Slide 8 - Motivation: Remote Access as a Service

Extend Azure AD to on-prem:
- Easily publish your on-prem applications to users outside the corporate network
- Utilize Azure AD as a central management point for all your apps
[Diagram: On-Premises Applications <-> Azure Active Directory]
Slide 9 - Remote Access as a Service

Easy to deploy and operate: minimal on-prem footprint
- Secure remote access to business applications with zero DMZ on-prem infrastructure deployment and no network infrastructure change.

Deep integration with Azure Active Directory
- Richness of AAD capabilities and experiences: IW access panel discovery and SSO, central application management across SaaS and on-prem, machine learning traffic analysis, multi-factor authentication, analytics and reporting.
- Available for AAD Premium customers.

More secure for the business: pre-DMZ protection
- All security verifications are done outside the organization's premises, at cloud scale.
- DDoS attacks will not affect your business.
Slide 10 - How it works

- Connectors are deployed on corpnet; multiple connectors can be deployed for redundancy and scale.
- The connector auto-connects to the cloud service.
- The user connects to the cloud service, which routes their traffic to the resources via the connectors.
[Diagram: Azure Active Directory / Application Proxy -> DMZ -> Corporate Network (Connector, Connector -> Resource, Resource, Resource)]
Slide 11 - Integrate on-prem apps with Azure AD

End-user portal: Access Panel

Azure AD authentication capabilities:
- Username and password synced from on-prem AD
- Federated login to on-prem or other federation servers
- Multi-factor authentication
- Customized login screen
- Authorization based on user or groups
- SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
- Reports, auditing and security monitoring based on big data and machine learning

[Diagram: Azure Active Directory (Authorization, Reporting & Auditing, Security Monitoring, Authentication + MFA, Application Proxy, Access Panel, Portal) -> DMZ -> Corporate Network (Connector, Connector -> Resource, Resource, Resource)]
Slide 12 - Cloud Scale Security

- All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks.
- Unauthenticated traffic is filtered in the cloud and never arrives on-prem.
- No incoming connections to the corporate network: only an outgoing connection from the connector to the Azure AD Application Proxy service.
- The Internet-facing service is always up to date with the latest security patches and server upgrades.
- Login abnormality detection, reporting and auditing by Azure AD.
[Diagram: Azure Active Directory / Application Proxy -> DMZ -> Corporate Network (Connector, Connector -> Resource, Resource, Resource)]
Slide 16 - What is keeping us busy

- Service General Availability before the end of this year
- SSO to on-prem IWA (Kerberos) applications using cloud credentials
  - Make your existing on-prem IWA application accessible from anywhere
  - Users log in with AAD; credentials are translated by the connectors.
- Custom domain publishing (app1.contoso.com)
  - Use your own domain for the published application URL
  - Avoid the need for link translation with split-brain DNS
- Monitoring and managing of connectors from the cloud
  - Once installed and registered: zero administration on the connectors
- Advanced monitoring and auditing capabilities
  - Azure AD is the single point of auditing for all apps
Slide 18 - Web Application Proxy vNext

- Part of Windows Server vNext, alongside AD FS vNext
- Web Application Proxy is the obvious choice to publish Office servers
- Allow TMG and UAG customers to move to Web Application Proxy
Slide 19 - Preview features at a glance

Publish more apps:
- Preauthentication for HTTP Basic protocols such as Exchange ActiveSync; can enforce device registration.
- Wildcard publishing to ease publishing of SharePoint 2013 apps
- Allow HTTP publishing (not HTTPS)
- Built-in HTTP to HTTPS redirection
- Remote Desktop Gateway (RDG) publishing

Less effort:
- Improved service log for a complete audit trail and improved error handling
- New debug log for better troubleshooting
- Enable application editing in the UI
- Propagate the client IP address to the backend application
Slide 21 - HTTP Basic / ActiveSync: How it works

1. Web Application Proxy terminates the request and passes all credentials to AD FS.
2. AD FS validates the credentials, applies policy and replies with a token.
3. Upon success, Web Application Proxy allows the request to pass to the backend.
4. Web Application Proxy caches the token for future use.
[Diagram: Client -(HTTPS with Basic Auth / client cert.)-> Web Application Proxy -(Credentials / Token)-> AD FS -> AD; Web Application Proxy -(HTTPS with Basic Auth)-> Backend (Exchange or other)]
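The four-step flow on this slide, together with the "unauthenticated traffic is filtered before it reaches on-prem" point from the Cloud Scale Security slide, modelled as an added Python example. This is not Microsoft's code: MockAdfs, MockBackend, PreauthProxy, USER_DIRECTORY and the sample requests are constructed stand-ins, and the hashed cache key, the token TTL and the opaque token are design choices of this example rather than documented Web Application Proxy behaviour.

```python
import base64
import hashlib
import secrets
import time

# Constructed sample directory standing in for the AD accounts that AD FS checks.
USER_DIRECTORY = {"alice@contoso.com": "correct horse battery staple"}


class MockAdfs:
    """Stand-in for AD FS: validate credentials, apply policy, return a token or None."""

    def __init__(self, directory, allowed_domain="contoso.com"):
        self.directory, self.allowed_domain = directory, allowed_domain
        self.validations = 0  # how many times the proxy actually asked AD FS

    def issue_token(self, username, password):
        self.validations += 1
        expected = self.directory.get(username)
        # compare_digest avoids leaking the password through a timing side channel
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        if not username.endswith("@" + self.allowed_domain):  # the access-policy step
            return None
        return secrets.token_urlsafe(32)  # opaque stand-in for a signed claims token


class MockBackend:
    """Stand-in for Exchange (or another Basic-auth backend); records what reaches it."""

    def __init__(self):
        self.received = []

    def handle(self, request):
        self.received.append(request)
        return 200, "OK"


class PreauthProxy:
    """Terminate the request, pre-authenticate with AD FS, cache the token and
    forward only authenticated requests to the backend."""

    def __init__(self, adfs, backend, token_ttl=300, clock=time.monotonic):
        self.adfs, self.backend = adfs, backend
        self.token_ttl, self.clock = token_ttl, clock
        self._cache = {}  # credential hash -> (token, expiry)

    @staticmethod
    def _cache_key(username, password):
        # The cache must never hold cleartext credentials; key it on a hash instead.
        return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

    @staticmethod
    def _parse_basic(header):
        if not header.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
            username, password = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None  # a malformed header counts as no credentials at all
        return username, password

    def handle(self, request):
        challenge = {"WWW-Authenticate": 'Basic realm="contoso"'}
        creds = self._parse_basic(request["headers"].get("Authorization", ""))
        if creds is None:
            return 401, challenge  # unauthenticated traffic never reaches the backend
        key, now = self._cache_key(*creds), self.clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            token = cached[0]  # cache hit: no round trip to AD FS
        else:
            token = self.adfs.issue_token(*creds)
            if token is None:
                return 401, challenge
            self._cache[key] = (token, now + self.token_ttl)
        # Success: the Basic-auth request goes on to the backend, as in the slide's
        # diagram; the token stays at the proxy for the next request.
        return self.backend.handle({**request, "preauth_token": token})


def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def run_scenario():
    """Drive the flow with constructed ActiveSync-style requests; returns the outcomes."""
    adfs, backend = MockAdfs(USER_DIRECTORY), MockBackend()
    proxy = PreauthProxy(adfs, backend)
    path = "/Microsoft-Server-ActiveSync"
    anon = {"path": path, "headers": {}}
    wrong = {"path": path, "headers": {"Authorization": basic_header("alice@contoso.com", "wrong")}}
    good = {"path": path, "headers": {"Authorization": basic_header("alice@contoso.com", "correct horse battery staple")}}
    results = {
        "anonymous": proxy.handle(anon)[0],        # 401
        "wrong_password": proxy.handle(wrong)[0],  # 401
        "first_ok": proxy.handle(good)[0],         # 200, AD FS consulted
        "second_ok": proxy.handle(good)[0],        # 200, served from the token cache
    }
    results["adfs_validations"] = adfs.validations       # 2: wrong + first good
    results["backend_requests"] = len(backend.received)  # 2: only authenticated ones
    return results
```

The point to take from run_scenario() is that the backend sees exactly the authenticated requests and nothing else, and that the cached token keeps AD FS out of the hot path for repeated ActiveSync polling. The clock parameter exists so the TTL can be exercised deterministically; a production cache would also need an upper bound on entries and invalidation when AD FS policy changes.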
Slide 22 - Wildcard Publishing

In Windows Server 2012 R2, Web Application Proxy allowed publishing only by whitelisting specific domain names. In vNext, it allows publishing using wildcard domains.

Useful for:
- SharePoint 2013 apps publishing
- Organizations that don't want to whitelist each published application: publish a bulk of sites at once
Slide 23 - HTTP Publishing and HTTP Redirection

- HTTP Publishing: publish apps with no SSL. Only for pass-through apps.
- HTTP Redirection: redirect users who mistakenly type an HTTP address to the correct HTTPS address.
[Diagram: Web Application Proxy]
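The wildcard publishing slide and this slide describe three routing decisions a publishing proxy has to make: is the requested host published at all, does a wildcard entry cover it, and should a plain-HTTP request be forwarded, redirected to HTTPS, or refused. The following added Python example (not Microsoft's code) models those decisions together with a configuration check that enforces the "HTTP only for pass-through apps" rule. PublishedApp, validate_app, route and the APPS list are constructed for this example; the single-label wildcard semantics and the exact-before-wildcard precedence are assumptions of the example, not documented Web Application Proxy behaviour.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PublishedApp:
    name: str
    external_url: str   # hostname may start with a wildcard label, e.g. https://*.apps.contoso.com/
    backend_url: str    # may carry the same wildcard so the matched label is passed through
    preauth: str        # "ADFS" or "PassThrough"
    http_redirect: bool = False


def validate_app(app):
    """Reject configurations the slides rule out: HTTP (no SSL) only for pass-through apps."""
    scheme = urlsplit(app.external_url).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"{app.name}: unsupported scheme {scheme!r}")
    if scheme == "http" and app.preauth != "PassThrough":
        raise ValueError(f"{app.name}: HTTP publishing is only allowed for pass-through apps")
    if scheme == "http" and app.http_redirect:
        raise ValueError(f"{app.name}: HTTP-to-HTTPS redirection needs an HTTPS external URL")
    return app


def wildcard_label(pattern, host):
    """Return the label '*' matched, '' for an exact match, or None for no match.
    Assumption: '*' stands for exactly one DNS label, as in TLS wildcard certificates."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return "" if pattern == host else None
    suffix = pattern[1:]  # ".apps.contoso.com"
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    return label if label and "." not in label else None


def find_app(apps, host):
    """Exact hostnames win over wildcards, so a specific entry can override a bulk one."""
    ranked = sorted(apps, key=lambda a: urlsplit(a.external_url).hostname.startswith("*."))
    for app in ranked:
        if wildcard_label(urlsplit(app.external_url).hostname, host) is not None:
            return app
    return None


def route(apps, scheme, host, path):
    """Decide what the proxy does with an incoming request: (status, target URL or None)."""
    app = find_app(apps, host)
    if app is None:
        return 404, None  # not published: the request never reaches any backend
    ext = urlsplit(app.external_url)
    if scheme == "http" and ext.scheme == "https":
        # A mistyped HTTP address is redirected only when the app opted in.
        return (301, f"https://{host}{path}") if app.http_redirect else (404, None)
    backend = urlsplit(app.backend_url)
    backend_host = backend.hostname
    if backend_host.startswith("*."):
        backend_host = wildcard_label(ext.hostname, host) + backend_host[1:]
    port = f":{backend.port}" if backend.port else ""
    return 200, f"{backend.scheme}://{backend_host}{port}{path}"


# Constructed sample publication set.
APPS = [validate_app(app) for app in (
    PublishedApp("SharePoint apps", "https://*.sharepointapps.contoso.com/",
                 "https://*.sharepointapps.contoso.local/", "PassThrough", http_redirect=True),
    PublishedApp("Portal", "https://portal.contoso.com/", "https://portal.contoso.local/",
                 "ADFS", http_redirect=True),
    PublishedApp("Legacy intranet", "http://legacy.contoso.com/", "http://legacy.contoso.local/",
                 "PassThrough"),
)]
```

Running validate_app over the list at load time is the check worth copying: a wildcard entry makes it easy to publish many sites in one go, so a configuration step that refuses an unencrypted external URL with pre-authentication, or a redirect on an app that has no HTTPS listener, catches mistakes before any host is exposed.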