--- Sjoerd Hooft's InFormation Technology ---
Azure Application Proxy

The Azure Application Proxy provides access to internal URLs for your mobile users. It allows you to give your users an internet-accessible URL, and the application also shows up in myapps.microsoft.com, which makes it easy to open from the Intune Managed Browser.

Installation

From the server that will host the Azure Application Proxy connector, go to the Azure portal at https://portal.azure.com and:

  • Select Azure Active Directory → Application proxy.
  • Download connector and run the installation.

See here for more details.

Configure Proxy

The connector needs outbound internet access, so if your network uses a proxy you need to configure it for the connector using PowerShell:

PS C:\Program Files> cd '.\Microsoft AAD App Proxy Connector\'
PS C:\Program Files\Microsoft AAD App Proxy Connector> .\ConfigureOutBoundProxy.ps1
 
cmdlet ConfigureOutBoundProxy.ps1 at command pipeline position 1
Supply values for the following parameters:
ProxyAddress: http://proxy:8080
 
 
Name            : system.net
LocalName       : system.net
NamespaceURI    :
...<cut>....
OuterXml        : <proxy />
BaseURI         :
PreviousText    :
 
The outbound proxy has been successfuly configured for the connector

The settings can be checked in the connector's configuration file in the folder C:\Program Files\Microsoft AAD App Proxy Connector:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
  <appSettings>
    <add key="TraceFilename" value="AadAppProxyConnector.log" />
  </appSettings>
  <system.net>
    <defaultProxy>
      <proxy proxyaddress="http://proxy:8080" bypassonlocal="True" usesystemdefault="True" />
    </defaultProxy>
  </system.net>
</configuration>
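As an added example (not part of the original page or of Microsoft's connector package), the following PowerShell script checks what ConfigureOutBoundProxy.ps1 wrote and whether that proxy really forwards the connector's traffic. It assumes the install folder shown above; the proxy URL is a placeholder, the HTTPS check uses login.microsoftonline.com as one endpoint the connector has to reach, and the connector service is matched on a wildcard display name because the page does not give the exact service name.

```powershell
# Added example: verify the outbound proxy configured for the AAD App Proxy connector.
# Assumptions: install folder from the page; $ExpectedProxy is a placeholder.

$ConnectorDir  = 'C:\Program Files\Microsoft AAD App Proxy Connector'
$ExpectedProxy = 'http://proxy:8080'   # placeholder, replace with your proxy

# 1. Read every .exe.config in the folder and report its system.net/defaultProxy element.
#    Warn if the element is missing (connector would try to go direct) or points elsewhere.
Get-ChildItem -Path $ConnectorDir -Filter '*.exe.config' | ForEach-Object {
    [xml]$cfg = Get-Content -Path $_.FullName -Raw
    $proxy = $cfg.configuration.'system.net'.defaultProxy.proxy
    if ($null -eq $proxy) {
        Write-Warning "$($_.Name): no defaultProxy/proxy element, connector will connect directly"
    }
    elseif ($proxy.proxyaddress -ne $ExpectedProxy) {
        Write-Warning "$($_.Name): proxyaddress is '$($proxy.proxyaddress)', expected '$ExpectedProxy'"
    }
    else {
        Write-Output ("{0}: proxy={1} bypassonlocal={2} usesystemdefault={3}" -f `
            $_.Name, $proxy.proxyaddress, $proxy.bypassonlocal, $proxy.usesystemdefault)
    }
}

# 2. Confirm the proxy actually forwards HTTPS to Azure AD. -Proxy forces the request
#    through the configured proxy instead of whatever the interactive session uses.
try {
    $resp = Invoke-WebRequest -Uri 'https://login.microsoftonline.com' -Proxy $ExpectedProxy `
                              -UseBasicParsing -TimeoutSec 15
    Write-Output "Proxy reachable, HTTP $($resp.StatusCode) from login.microsoftonline.com"
}
catch {
    Write-Warning "Request via $ExpectedProxy failed: $($_.Exception.Message)"
}

# 3. Show the connector (and updater) service state; wildcard because the exact
#    service name is not given on the page.
Get-Service -DisplayName '*Proxy Connector*' | Select-Object Name, Status, StartType
```

Run it on the connector server after ConfigureOutBoundProxy.ps1 and again after the service restarts; a failing step 2 with a correct step 1 usually means the proxy itself is blocking the Azure endpoints rather than the connector being misconfigured.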

Add On Premise Application

You can add an On Premise application quite simply. Just go to Azure Active Directory → Enterprise Applications → New Application and choose to add an On Premise Application.

You can usually leave all the defaults, but I recommend tweaking the external URL a little to make it easier for your users to remember.

Single Sign On

If you want to add your internal SharePoint, I recommend you read and follow this article. That article is based on creating an SPN for the SharePoint service account.

Single Server SSO

If your internal application only runs on one server there is also a simpler solution: add an SPN for the server. Follow these steps to add single sign-on for a simple one-server application:

Add SPN

With an administrator account, run the following command:

setspn -a HTTP/intranet intranetserver

Note that the “intranet” part will show up later on the application proxy server in the Kerberos delegation tab, and the “intranetserver” part is the server where the internal app is running.

Kerberos Delegation

With an administrator account, start “Active Directory Users and Computers” and locate the computer object for the application proxy server. Click on the Delegation tab and set the delegation as follows:

  • Trust this computer for delegation to specified services only
    • Use any authentication protocol

Then click Add, locate the HTTP service for the SPN you just registered and add it:
(Screenshot: aap01.jpg)
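The two steps above (registering the SPN, then constraining delegation on the connector's computer object) can be done and, more importantly, verified from PowerShell. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module is installed, uses the “intranet” and “intranetserver” names from the page, and uses 'APPPROXY01' as a placeholder for the application proxy server's computer account. It uses setspn -S instead of -a because -S refuses to register an SPN that already exists somewhere in the forest.

```powershell
# Added example: register the SPN without creating a duplicate, then read back the
# delegation settings the Delegation tab wrote to the connector's computer object.
# Assumptions: RSAT ActiveDirectory module present; 'APPPROXY01' is a placeholder.

Import-Module ActiveDirectory

$Spn           = 'HTTP/intranet'
$AppServer     = 'intranetserver'   # account that will hold the SPN (name from the page)
$ProxyComputer = 'APPPROXY01'       # placeholder: computer object of the connector host

# 1. An SPN may exist only once in the forest. A duplicate does not error out, it just
#    makes the KDC hand out tickets for the wrong account, so query before adding.
$existing = setspn -Q $Spn
if ($existing -match 'Existing SPN found') {
    Write-Warning "$Spn is already registered:`n$($existing -join "`n")"
}
else {
    setspn -S $Spn $AppServer   # -S re-checks for duplicates and then adds
}

# 2. Read back the delegation configuration of the connector's computer object.
$obj = Get-ADComputer -Identity $ProxyComputer `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation

[pscustomobject]@{
    Computer            = $obj.Name
    # "specified services only" = constrained delegation; the list must contain HTTP/intranet
    AllowedToDelegateTo = ($obj.'msDS-AllowedToDelegateTo' -join ', ')
    HasIntranetSpn      = ($obj.'msDS-AllowedToDelegateTo' -contains $Spn)
    # "Use any authentication protocol" = protocol transition; needed because the
    # connector authenticates the user against Azure AD, not with a Kerberos ticket
    AnyAuthProtocol     = $obj.TrustedToAuthForDelegation
    # must stay False: unconstrained delegation would let the connector host
    # impersonate any user to any service, not just to HTTP/intranet
    Unconstrained       = $obj.TrustedForDelegation
}
```

If HasIntranetSpn is False after you used the Delegation tab, the tab usually found a different SPN (for example the FQDN form) than the one you registered; the SPN you enter in the Enterprise App must match an entry in AllowedToDelegateTo exactly.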

Setup SSO in Enterprise App

The last step is to enable and configure SSO in the Enterprise App in Azure AD. To do so, go to the Enterprise Application, click on Single Sign On and select “Integrated Windows Authentication”. Fill in the SPN and leave the Delegated Login Identity on User Principal Name:
(Screenshot: aap02.jpg)

Resources

aap.txt · Last modified: 2021/09/24 00:24 (external edit)