global admin credential if prompted.
- You will receive below message after successful installation.
- After Connecter installation, it is recommended to test the connectivity using Azure AD Application Proxy Connector Ports Test Tool
- You can also verify the event viewer to ensure there are no errors related to Proxy connector
- 2 new Azure AD Application proxy connector service gets created.
- In the Azure portal, you can see the server on which we installed the connector along with its status.
How to publish internal application to My Apps portal
- For Demo, I have a simple HTML web page hosted on premise web-server. We will configure below internal website for external users to access.
- Login to Azure portal as global admin
- Navigate to Azure Active Directory – > Enterprise Applications
- Click on “New application”
- Select “On-premise application”
- Update below form and click on Add.
- External URL is pre-populated based on application and domain name.
- Next we will assign the application to users.
- Navigate to Azure Active Directory – > Enterprise Applications . Select the application which we created.
- Add the users to whom we need to deploy the internal application.
Client Side Configurations:-
What is My Apps Secure Sign-in Extension / Addon ?
This extension is required to launch specific applications at https://myapps.microsoft.com, also known as the My Apps, which provides single sign-on to cloud applications within your organization.
With this extension you can:
• Sign in directly into applications from the application's login page • Launch any application through the search bar • Find shortcuts to your recently used applications and customize the number of recently used applications saved • Access internal company URLs while remote
Install My Apps Browser Addon
- In this post we will install the addon for Edge from Microsoft store. You can download the Browser add on for Edge, Chrome, and Firefox
- After Installation completes you will receive prompt to turn on Addon.
- Click on “Turn On” and sign in with your account
- After Sign in , you will see an icon as shown below.
- Click on below icon.
- As shown below, Browser addon provide single interface along with single sign on to all the applications published by IT to you.
Now let’s try accessing the internal website URL – “http://localhost “. As seen below, Browser addon performed the DNS translation to external URL automatically. I would suggest using this browser addon along with Azure AD Web application proxy. This provide benefits to both end user and IT Admin. From end user perspective, they don’t have to remember different URL for internal and external access. From IT Admin perspective, they don’t have to create public DNS record for internal web URL.