Monday, 7 December 2015

Externally publish an internal web app with Azure Application Proxy

EMS Landing page

The Azure Application Proxy allows you to externally publish your internal web apps seamlessly and in a very straightforward manner. You don't need to configure any complicated networking in advance. There are just a couple of steps involved in this process:
  1. Prerequisites
  2. Azure AD Application connector
  3. Add and publish web app
1. Prerequisites

There are a few prerequisites so that you can implement the solution.
  • You need to have an Azure Global Administrator account.
  • You need Active Directory Premium licenses for the users that will consume the published app.
  • The server on which the connector is to be installed requires Windows Server 2012 R2 or later.
  • Turn off IE Enhanced Security on the server (installation of connector only).
  • The ports in the screenshot below must be opened outbound from this server to

A port tester can be used to verify the connectivity between the server and Azure.

Execute the tool from

Port test results.

2. Azure AD Application connector

Open your Azure directory and select Configure.

Scroll down to the Application Proxy section. Select "Download now".

Note the requirements and download the connector.

Install the connector as administrator on your local server.

Click Install.

The connector installs.

Log in to Azure when prompted.

The Azure Application Proxy has been installed.

Note the new services that have been installed.
  • Microsoft AAD Application Proxy Connector
  • Microsoft AAD Application Proxy Connector Updater

Now back in the Azure Portal select "Manage Connections".

Verify that the connector is active.

3. Add and publish web app

Now we must add the application to Azure and publish to users.

Navigate to the Azure applications.

Select to "Add an application".

In this case we should choose "Publish an application that will be accessible from the outside of your network".

Enter the app details. Enter a name and the internal URL of the app. Choose Azure AD as the pre-authentication method.

The app has now been added. Select "Assign accounts" to publish to users. Select the user group you require.

That's it. You have now externally published the app. It's so easy to do.

Now have a look at the properties of the app. You will see the external URL. This is based on the app name that you configured previously.

You can now access the app externally or through the MyApps Panel.

Configure Single Sign-on (optional)

You can now optionally configure SSO as follows:
  • Configure the app to use Integrated Windows Authentication (IWA)
  • Create a Service Principal Name  (SPN) for the app
  • Enable the Application Proxy Connector to impersonate users in AD against your app (delegate control in properties of the server computer account)
  • Configure the Azure app to use IWA
  • Enter an internal application SPN in Azure (see below)

I hope this helps. Until next time....

No comments:

Post a Comment