Remotely Access On-Premises Apps with Azure AD App Proxy

Do you have an app that has to remain on-premises? Maybe you’ve got plenty hosted in Azure, but you also have that one stubborn, legacy or otherwise, restricted application that just cannot be migrated.

With many of the world’s workforce now working remotely, you might be wondering how best to provide secure remote access to these apps, without the added infrastructure and inbound connectivity required by VPN or VDI. 

Well if you do want to provide secure remote access to on-premises apps with single sign-on (SSO), support for various authentication protocols, and additional Azure AD security features, then look no further than Azure AD Application Proxy.

Your keys to a better career

Get started with ACG today to transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

This Azure AD Premium-licensed product allows you to publish on-premises apps for your remote workforce. It only requires outbound network connectivity to Azure - so your network security team will be happy that no inbound firewall rules are required. It adds additional protection to these apps through Azure AD features like Conditional Access Policies. And it supports SSO for several authentication protocols, such as:

• Integrated Windows authentication (IWA)
• Header-based authentication
• Forms-based and password-based authentication
• SAML authentication

If this sounds like it will help you provide secure application access in your environment, then stick around! We’ll take a high-level walk through the architecture and implementation of Azure AD Application Proxy, with a few added tips to help along the way.

Just before we dive into how to use Azure AD Application Proxy though, let’s just quickly summarize some important requirements:

• Azure AD Application Proxy requires Azure AD Premium P1 or P2 licensing
• The on-premises application must be registered in Azure AD
• One or more Azure AD Application Proxy connectors must be installed on-premises
• The connector must have access to Azure AD and the on-premises app
• Your on-premises app can be private, and does not require access to Azure AD
• SSO and features such as Conditional Access require pre-authentication

To help provide secure access to your on-premises applications, you need to install the Azure AD Application Proxy connector. If you’re just getting started, you can simplify your setup  by just installing one connector. But it is possible to use more than one to provide resilience, and is recommended for production environments.

To install the connector you should logon to the Windows server that you will be using as a connector. This server should have outbound connectivity to Azure AD, and internal private connectivity (ideally close / low-latency) to your app.

From this server, logon to the Azure Portal. You can then navigate to Azure Active Directory > Application Proxy, and choose to download and install the connector.

When successfully installed, you should see the connector listed as ‘Active’ here in the portal.

For your on-premises app to be accessible through Azure AD Application Proxy, it must be registered in Azure AD. This registration also allows you to configure access restrictions, and single sign-on (SSO) settings if desired.

To register the application, logon to the Azure AD Portal and navigate to Azure Active Directory > Enterprise Applications. Choose to create a new application.

Everyone’s application registration is unique to their own environment, but the following points provide some general guidance:

• You can create the app using one of the ‘on-premises app’ options, or you may already have an application configured - in any case, once your application is configured you can find all important options in the ‘Application Proxy’ section of the app once it is registered
• The internal URL refers to the internally accessible address for your application - for example, if you logged on to your connector server and tried to access your on-premises application from that server
• Pre Authentication (using Azure AD for authentication) allows you to use additional features such as Conditional Access and MFA - if you use this option your user accounts must exist in Azure AD, or be synchronized from on-premises to Azure AD
• Passthrough authentication means that users will not be authenticated at Azure AD first, and instead all authentication will be handled by the application on-premises

Once your application is registered, ensure that you have user-access configured. You can allow all users, or only select users, to access your app. This is configured through the registered application, within the ‘Users and Groups’ section.

Before moving on to any additional configuration, I would recommend you test that the application is now working remotely as expected using these basic settings.

You can use the ‘Test Application’ functionality within the ‘Application Proxy’ settings for your registered application. In this section, you’ll also find your ‘External URL’ which you can use to perform tests and ensure access is working.

The journey of a thousand miles begins with a SQL step

Start a free trial with ACG today and accelerate your career with our range of Azure data cert courses, SQL courses, hands-on labs and other awesome learning features. Not sure where to start? We'll guide you step-by-step through the knowledge and skills needed to progress through our learning paths. And no matter where you are in your journey, stay up to date on the latest Azure news with our original series Azure This Week.

You’ve now successfully configured Azure AD Application Proxy to provide remote access to your users. At this stage, you may have everything you require for your needs, but it’s worth noting that there are different scenarios and additional features that you can configure. For example:

• Single Sign-On using one of the supported authentication methods:
  • Navigate in to the ‘Single Sign-On’ settings within your registered app
  • Configure the authentication method that your app uses
• Conditional Access
  • Configure Conditional Access Policies to enable fine-grained authentication requirements for your on-premises application
  • Note that this is supported by Azure AD Premium P1 licensing and that you must be using the Azure AD pre-authentication method 
• Custom Domains and SSL
  • If you have a custom domain registered for Azure AD, you can change the ‘External URL’ for your registered application to something more user-friendly
  • If using SSL, you can also upload the SSL certificate for the registered app within Azure AD and further secure application access

Whether you’re providing users centralized application access through the MyApps portal, or using the external URL directly, our remote users now have access to on-premises applications, all with the added security of Azure AD. 

If you’d like to learn more about other awesome Azure AD features - or you’d like to watch an Azure AD Application Proxy setup demo - then you may find my AZ-305 course useful.

Check it out here at A Cloud Guru. I walk through Azure AD, a wide variety of Azure services, application security, and plenty of other content to help you go and design solutions for Azure!