Enabling secure Access via Azure’s Application Proxy
Now we will make our Intranet web application securely available over the public internet using Azure’s Application Proxy capability.
On the Windows server where the IIS server in running, start an elevated command prompt
Note the hostname of the machine/VM that is running IIS and the domain.
Run the command setspn to set up a service principal nam.
Next login to the “old” Azure portal
Select the Azure Active Directory icon on the left , select the Default Directory (or your active directory) and click the Add+ icon at the bottom.
In the dialog box that pops up select the “Publish an application that will be accessible from outside your network” option.
Next enter a name for your application , the internal URL and the pre-authentication method you want. In this case we’re using Azure Active Directory as our local Active Directory is already sync’d with AD Connect to Azure Active Directory. (see Part 4). (The other Pre Authentication option is Pass Through)
Next we need to enable the Application Proxy
Then click the option to download the connector
Once downloaded run the AADApplicationProxyConnectorInstaller
Follow the install process until the option to Run the connector troubleshooter appears, run the troubleshooter
Conform all is ok – if not you may need to open some outbound ports
Check the Application Proxy Connector local services are running
Back in the Azure portal
Next in the portal navigate to your applications, select the Intranet application and use the configure option, make a note of the new external (Intranet) URL for your application.
Scroll down and set the SPN name we defined earlier using the setspn.exe command
If you’d like users to be able to see this application in their myapps.microsoft.com portal select the self-service option
Next – click the Users and Groups option, notice a default group has been created for this application, you can also use any of the other groups if you want to.
Next navigate back to the Default Directory and select Groups and select the group automatically created for the Intranet application.
Add any members you wish to this group
Now try to access your application using the new external URL. Logging in using one of the users you allowed in the group above.
If this doesn’t work it may be because you have already logged in as a user who was not in the list of users your defined in the applications group
If required start a new in-private browser and login as one of the users defined in the group
This should then log you in to your internal application from the external URL.
If you defined the self-service application then the application can also be listed on myapps.microsoft.com (if it isn’t listed select Get more applications and select it form the list)
And that’s it – we’re accessing an internal Intranet application using a public endpoint provided by Azure Application Proxy, our connection is authenticated using sync’d credentials and communication is securely setup between the on-premise application proxy connector and the Azure Cloud.