Azure Application Proxy – Step by step to setup an on-premises web application

Over the last months, as we continue migrating our clients’ on-premises infrastructure to the cloud, Azure Active Directory’s Application Proxy has become a very powerful tool for organizations looking to close their VPN access, migrate workloads to the cloud, and reduce their on-premises footprint. While this is not the final solution for removing on-premises services, it is a step toward removing the need for VPN connectivity to on-premises services, especially for organizations that are transitioning from local AD to Azure AD-joined devices. Azure AD Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

License requirements: With Azure Active Directory Premium P2 you gain access to advanced security features, richer reports and rule-based assignments to applications. Your end users will benefit from self-service capabilities and customized branding.

Azure AD Application Proxy is:

  • Simple to use. Users can access the on-premises applications the same way they access Microsoft 365 and other SaaS apps integrated with Azure AD.
  • Secure. On-premises applications can use Azure’s authorization controls and security analytics, including Conditional Access and MFA. Application Proxy also doesn’t require you to open inbound connections through your firewall or VPN.
  • Cost-effective. To use Application Proxy, you don’t need to change the network infrastructure or install additional appliances in your on-premises environment.

Install and register a connector

To use Application Proxy, install a connector on each Windows server you’re using with the Application Proxy service.

To install the connector:

  1. Sign in to the Azure portal as an application administrator of the directory that uses Application Proxy.
  2. In the left navigation panel, select Azure Active Directory.
  3. Under Manage, select Application proxy.
  4. Select Download connector service.
  • Read the Terms of Service. When you’re ready, select Accept terms & Download.
  • At the bottom of the window, select Run to install the connector. An install wizard opens.
  • Follow the instructions in the wizard to install the service. When you’re prompted to register the connector with the Application Proxy for your Azure AD tenant, provide your application administrator credentials.

Add an on-premises app to Azure AD

Now that you’ve prepared your environment and installed a connector, you’re ready to add on-premises applications to Azure AD.

  1. Sign in as an administrator in the Azure portal.
  2. In the left navigation panel, select Azure Active Directory.
  3. Select Enterprise applications, and then select New application.
  4. Select Add an on-premises application button which appears about halfway down the page in the On-premises applications section. Alternatively, you can select Create your own application at the top of the page and then select Configure Application Proxy for secure remote access to an on-premise application.
  5. In the Add your own on-premises application section, provide the following information about your application:
    • Name: The name of the application that will appear on My Apps and in the Azure portal.
    • Internal URL: The URL for accessing the application from inside your private network.
    • External URL: The address for users to access the app from outside your network. If you don’t want to use the default Application Proxy domain, read about custom domains in Azure AD Application Proxy.
    • Pre Authentication: How Application Proxy verifies users before giving them access to your application. With the Azure Active Directory option, Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. I recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication.
    • Connector Group: Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don’t have any connector groups created yet, your app is assigned to Default.
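The same publish step scripted with the AzureAD PowerShell module, as an added example that is not from the original post: it creates the App Proxy application with Azure AD pre-authentication and then reads the configuration back to confirm pre-authentication is enforced. It assumes the AzureAD module is installed and Connect-AzureAD has been run as an application administrator; the app name, URLs and connector group name are placeholders.

```powershell
# Added example (not from the original post): publish an on-premises web app through
# Azure AD Application Proxy and verify Azure AD pre-authentication is enforced.
# All names and URLs below are placeholders.
# Prerequisites: Install-Module AzureAD ; Connect-AzureAD (Application Administrator).

$DisplayName        = 'Finance Intranet'                        # shown in My Apps / portal
$InternalUrl        = 'https://finance.corp.example.local/'     # reachable from the connector server
$ExternalUrl        = 'https://finance-contoso.msappproxy.net/' # default App Proxy domain pattern
$ConnectorGroupName = 'Default'                                 # or a region/purpose-specific group

# Resolve the connector group by name (apps land in Default if none is specified).
$group = Get-AzureADApplicationProxyConnectorGroup |
    Where-Object { $_.Name -eq $ConnectorGroupName }
if (-not $group) { throw "Connector group '$ConnectorGroupName' not found" }

# Create the App Proxy application with Azure AD pre-authentication (the recommended
# setting) so Conditional Access and MFA apply before any traffic reaches the backend.
New-AzureADApplicationProxyApplication `
    -DisplayName                $DisplayName `
    -InternalUrl                $InternalUrl `
    -ExternalUrl                $ExternalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId           $group.Id | Out-Null

# Read the published configuration back and check the pre-authentication mode.
$app   = Get-AzureADApplication -SearchString $DisplayName | Select-Object -First 1
$proxy = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId

# Passthru would expose the backend without Azure AD sign-in; correct it if found.
if ($proxy.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    Write-Warning "$DisplayName uses '$($proxy.ExternalAuthenticationType)'; enforcing Azure AD pre-authentication."
    Set-AzureADApplicationProxyApplication -ObjectId $app.ObjectId `
        -ExternalAuthenticationType AadPreAuthentication
}

# Summary of what was published.
[pscustomobject]@{
    Name              = $DisplayName
    ExternalUrl       = $proxy.ExternalUrl
    InternalUrl       = $proxy.InternalUrl
    PreAuthentication = $proxy.ExternalAuthenticationType
    ConnectorGroup    = $group.Name
}
```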

Best Practices for Azure Application Proxy

  1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application.
  2. The connector server and the web applications servers should belong to the same Active Directory domain or span trusting domains.
  3. Install multiple connector servers on-premises to avoid a single point of failure.
  4. Configure FQDN and DNS records internally and do not use IP addresses.
  5. Make sure your connector servers have full internet access and can reach the Microsoft network.
  6. Use conditional access to secure access to your environment.
  7. Configure SSO to enhance the end-user experience.

Azure Application Proxy for RDS (Finally fully supported)

This is a continuation of one of my past blogs. Finally this came out, and I am excited about this announcement. The new Azure Application Proxy support for RDS lets clients use App Proxy with RDS to reduce the attack surface of the RDS deployment by enforcing pre-authentication and Conditional Access policies, such as requiring Multi-Factor Authentication (MFA) or a compliant device, before users can access RDS. App Proxy also doesn’t require you to open inbound connections through your firewall. Yeah!!!

To use the RDS web client with App Proxy, first you need to upgrade to App Proxy version 1.5.1975.0. If you haven’t already, you will also need to configure RDS to work with App Proxy. App Proxy will handle the internet-facing component of your RDS deployment and protect all traffic with pre-authentication and any Conditional Access policies in place. For steps on how to do this, see my previous blog.

Why we should not use free conferencing tools or services for business meetings

Due to the pandemic, companies are turning to online meetings and conference calls to continue operating. I have been working remotely for over 10 years and have used many different tools. Similarly, over the years I have been advising companies on adopting cloud solutions in a secure way. Our focus is to protect the company’s data and our users’ privacy.

We need to understand that the consumerization of IT is a real challenge for organizations, especially those with high cyber security awareness. Hundreds of free conference and video call tools and services were released in the last month alone, and users are adopting these tools in their personal lives to keep practicing social distancing. The challenge comes when users who adopt these free tools for personal use start using them in the business world.

There is another conversation about IT leadership and how to understand end-users’ needs in order to provide the right set of tools that fulfill the operation’s needs, but I will leave that for a different blog post. The real issue here is that users need to stop using consumer-grade solutions for business operations. Privacy, security and compliance are real needs for businesses.

I would like to list the reasons why, as a cloud security architect, I would recommend implementing enterprise solutions such as Microsoft Teams. Disclaimer: I use Microsoft Teams, but Cisco, LogMeIn, Adobe, etc. also offer robust and secure solutions.

  • Data Loss Prevention (DLP): Teams integrates with Microsoft DLP, allowing the organization to monitor and control the data shared by users or guests. This prevents users from sharing personally identifiable information (PII) and U.S. financial data. Similarly, we can enforce HIPAA, PCI, and other standards compliance.
  • Real-time safe links and safe attachments: By using Teams, all chat conversations, collaboration and shared information are protected in real time by an advanced protection system powered by AI. Links and documents are reviewed by spam filtering.
  • Archiving and data retention policies: Teams allows administrators to retain data following the compliance policies.
  • E-Discovery, legal-hold integration and audits: Compliance teams and auditors can always perform E-Discovery searches during litigation.
  • Authentication integrated with Azure AD: Admins can enhance their Teams security by implementing sign-in risk policies, Conditional Access policies and even multi-factor authentication, preventing unauthorized access to the service.

To summarize, my recommendation for SMBs, which are the most vulnerable entities to malware and cyber-attacks, is to stop using free software immediately and start looking into solutions that will protect your data and your users’ privacy.