Azure Application Proxy – Step by step to setup an on-premises web application

Over the last months, as we continue migrating our clients’ on-premises infrastructure to the cloud, Azure Active Directory’s Application Proxy has become a very powerful tool for organizations looking to close their VPN access, migrate workloads to the cloud, and reduce their on-premises footprint. While this is not the final solution for removing on-premises services, it is a step toward removing the need for a VPN and direct connectivity to on-premises services, especially for organizations that are transitioning from local AD to Azure AD-joined devices. Azure AD Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

License requirements: Application Proxy is an Azure AD Premium feature, so each user who accesses a published application needs an Azure AD Premium P1 or P2 license (P1 is the minimum). With Premium you get Conditional Access, rule-based (dynamic group) assignments to applications, and richer reports; P2 adds Identity Protection and Privileged Identity Management on top. Your end users will benefit from self-service capabilities and customized branding.

Azure AD Application Proxy is:

  • Simple to use. Users can access the on-premises applications the same way they access Microsoft 365 and other SaaS apps integrated with Azure AD.
  • Secure. On-premises applications can use Azure AD’s authorization controls and security analytics, including Conditional Access and MFA. Application Proxy also doesn’t require you to open inbound connections through your firewall or a VPN: the connector only makes outbound connections to the service.
  • Cost-effective. To use Application Proxy, you don’t need to change the network infrastructure or install additional appliances in your on-premises environment.

Install and register a connector

To use Application Proxy, install a connector on each Windows server you’re using with the Application Proxy service.

To install the connector:

  1. Sign in to the Azure portal as an application administrator of the directory that uses Application Proxy.
  2. In left navigation panel, select Azure Active Directory.
  3. Under Manage, select Application proxy.
  4. Select Download connector service.
     • Read the Terms of Service. When you’re ready, select Accept terms & Download.
     • At the bottom of the window, select Run to install the connector. An install wizard opens.
     • Follow the instructions in the wizard to install the service. When you’re prompted to register the connector with the Application Proxy service for your Azure AD tenant, provide your application administrator credentials.
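Once the wizard finishes, it is worth confirming that the connector actually came up and can talk to Microsoft before you publish anything. The following post-install check is an added example (it is not part of the original post or of the connector installer) to be run in an elevated PowerShell session on the connector server. It assumes the connector service names that Microsoft documents for the installer (WAPCSvc and WAPCUpdaterSvc); the $Endpoints list is a constructed sample of the outbound destinations the connector needs, not an exhaustive list.

```powershell
# Added example: health check for a freshly installed Application Proxy connector host.
# Assumptions: service names WAPCSvc / WAPCUpdaterSvc (as documented by Microsoft);
# $Endpoints is a constructed sample of required outbound destinations.

$Services  = 'WAPCSvc', 'WAPCUpdaterSvc'       # connector service + its updater
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443 }   # registration and token acquisition
    @{ Host = 'login.microsoftonline.com'; Port = 80  }   # CRL / certificate validation path
)

# 1. Both services must be installed and running; a stopped updater means no patches.
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    if ($svc.Status -ne 'Running') { Write-Warning "$name is $($svc.Status)" }
    else { Write-Host "$name is running" }
}

# 2. Connector traffic is outbound only on 80/443. The *.msappproxy.net and
#    *.servicebus.windows.net endpoints are wildcards, so test the fixed login host here;
#    a proxy that intercepts TLS will break registration even if the port is open.
foreach ($ep in $Endpoints) {
    $r = Test-NetConnection -ComputerName $ep.Host -Port $ep.Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { Write-Host "$($ep.Host):$($ep.Port) reachable" }
    else { Write-Warning "$($ep.Host):$($ep.Port) NOT reachable - check egress firewall/proxy" }
}

# 3. The connector requires TLS 1.2. On current Windows Server it is on by default and the
#    key may simply be absent; on older hosts the installer prerequisites require it set.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls    = Get-ItemProperty -Path $tlsKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $tls)          { Write-Host 'TLS 1.2 client: OS default (key not present)' }
elseif ($tls.Enabled -eq 1)  { Write-Host 'TLS 1.2 client: explicitly enabled' }
else                         { Write-Warning 'TLS 1.2 client is disabled; the connector will fail to register' }
```

If the connectivity test fails only for port 443 through a corporate proxy, remember that the connector itself makes the outbound calls, so the proxy must be configured for the connector service (not just for the logged-on user).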

Add an on-premises app to Azure AD

Now that you’ve prepared your environment and installed a connector, you’re ready to add on-premises applications to Azure AD.

  1. Sign in as an administrator in the Azure portal.
  2. In the left navigation panel, select Azure Active Directory.
  3. Select Enterprise applications, and then select New application.
  4. Select Add an on-premises application button which appears about halfway down the page in the On-premises applications section. Alternatively, you can select Create your own application at the top of the page and then select Configure Application Proxy for secure remote access to an on-premise application.
  5. In the Add your own on-premises application section, provide the following information about your application:
     • Name: The name of the application that will appear on My Apps and in the Azure portal.
     • Internal URL: The URL for accessing the application from inside your private network. It must resolve and be reachable from the connector server.
     • External URL: The address for users to access the app from outside your network. If you don’t want to use the default Application Proxy domain, read about custom domains in Azure AD Application Proxy.
     • Pre Authentication: How Application Proxy verifies users before giving them access to your application. Keep the default, Azure Active Directory: Application Proxy redirects users to sign in with Azure AD, which checks that they are assigned to the application before the request is proxied, so you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. The other option, Passthrough, forwards requests to the application without an Azure AD sign-in, so none of those controls apply.

Connector Group: Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don’t have any connector groups created yet, your app is assigned to Default.
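The same publishing steps can be scripted, which is useful when you have more than a handful of apps to move behind the proxy. The block below is an added example, not code from the original post; it uses the Application Proxy cmdlets of the AzureAD PowerShell module (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell, where the same settings live on an application’s onPremisesPublishing property). The application name, URLs and connector group name are placeholders.

```powershell
# Added example: publish an on-premises app with Azure AD pre-authentication using the
# AzureAD module instead of the portal. Assumptions: Install-Module AzureAD has been run
# and you sign in as an Application Administrator; names/URLs below are placeholders.

Import-Module AzureAD
Connect-AzureAD

$appName     = 'Intranet Timesheets'                          # shown in My Apps / the portal
$internalUrl = 'https://timesheets.corp.contoso.local/'       # must resolve from the connector host
$externalUrl = 'https://timesheets-contoso.msappproxy.net/'   # default Application Proxy domain

# Use a named connector group rather than 'Default' so connectors can be scoped by site.
$groupName = 'HQ-Connectors'
$group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = New-AzureADApplicationProxyConnectorGroup -Name $groupName }

# Publishing to a group with no active connector produces an app nobody can reach,
# so list connector status first.
Get-AzureADApplicationProxyConnector |
    Select-Object MachineName, Status, ExternalIp | Format-Table -AutoSize

# AadPreAuthentication = users must sign in to Azure AD first (Conditional Access/MFA apply).
# Passthru would hand requests straight to the backend with no Azure AD sign-in.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName                $appName `
    -InternalUrl                $internalUrl `
    -ExternalUrl                $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId           $group.Id

# Confirm the published settings.
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

Publishing the app does not grant anyone access: with Azure AD pre-authentication the user (or a group they belong to) still has to be assigned to the enterprise application, exactly as in the portal flow under Users and groups.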

Best Practices for Azure Application Proxy

  1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application.
  2. The connector server and the web application servers should belong to the same Active Directory domain or to domains that trust each other; this is required for Kerberos constrained delegation single sign-on.
  3. Install multiple connector servers on-premises (in the same connector group) to avoid a single point of failure.
  4. Use FQDNs and internal DNS records for the internal URL; do not use IP addresses.
  5. Make sure your connector servers have outbound access on ports 80 and 443 to the Microsoft Application Proxy endpoints; no inbound rules are needed.
  6. Use Conditional Access to secure access to your environment.
  7. Configure SSO to enhance the end-user experience.

Prevent Data Leakage using Exchange Online Transport Rules and Raise the Office365 Secure Score

Over the last month, two clients contacted me requesting immediate support to stop data leakage caused by the compromised credentials of specific users in Office 365 and Exchange Online. Multi-Factor Authentication is now a baseline best practice and could have prevented this situation. However, there are other security controls we recommend putting in place to limit data leakage from Office 365 when an account is compromised anyway.

The bad actors’ “modus operandi” is usually the same. After compromising the account, the attacker accesses the mailbox through OWA (or perhaps Outlook) and sets up multiple mailbox rules. Some of these rules exfiltrate the organization’s data, for example by auto-forwarding mail to an external address, or send phishing emails to saved contacts to expand the malicious activity. The last mailbox rule we usually identify automatically deletes their activity from the “Sent Items” folder so that it goes unnoticed by the user.
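Because these rules live inside the mailbox, the first thing to do during such an incident is to find every mailbox that already has one. The following hunting script is an added example (not part of the original post): it enumerates inbox rules across the tenant and flags the patterns described above, external forwarding or redirection and rules that silently delete or move matching mail, plus mailbox-level forwarding that is set outside of inbox rules. It assumes an Exchange Online PowerShell session with a role that can read inbox rules; the list of internal domains is read from the tenant’s accepted domains at run time.

```powershell
# Added example: hunt for attacker-style inbox rules (external forward/redirect, silent
# delete/move) and mailbox-level forwarding across all mailboxes.
# Assumptions: Connect-ExchangeOnline succeeded with a role permitted to read inbox rules.

Connect-ExchangeOnline

# Domains the tenant owns; any other domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients are rendered as '"Name" [SMTP:user@domain]' or as a bare address.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = (($Address -split '@')[-1]).ToLower()
    return -not ($internalDomains -contains $domain)   # unknown/unparseable => treat as external
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $who = $mbx.PrimarySmtpAddress.ToString()

    # Mailbox-level forwarding is not an inbox rule but is the same exfiltration path.
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $who; Rule = '(mailbox forwarding)'; Reason = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress)" }
    }

    foreach ($rule in Get-InboxRule -Mailbox $who -ErrorAction SilentlyContinue) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress ([string]$_) })
        if ($external.Count -gt 0) {
            [pscustomobject]@{ Mailbox = $who; Rule = $rule.Name; Reason = "forwards to $($external -join ', ')" }
        }
        # A rule that deletes or buries mail matching a keyword is the classic 'hide my tracks' rule.
        $hasContentMatch = $rule.SubjectContainsWords -or $rule.BodyContainsWords -or $rule.FromAddressContainsWords
        if (($rule.DeleteMessage -or $rule.MoveToFolder) -and $hasContentMatch) {
            [pscustomobject]@{ Mailbox = $who; Rule = $rule.Name; Reason = 'deletes/moves mail matching keywords' }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Treat every hit as an indicator to review rather than proof of compromise (some users do forward to a personal account, and that is a policy problem in its own right). For a confirmed case, disable the rule with Disable-InboxRule, reset the password and revoke sessions, and then check the Unified Audit Log for the New-InboxRule event to date the initial access.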

One of the ways we can stop data exfiltration through client-created rules is an Exchange Transport Rule (mail flow rule). A transport rule built on the following logic stops emails that are auto-forwarded to an external address.

In summary you create a rule based on the following logic.

  • IF The Sender is located ‘Inside the organization’
  • AND IF The Recipient is located ‘Outside the organization’
  • AND IF The message type is ‘Auto-Forward’
  • THEN Reject the message with the explanation ‘External Email Forwarding via Client Rules is not permitted’.

Transport Rule

This stops delivery of the auto-forwarded message and returns an NDR to the sender, which is also a useful signal: an NDR for a forward the user never set up is often the first hint that the mailbox is compromised. Exceptions can be created if a business process genuinely needs external forwarding.

Implementing this rule also raises your Office 365 Secure Score, which now has a security control called ‘Client Rules Forwarding Blocks’ that expects exactly such a Transport Rule to mitigate client-created rules that auto-forward to external addresses.
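The rule described above can be created from Exchange Online PowerShell instead of the admin center, which makes it repeatable across tenants. The block below is an added example and not the original post’s own script; it assumes an Exchange Online session with a role that can manage transport rules (for example Organization Management), and the rule name and reject text are placeholders.

```powershell
# Added example: create the 'reject external auto-forwards' transport rule and verify it.
# Assumptions: Connect-ExchangeOnline with rights to manage transport rules.

Connect-ExchangeOnline

$ruleName = 'Block client-rule auto-forwarding to external recipients'

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # Conditions: sender inside the org, recipient outside, message type AutoForward.
    # Action: reject with an NDR carrying the explanation text and a 5.7.1 status code.
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'External Email Forwarding via Client Rules is not permitted' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Priority 0 `
        -Comments 'Secure Score: Client Rules Forwarding Block. Add exceptions with Set-TransportRule -ExceptIfFrom.'
}

# Confirm the rule is enabled and evaluated before any rule that might allow the mail through.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, FromScope, SentToScope, MessageTypeMatches
```

If a specific mailbox must keep forwarding to an outside partner, add it as an exception with Set-TransportRule -Identity $ruleName -ExceptIfFrom user@yourdomain rather than disabling the rule for everyone.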

Azure Authentication, Identity, and Access Management Best Practices (The Series)

Over the years, I have seen how authentication processes have evolved into what we know today. My clients, whether already in the cloud or looking into adopting it, constantly ask me about the “best practices” for securing their Microsoft cloud adoption. That is why I have decided to write this blog post series on Microsoft cloud authentication, identity and access management.

Network firewalls used to be considered the perimeter defense of the network. But with cloud services, that perimeter keeps getting more porous, and perimeter defense can’t be as effective as it was before the explosion of BYOD devices and cloud applications.

Today, enterprises are starting to understand that identity needs to be the primary perimeter for security. This is a shift from the traditional focus on network security. Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

Best Practice

  1. Centralized Identity Management (Best Practice 1/10)
  2. Enable single sign-on for the Microsoft Cloud (Best Practice 2/10)
  3. Enable Conditional Access (Best Practice 3/10)
  4. Enable self-service Password reset with Azure AD Premium (Best Practice 4/10)
  5. Enable Conditional Access for cloud access. (Best Practice 5/10)
  6. Enforce multi-factor verification for users (Best Practice 6/10)
  7. Use role-based access control (Best Practice 7/10)
  8. Turn on Azure AD Privileged Identity Management (Best Practice 8/10)
  9. Define at least two emergency access accounts. (Best Practice 9/10)
  10. Ensure all critical admin roles have a separate account for administrative tasks (Best Practice 10/10)