Azure AD Application Proxy

Nothing to do with App Proxy, just a cool Arizona mountain I saw outside my plane window

There’s a lot of talk on the street about Application Proxy

Before we even get started, what exactly is this Application Proxy thing you’ve heard so much about? Application Proxy allows you to publish INTERNAL network applications so that remote users can securely access them from OUTSIDE your network.

TLDR; The official Microsoft Documentation is here and it’s great.


OK, Let’s get Real

Picture this common Real World Scenario:

Company A acquires Company B. Both companies have their own separate networks, and the process of integrating them is going to take a little bit of time, as you can imagine. Some users in Company A need access to a really cool application that is located inside Company B’s network. The application, safely inside Company B’s network, is not connected to the internet, and there is no VPN.

So, in other words…

Even the Balrog doesn’t stand a chance of getting to the app

We have Zero Trust in this relationship… and that’s actually a good thing.

Zero Trust is a topic we’ll do a deeper dive into at a later time, but it is a core concept of network security. When it comes to access, it essentially means: Never Trust, Always Verify. We can’t just expose this application or the network to the internet. So, how do we enable users in Company A to access that really cool network application on Company B’s network without putting the entire network at risk?

Azure AD Application Proxy to the rescue

I’ll walk through at a high level but for Step By Step directions, you can’t beat this.

This solution will require that Company B create domain user accounts for the users in Company A that need access to the application. This is where Azure AD B2C comes in real handy 😉

Next, from a server inside the Company B network, a Connector Service from Company A’s Azure AD needs to be installed. The final step of installation is to connect (log in) to Company A’s Azure tenant with an account that has Global Administrator privileges.

Once the connector is running, all that is left to do is “Configure an app” inside Application Proxy, et voilà! There is a new Enterprise application in town that can be assigned to users or groups.

Keep this in mind

Application Proxy has a very specific use case and as you can see, it is probably not ideal for a large number of applications. Here are a few parting notes and lessons learned:

  • Application Proxy requires Azure AD Basic, P1 or P2
  • The account used to Connect the AD Connector to AD must be a Global Administrator
  • TLS 1.2 must be enabled on the VM where the connector is installed
  • App Proxy requires the internal DNS name of the VM, BUT without a Public IP assigned, Azure doesn’t show this on the overview page. So what to do? I had to log in to the VM and use DOS to get this information:
    • start menu: CMD
    • IPCONFIG /ALL
    • {Host Name}.{DNS Suffix}
  • If you use Pass-Through Authentication, you cannot use Conditional Access
  • You can disable all Inbound TCP for Ports 80 & 443 (NSG) and this solution will still work.
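
A pre-flight check for the connector VM covering two of the notes above: whether TLS 1.2 has been disabled by a registry override, and the internal DNS name built from the host name and DNS suffix. This is an added example, not part of the original post or of Microsoft's tooling; the function names are hypothetical, and the `SchUseStrongCrypto` check for .NET is an assumption beyond what the post lists.

```powershell
# Added example (not from the original post). Run in PowerShell on the connector VM.

function Get-Tls12State {
    # SCHANNEL overrides are stored per role; a missing key means the OS default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($role in 'Client', 'Server') {
        $key = Get-ItemProperty -Path "$base\$role" -ErrorAction SilentlyContinue
        if ($null -eq $key) {
            $state = 'OS default (no override key)'
        } elseif ($key.Enabled -eq 0 -or $key.DisabledByDefault -eq 1) {
            $state = 'DISABLED by registry override'
        } else {
            $state = 'Not disabled (override key present)'
        }
        [pscustomobject]@{ Setting = "SCHANNEL TLS 1.2 $role"; State = $state }
    }
}

function Get-DotNetStrongCrypto {
    # Assumption: the connector is a .NET 4.x service, so this value decides
    # whether .NET offers TLS 1.2 on outbound calls. Only the 64-bit hive is read.
    $path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $state = $(if ($value -eq 1) { 'Set to 1' } else { 'Not set' })
    [pscustomobject]@{ Setting = '.NET SchUseStrongCrypto'; State = $state }
}

function Get-InternalFqdn {
    # The same two values the post reads from IPCONFIG /ALL: Host Name and DNS Suffix.
    $global = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $suffix = $global.DomainName              # "Primary Dns Suffix"
    if (-not $suffix) {
        # Not domain joined: use the first connection-specific suffix on an adapter that is up.
        $suffix = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
            Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
            ForEach-Object { $_.GetIPProperties().DnsSuffix } |
            Where-Object { $_ } |
            Select-Object -First 1
    }
    if ($suffix) { "$($global.HostName).$suffix" } else { $global.HostName }
}

@(Get-Tls12State) + @(Get-DotNetStrongCrypto) | Format-Table -AutoSize
"Internal DNS name of this VM: $(Get-InternalFqdn)"
```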
