Everybody knows what it means to have an environment inside a shell. It is safe inside and all is fine, but for remote and mobile working it is something of a mess. Internal applications are only available when you are in the office, or perhaps when you open a VPN connection. This is not an easy way of working for your remote workers or for external staff. They want simple solutions, usable at the edge, without big preparations before they can get to work.
With the Azure App Proxy, Microsoft has created a really nice and easy feature that might be the answer to your and your users' needs. It allows your users and customers to access internal web applications, located on-premises, from their mobile device in a safe and modern way.
Many of our users still have all their web applications on their on-premises servers, maybe because they are not suitable for the cloud at the moment, use legacy authentication, or there is no reliable hybrid scenario in place yet. To help those customers, we always start by showing them Azure App Proxy, because it is a first step to the cloud. Besides that, it is easy and has a direct benefit for the customers and their ability to work remotely.
Which application types are supported with the App Proxy?
- Web applications that use SAML, form-based or header-based authentication
- Web applications that use Integrated Windows Authentication
- Web APIs to expose to rich applications on various devices
- Applications hosted behind a Remote Desktop Gateway
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)
So what do you need to do? You must have at least Azure AD Premium licenses in place, and you need at least one Azure App Proxy Connector in your on-premises environment. That is roughly it. If they do not already exist, you may also need an externally known URL and a certificate.

And how does it work in detail? Have a look here:

So when the user opens the requested external URL, he is redirected to the Azure authentication page, where he needs to provide his credentials and, when configured, his second factor. He then receives an access token (KCD or SAML) and is forwarded to the App Proxy, to which the token is sent. The App Proxy then forwards the request to an App Proxy Connector, which performs another authentication against the application, with SSO if possible. When the server approves the request, the response is sent back through the connector to the user's device.
As you see, it is no witchcraft, but it makes things easier. And what else do you get from it? Enhanced security, better insight into the usage of this web application, and also Intune integration:
- Conditional Access for these apps
- Pre-authenticated traffic to your apps, with SSO if supported
- Header rewriting (for forms-based authentication)
- Traffic termination at the App Proxy
- Outbound-only traffic on ports 80 and 443
- Logging, monitoring and visibility for the published apps
- Intune integration on mobile devices
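The flow described above, expressed as an administration script: this is an added example, not code from the original post, and it assumes the AzureAD PowerShell module (since deprecated in favour of Microsoft Graph PowerShell). The display name, URLs and the backend SPN are hypothetical placeholders; the final check lists any app published in Passthru mode, which skips the Azure AD sign-in and therefore also Conditional Access.

```powershell
# Added example (not from the original post): publish an on-premises web app
# through Azure AD Application Proxy with Azure AD pre-authentication and
# Kerberos constrained delegation (KCD) single sign-on.
# All names, URLs and the SPN below are hypothetical placeholders.
$DisplayName = 'Contoso Intranet'                          # hypothetical
$ExternalUrl = 'https://intranet-contoso.msappproxy.net/'  # hypothetical external URL
$InternalUrl = 'http://intranet.corp.contoso.local/'       # hypothetical internal URL
$BackendSpn  = 'HTTP/intranet.corp.contoso.local'          # hypothetical SPN of the app pool account

Connect-AzureAD | Out-Null

# Publish the app. AadPreAuthentication forces the Azure AD sign-in (and with it
# MFA and Conditional Access) before any request reaches the connector. The other
# value, Passthru, hands every request to the backend without that sign-in, so
# the backend is then exposed to unauthenticated traffic from the internet.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName $DisplayName `
    -ExternalUrl $ExternalUrl `
    -InternalUrl $InternalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsTranslateHostHeaderEnabled $true

# SSO step from the flow above: the connector requests a Kerberos ticket for the
# backend SPN on behalf of the signed-in user (requires Integrated Windows
# Authentication on the backend and delegation rights for the connector machines).
Set-AzureADApplicationProxyApplicationSingleSignOn `
    -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName $BackendSpn `
    -KerberosDelegatedLoginIdentity UserPrincipalName

# Check: find every published app that still uses Passthru, i.e. that bypasses
# the pre-authentication and Conditional Access benefits listed above.
Get-AzureADApplication -All $true |
    ForEach-Object {
        # Non-proxy apps throw here; they are simply skipped.
        try { Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectId -ErrorAction Stop } catch { }
    } |
    Where-Object { $_.ExternalAuthenticationType -eq 'Passthru' } |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```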
One thing you need to keep in mind: it will not replace your Web Application Firewall, because it has no firewall functionality. Speaking with the firewall team of Microsoft at the last Ignite, they told us that scenarios like these are known at Microsoft and will come at some point.
So what else is there to say? Have fun trying out and checking the feature, and see whether Azure App Proxy helps you with your needs. In case of further questions, feel free to contact me.