Enabling secure Access via Azure’s Application Proxy

Now we will make our Intranet web  application securely available over the public internet using Azure’s Application Proxy capability.
On the Windows server where the IIS server in running, start an elevated command prompt

Note the hostname of the machine/VM that is running IIS and the domain.

Run the command setspn to set up a service principal nam.

Next login to the “old” Azure portal
https://manage.windowsazure.com

Select the Azure Active Directory icon on the left , select the Default Directory (or your active directory) and click the Add+ icon at the bottom.

In the dialog box that pops up select the “Publish an application that will be accessible from outside your network” option.

Next enter a name for your application , the internal URL and the pre-authentication method you want. In this case we’re using Azure Active Directory as our local Active Directory is already sync’d with AD Connect to Azure Active Directory. (see Part 4).  (The other Pre Authentication option is Pass Through)

Next we need to enable the Application Proxy

Then click the option to download the connector

Once downloaded run the AADApplicationProxyConnectorInstaller

Follow the install process until the option to Run the connector troubleshooter appears, run the troubleshooter

Conform all is ok – if not you may need to open some outbound ports

Check the Application Proxy Connector local services are running

Back in the Azure portal

Next in the portal navigate to your applications, select the Intranet application and use the configure option, make a note of the new external (Intranet) URL for your application.

Scroll down and set the SPN name we defined earlier using the setspn.exe command

If you’d like users to be able to see this application in their myapps.microsoft.com portal select the self-service option

Next – click the Users and Groups option, notice a default group has been created for this application, you can also use any of the other groups if you want to.

Next navigate back to the Default Directory and select Groups and select the group automatically created for the Intranet application.

Add any members you wish to this group

Now try to access your application using the new external URL. Logging in using one of the users you allowed in the group above.

If this doesn’t work it may be because you have already logged in as a user who was not in the list of users your defined in the applications group

If required start a new in-private browser and login as one of the users defined in the group

This should then log you in to your internal application from the external URL.

If you defined the self-service application then the application can also be listed on myapps.microsoft.com  (if it isn’t listed select Get more applications and select it form the list)

And that’s it – we’re accessing an internal Intranet application using a public endpoint provided by Azure Application Proxy, our connection is authenticated using sync’d credentials and communication is securely setup between the on-premise application proxy connector and the Azure Cloud.

Setting up the Application in IIS

Assuming you have just installed IIS. Stop the default web application.

Add a new website for our application.

Specify a web site name – and select the path C:\www\intranet-app1 (the path we shared earlier in part 2).

After clicking “OK” you will get a warning about port 80’s binding. This can be ignored as we have stopped the default web site that was using it.

At this point if you try to access the application it will show an authentication error:

We need to do some further setup to allow our chosen Authentication method. Enable kernel mode authentication on the Intranet-App1:

Enable Windows Authentication

Next Browse to the website – and you should be prompted to perform a domain login: (If you log straight in without being prompted, it may be because you are already logged into the domain, in that case start a private browsing session and retry.)

 

You should now see the website page you created in Visual Studio

Up to this point you have an application running on your Intranet, authenticating using your own Active Directory credentials.

In Part 4 we’ll enable Azure Application Proxy  to make this application securely available to external (Internet) users.

 

 

To perform these steps, you’re going to need a domain joined Windows Server with IIS installed.

There are a few different ways to deploy a web application, perhaps the simplest is to deploy it using a file share.

Create a root folder for your IIS web site (C:\www) and within this root folder create and share a sub-folder for the intranet-app1 application we have just built:

Map the share to ta network drive on the machine you’ve used for Visual Studio

In the main Visual Studio window – select the Intranet-app1, right click and select Publish …

In the Publish dialog box select the Custom option, enter a new custom profile name, click OK and then click Next

Now select File System as the publish method and set the target location to the file share network drive location we set up previously. Click Publish

If you now resize the Output window in Visual Studio you should see the web application deploying successfully.

In Part 3 we’ll configure the IIS server to support our authentication choice.

 

Part 1. Creating a simple application in Visual Studio

If you don’t already have Visual Studio you can download and install the community edition for free from here.

Start Visual Studio and create a simple web application:

When Visual Studio has started select  File -> New -> Project 

Then select a ASP.NET Web Application, ensure Application Insights is not selected, enter a name for your project (“intranet-app1” in my case) and click OK.

On the next screen select Web Forms unselect the Host in the Cloud button if it is selected and then click the Change Authentication button.

In the Change Authentication dialog – select the Windows Authentication option and click OK

Back on the select a template box click OK

Next on the main Visual Studio workspace select Default.aspx from the Solution Explorer window on the right hand side. Right click and select View Designer

In the main window for Default.aspx – click around ASP.NET and change the default text to something you will recognize.

Finally Build (or Rebuild) the solution

Now we’re ready to Publish this application which is covered in Part 2