In this video, Pete Zerger demonstrates how to securely publish internal web applications, without creating a single inbound firewall rule, using Azure Active Directory App Proxy. Learn how you can publish and secure your line-of-business web applications
- [Instructor] Now we're going to publish an internal web application using Azure Active Directory App Proxy. Azure AD App Proxy is a feature that's available in Azure AD Premium that enables secure remote access for web applications hosted on-premises, even for web apps written before the cloud. App Proxy is an Azure-based service that leverages connectors you install on-premises to securely publish your web apps to the internet. It's easier to set up than traditional firewall rules, and you don't have to rewrite your applications.
We'll begin by adding a connector. I'm logged into the Azure portal, I've selected my default directory, and I'll now select Application Proxy. I'm logged in on a virtual machine in my environment where I'll install the connector. At lower scale, this virtual machine can be a multi-purpose machine, and if you'd like redundancy, you can install the connector on multiple VMs and App Proxy will handle the load balancing automatically. I'll download the connector and run the simple installer, which installs a slim Windows service.
So you'll see here I have my connector already installed, and now I'm going to head over to Enterprise Apps and configure an application. I need to get the URL of my internal app. I'm going to use an internally published copy of Advanced Threat Analytics from Microsoft, which is an on-premises post threat defense app, so purely on-premises today, and I'm going to publish that through the App Proxy.
So I'll click the Add button in Enterprise Apps, which will bring up the full list, and I'm going to click On-premises application. This will bring up an additional wizard where I'm asked for the internal URL. I'll give this a friendly name, and you'll notice as I tab through the fields, the external URL is populated for me. It has a Microsoft-provided domain suffix. If I control DNS, I can choose my own custom DNS name as well. I'm going to pre-authenticate, but I won't be using single sign-on here; I have an application that uses forms-based auth, but I'll still be able to secure this using my Azure Active Directory credentials.
So I've provided my base URL. I'll click the Add button, which will create the copy of my now-published on-premises application through Azure AD App Proxy, and I can walk through and provide some additional configuration. I'll find my Enterprise App. Now here you see my ATA Console app that I've published; I published this previously because the policy can take a few minutes to take effect. But let's walk through our settings and perform some additional configuration.
So you'll see in the Properties area here, I have an area where I can upload a custom logo if I wish. In the Users and Groups area, I can assign permissions to access this application externally, and you'll see that I've granted access to only one user, my Pete Zerger account in the kinetecoinc Azure AD. Now I've disabled single sign-on here because I'm dealing with an app that uses forms-based auth. I'll look at my provisioning screen here, which looks fine, and I'll now click on App Proxy, and you'll notice here the internal URL that I provided and some of the pre-populated fields that the wizard filled in for me.
So now I have all of the bare necessities in place. Really what I need is just the URL that my users will use to access this application. So I'll make a copy of that application. Now I'm logged in as Pete Zerger here, who has access to that app, and when I put in that URL, I should now be redirected to my internal Advanced Threat Analytics console, but now from the internet. Now let's try this as a different user, so I'll log in as, let's say, Don Funk, who's another kinetecoinc user, but Don was not granted access, if you recall, to the App Proxy. I'll put that same URL in, and Don's going to try to access it, and you'll see here that he cannot, because he's not authorized.
I'm publishing this application to the internet securely and limiting access based on permissions I've assigned in Azure Active Directory, and that quickly, I've securely published an internal line-of-business application without adding any additional inbound firewall rules. So as you can see, Azure AD App Proxy gives your users a consistent authentication experience across modern and legacy web apps, enabling your end users ease of access with a single username and password.
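The same publish-and-restrict workflow the video performs in the portal, scripted with the AzureAD PowerShell module as an added example (not code from the course or from Microsoft's docs). The internal URL, external URL, display name and user principal name are placeholders; it assumes the connector from the video is already installed and the account running it has the Application Administrator role.

```powershell
# Added example: publish an on-premises app through Azure AD Application Proxy
# with Azure AD pre-authentication and grant access to exactly one user.
# All names and URLs below are placeholders, not values from the course.
Import-Module AzureAD
Connect-AzureAD

$displayName = 'ATA Console'                                  # placeholder
$internalUrl = 'https://ata-console.corp.example/'            # placeholder internal URL
$externalUrl = 'https://ata-console-contoso.msappproxy.net/'  # placeholder external URL

# Create the App Proxy application. AadPreAuthentication means Azure AD
# authenticates the user before any request is forwarded to the connector,
# so unauthenticated traffic never reaches the internal web server.
New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -InternalUrl $internalUrl `
    -ExternalUrl $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication | Out-Null

# The enterprise app (service principal) is created alongside the application
# and carries the user/group assignments shown in the video's Users and Groups blade.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'"

# Grant access to a single user. Apps with no custom app roles use the
# all-zeros GUID as the default access role.
$user = Get-AzureADUser -ObjectId 'pete@kinetecoinc.example'  # placeholder UPN
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
    -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId `
    -Id ([Guid]::Empty) | Out-Null

# Check before handing out the external URL: confirm assignment is required
# (otherwise any tenant user could sign in) and list exactly who is assigned.
if (-not $sp.AppRoleAssignmentRequired) {
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
}
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType
```

A user who is not in that assignment list, like the second account in the video, is refused by Azure AD at sign-in and never reaches the connector.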
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups