Get Started with Azure Application Proxy

Introduction:

Azure Application Proxy is a service for establishing secure remote connections to on-premises web applications. It also provides a variety of single sign-on options. It is straightforward to use, cost-effective and, importantly, more secure.

Prerequisite:

An Azure AD Premium P1 or P2 license is required.

How does the Azure Application proxy work?

Azure Application Proxy was introduced to give remote users access to internal on-premises applications; it can also replace a VPN or reverse proxy. It is highly recommended that internal users within the corporate network do not use Application Proxy, because it can cause performance issues through unnecessary traffic.

There are two main components in the Azure Application Proxy workflow:

  1. Application proxy service
  2. Application proxy connector

1. Application proxy service

The Application Proxy service provides an external endpoint for users connecting to internal on-premises applications. When a user accesses this endpoint, they are pre-authenticated with Azure Active Directory, and the service validates the token.

2. Application proxy connector

The Application Proxy connector is installed on the on-premises web server. It is responsible for routing incoming HTTP requests to the respective web application. If SSO is enabled, the connector performs any authentication on behalf of the user.

Workflow of Azure application proxy

  1. When the user tries to access the external endpoint, they are directed to the Azure AD sign-in page.
  2. Once the user has successfully signed in, Azure AD sends a token to the user.
  3. The client sends the token to the Azure Application Proxy service. The service retrieves the user principal name and security principal name from the token, then sends the request to the Application Proxy connector.
  4. If SSO (Single Sign-On) is enabled, the connector performs any authentication on behalf of the user.
  5. The connector routes the request to the respective internal web application.
  6. Finally, the response is sent back to the user through the connector and the Application Proxy service.

Step-by-step process to configure Azure app proxy

Step 1: Log in to the Azure portal.

Step 2: Go to Azure Active Directory and select Application Proxy from the Manage blade.

Step 3: Download the connector service.

Step 4: Install the Application Proxy connector on the web server.

Step 5: Make sure TLS 1.2 is enabled on the web server. Once the connector is installed, the server details will be listed in the default group.

Step 6: Once the connection has been established, you can see the active status.

Step 7: Click on Configure an app.

Configure a proxy app

Step 8: On the Configure an app screen, provide a name for the application and enter the internal URL. This should be the internal URL of the web application hosted on the web server.

Note: A URL with an IP address will throw a validation error, e.g., http://22.55.120.179/

The external URL is generated by Azure based on the name of the application.

Note: We can use our own custom domain for the external URL.

Click Save once you have provided the internal URL and application name. Leave Pre-Authentication set to Azure Active Directory.

Pre-authentication is very important. Microsoft recommends setting Azure Active Directory as the pre-authentication method to make sure users are authenticated before they access the application. The passthrough option skips the Azure AD authentication process.

Step 9: Jump to External application and select the recently created Azure Application Proxy app. Select Users and groups under the Manage blade and add the users or groups who can access this application.

Step 10: Select the Application proxy option from the Manage blade.

App proxy overview

Copy the external URL. When you browse to the external URL, the flow starts from the pre-authentication step.

Pre-authentication

After pre-authentication is complete, the on-premises Application Proxy connector routes the request to the respective web application.
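
The two settings called out in Step 8 (pre-authentication left on Azure Active Directory rather than passthrough, and an internal URL that is not an IP address) can be checked across many published apps with a small audit script. This is an added example, not part of the original article: the sample records are constructed, and the field names assume the onPremisesPublishing settings object of the Microsoft Graph beta API.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data. The field names follow the onPremisesPublishing
# settings object of the Microsoft Graph beta API (assumption, not from the page).
SAMPLE_APPS = [
    {"displayName": "hr-portal", "onPremisesPublishing": {
        "internalUrl": "http://hr.corp.example/",
        "externalAuthenticationType": "aadPreAuthentication"}},
    {"displayName": "legacy-wiki", "onPremisesPublishing": {
        "internalUrl": "http://22.55.120.179/",
        "externalAuthenticationType": "passthru"}},
    {"displayName": "not-published", "onPremisesPublishing": None},
]

def internal_host_is_ip(url):
    """True when the host part of the URL is an IPv4/IPv6 literal."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_app(app):
    """Return (code, message) findings for one app's proxy settings."""
    pub = app.get("onPremisesPublishing")
    if not pub:  # app is not published through Application Proxy
        return []
    findings = []
    # Flag anything other than Azure AD pre-authentication; a missing
    # value is flagged too so that it gets reviewed.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append(("PREAUTH_OFF", "pre-authentication is not Azure AD"))
    if internal_host_is_ip(pub.get("internalUrl", "")):
        findings.append(("INTERNAL_URL_IP", "internal URL uses an IP address"))
    return findings

def audit(apps):
    """Map each app with findings to its list of finding codes."""
    report = {}
    for app in apps:
        codes = [code for code, _ in audit_app(app)]
        if codes:
            report[app["displayName"]] = codes
    return report

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_APPS).items():
        print(f"{name}: {', '.join(codes)}")
```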

Summary:

We have seen what Azure Application Proxy is, its advantages, and how to configure it to securely establish a remote connection between the client and the on-premises web application. We will see more about Application Proxy in my future article.


gowthamk91
