ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Azure Active DirectoryAzure AD Management

Azure AD Application Proxy for remote access to on-premises apps

Azure AD Application Proxy for remote access to on-premises apps

Introduction 

Organizations are increasingly moving their workloads to the cloud, but they still need to access their on-premises applications. Azure AD Application Proxy allows external users to access these applications securely without a VPN connection. If you are interested in finding the difference between on-prem AD and Azure AD, check this article. The purpose of this article is to walk you through the steps that must be followed to implement Azure AD Application Proxy.

Benefits of identity governance in Azure AD

There are a plethora of benefits of implementing identity governance in Azure AD, some of the key ones include:

  1. Reduce the risk of unauthorized acces: By limiting access to only what’s necessary, you minimize the potential data breaches if an attacker gains access to a user’s credentials. Azure AD attenuates the dangers of excessive or misused access permissions.
  2. Meet regulatory requirements: Mandating “least privilege” access control ensures user access aligns with their job duties, not exceeding what’s necessary.
  3. Improved compliance: Ensures alignment with data privacy regulations and security standards.
  4. Enhanced visibility: Provides centralized oversight of user identities and access privileges.
  5. Streamlines access management: By automating tasks and reducing the burden on IT administrators, no more endless manual approvals for user access requests.

Key aspects of identity governance in Azure AD

Identity governance in Azure AD consists of multiple key aspects. Each of the key aspects is as crucial as any other and organizations looking to leverage Azure AD identity governance to its maximum potential should be mindful of the following:

1. Granular access control with PIM:

  • Mitigate risk: Azure AD PIM-Access to critical resources like Azure subscriptions safeguards Microsoft 365 workloads, and on-premises Active Directory environments.
  • Just-in-time access: Grants time-bound or approval-based access (elevated privileges) to privileged accounts only when absolutely necessary and for a limited duration, thereby minimizing the window of vulnerability associated with elevated permissions.
  • Role-based management: Defines roles with specific permissions, ensuring users only have the access required for their designated tasks.
  • Multi-factor authentication (MFA): Adds an extra layer of security by mandating a second verification factor (like a code from your phone) to access privileged resources. Think of it as a double lock on the vault door that leads to the treasury in the fortress of a royal kingdom.
  • Approval workflows: Enables designated reviewers to approve or deny requests for privileged access, adding an extra layer of control. This ensures no single person has unchecked access to the resources.

2. Continuous monitoring with access reviews:

  • Regular assessment: Helps to periodically assess user access to resources, and identify potential inconsistencies or unnecessary privileges.
  • Streamlined workflow: Automates evaluation of review processes, and notifies reviewers to simplify approval or denial actions.
  • Enhanced compliance: Regular access reviews demonstrate conformance to security best practices and regulatory requirements.

Pre-requisites 

Ensure that you have the following prerequisites before you can configure the proxy for secure remote access to on-premises applications:

  1. Azure AD Premium subscription: Azure AD Application Proxy is a feature that is only available with an Azure AD Premium subscription. It is important to note that if you do not already have an Azure AD Premium subscription, you will need to purchase one.
  2. Azure AD Connect: As the name implies, Azure AD Connect serves as a tool that is used to synchronize Active Directory with Azure AD. Before you can begin configuring the proxy, you will need to configure Azure AD Connect and make sure it is running in your on-premises environment.
  3. On-premises applications: To use the proxy, you will need to have at least one on-premises application that you wish to publish over the internet using the Azure AD Application Proxy service.
  4. Server running Azure AD Application Proxy Connector: In order to run the proxy Connector, you will need to have at least one server running it. In order to utilize the proxy Connector, the server must have a stable and reliable internet connection, as well as meet the system requirements that were mentioned earlier.
  5. SSL certificate: If you would like to publish an application using the proxy, you will need to ensure that there is an SSL certificate associated with each application. Ensure that the SSL certificate is issued by a trusted third-party certificate authority in order to prevent unauthorized access.
  6. Firewall configuration: If you want to publish on-premises applications to the Connector, you will need to configure your on-premises firewall to allow traffic from the Connector to those on-premises applications.

It is very important that you ensure that you have met these prerequisites before you start configuring Application Proxy in Azure AD for secure remote access to your on-premises applications.

Considerations 

Considerations for Azure AD Application Proxy 

  1. It requires a stable and reliable internet connection.
  2. It requires SSL certificates for each application being published.
  3. It can impact application performance due to additional network traffic.
  4. It should be secured using best practices for secure remote access, such as multi-factor authentication and conditional access policies.

Considerations for High Availability 

  1. Deploy multiple Azure AD Application Proxy connectors in different regions to ensure high availability.
  2. Configure DNS failover to automatically redirect traffic to a healthy connector if one fails.
  3. Use Azure Traffic Manager to load balance traffic across multiple connectors.
  4. Ensure that the on-premises applications being published are also configured for high availability.

High availability is an important consideration for any critical application, and application proxy in Azure AD is no exception. By deploying multiple connectors and configuring failover and load balancing, organizations can ensure that their users have uninterrupted access to their on-premises applications. It is also important to ensure that the on-premises applications being published are also configured for high availability.

Now, let us see the steps that must be followed to enable remote access to on-premises apps implement.

How to implement Azure AD Application Proxy

1. Configure Azure AD Application Proxy 

  1. Log in to the Azure portal – https://azure.microsoft.com/en-us/get-started/azure-portal
    • Note: Ensure you are signing in using an account with Global Administrator permissions.
  1. Log in to the Azure portal.
    • Note: Ensure you are signing in using an account with Global Administrator permissions.
  2. Navigate to Azure Active Directory, then Enterprise applications.
  3. Click on the “+ New application” button and select “On-premises application“.
  4. Enter your preferred name for the application and click “Add“.
  5. Move to the “Configure” tab and then select “Configure Azure AD Application Proxy“.
  6. Click on the “+ Add a connector” button and select the connector that was installed on the on-premises network.
  7. Click “Download Connector” to download the connector software.
  8. Once the connector is downloaded, run the installation wizard and follow the instructions and prompts to install the connector on a Windows Server machine on your on-premises network.
  9. After the connector is installed, it will get registered automatically with Azure AD. Click “Refresh” to see the connector in the list.
  10. Select the connector and click “Next“.
  11. Enter the URL for the application being published and click “Add“.
  12. If the application prompts you to choose an authentication, select the appropriate authentication method.
  13. If the application requires additional settings, configure them as necessary.
  14. Click “Save” to save the application configuration.

2. Configure the application for Azure AD Application Proxy 

  1. Install an SSL certificate for the application being published on the server hosting the application.
  2. Configure the application to use HTTPS.
  3. Ensure that the server hosting the application is accessible from the server where the proxy Connector is installed.
  4. Test the application to ensure its accessibility.

3. Test the application with Azure AD Application Proxy 

  1. In the Azure portal, navigate to Azure Active Directory -> Enterprise applications.
  2. Select the application that was configured in Step 1.
  3. Click on the “Test” tab.
  4. Click “Sign in” to test the application.
  5. Enter valid credentials for an account that has access to the application.
  6. The application should launch and be accessible via the application proxy.

By following the steps outlined above, you can configure the application proxy to provide secure remote access to your on-premises applications. Now let us see some more specific configurations.

4. Configure additional settings

  1. In the Azure portal, navigate to Azure Active Directory -> Enterprise applications.
  2. Select the application that was configured in Step 1.
  3. Click on the “Application Proxy” tab.
  4. Configure the following settings as necessary:
    • Pre-authentication: Select the appropriate authentication method for the application.
    • Connector Group: Create a connector group if multiple connectors are being used to publish applications.
    • Networking: Configure network settings if necessary, such as allowing access to specific IP addresses or blocking certain IP addresses.
    • Custom Domains: Configure a custom domain if desired.
    • Access Controls: Configure access controls to limit access to the application as necessary.

5. Configure Application Proxy for Remote Desktop Services 

  1. Ensure that Remote Desktop Gateway is installed and configured on the server hosting the Remote Desktop Session Host.
  2. Create a custom application in Azure AD and configure the application proxy settings as described in Steps 1-4.
  3. On the Remote Desktop Gateway server, open Remote Desktop Gateway Manager and navigate to the Properties of the RD CAP Store.
  4. In the RD CAP Store Properties window, select the Azure AD application that was created in Step 2 as an allowed RD CAP issuer.
  5. On the RD CAP Store Properties window, select the RD RAP Store and add the appropriate Remote Desktop users and groups.
  6. Configure the Remote Desktop client to connect to the Azure AD application URL.

6. Configure Conditional Access policies for Azure AD Application Proxy 

  1. In the Azure portal, navigate to Azure Active Directory -> Conditional Access.
  2. Create a new Conditional Access policy and select the Azure AD Application Proxy application as the target.
  3. Configure the necessary conditions, such as device or location-based access.
  4. Configure the necessary access controls, such as multi-factor authentication or access restrictions.
  5. Save the Conditional Access policy.

Manage, scale and monitor Azure AD application proxy 

Now let us see how to manage, scale and monitor the application proxy in Azure AD.

1. Manage

  1. Navigate to Azure Active Directory -> Enterprise applications from the Azure portal.
  2. Select the application that was configured in Step 1.
  3. Click on the “Manage” tab.
  4. From here, you can manage users and groups who have access to the application and also manage application settings and configurations.

2. Scale

  1. Navigate to Azure Active Directory -> Enterprise applications from the Azure portal.
  2. Select the application that was configured in Step 1.
  3. Click on the “Scale” tab.
  4. Select the appropriate scale option based on the expected number of users and traffic to the application.
  5. Click “Save” to update the scale settings.

3. Monitor 

  1. In the Azure portal, navigate to Azure Active Directory -> Enterprise applications.
  2. Select the application that was configured in Step 1.
  3. Click on the “Monitoring” tab.
  4. Monitor usage and performance metrics for the application.

Troubleshooting tips

  1. In the Azure portal, navigate to Enterprise applications from Azure Active directory.
  2. Select the application that is experiencing issues.
  3. Click on the “Monitoring” tab and review the logs for any errors or issues.
  4. Check the server hosting the application to ensure it is running and accessible.
  5. Check the Azure AD Application Proxy Connector to ensure it is running and accessible.

Conclusion 

Azure AD Application Proxy provides a powerful tool for organizations to securely access their on-premises applications without the need for a VPN connection. By following the steps outlined in this blog post, you can configure the proxy to provide secure remote access to your on-premises applications. It is important to monitor and manage application proxy in Azure AD to ensure a secure and reliable service. Additionally, considerations should be made for the impact on application performance and security best practices.

Related posts
Azure Active DirectoryAzure AD Management

How to implement app registration in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to register apps using Microsoft Entra ID

Azure Active DirectoryAzure AD Security

How to monitor and report security events in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to implement device enrollemnt via Microsoft Intune

×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.