Securing web applications Externally


1 Securing web applications Externally
With Azure Active Directory Application Proxy.

2 Quick Survey: Are You At Risk?
At your Board, are employee Web sites / applications currently internet facing (ex: SIS, report cards, etc.)?
Does your Board currently use Azure Active Directory?
Is your Board using Office 365?
Are you already using an employee portal or gateway product to secure internal Board resources externally?
Are you aware that your data could be at risk, and what are you doing about it?

3 Current site structure solution
Diagram labels: Internet, User, Router, DMZ, Firewall, Web Servers; Internal Network: File Server, Web Server, Database Server, AD Server

4 The Problem
Public facing site: Web applications are public internet facing sites so that staff can work from home.
Security vulnerabilities: Number of vulnerabilities in OS, web server, Tomcat & Java continue to be discovered.
Increased cyber attacks: Cybersecurity threats are continuing to increase. Our own Board was hit with the 1st Apache Struts 2 vulnerability.
User security: Need to protect staff and student data, and privacy.
Maintenance: Depending on the time of year, it can be difficult to schedule down time, even for security updates.

5 Solution
Use Azure Active Directory Application Proxy to secure Board employee sites for external use.
Increased security: Increase security of externally available resources, with an experience that users are already accustomed to.
Integration: Already integrates with existing technologies such as Active Directory and Office 365.
Cost: Reduce cost by using additional features of software that we already own.

6 What is Azure AD Application Proxy?
Remote access solution for on-premises resources.
Easily publish your on-premises application to users outside your corporate network.
Can leverage benefits of Azure AD such as multi-factor authentication.
Doesn't open access to your entire network like a VPN; you control what is accessible.
Works across multiple devices.

7 Azure AD Architecture
Diagram labels: User, Website; Microsoft Azure: Azure AD Application Proxy, Microsoft Azure Active Directory; Internal network: Azure AD app proxy connector, Azure AD connect, Web Server / Web Servers, Web Applications, AD Server

8 Initial Challenges
Here are the main challenges that we need to overcome to make this solution viable.
URL name: Use the same URL internally and externally.
Site structure: Some Trillium sites are structured in a way that makes it difficult to access top-level resources (ex: CSS).
Linking to Jasper: Issues launching Jasper Reports from the Landing Page.
User experience: Make the end user experience seamless, despite new URLs.

9 Site structure challenge
Diagram labels: Trillium Web: Secondary Achievement (TWEBSA), Elementary Achieve, Web Attendance, Shared CSS. The X marks show that Azure can't traverse up the URL chain from the published URL.

10 Site structure solution
Diagram labels: Trillium Web: Secondary Achievement (TWEBSA), Elementary Achieve, Web Attendance, Shared CSS; each published app gets a Rewrite Rule and a Default homepage.
Note: Need to have Application Request Routing 3.0 installed, which you can do with the Web Platform Installer in IIS.

11 Jasper redirection challenge
Diagram labels: Microsoft Azure: Microsoft Azure Active Directory (user authentication), Azure AD Application Proxy; User accessing Jasper Reports via landing page externally; Trillium LandingPage; Jasper Reports.
Note: Microsoft blocks this to avoid cross site scripting attacks.

12 DEMO
Go through basic steps and show setup in our test environment:
Custom IIS sites
URL rewrite rules
Azure AD configurations
DNS configurations
More rewrite rules
Core Trillium Configurations

14 IIS Configurations (part 1)
Custom sites: Web Attendance, Elementary achievement, Secondary achievement.
Steps:
Create new IIS sites to overcome site structure challenges.
Add SSL certs & HTTPS binding.
Add URL Rewrite rules: HTTP to HTTPS; default homepage redirection to the appropriate sub URL; redirection to the Tomcat web app.
For web apps with a link to Jasper, also set up Jasper rewrite rules.
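As an added example (not from the presentation), here is what the web.config URL Rewrite rules for the new Web Attendance site could look like, covering the three rules listed above; the host name attendance.mydomain.ca follows the DNS slide, while the /TWebAttendance/ path and the Tomcat address tomcat01.internal.local:8080 are assumptions. It assumes the URL Rewrite module and ARR 3.0 are installed with the server-level proxy setting enabled.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for the new "Web Attendance" IIS site (attendance.mydomain.ca).
     The /TWebAttendance/ path and the Tomcat host tomcat01.internal.local:8080 are assumptions.
     Needs the URL Rewrite module plus ARR 3.0 with the server-level proxy setting enabled. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1, HTTP to HTTPS: any plain-HTTP request gets a 301 to the same path over TLS,
             so the only binding that ever carries credentials is the HTTPS one -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Rule 2, default homepage: the site root (the URL published in Azure AD) is sent to
             the app's sub URL, so nothing ever has to climb above the published URL -->
        <rule name="Default homepage to sub URL" stopProcessing="true">
          <match url="^$" />
          <action type="Redirect" url="https://{HTTP_HOST}/TWebAttendance/" redirectType="Found" />
        </rule>
        <!-- Rule 3, reverse proxy to Tomcat: everything else is rewritten (not redirected) to the
             internal Tomcat server, so the browser keeps seeing attendance.mydomain.ca -->
        <rule name="Proxy to Tomcat" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://tomcat01.internal.local:8080/{R:1}" />
          <!-- Tells Tomcat the original scheme; HTTP_X_FORWARDED_PROTO must be listed under
               system.webServer/rewrite/allowedServerVariables in applicationHost.config -->
          <serverVariables>
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
          </serverVariables>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```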

16 Azure AD Configurations
Steps:
Open the Azure Active Directory admin center.
Create a new On-premises application.
Enter the Internal URL.
Make sure the External URL matches the Internal URL.
Add the users or groups who can access the app.
Import your SSL cert.
Note: if you want users to access other Trillium products such as TWebSchAdmin or Jasper Reports within apps, you also need to create apps for these in Azure.

18 DNS Configurations
Internal DNS: Add a new A Host record for each new URL created. The fully qualified domain name (FQDN) should point to the URL configured in IIS (ex: attendance.mydomain.ca).
External DNS: Add a new Alias (CNAME) record for each new URL created. The alias name should point to the base of the URL configured in IIS (ex: attendance). The fully qualified domain name (FQDN) for the target host should point to the Azure URL for the application. This value can be found in the application proxy page for the app. (ex:

20 IIS Configurations (part 2)
Redirect existing URLs to new URLs:
On the default pre-existing Trillium site, create URL rewrite rules to redirect users to the new site URL.
Disable old rewrite rules that no longer apply and have been recreated in the new site.
Note: These settings help make things seamless to end users since their favorites, saved or published URLs will still work, and simply redirect to the new ones.
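As an added example (not from the presentation), here are the rewrite rules on the pre-existing Trillium site that send saved links to the new published host and switch off a rule the new site now handles; the old host name trillium.mydomain.ca, the /TWebAttendance/ path and the legacy rule name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for the pre-existing Trillium site (trillium.mydomain.ca, assumed).
     The /TWebAttendance/ path and the new host attendance.mydomain.ca follow the earlier slides;
     the legacy rule name is an assumption. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Old rule now handled by the new site: switched off with enabled="false" rather than
             deleted, so it can be turned back on if the cut-over has to be rolled back -->
        <rule name="Legacy default homepage" enabled="false" stopProcessing="true">
          <match url="^$" />
          <action type="Redirect" url="/TWebAttendance/" redirectType="Found" />
        </rule>
        <!-- Saved favourites and published links for the attendance app are sent to the new
             published host; {R:1} and appendQueryString keep the rest of the path and any
             query string, so deep links and report parameters keep working -->
        <rule name="Redirect TWebAttendance to new site" stopProcessing="true">
          <match url="^TWebAttendance/(.*)" ignoreCase="true" />
          <action type="Redirect" url="https://attendance.mydomain.ca/TWebAttendance/{R:1}"
                  appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```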

21 Core Trillium Configurations
Redirect existing URLs to new URLs:
Under Trillium Security > Web Services, update the URLs for elementary and secondary report card printing to the new URLs.
If you made changes to URLs found under Admin Gateway, make sure to change those as well.

22 Next steps? Move Trillium web server to internal network
Since Azure AD allows us to publish internal sites outside of our network without opening holes in our firewall, we would like to move our Trillium web server out of our DMZ and into our internal network. This will add another layer of protection for our Trillium Web applications.

23 Summary
Increased security
Relative ease of setup
Familiar user experience
Documentation & presentation available at

24 Thank You Questions ? John-Rock Bilodeau bilodeauj@csviamonde.ca
Richard Therrien
