
Throw away your DMZ Azure Active Directory Application Proxy deep-dive

Presentation on theme: "Throw away your DMZ Azure Active Directory Application Proxy deep-dive"— Presentation transcript:

1 Throw away your DMZ Azure Active Directory Application Proxy deep-dive
BRK3139
John Craddock, Identity and security architect, XTSeminars

2 Throw away your DMZ Azure Active Directory Application Proxy deep-dive
John Craddock, Identity and security architect, XTSeminars

3 Agenda
DMZ challenge
Introduction to the Azure AD Application Proxy
What is the Azure AD?
Publishing applications
Preauthentication
SSO for Windows authentication
Claims-aware applications

4 DMZ challenges?
Diagram: Internet, DMZ, Corpnet
Hardware costs
Maintaining security
Authenticating users at the edge
Authenticating users to webservers in the DMZ
Maintaining VPN access for remote workers

5 Customer evidence
Microsoft 2016
Azure Active Directory Application Proxy gives the Bristow Group secure remote access to core applications without the cost and complexity of using a virtual private network or other on-premises application publishing tools. For the Bristow Group, a leading provider of global industrial aviation services, mobility is key.
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 Customer evidence
“We’re also publishing more than 200 on prem web applications to the cloud with Azure Active Directory App Proxy which makes our employees’ lives easier since they can securely access these apps without VPN.”
Stephen Booth, IT Solution Manager, Unilever

7 What is the Azure AD Application Proxy?
Diagram: Inside Corp Net, Azure AD Application Proxy, On-premises connector, Published website
A service offered as part of Azure AD
The connector only requires outbound firewall ports
Multiple connectors can be deployed for fault tolerance and performance

8 What is Azure Active Directory?
Diagram: Azure AD at the centre, surrounded by Azure subscriptions, Management portal(s), Your user data, REST APIs, GRAPH APIs, Your Apps, Partner apps and the Application gallery; authenticate to Office365; synchronise users from your AD DS

9 Azure portals Currently some Azure AD functions can only be managed through the Classic portal

10 More than just an identity store…
Password resets
Self-service MFA
Detailed reporting and auditing
User enrolment with the B2C directory
The Azure AD Application Proxy
And more…

11 Prerequisites for the Azure AD Application Proxy
Requires Azure AD basic or premium (P1 or P2) subscription
Connector must be installed on Windows Server 2012 R2 or higher, or Windows 8.1 or higher
The on-premises firewall must be enabled for outbound traffic from the connector
You can check the outbound traffic requirements by connecting, via a browser, to
Download the connector from the Azure Portal when you enable the Application Proxy
Install and register with your Azure AD tenant
A troubleshooter is included as part of the install process

12 Required outbound ports for the connector
Port number: Description
80: To enable outbound HTTP traffic for security validation.
443: To enable user authentication against Azure AD (required only for the Connector registration process); to enable LOB HTTP responses sent back to the proxy.
9352, 5671: To enable communication between the Connector toward the Azure service for incoming requests. Uses 443 when configured to use a forward proxy.
9350: Optional. To enable better performance for incoming requests.
8080: To enable the Connector bootstrap sequence and to enable Connector automatic update.
9090: To enable Connector registration (required only for the Connector registration process).
9091: To enable Connector trust certificate automatic renewal.
Two local services run the connector
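A pre-install check for the outbound requirements listed above, run on the prospective connector host. This is an added example, not part of the session or the connector installer; the endpoint name is a placeholder, and the Azure service hostnames to test must come from the connector documentation for your tenant.

```powershell
# Added example: verify the connector host can open outbound TCP connections on the ports
# the slide lists. $Endpoint is a PLACEHOLDER (assumption); replace it with the Azure
# service hostnames from the connector documentation before use.
$Endpoint = 'PLACEHOLDER.example.invalid'

# Port -> purpose, taken from the slide's table.
$Ports = [ordered]@{
    80   = 'Outbound HTTP for security validation'
    443  = 'Azure AD authentication during registration / LOB HTTP responses'
    9352 = 'Connector to Azure service (incoming requests)'
    5671 = 'Connector to Azure service (incoming requests)'
    9350 = 'Optional: better performance for incoming requests'
    8080 = 'Connector bootstrap and automatic update'
    9090 = 'Connector registration'
    9091 = 'Trust certificate automatic renewal'
}

# Test-NetConnection makes a direct TCP connect; if the connector is configured to use a
# forward proxy, 9352/5671 traffic is carried over 443 instead, so a direct failure on those
# two ports is expected in that deployment and only 443 needs to succeed.
$Results = foreach ($port in $Ports.Keys) {
    $reachable = Test-NetConnection -ComputerName $Endpoint -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Purpose = $Ports[$port]; Reachable = $reachable }
}

$Results | Format-Table -AutoSize

$blocked = $Results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Outbound TCP blocked on port(s): " + ($blocked.Port -join ', ') +
                   ". Open them on the on-premises firewall before installing the connector.")
}
```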

13 Publishing applications
Applications are published through the Azure Portal (currently via the classic portal)
You must specify:
A name
The internal URL of your application
The preauthentication method: Azure AD or Passthrough (no authentication at the proxy)
All users connecting through the proxy must be:
Assigned a basic or premium (P1 or P2) Azure AD license
Assigned to the application if preauthentication is used
A user can be assigned directly to an application or indirectly via groups

14 Managing domain names
The default external URL will be
To use your own domain name it must be added to the Azure AD and verified
For custom domain names a certificate will need to be uploaded
A certificate is automatically provisioned for a default external URL *.msappproxy.net

15 Passthrough
Diagram: Internet, Azure, On-premises; Azure AD Application Proxy with app1 published with passthrough; external endpoint for application App1; Azure AD Application Proxy connector
Typical usage providing access to:
Web published CRL distribution points
Network Device Enrolment Service (NDES) for Microsoft Intune

16 Demo… Getting started

17 Adding preauthentication
Diagram: Internet, Azure, On-premises; Azure AD endpoint for authentication; Azure AD (possible sync from AD); AD authentication; Azure AD Application Proxy with app1 published with preauth; external endpoint for application App1; Azure AD Application Proxy connector

18 Synchronizing on-premises AD accounts

19 Preauthentication flow
Actors: User, Azure AD Application Proxy (published: app1 with preauth, authenticates via Azure AD), Azure AD, on-premises connector, app1. Traffic between the proxy and the connector is passed through the secure channel.
1. Send app1 GET request to the proxy
2. Redirected to Azure AD with authentication string
3. Azure AD authenticates the user, returns an access token and sets authentication cookies
4. Send Azure AD GET request with authentication string
5. Azure AD returns a page with the token (ST)
6. Send token (ST) with app1 POST to the proxy
7. Proxy validates the token and sets the access cookie (AzureAppProxyAccessCookie)
8. Redirected to app1
9. app1 GET request passed through the secure channel to the connector
10. App1 authenticates the user with the selected method
11. Page rendered

20 Demo… Adding preauthentication

21 Authenticating to applications
Anonymous access
Forms
Basic
Digest
NTLMv2 (never use NTLM unless there is no alternative)
Kerberos via Kerberos Constrained Delegation (KCD)
Claims: WS-Federation, SAML, OpenID Connect

22 Windows authentication
Diagram: Internet, Azure, On-premises; Azure AD endpoint for authentication; Azure AD (possible sync from AD); AD authentication; KDC; Azure AD Application Proxy with app1 published with preauth; external endpoint for application App1 (Kerberos auth); Azure AD Application Proxy connector performing KCD, Kerberos token injected into header
The computer running the connector must be domain joined

23 Enabling KCD
Configured in two places: the Azure portal, and the on-premises AD computer account running the connector
Before you start, always check you can access the application from the intranet using Kerberos
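The on-premises half of the KCD setup, with the check the slide asks for first. This is an added example, not the session's own script; the connector host name APPPROXY01 and the application SPN http/app1.corp.example are assumed placeholders, and it is run as a domain admin with the ActiveDirectory module installed.

```powershell
# Added example: prepare the connector's computer account for KCD to one application.
# Placeholders (assumptions): connector host APPPROXY01, application SPN http/app1.corp.example.
Import-Module ActiveDirectory
$ConnectorHost = 'APPPROXY01'
$AppSpn        = 'http/app1.corp.example'

# 1. Precondition from the slide: Kerberos to the application must already work from the
#    intranet. klist get requests a service ticket for the SPN; if that fails, KCD cannot help.
$klistOut = (& klist.exe get $AppSpn 2>&1) -join "`n"
if ($LASTEXITCODE -ne 0 -or $klistOut -notmatch [regex]::Escape($AppSpn)) {
    throw "No Kerberos service ticket for $AppSpn. Fix SPN registration, DNS or the KDC path first."
}

# 2. The SPN must be registered on exactly one account; duplicates make Kerberos fail silently
#    (the client falls back to NTLM, which the session says to avoid).
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)")
if ($holders.Count -ne 1) {
    throw "SPN $AppSpn is held by $($holders.Count) accounts; expected exactly one."
}

# 3. Least privilege: constrain delegation to this single SPN (msDS-AllowedToDelegateTo), and
#    allow protocol transition (TrustedToAuthForDelegation). Transition is required because the
#    user was preauthenticated by Azure AD, not by Kerberos, so the connector must obtain the
#    ticket on the user's behalf without the user's own Kerberos credentials.
$computer = Get-ADComputer -Identity $ConnectorHost
Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }
$computer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Read back and verify. Unconstrained delegation (TrustedForDelegation) must stay off:
#    a connector host with it could impersonate users to any service, not just app1.
$check = Get-ADComputer -Identity $ConnectorHost `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
if ($check.TrustedForDelegation) {
    Write-Warning "$ConnectorHost has unconstrained delegation enabled; remove it."
}
$check | Select-Object Name, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The Azure portal side (selecting Integrated Windows Authentication for the published app and entering the same SPN) is not scripted here; the SPN entered there must match the one granted in step 3 exactly.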

24 Demo… SSO to a Windows auth application

25 Authentication to a claims-aware application
The claims-aware application authenticates independently of the Azure AD Application Proxy preauthentication
The claims application must be configured to use an STS
The STS could be Azure AD or an on-premises AD FS server
The application could be using SAML, WS-Federation or OpenID Connect as its authentication protocol
Using OpenID Connect with AD FS requires AD FS 2016

26 Published claims app
Diagram: Internet, Azure, On-premises; Azure AD endpoint for authentication; Azure AD (possible sync from AD); on-premises security token service with AD authentication; Azure AD Application Proxy with app1 published with preauth (AAD App Proxy trust); external endpoint for application App1 (claims aware); Azure AD Application Proxy connector

27 Two IdPs – no SSO
Diagram: Internet, DMZ, Azure, On-premises; Azure AD endpoint for authentication (possible sync); Azure AD Application Proxy with app1 published with preauth; external endpoint for application App1 (claims aware); Azure AD Application Proxy connector; separate external ADFS endpoint for authentication via Web Application Proxy in the DMZ in front of ADFS; the app trusts both IdPs, so the user authenticates twice

28 Claims-aware application trusts Azure AD – SSO
Diagram: Internet, Azure, On-premises; Azure AD endpoint for authentication; Azure AD (possible sync from AD); AD authentication; the application trusts Azure AD; Azure AD Application Proxy with app1 published with preauth; external endpoint for application App1; Azure AD Application Proxy connector

29 Azure AD federated SSO with AD FS
Diagram: Internet, DMZ, Azure, On-premises; Azure AD endpoint for authentication; sync and trust between Azure AD and on-premises AD FS; AD authentication; Azure AD Application Proxy with app1 published with preauth; external endpoint for application App1 (claims aware, trusts Azure AD); Azure AD Application Proxy connector; external ADFS endpoint for authentication via Web Application Proxy in the DMZ in front of AD FS

30 You can also publish
Browser based web apps w/ forms based AuthN: Password vaulting based SSO
Rich Client Web Apps (ADAL integrated): Supported if client can pass bearer token to proxy app. Combine with KCD for SSO
Other apps (Clients w/o ADAL, web apps w/ special rqmts, non-HTTP apps etc): Supported through Remote desktop publishing
Authentication via PingAccess: Supported for different authentication headers and cookies

31 Exciting changes are coming
Microsoft has partnered with Ping Identity
PingAccess facilitates the connection to more application types via the Azure AD Application Proxy
Provides a mechanism to support HTTP header-based authentication for published applications
Look out for release dates

32 To find out more
Visit
Download the troubleshooting whitepaper

34 Consulting services on request
John Craddock, Infrastructure and security Architect, XTSeminars Ltd (@john_craddock)
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.

35 Free IT Pro resources to advance your career in cloud technology
Microsoft Ignite 2016
Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident)
Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft’s leaders and engineers)
Connect with peers and experts: Microsoft Tech Community (connect with community of peers and Microsoft experts)

36 Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite at
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting
