Azure Application Proxy – Part 5

Enabling secure Access via Azure’s Application Proxy

Now we will make our intranet web application securely available over the public internet using Azure's Application Proxy capability.
On the Windows server where the IIS server is running, start an elevated command prompt.

appproxyp5-1-cmd

Note the hostname of the machine/VM that is running IIS and the domain.

appproxyp5-2-hostname

Run the setspn command to set up a service principal name (SPN).

appproxyp5-3-setspn

Next, log in to the "old" Azure portal:
https://manage.windowsazure.com

Select the Azure Active Directory icon on the left, select the Default Directory (or your own directory) and click the Add+ icon at the bottom.

appproxyp5-4-add

In the dialog box that pops up select the “Publish an application that will be accessible from outside your network” option.

appproxyp5-5-outside

Next, enter a name for your application, the internal URL and the pre-authentication method you want. In this case we're using Azure Active Directory, as our local Active Directory is already sync'd to Azure Active Directory with AD Connect (see Part 4). The other pre-authentication option is Pass Through.

appproxyp5-6-addapp

Next we need to enable the Application Proxy.

appproxyp5-7-enappproxy

appproxyp5-8-enabled

Then click the option to download the connector.

appproxyp5-9-download

Once downloaded, run the AADApplicationProxyConnectorInstaller.

appproxyp5-10-exe

Follow the install process until the option to run the connector troubleshooter appears, then run the troubleshooter.

appproxyp5-11-proxyinst

Confirm all is OK. If not, you may need to open some outbound ports so the connector can reach Azure.

appproxyp5-12-troubleshoot

Check that the Application Proxy Connector local services are running.

appproxyp5-13-services
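The SPN registration and the connector service check above, as an added PowerShell example that is not part of the original post. It assumes the IIS host is the machine you run it on, that the site answers on the host's FQDN, and that the SPN belongs on the computer account (change $Account if the IIS app pool runs as a domain service account).

```powershell
# Added example (not from the original post): register the HTTP SPN for the
# IIS host and verify the connector. Run from an elevated prompt on the IIS server.
# Assumption: the SPN goes on the computer account; for an app pool running as a
# domain service account set $Account to 'DOMAIN\svc_account' instead.
$Hostname = $env:COMPUTERNAME
$Domain   = $env:USERDNSDOMAIN            # e.g. CORP.EXAMPLE.COM (constructed example)
$Fqdn     = "$Hostname.$Domain".ToLower()
$Spn      = "HTTP/$Fqdn"                  # the value entered later in the portal
$Account  = $Hostname                     # computer account (no trailing $ needed for setspn)

"Hostname: $Hostname  Domain: $Domain  SPN: $Spn"

# A duplicate SPN anywhere in the forest breaks Kerberos, so query first.
$existing = setspn -Q $Spn
if ($existing -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered:"
    $existing
} else {
    # -S checks for duplicates before adding; -A does not, so prefer -S.
    setspn -S $Spn $Account
}

# Show every SPN now registered on the account for a final visual check.
setspn -L $Account

# Connector health: both connector services should report Running.
Get-Service -DisplayName '*Application Proxy Connector*' |
    Select-Object Status, Name, DisplayName

# Outbound check similar to what the troubleshooter does: the connector needs
# outbound 80 and 443 to Azure. login.microsoftonline.com is used here as a
# representative endpoint; the full list is in the Application Proxy docs.
foreach ($port in 80, 443) {
    $result = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port $port `
                                 -WarningAction SilentlyContinue
    "login.microsoftonline.com:{0} reachable = {1}" -f $port, $result.TcpTestSucceeded
}
```

If a service shows Stopped or a port test fails, fix that before continuing, since the portal will otherwise show the connector as inactive.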

Back in the Azure portal, the connector should now show as running.

appproxyp5-14-running

Next, in the portal navigate to your applications, select the Intranet application and use the Configure option. Make a note of the new external URL for your application.

appproxyp5-15-config1

Scroll down and set the SPN we defined earlier with the setspn.exe command.

appproxyp5-16-config2

If you'd like users to be able to see this application in their myapps.microsoft.com portal, select the self-service option.

appproxyp5-17-config3

Next, click the Users and Groups option. Notice that a default group has been created for this application; you can also use any of the other groups if you want to.

appproxyp5-18-group

Next, navigate back to the Default Directory, select Groups, and select the group automatically created for the Intranet application.

appproxyp5-19-usergroup1

Add any members you wish to this group.

appproxyp5-20-usergroup2

Now try to access your application using the new external URL, logging in as one of the users you allowed in the group above.

If this doesn't work, it may be because you have already logged in as a user who was not in the list of users you defined in the application's group.

appproxyp5-21-noaccess

If required, start a new in-private browser session and log in as one of the users defined in the group.

appproxyp5-22-login

This should then log you in to your internal application from the external URL.

appproxyp5-23-loggedin

If you enabled self-service for the application, it can also be listed on myapps.microsoft.com (if it isn't listed, select Get more applications and select it from the list).

appproxyp5-24-myapp

And that's it: we're accessing an internal intranet application through a public endpoint provided by Azure Application Proxy. Our connection is authenticated using sync'd credentials, and communication is securely set up between the on-premises Application Proxy connector and the Azure cloud.
