Tag Archives: web application

Azure Active Directory Application Proxy – Part 01

Today I am going to explain another great feature that comes with Azure Active Directory. Rebeladmin Corp. has a CRM application that is used by its employees. This is a web-based app hosted in the internal network. The app uses Windows authentication, so from the internal network users can log in to it with SSO. Rebeladmin Corp. also uses some applications hosted in Azure as well as Office 365. These applications are currently used by its users both internally and externally. There was a recent requirement that users also want to access this CRM application externally. So, what can we do to allow access from outside the network?

1. Set up a VPN, so users can dial in to the VPN and access the application through it.

2. Use AD FS to provide multi-factor authentication and SSO for external users. An AD FS proxy server can be placed in the DMZ to provide a more secure connection from outside.

3. Use Remote Desktop Gateway and Remote Desktop Servers to host the application for external access.

4. If users are connecting from specific networks, allow direct access to the application using edge firewall rules.

All of the above solutions can work, but they need additional configuration and resources such as:

1. Firewall rules to control traffic between different network segments (DMZ, LAN, WAN)

2. Public IP addresses and DNS entries for internet-facing components

3. Additional servers to host server roles and applications such as the AD FS proxy, AD FS farm, RDG etc.

4. Additional licensing cost

5. Additional maintenance cost

6. Skills to configure these additional server roles, firewall rules etc.

Azure Active Directory Application Proxy can integrate on-premises applications with Azure Active Directory and provide secure access with minimal changes to the existing infrastructure. It doesn't need a VPN, additional firewall rules or any other additional server roles. The experience is similar to accessing applications hosted in Azure or accessing Office 365. This great feature has been available for a while, but many people still do not use it and some are not even aware that it exists. The whole point of this blog series is to make people aware of it and encourage them to use it.

Why is it good?

1. It allows organizations to use existing Azure security features to protect on-premises workloads in the same way as Azure SaaS workloads.

2. All the components are hosted in the cloud, so there is less maintenance.

3. It is simple to set up, and no additional skills are needed to set up different server roles or applications.

4. If users are already familiar with Azure or other Microsoft-hosted solutions, the access experience will be similar. Users will not need to be trained on different tools (VPN, Remote Desktop etc.) to access the hosted applications.

5. No public IP address or public DNS entries are required. It uses a public URL that is generated by Azure during the configuration process.

However, not every application is supported by this method. According to Microsoft it only supports:

Any web application that uses Windows authentication or form-based authentication.

Applications hosted behind RDG (Remote Desktop Gateway)

Web APIs

How does it work?

Let's see how it really works in the real world.


1. The user accesses the published URL for the application from the internet. This URL is similar to the URL of an application hosted in Azure; it is the Azure-generated public URL for the on-premises app.

2. The user is then redirected to the login page and authenticated using Azure AD.

3. After successful authentication, a token is generated and sent to the user.

4. The request is then forwarded to Azure AD Application Proxy, which extracts the user principal name (UPN) and security principal name (SPN) from the token.

5. The request is then forwarded to the Application Proxy connector, which is hosted on-premises. It acts as a broker service between the Application Proxy module and the web application.

6. In the next step, the Application Proxy connector requests a Kerberos ticket that can be used to authenticate to the web application. This request is made on behalf of the user.

7. On-premises AD issues the Kerberos ticket.

8. The Kerberos ticket is used to authenticate to the web app.

9. After successful authentication, the web app sends its response to the Application Proxy connector.

10. The Application Proxy connector sends the response to the user, who can now view the web application content.


To implement this we need the following:

Azure AD Basic or Premium subscription

Healthy directory sync with on-premises AD

A server on which to install the Azure Application Proxy connector (this can be the same server that hosts the web application)

A supported web application (earlier I mentioned which types of applications are supported)
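Steps 6 to 8 of the flow above only work if the connector server is allowed to obtain a Kerberos ticket for the web application on the user's behalf. The following PowerShell script is an added example, not part of the original post, that checks those on-premises prerequisites before the connector is relied upon. It assumes (as is the case for Windows-authenticated apps published through Application Proxy) that the connector's computer account uses Kerberos constrained delegation (KCD) with protocol transition to the web app's service principal name; the connector host name APPPROXY01 and the SPN HTTP/crm.rebeladmin.local are constructed placeholders, and the script needs the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example (not from the original post): verify the on-premises pieces that the
# Kerberos flow in steps 6-8 depends on when the published app uses Windows authentication.
# Assumption: the connector authenticates to the web app through Kerberos constrained
# delegation (KCD) from its own computer account, which must be allowed to delegate to
# the web app's SPN using any authentication protocol (protocol transition), because
# the user was authenticated by Azure AD rather than by Kerberos.
# Server and SPN names below are constructed placeholders.
Import-Module ActiveDirectory

$ConnectorHost = 'APPPROXY01'                 # placeholder: server running the connector
$WebAppSpn     = 'HTTP/crm.rebeladmin.local'  # placeholder: SPN of the internal CRM site

function Test-AppProxyKcd {
    param(
        [Parameter(Mandatory)] [string] $ConnectorHost,
        [Parameter(Mandatory)] [string] $WebAppSpn
    )
    $result = [ordered]@{}

    # 1. The SPN must be registered exactly once, on the account the web app runs as.
    #    A missing SPN means no ticket can be issued; a duplicate SPN breaks Kerberos.
    $spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$WebAppSpn)" -Properties servicePrincipalName)
    $result.SpnRegistered = ($spnOwners.Count -eq 1)
    $result.DuplicateSpn  = ($spnOwners.Count -gt 1)
    $result.SpnOwner      = if ($spnOwners) { $spnOwners[0].DistinguishedName } else { $null }

    # 2. The connector's computer account must list that SPN in msDS-AllowedToDelegateTo
    #    and have protocol transition enabled (TrustedToAuthForDelegation).
    $connector = Get-ADComputer -Identity $ConnectorHost `
        -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
    $delegateTo = @($connector.'msDS-AllowedToDelegateTo')
    $result.DelegationToSpn    = ($delegateTo -contains $WebAppSpn)
    $result.ProtocolTransition = [bool]$connector.TrustedToAuthForDelegation

    # 3. Least privilege: the connector should be constrained to the published app(s),
    #    never trusted for unconstrained delegation.
    $result.DelegationTargets = $delegateTo
    $result.Unconstrained     = [bool]$connector.TrustedForDelegation

    [pscustomobject]$result
}

$check = Test-AppProxyKcd -ConnectorHost $ConnectorHost -WebAppSpn $WebAppSpn
$check | Format-List

if ($check.Unconstrained) {
    Write-Warning "Connector is trusted for unconstrained delegation; restrict it to $WebAppSpn"
}
if (-not ($check.SpnRegistered -and $check.DelegationToSpn -and $check.ProtocolTransition)) {
    Write-Warning 'KCD is not fully configured; SSO to the web app will fail at step 6 of the flow'
}
```

Run it as a user who can read the connector's computer object. The three booleans SpnRegistered, DelegationToSpn and ProtocolTransition all need to be true for step 6 to succeed, and Unconstrained should be false, because a connector that can delegate to any service in the domain is a far more valuable target than one constrained to a single CRM site.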

In the next part of this blog series we will look into the configuration of Azure AD Application Proxy. Hope this was helpful, and if you have any questions feel free to contact me on rebeladm@live.com

Active Directory Federation Services (AD FS) – Part 3

This is part 3 of the series of articles explaining AD FS and its configuration. If you have not yet read parts 1 and 2, you can find them here.

Active Directory Federation Services (AD FS) – Part 1

Active Directory Federation Services (AD FS) – Part 2

In this post let's see how we can install the AD FS Web Application Proxy. As I explained in part 1 of the series, the Web Application Proxy needs to be installed in the perimeter network. Using it we can authenticate AD FS users before allowing access to published applications in the corporate network.

Installation of Web Application Proxy

External DNS record

To access the web service externally it needs a valid external DNS record that can be used to connect from the internet. If your organization's DNS is hosted externally, make sure you create the appropriate records and allow time for DNS propagation before proceeding with the installation.

For the demo I have created a DNS entry for the host name adfsproxy.contoso.com and pointed it to the server that will be used for the service install.


Valid SSL

To allow HTTPS communication it is a must to have a valid SSL certificate in place for the proxy server. It can be from an external SSL provider or from the company CA. It needs to match the DNS entry we created in the previous step.

For the demo I have created a self-signed SSL certificate and deployed it on the server.


Installation Steps

To start the installation, log in to the server you chose as a domain admin or enterprise admin.

1)    Load Server Manager > Add Roles and Features


2)    It will open the Add Roles and Features wizard. Click Next to continue.


3)    In the next window keep the selection as "Role-based or feature-based installation" and click Next to continue.


4)    In the next window keep the default selection and click Next to continue.


5)    In the role selection window select "Remote Access" and click Next.


6)    In the feature selection window leave the default selection and click Next.


7)    The next window gives a brief description of the Remote Access role. Click Next to continue.


8)    In the next window select the option "Web Application Proxy"; it will then prompt you to add features. Click the "Add Features" button and then click Next to proceed.



9)    The next window gives a brief summary of the selections you have made so far. Click Install to begin the installation.


10)    It will start the installation process.


11)    Once it has completed, click "Open the Web Application Proxy Wizard" in the window.


12)    It will open the Web Application Proxy configuration wizard. Click Next to proceed.


13)    In the next window you need to enter the AD FS server and the admin account details used to connect to it. These will be used for authentication. Once the data is entered correctly, click Next to continue.


14)    In the next window you need to specify the SSL certificate that will be used by the proxy server.


15)    The next window shows a confirmation of the configuration. Click Configure to begin the installation.
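The same installation can be done from an elevated PowerShell session on the perimeter server instead of clicking through Server Manager, which is also easier to repeat and to review. The script below is an added example and not part of the original post. It uses the host name adfsproxy.contoso.com from the post; the federation service name fs.contoso.com is a placeholder, and the AD FS administrator credential is prompted for at run time. The pre-checks cover the two prerequisites above (external DNS record and certificate) before any role is installed.

```powershell
# Added example (not from the original post): install and configure the AD FS Web
# Application Proxy from PowerShell. Assumptions: the proxy host name is
# adfsproxy.contoso.com as in the post; fs.contoso.com is a placeholder for the
# AD FS federation service name; run in an elevated session on the perimeter server.

$ProxyHostName  = 'adfsproxy.contoso.com'  # external DNS name created earlier
$FederationName = 'fs.contoso.com'         # placeholder: AD FS federation service name

# Pre-check 1: the external DNS record resolves.
$dns = Resolve-DnsName -Name $ProxyHostName -Type A -ErrorAction Stop
Write-Host "DNS: $ProxyHostName -> $($dns.IPAddress -join ', ')"

# Pre-check 2: a usable certificate for that name exists in the machine store,
# with its private key, and has not expired. Pick the longest-lived match.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$ProxyHostName*" -or ($_.DnsNameList.Unicode -contains $ProxyHostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)              { throw "No certificate for $ProxyHostName in LocalMachine\My" }
if (-not $cert.HasPrivateKey){ throw 'Certificate has no private key; import it as a PFX' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }
Write-Host "Certificate: $($cert.Subject) thumbprint $($cert.Thumbprint)"

# Wizard steps 1-10: add the Remote Access role with the Web Application Proxy role service.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# Wizard steps 11-15: configure the proxy against the AD FS farm. The credential must
# be an AD FS administrator; the certificate is bound to the federation service endpoint.
$cred = Get-Credential -Message 'AD FS administrator account'
Install-WebApplicationProxy -FederationServiceName $FederationName `
                            -FederationServiceTrustCredential $cred `
                            -CertificateThumbprint $cert.Thumbprint

# Post-check: the proxy reports its configuration and can reach AD FS.
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyHealth
```

Install-WebApplicationProxy uses the supplied certificate for the federation service endpoint, so the name that external clients resolve must appear in the certificate's subject or subject alternative names. A self-signed certificate as used in the demo is only trusted by clients that have imported it; for anything beyond a lab, use a certificate from a public CA or the company CA that clients already trust, and check Get-WebApplicationProxyHealth after any certificate renewal.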


This finishes the installation and configuration of the Web Application Proxy. In the next post let's look into some of the configuration options in AD FS. If you have any questions about the post feel free to contact me on rebeladm@live.com