Azure AD Application Proxy

Welcome to this blog post on Azure Active Directory Application Proxy. Azure Active Directory (AAD) Application Proxy is a feature of Azure Active Directory that enables organizations to publish their internal applications through Azure.
Azure AD Application Proxy provides secure remote access to on-premises web applications such as:
  • Web applications that use Integrated Windows Authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

How Application Proxy works

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. After a successful sign-in, Azure AD sends a token to the user's client device.
  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. The connector sends the request to the on-premises application.
  6. The response is sent through the connector and Application Proxy service to the user.


RDS server with Azure Application Proxy
Let’s configure our RDS server to use Azure AD Application Proxy to enable access from the internet. First we will look at the prerequisites for Azure Application Proxy.
  1. Users require an AAD Premium licence (P1 or P2)
  2. Application Proxy connector machines must be enabled for TLS 1.2
  3. Connectors must be installed on Windows Server 2012 R2 or higher
  4. Connectors must be installed on a domain-joined machine if you want single sign-on (SSO) to applications that use Integrated Windows Authentication (IWA) *

In our scenario the Remote Desktop Services deployment runs on a single server with Windows Server 2016, so both the RD Web and RD Gateway endpoints are located on the same machine and share a common root URL; that is one of the requirements for publishing an RDS deployment through Azure Application Proxy.

Please refer to this URL for installing and configuring your RDS service: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure

Once you have the RDS server running, we can configure the Azure Application Proxy.

Installing connector

You can install the connector on one of the member servers:
  1. Sign in to the Azure portal.
  2. In the left navigation panel, select Azure Active Directory.
  3. Under Manage, select Application proxy.
  4. Select Download connector service.
  5. Read the Terms of Service. When you're ready, select Accept terms & Download.
  6. At the bottom of the window, select Run to install the connector. An install wizard opens.
  7. Follow the instructions in the wizard to install the service.
  8. Make sure ports 80 and 443 are open on the server where you install the connector.
  9. Once the installation is complete, sign back in to the Azure portal and make sure the connector service is reporting to the console.
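The prerequisites listed above (OS version, domain membership, TLS 1.2, ports 80 and 443, connector service reporting in) are easy to get wrong on a freshly built member server, and a connector that never registers is the usual symptom. The following pre-flight script is an added example and not part of the original post or of Microsoft's connector installer; it assumes the SCHANNEL and .NET strong-crypto registry locations from Microsoft's TLS 1.2 guidance, matches the connector services by display name (pattern assumed), and uses login.microsoftonline.com as a stand-in target for the outbound port probe. Run it in an elevated PowerShell session on the candidate connector host.

```powershell
# Added example (not from the original post): pre-flight checks for an
# Azure AD Application Proxy connector host. Run elevated on the server.
$results = [ordered]@{}

# 1. OS version: connectors need Windows Server 2012 R2 (NT 6.3) or later.
$os = Get-CimInstance Win32_OperatingSystem
$results['OSVersion'] = ([version]$os.Version -ge [version]'6.3')

# 2. Domain membership: needed for IWA-based SSO, not for the connector itself.
$cs = Get-CimInstance Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 3. TLS 1.2 must be enabled for both SCHANNEL sides, and .NET must be allowed
#    to use strong crypto (the connector is a .NET service).
function Test-Tls12Enabled {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { return $false }
        $p = Get-ItemProperty -Path $key
        if ($p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { return $false }
    }
    $net    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $strong = (Get-ItemProperty -Path $net -ErrorAction SilentlyContinue).SchUseStrongCrypto
    return ($strong -eq 1)
}
$results['TLS12'] = Test-Tls12Enabled

# 4. Outbound 80/443 reachability. The connector only opens outbound connections,
#    so no inbound firewall rule is needed; the hostname is a stand-in (assumption).
foreach ($port in 80, 443) {
    $t = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port $port -WarningAction SilentlyContinue
    $results["Outbound$port"] = [bool]$t.TcpTestSucceeded
}

# 5. Connector services present and running (only meaningful after the installer ran).
#    Display-name pattern is an assumption; adjust if your build names them differently.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Application Proxy Connector*' }
$stopped = $svc | Where-Object { $_.Status -ne 'Running' }
$results['ConnectorServicesRunning'] = ($svc.Count -gt 0) -and ($stopped.Count -eq 0)

# Summary: anything marked CHECK should be fixed before registering the connector.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

A "CHECK" on TLS12 is worth fixing first: the connector will not register with the service at all if TLS 1.2 is disabled, and the portal gives no hint beyond the connector never appearing.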

Publish the RD host endpoint
  1. Sign in as an administrator in the Azure portal.
  2. In the left navigation panel, select Azure Active Directory.
  3. Select Enterprise applications, and then select New application.
  4. In the On-premises applications section, select Add an on-premises application.
  5. In the Add your own on-premises application section, provide the required information about your application:
  • Internal URL: the URL used to access the application from inside your private network; in our case it is https://access.infrabeast.xy
  • External URL: the URL used to access the application from outside your private network (this is populated by Microsoft, but you can modify it)
  • Pre-authentication method: Azure Active Directory
  • Translate URL headers: No
  6. Assign users to the published RD application. Make sure they all have access to RDS, too.
  7. Leave the single sign-on method for the application as Azure AD single sign-on disabled. Your users are asked to authenticate once to Azure AD and once to RD Web, but have single sign-on to RD Gateway.
  8. Select Azure Active Directory, and then App registrations. Choose your app from the list.
  9. Under Manage, select Branding.
  10. Update the Home page URL field to point to your RD Web endpoint. In our case it is https://access.infrabeast.xyz/RDWeb.

Direct RDS traffic to Application Proxy

Connect to the RDS deployment as an administrator and change the RD Gateway server name for the deployment. This configuration ensures that connections go through the Azure AD Application Proxy service.
  1. Connect to the RDS server running the RD Connection Broker role.
  2. Launch Server Manager.
  3. Select Remote Desktop Services from the pane on the left.
  4. Select Overview.
  5. In the Deployment Overview section, select the drop-down menu and choose Edit deployment properties.
  6. In the RD Gateway tab, change the Server name field to the External URL that you set for the RD host endpoint in Application Proxy.
  7. Change the Logon method field to Password Authentication.
  8. Run this command for each collection. Replace <yourcollectionname> and <proxyfrontendurl> with your own information. This command enables single sign-on between RD Web and RD Gateway, and optimizes performance:
Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"
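Steps 6 to 8 above can be done entirely from PowerShell on the RD Connection Broker, which also makes it easy to read the settings back and confirm every collection actually carries the pre-authentication property. The script below is an added example, not code from the original post; it uses the RemoteDesktop module's Set-RDDeploymentGatewayConfiguration for the gateway name and logon method, and Set-RDSessionCollectionConfiguration for the custom RDP property. The external hostname is a constructed placeholder (replace it with the External URL host Azure assigned to your app, without the https:// prefix), and the verification assumes Get-RDSessionCollectionConfiguration exposes the property as CustomRdpProperty.

```powershell
# Added example (not from the original post): redirect the RDS deployment through
# Azure AD Application Proxy and verify the result. Run on the RD Connection Broker.
Import-Module RemoteDesktop

# Placeholder: hostname of the External URL assigned to the published RD app.
$ProxyFrontEnd = 'rds-contoso.msappproxy.net'

# Steps 6-7: point the deployment's RD Gateway at the proxy front end and use
# password authentication, which is the logon method that works through App Proxy.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $ProxyFrontEnd `
    -LogonMethod Password `
    -UseCachedCredentials $true `
    -BypassLocal $false `
    -Force

# Step 8 for every collection. The two RDP properties are newline-separated,
# which is what the `n escape inside the double-quoted string produces.
$customRdp = "pre-authentication server address:s:$ProxyFrontEnd`nrequire pre-authentication:i:1"
foreach ($c in Get-RDSessionCollection) {
    Set-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
        -CustomRdpProperty $customRdp
}

# Verification: gateway settings and per-collection RDP properties as the broker now sees them.
$gw = Get-RDDeploymentGatewayConfiguration
'Gateway: {0} (mode={1}, logon={2})' -f $gw.GatewayExternalFqdn, $gw.GatewayMode, $gw.LogonMethod

$serverPattern = [regex]::Escape("pre-authentication server address:s:$ProxyFrontEnd")
foreach ($c in Get-RDSessionCollection) {
    $cfg        = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName
    $hasServer  = $cfg.CustomRdpProperty -match $serverPattern
    $hasRequire = $cfg.CustomRdpProperty -match 'require pre-authentication:i:1'
    $state      = if ($hasServer -and $hasRequire) { 'configured' } else { 'MISSING pre-auth property' }
    '{0,-30} {1}' -f $c.CollectionName, $state
}
```

Any collection reported as missing the property will still launch from RD Web, but its RDP file will not instruct the client to pre-authenticate against the proxy, so users of that collection get prompted again at the gateway instead of the single sign-on the post describes.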

Final stage: testing your RDS application
  1. You can access your application either from the assigned applications in the Azure portal or by using the external URL.
  2. The external URL takes you to Office 365 and, once the user has authenticated successfully, the user is redirected to the internal application page.

Future Enhancements
  1. Install an additional connector on the on-premises network for high availability
  2. Enable SSO for RDS users
