Azure Application Proxy – Part 5

Enabling secure access via Azure's Application Proxy

Now we will make our intranet web application securely available over the public internet using Azure's Application Proxy capability.
On the Windows server where the IIS server is running, start an elevated command prompt.


Note the hostname of the machine/VM that is running IIS and the domain.


Run the setspn command to register a service principal name (SPN) for the web application. This is the SPN we will enter in the Azure portal later, so note the exact value you register.
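The following PowerShell is an added example and not part of the original post. It registers the HTTP SPN for the intranet site from the elevated prompt, checking for duplicates first (a duplicate SPN on two accounts breaks Kerberos authentication). The host name INTRANET01, the domain contoso.local and the choice of the computer account as the SPN owner are assumptions; if the IIS application pool runs as a service account, the SPN belongs on that account instead.

```powershell
# Added example, not from the original post.
# Assumptions: IIS host INTRANET01 in the AD domain contoso.local, and the
# site's application pool runs as the computer account (so the SPN goes on
# INTRANET01$). Adjust $account if the pool runs under a service account.
$hostName = $env:COMPUTERNAME                     # e.g. INTRANET01
$domain   = $env:USERDNSDOMAIN                    # e.g. CONTOSO.LOCAL
$fqdn     = "$hostName.$domain".ToLower()         # intranet01.contoso.local
$account  = "$env:USERDOMAIN\$hostName`$"         # CONTOSO\INTRANET01$ (computer account)

# Kerberos matches the SPN against the host name the client used, so
# register both the short name and the FQDN.
$spns = @("HTTP/$hostName", "HTTP/$fqdn")

foreach ($spn in $spns) {
    # -Q searches the forest for an existing registration of this SPN.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }
    # -S adds the SPN only if it is not already present anywhere in the forest.
    setspn -S $spn $account
}

# Show what is now registered on the account; copy the HTTP/ value for the portal.
setspn -L $account
```

One caveat a practitioner will hit later: when the application is configured for Integrated Windows Authentication single sign-on, the connector server's computer account must additionally be trusted for delegation to this SPN (Kerberos constrained delegation via the msDS-AllowedToDelegateTo attribute); registering the SPN alone is not sufficient for SSO.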


Next login to the “old” Azure portal

Select the Azure Active Directory icon on the left, select the Default Directory (or your active directory) and click the Add+ icon at the bottom.


In the dialog box that pops up select the “Publish an application that will be accessible from outside your network” option.


Next enter a name for your application, the internal URL and the pre-authentication method you want. In this case we're using Azure Active Directory, as our local Active Directory is already synchronised to Azure Active Directory with AD Connect (see Part 4). The other pre-authentication option is Pass Through, which forwards requests to the internal application without first requiring an Azure Active Directory sign-in, so the application itself must then handle authentication.


Next we need to enable the Application Proxy



Then click the option to download the connector


Once downloaded run the AADApplicationProxyConnectorInstaller


Follow the install process until the option to run the connector troubleshooter appears, then run the troubleshooter.


Confirm all is OK. If it isn't, you may need to open some outbound ports: the connector only makes outbound connections, on ports 80 and 443, so no inbound rules are required.


Check that the Application Proxy Connector local services are running.
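The following PowerShell is an added example and not part of the original post. It performs the two checks just described from the connector server: outbound reachability on ports 80 and 443, and the state of the connector services. The host names in the list are assumed stand-ins, because the service endpoints the connector actually uses are wildcard names (such as *.msappproxy.net and *.servicebus.windows.net) that cannot be tested directly; substitute the hosts reported by the troubleshooter if they differ.

```powershell
# Added example, not from the original post.
# The connector needs outbound 443 (its own traffic) and outbound 80 (CRL
# checks). The hosts below are assumed representatives, not the full list.
$checks = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443 },
    @{ Host = 'login.windows.net';         Port = 443 },
    @{ Host = 'crl.microsoft.com';         Port = 80  }
)

foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OK' } else { 'BLOCKED' }
    '{0,-30} {1,5} {2}' -f $c.Host, $c.Port, $state
}

# The installer registers two services (the connector and its updater);
# match on display name so the check does not depend on the internal service name.
$services = Get-Service -DisplayName '*AAD Application Proxy*'
if (-not $services) {
    Write-Warning 'No Application Proxy Connector services found; is the connector installed?'
}
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is $($svc.Status); starting it"
        Start-Service -Name $svc.Name
    }
    Get-Service -Name $svc.Name | Select-Object Name, DisplayName, Status
}
```

A BLOCKED result on port 443 is the usual reason the troubleshooter fails on a server behind an egress firewall or proxy; fix the outbound rule before re-running it.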


Back in the Azure portal


Next in the portal navigate to your applications, select the Intranet application and use the Configure option; make a note of the new external URL for your Intranet application.


Scroll down and set the SPN to the one we registered earlier with the setspn.exe command.


If you'd like users to be able to see this application in their portal, select the self-service option.


Next click the Users and Groups option; notice that a default group has been created for this application. You can also use any of your other groups if you want to.


Next navigate back to the Default Directory, select Groups and select the group automatically created for the Intranet application.


Add any members you wish to this group.


Now try to access your application using the new external URL, logging in as one of the users you added to the group above.

If this doesn't work it may be because you are already signed in as a user who is not a member of the application's group.


If required, start a new in-private browser session and log in as one of the users defined in the group.


This should then log you in to your internal application from the external URL.
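Before testing in a browser it is worth confirming that the external endpoint really is pre-authenticated. The following PowerShell is an added example and not part of the original post: it sends an anonymous request to the external URL without following redirects and checks that the proxy answers with a redirect to login.microsoftonline.com rather than serving the intranet page. The external URL used is an assumed placeholder; use the one shown on the application's Configure page.

```powershell
# Added example, not from the original post.
# With Azure AD pre-authentication an anonymous request must never reach IIS;
# the proxy should answer with a redirect to the Azure AD sign-in page.
# (With Pass Through pre-authentication you would see the application's own
# response instead, typically a 200 or an IIS 401.)
function Test-PreAuth {
    param([Parameter(Mandatory)][string]$ExternalUrl)

    $req = [System.Net.HttpWebRequest]::Create($ExternalUrl)
    $req.AllowAutoRedirect = $false   # we want to inspect the redirect, not follow it
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # HttpWebRequest throws on 4xx/5xx; the response object is still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    $preAuth = ($status -in 301, 302, 303, 307, 308) -and
               ($location -like 'https://login.microsoftonline.com/*')

    [pscustomobject]@{
        Url             = $ExternalUrl
        Status          = $status
        Location        = $location
        PreAuthEnforced = $preAuth
    }
}

# Assumed placeholder external URL; replace with the one from the portal.
$result = Test-PreAuth -ExternalUrl 'https://intranet-contoso.msappproxy.net/'
$result
if (-not $result.PreAuthEnforced) {
    Write-Warning 'Anonymous request was not redirected to Azure AD; check the pre-authentication setting on the application.'
}
```

If PreAuthEnforced comes back false while the browser test still works, it usually means the browser is reusing an existing Azure AD session cookie, which is exactly the situation the in-private window above is meant to rule out.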


If you selected the self-service option, the application can also be listed in the users' portal (if it isn't listed, select Get more applications and select it from the list).


And that's it: we're accessing an internal intranet application using a public endpoint provided by Azure Application Proxy, our connection is authenticated using synchronised credentials, and communication between the on-premises Application Proxy connector and the Azure cloud is set up securely over an outbound-only connection.
