Saturday, September 8, 2018

Provide Secure Remote access to on-premises applications using Azure Active Directory Application Proxy

I had the pleasure of attending an Azure Active Directory overview class last week.

Learnt some really cool stuff, and one of the features that stood out was the Application Proxy.

Allowing access to internal (on-premises) applications has always involved a lot of moving parts - VPN, DMZ, firewall rules, port numbers, etc. On top of that comes the worry: is the application really secure? By allowing access from the internet, are we creating a backdoor into the organization?

That's where Azure AD Application Proxy comes into the picture: a modern way of letting your employees access internal applications. In short, remote access as a service.

So I thought, let's try this for our lab vSphere Web Client. Wouldn't it be cool if you could access the whole infrastructure without a VPN, or without having a proxy sit in the DMZ forwarding ports?

Azure AD Application Proxy supports the following applications -
  • Web applications that use Integrated Windows Authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)
To find out how the Application Proxy works, please refer to the Microsoft documentation - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy


Ports - Only ports 80 and 443 need to be open, for outbound traffic.


Now that the prerequisites are taken care of, let's start publishing our application; in this case I am publishing the vSphere Web Client.

Log in to your Azure portal as an administrator - portal.azure.com

Select Azure Active Directory > Enterprise applications > New application



Select On-premises application


Next, provide the following information and click Add.


Note - Make sure you set Translate URLs in - Application Body to YES if your external name is different from the internal name.

I had this option set to NO. After publishing the application, I could get to the vSphere login screen, but after entering the credentials it would take me to the internal name (internal URL), and because there is no VPN involved, I could not resolve the internal name and hence would get a DNS error.

Setting this option to YES does the following - After authentication, when the proxy server passes the application data to the user, Application Proxy scans the application for hardcoded links and replaces them with their respective published external URLs.

The other way of doing this is to set a custom domain name that matches your internal domain. To access your application using a custom domain, you must configure a CNAME entry at your DNS provider that points your internal URL to your external URL.

Example - Your internal URL is https://vcenter_server.contoso.com. Configure a CNAME entry in your DNS which points "vcenter_server.contoso.com" to "vcenter_server.msappproxy.net"
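To make the YES setting concrete, here is an added illustration in Python (not Application Proxy's own code): a reverse-proxy rewrite step that maps the internal URL to the published external URL in a redirect's Location header and in hardcoded links in the HTML body. The internal URL is the one from the example above; the external msappproxy.net name is an assumed sample value.

```python
"""Constructed illustration (not Application Proxy's own code) of what the
'Translate URLs in Application Body' setting does: a reverse-proxy rewrite
step that maps the internal URL to the published external URL in the
Location header of a redirect and in hardcoded links in the HTML body."""
import re
from urllib.parse import urlsplit, urlunsplit

# The internal URL is the one used in the post; the external URL is an
# assumed sample value, not a real published application.
INTERNAL_URL = "https://vcenter_server.contoso.com"
EXTERNAL_URL = "https://vcenter-server-contoso.msappproxy.net"

# href/src/action attributes whose value is an absolute http(s) URL.
LINK_ATTR = re.compile(r'((?:href|src|action)=["\'])(https?://[^"\']+)(["\'])', re.I)


def translate_url(url, internal=INTERNAL_URL, external=EXTERNAL_URL):
    """Rewrite one URL when its scheme and host match the internal URL.

    Relative URLs and URLs on other hosts are returned unchanged, so links
    to e.g. a CDN are not touched. Path, query and fragment are preserved."""
    u, i, e = urlsplit(url), urlsplit(internal), urlsplit(external)
    if (u.scheme.lower(), u.netloc.lower()) != (i.scheme.lower(), i.netloc.lower()):
        return url
    return urlunsplit((e.scheme, e.netloc, u.path, u.query, u.fragment))


def translate_response(status, headers, body):
    """Apply the rewrite to a proxied response before it reaches the browser."""
    new_headers = dict(headers)
    # A login flow typically ends in a 302 to the internal name. Without
    # translation the browser tries to resolve that name, which fails from
    # outside the network (the DNS error described above).
    if "Location" in new_headers:
        new_headers["Location"] = translate_url(new_headers["Location"])
    new_body = LINK_ATTR.sub(
        lambda m: m.group(1) + translate_url(m.group(2)) + m.group(3), body)
    return status, new_headers, new_body


if __name__ == "__main__":
    # Constructed post-login response: a redirect plus a page with hardcoded links.
    resp = (302,
            {"Location": INTERNAL_URL + "/ui/", "Content-Type": "text/html"},
            '<a href="' + INTERNAL_URL + '/ui/app">Open</a>'
            '<script src="https://cdn.example.com/lib.js"></script>')
    status, hdrs, body = translate_response(*resp)
    print(status, hdrs["Location"])
    print(body)
```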

Next, select Users and Groups, click Add User, and grant the users access.


To add additional security, we will enable Conditional Access with Multi-factor Authentication.

To do this, click on Conditional Access and create a new policy.


  • Enter a Name for your Policy
  • Select the applicable Users
  • Select the newly published app by clicking on Cloud Apps
  • Conditions - Select Browser and Mobile Apps and Desktop clients & Modern Auth clients
  • Access Control - Grant - Select Grant Access and check Require MFA
  • Enable the Policy and Save it
There are two ways to access this published app.
  1. Go to myapps.microsoft.com, where you will see the published app (only visible to the user that was granted access), OR
  2. Just browse to the external URL specified when you created the application.
If you try option 2, you will first be redirected to https://login.microsoftonline.com. Enter your credentials and you will be asked to approve the request on your phone through MFA.

If you have your MFA application set up on the phone, you will get an approval request on the phone; if you don't have MFA set up, it will walk you through the process of setting up MFA by scanning a QR code.

That's all Folks !!