In this video, Pete Zerger explains how Azure AD App Proxy enables easy and secure publishing of on-premises web and line-of-business apps, eliminating the need for complex firewall rules.
- [Narrator] Azure Active Directory Application Proxy is a feature available at Azure AD Premium that allows secure remote access for web applications hosted on-premises, even apps written before the cloud. When users access applications remotely, they connect through a published endpoint. They're authenticated in Azure AD and routed through a connector installed on a virtual machine and routed to the on-premises application. You install this connector on a Windows VM.
The install is simple and it only takes a minute. There are several advantages to Azure AD App Proxy, including simplicity and scale, security and the user experience. And the total cost of ownership is lower than a traditional firewall. App Proxy is an Azure-based service that leverages connectors you install on-premises to securely publish web apps to the internet. It's easier to set up and secure than on-premises firewalls, and you don't have to rewrite your applications.
When you publish your apps using Azure AD App Proxy, you can take advantage of Azure's authorization controls like MFA and conditional access, and security analytics like the Intelligent Security Graph. And you don't have to open any inbound ports on your firewall. App Proxy gives your users a consistent authentication experience across both modern and legacy apps, enabling your end users ease of access with a single username and password. With App Proxy, you can access different types of internal applications, including web apps that use forms-based authentication, web apps that use integrated Windows Auth,
Web APIs that you want to expose to rich applications on different devices, as well as applications hosted behind a Remote Desktop Gateway. App Proxy works by installing a slim Windows Server service called the connector inside your corporate network. The connector auto-connects to the cloud service. And with the connector, you don't have to open any inbound ports or put anything in your perimeter network or DMZ. If you have high traffic in your apps, you can add more connectors to the service, and Azure takes care of the load balancing.
The connectors are stateless and pull everything from the cloud as necessary. The user connects to the published app via the cloud service which then routes the request on premises via the connector. And at low scale, you can install this service on a multipurpose (mumbles). The short answer is a lot. We can enable single sign-on, conditional access, publishing applications with a custom domain name, working through existing on-premises proxy servers and working with claims-aware apps.
Azure AD App Proxy provides single sign-on to apps that use integrated Windows authentication or claims-aware apps. If your app uses integrated Windows Auth, App Proxy impersonates the user using Kerberos constrained delegation to provide single sign-on. And if you have claims-aware apps that trust Azure AD, single sign-on works because the user was already authenticated by Azure AD. Which means this solution works in cloud, synchronized and federated identity models.
App Proxy also supports a variety of advanced scenarios, including publishing apps on separate networks, publishing through existing proxies and publishing native client apps. In publishing apps on separate networks, the basic concept is that each application proxy connector is assigned to a separate group. All the connectors that belong to the same group are load balanced automatically. The admin can create new groups and change these assignments in the Azure portal to support multiple publishing scenarios on multiple networks.
You can configure the connectors to bypass your on-premises outbound proxies or use an outbound proxy to access the Azure AD App Proxy. Connectors can be configured to use authenticated outbound proxies as well. App Proxy can also publish native client apps. And while App Proxy is widely used to publish browser applications such as SharePoint, Outlook Web Access, and custom line-of-business apps, these native apps differ from the web apps because they get installed on a device.
For example, you create a mobile app to connect to your custom API published through Azure AD App Proxy. This is done by supporting Azure AD issued tokens that are sent in standard HTTP authorization request headers. So with Azure AD App Proxy, we can publish our on-premises apps securely, even apps written before the cloud.
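The publishing flow the narrator describes (Azure AD pre-authentication at the published endpoint, a dedicated connector group for a separate network, and Kerberos constrained delegation for single sign-on) as an added example, not part of the course or Microsoft's own documentation. It assumes the AzureAD PowerShell module and the on-premises ActiveDirectory module; the app name, URLs, SPN and connector host name are placeholders.

```powershell
# Added example: publish an internal IWA web app through Azure AD App Proxy.
# Placeholder values; replace with your own tenant, URLs and host names.
Connect-AzureAD

# 1. Connector group for the network segment hosting the app.
#    Connectors are assigned to a group; members of a group are load balanced.
$group = New-AzureADApplicationProxyConnectorGroup -Name "Datacenter-East"

# 2. Publish the app. AadPreAuthentication forces an Azure AD sign-in
#    (so MFA and conditional access apply) before any traffic reaches the
#    connector. Passthru would skip that gate and is the weaker setting.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName "Timesheet (placeholder)" `
    -ExternalUrl "https://timesheet-contoso.msappproxy.net/" `
    -InternalUrl  "http://timesheet.contoso.local/" `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $group.Id

# 3. SSO for integrated Windows auth: the connector obtains a Kerberos
#    ticket for the signed-in user via constrained delegation. The SPN must
#    match the one registered for the on-premises app.
Set-AzureADApplicationProxyApplicationSingleSignOn `
    -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosSpn "HTTP/timesheet.contoso.local" `
    -KerberosDelegatedLoginIdentity UserPrincipalName

# 4. On-premises half of the KCD setup, run on a domain-joined admin host.
#    The connector's computer account is allowed to delegate only to the
#    app's SPN (least privilege: no unconstrained delegation).
$connector = Get-ADComputer -Identity "APPPROXY-CONNECTOR01"   # placeholder
Set-ADComputer -Identity $connector `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/timesheet.contoso.local' }
Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true

# 5. Review the published configuration before handing out the external URL.
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

Audit the resulting `msDS-AllowedToDelegateTo` list periodically; any SPN beyond the published apps widens what the connector account can impersonate users against.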
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups