Azure Application Proxy – Part 5

Enabling secure Access via Azure’s Application Proxy

Now we will make our Intranet web  application securely available over the public internet using Azure’s Application Proxy capability.
On the Windows server where the IIS server in running, start an elevated command prompt


Note the hostname of the machine/VM that is running IIS and the domain.


Run the command setspn to set up a service principal nam.


Next login to the “old” Azure portal

Select the Azure Active Directory icon on the left , select the Default Directory (or your active directory) and click the Add+ icon at the bottom.


In the dialog box that pops up select the “Publish an application that will be accessible from outside your network” option.


Next enter a name for your application , the internal URL and the pre-authentication method you want. In this case we’re using Azure Active Directory as our local Active Directory is already sync’d with AD Connect to Azure Active Directory. (see Part 4).  (The other Pre Authentication option is Pass Through)


Next we need to enable the Application Proxy



Then click the option to download the connector


Once downloaded run the AADApplicationProxyConnectorInstaller


Follow the install process until the option to Run the connector troubleshooter appears, run the troubleshooter


Conform all is ok – if not you may need to open some outbound ports


Check the Application Proxy Connector local services are running


Back in the Azure portal


Next in the portal navigate to your applications, select the Intranet application and use the configure option, make a note of the new external (Intranet) URL for your application.


Scroll down and set the SPN name we defined earlier using the setspn.exe command


If you’d like users to be able to see this application in their portal select the self-service option


Next – click the Users and Groups option, notice a default group has been created for this application, you can also use any of the other groups if you want to.


Next navigate back to the Default Directory and select Groups and select the group automatically created for the Intranet application.


Add any members you wish to this group


Now try to access your application using the new external URL. Logging in using one of the users you allowed in the group above.

If this doesn’t work it may be because you have already logged in as a user who was not in the list of users your defined in the applications group


If required start a new in-private browser and login as one of the users defined in the group


This should then log you in to your internal application from the external URL.


If you defined the self-service application then the application can also be listed on  (if it isn’t listed select Get more applications and select it form the list)


And that’s it – we’re accessing an internal Intranet application using a public endpoint provided by Azure Application Proxy, our connection is authenticated using sync’d credentials and communication is securely setup between the on-premise application proxy connector and the Azure Cloud.

Azure Application Proxy – Part 3

Setting up the Application in IIS

Assuming you have just installed IIS. Stop the default web application.


Add a new website for our application.


Specify a web site name – and select the path C:\www\intranet-app1 (the path we shared earlier in part 2).


After clicking “OK” you will get a warning about port 80’s binding. This can be ignored as we have stopped the default web site that was using it.


At this point if you try to access the application it will show an authentication error:


We need to do some further setup to allow our chosen Authentication method. Enable kernel mode authentication on the Intranet-App1:


Enable Windows Authentication


Next Browse to the website – and you should be prompted to perform a domain login: (If you log straight in without being prompted, it may be because you are already logged into the domain, in that case start a private browsing session and retry.)



You should now see the website page you created in Visual Studio


Up to this point you have an application running on your Intranet, authenticating using your own Active Directory credentials.

In Part 4 we’ll enable Azure Application Proxy  to make this application securely available to external (Internet) users.



Azure Application Proxy – Part 2

To perform these steps, you’re going to need a domain joined Windows Server with IIS installed.

There are a few different ways to deploy a web application, perhaps the simplest is to deploy it using a file share.

Create a root folder for your IIS web site (C:\www) and within this root folder create and share a sub-folder for the intranet-app1 application we have just built:


Map the share to ta network drive on the machine you’ve used for Visual Studio


In the main Visual Studio window – select the Intranet-app1, right click and select Publish …


In the Publish dialog box select the Custom option, enter a new custom profile name, click OK and then click Next


Now select File System as the publish method and set the target location to the file share network drive location we set up previously. Click Publish


If you now resize the Output window in Visual Studio you should see the web application deploying successfully.


In Part 3 we’ll configure the IIS server to support our authentication choice.


Azure Application Proxy – In Action

This blog post demonstrates how to use Azure Application Proxy.

Azure Application Proxy enables you to take an internal web application and make it securely available outside of your organisation. A few different authentication options can be enabled for your internal application to help secure it:

  • If your application does not use and form of sign-in then Azures Active Directory (AAD) sign-in can be added to the public endpoint Azure Application Proxy provides.
  • Pass through, relying on you on premise  authentication.
  • If your application does use Active Directory sign-in then you have the option to set up and use AAD based single sign-on. This post demonstrates that option.

If you would like to test the scenario described above, you may want to firstly create a simple application rather than using a real application. Part 1 of this blog shows how to do that using Visual Studio. If you already have a web application that authenticated against your local Active Directory, you can skip Parts 1,2 and 3. If you already have your Azure Active Directory synchronized with your local domain you can skip through Part 4 as well.

Part 1 – Creating a simple application with Visual Studio

Part 2 – Publishing the Application to a local IIS server

Part 3 – Setting up IIS for Authentication

Part 4 – Set up your Local Domain and Directory Synchronization

Part 5 – Enable Azure Application Proxy






Azure Application Proxy – Part 1

Part 1. Creating a simple application in Visual Studio

If you don’t already have Visual Studio you can download and install the community edition for free from here.

Start Visual Studio and create a simple web application:

When Visual Studio has started select  File -> New -> Project 


Then select a ASP.NET Web Application, ensure Application Insights is not selected, enter a name for your project (“intranet-app1” in my case) and click OK.


On the next screen select Web Forms unselect the Host in the Cloud button if it is selected and then click the Change Authentication button.


In the Change Authentication dialog – select the Windows Authentication option and click OK


Back on the select a template box click OK


Next on the main Visual Studio workspace select Default.aspx from the Solution Explorer window on the right hand side. Right click and select View Designer


In the main window for Default.aspx – click around ASP.NET and change the default text to something you will recognize.


Finally Build (or Rebuild) the solution


Now we’re ready to Publish this application which is covered in Part 2