Microsoft Azure – Use Azure Active Directory Application Proxy (AADAP)

In this post, I will cover the implementation of a new Microsoft Azure feature called Azure AD Application Proxy.

It is essentially the Web Application Proxy role introduced in Windows Server 2012 R2, but hosted on Azure.

Currently in preview, this feature will be available to Azure Active Directory Premium; see http://azure.microsoft.com/en-us/pricing/details/active-directory/ for the differences between Azure Active Directory Free and Premium.

The idea behind this feature is to allow on-premises applications to be published to the internet without having to deploy a reverse proxy on premises. In some ways, this is Microsoft's answer after they stopped selling Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).

That said, let’s start.

Enable Azure Active Directory Application Proxy

  • Connect to your Microsoft Azure administration portal and go to the Active Directory section
  • Select the domain on which you want to enable the AADAP


  • Then go to the Configure section


  • You may already have other premium features enabled for Azure Active Directory, so you may have to scroll the page to reach the Application Proxy section; then click Enabled and Save


NOTE the Azure Active Directory Application Proxy connector requires the Visual C++ 2012 redistributable package, available here: www.microsoft.com/download/details.aspx?id=30679. Install it first, then install the connector on the Windows server that will host it.


  • Then register the connector with your tenant using PowerShell. Open a PowerShell prompt running as administrator and execute the following; the registration command prompts for your Azure credentials (use an organizational administrator account, a Microsoft Account will not work)
    • Import-Module AppProxyPSModule
    • Register-AppProxyConnector


NOTE if you block outbound internet access from your corporate network, you must allow outbound communication from the server hosting the connector on TCP ports 9090, 10100, 10101, 20200 and 20201. The first port is used during registration, the next two (10100 and 10101) carry user requests handled by the connector, and the last two maintain the communication between the connector and the Azure platform. The connector only initiates outbound connections; no inbound rule is needed.

If you want to restrict these ports to Azure services only, add *.msappproxy.net as the destination in your rule.

If these ports are not allowed, the registration fails with the following error:

Register-AppProxyConnector: Could not connect to the registration service. Check your network connectivity.
CategoryInfo: ConnectionError: (:) [Register-AppProxyConnector], EndPointNotFoundException
FullyQualifiedErrorId: ConnectionFailed,Microsoft.ApplicationProxy.Connector.PSModule.RegisterCommand


  • There is no notification confirming the registration; the command returns without a success message
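The registration steps above, combined into a single pre-flight-and-register script. This is an added example and not code from the original post: it checks for the Visual C++ 2012 redistributable, probes the outbound ports from the NOTE, and only then runs the two commands the post uses. The page does not name the hosts under msappproxy.net that the registration talks to, so the host to probe ($ProbeHost) is a placeholder you must replace.

```powershell
# Added example (not from the original post): pre-flight checks followed by the
# connector registration, run in an elevated PowerShell prompt on the connector server.
# ASSUMPTION: the page does not name the registration hosts under msappproxy.net, so
# $ProbeHost is a placeholder; replace it with a host your tenant actually talks to.
param(
    [string]$ProbeHost = 'example.msappproxy.net',              # placeholder
    [int[]] $Ports     = @(9090, 10100, 10101, 20200, 20201)     # ports from the NOTE above
)

function Test-VcRedist2012 {
    # The connector installer needs the Visual C++ 2012 redistributable; look for it
    # in the installed-programs registry keys (both 32- and 64-bit views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2012 Redistributable*' }
    return [bool]$hits
}

function Test-AppProxyOutbound {
    # Attempts a TCP connect from this server to each port the connector needs.
    # Returns a hashtable port -> $true/$false so the caller can list what is blocked.
    param([string]$HostName, [int[]]$Ports, [int]$TimeoutMs = 3000)
    $results = @{}
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $handle = $client.BeginConnect($HostName, $port, $null, $null)
            $ok = $handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $ok = $false      # DNS failure or immediate refusal
        } finally {
            $client.Close()
        }
        $results[$port] = [bool]$ok
    }
    return $results
}

if (-not (Test-VcRedist2012)) {
    Write-Warning 'Visual C++ 2012 redistributable not found: install it before the connector.'
}

$portCheck = Test-AppProxyOutbound -HostName $ProbeHost -Ports $Ports
$blocked   = @($portCheck.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
if ($blocked.Count -gt 0) {
    $list = ($blocked | Sort-Object) -join ', '
    Write-Warning "Outbound TCP to $ProbeHost is blocked on port(s) $list; registration would fail with 'Could not connect to the registration service'."
}

try {
    Import-Module AppProxyPSModule -ErrorAction Stop
    # Prompts for credentials: use an organizational administrator account,
    # a Microsoft Account is rejected.
    Register-AppProxyConnector -ErrorAction Stop
    # There is no success message; reaching this line without an error is the confirmation.
    Write-Host 'Register-AppProxyConnector completed without error.'
} catch {
    Write-Error "Connector registration failed: $($_.Exception.Message)"
    exit 1
}
```

The port probe only proves a TCP connection can be opened to the placeholder host; a proxy that allows the connect but inspects or terminates TLS can still break registration, so treat a clean probe as necessary rather than sufficient.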

Publish an internal application using AADAP

  • Once you have enabled AADAP and registered the connector, you can publish internal applications
  • While you are still connected to your Microsoft Azure administration portal within the Active Directory section (or the next time you connect), go to the Applications tab and click the Add button at the bottom


  • Then choose to publish an application that will be accessible from outside your network


  • Follow the wizard: name your published application and define the INTERNAL URL used to reach the application


The wizard automatically pre-populates the external URL, which cannot be changed. Keep this URL at hand: it is the address your users will use to reach the published application through Azure Application Proxy instead of your on-premises reverse proxy.

NOTE you can publish over HTTPS (the default setting) or HTTP just by clicking the related button. The external URL is what clients see; if the INTERNAL URL is HTTP, the hop between the connector and the application on your LAN is unencrypted.

This is it, you have published your application through Microsoft Azure Active Directory Application Proxy.


The last step is to direct your users to the external URL defined when you created the published application; you can retrieve this URL by returning to the Applications tab and selecting the published application. Because the connector only makes outbound connections to Azure (the ports listed above), no inbound HTTP/HTTPS rule on your firewall/router is required: unlike an on-premises reverse proxy, the server hosting the Application Proxy Connector must not be exposed to the internet, and any existing inbound publishing rule for the application can be retired along with the public DNS name that pointed at your on-premises reverse proxy.
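A post-publication check to run on the connector server, as an added example that is not part of the original post. It verifies the things the wizard does not: that the internal URL resolves and answers from the connector host (the proxy never reaches into your network, the connector fetches on its behalf), whether the connector-to-application hop is HTTPS, and that the external URL lives under msappproxy.net and is HTTPS. Both URLs in the script are placeholders; substitute the internal URL you typed in the wizard and the external URL it generated.

```powershell
# Added example (not from the original post): checks to run on the connector server
# once the application is published. ASSUMPTION: both URLs are placeholders; use the
# internal URL you typed in the wizard and the external URL it generated.
param(
    [string]$InternalUrl = 'https://intranet.corp.example/',            # placeholder
    [string]$ExternalUrl = 'https://intranet-contoso.msappproxy.net/'   # placeholder
)

function Test-PublishedApp {
    param([string]$InternalUrl, [string]$ExternalUrl)
    $report   = [ordered]@{}
    $internal = [uri]$InternalUrl
    $external = [uri]$ExternalUrl

    # 1. The connector fetches the application on the proxy's behalf, so the internal
    #    URL must resolve and answer from this server, not from the internet.
    try {
        $report['InternalResolves'] = ([System.Net.Dns]::GetHostAddresses($internal.Host)).Count -gt 0
    } catch { $report['InternalResolves'] = $false }
    try {
        $r = Invoke-WebRequest -Uri $InternalUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $report['InternalStatus'] = [int]$r.StatusCode
    } catch {
        # A 401/403 from an app that wants credentials still proves the connector can reach it.
        $resp = $_.Exception.Response
        $report['InternalStatus'] = if ($resp) { [int]$resp.StatusCode } else { "unreachable: $($_.Exception.Message)" }
    }
    $report['InternalReachable'] = $report['InternalStatus'] -is [int]

    # 2. Caveat: only the client-to-Azure leg is guaranteed HTTPS. If the internal URL
    #    is http://, the connector-to-application hop crosses your LAN in clear text.
    $report['InternalHopEncrypted'] = ($internal.Scheme -eq 'https')

    # 3. The external name the wizard generated lives under msappproxy.net and should be
    #    HTTPS (the default); users go there, nothing needs to reach this server inbound.
    $report['ExternalOnMsAppProxy'] = ($external.Host -like '*.msappproxy.net')
    $report['ExternalHttps']        = ($external.Scheme -eq 'https')
    try {
        $report['ExternalResolves'] = ([System.Net.Dns]::GetHostAddresses($external.Host)).Count -gt 0
    } catch { $report['ExternalResolves'] = $false }

    return [pscustomobject]$report
}

$result = Test-PublishedApp -InternalUrl $InternalUrl -ExternalUrl $ExternalUrl
$result | Format-List
if (-not $result.InternalHopEncrypted) {
    Write-Warning 'Internal URL is HTTP: traffic between the connector and the application is unencrypted.'
}
```

Run it from the connector host specifically: a green result from an administrator workstation says nothing about whether the connector's own server can resolve and reach the internal name.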
