Benefits of the Azure AD Application Proxy

Given the increase in home and remote working recently, there is a drive to allow people to access applications on the internal network from anywhere. Those accessing apps from outside the internal network may be using corporate devices, their own devices, mobile devices or a mixture. Access needs to happen in a productive way whilst also maintaining security.

One option is to set up a Virtual Private Network (VPN) for access to such applications; however, this can mean a lot of infrastructure cost and a lot of server, network and client configuration. A VPN often has many prerequisites, is complex to set up and carries a cost of ongoing maintenance and support. Connecting to a VPN normally means using a corporate-managed device. Once in, though, you can often access all areas! Happy days if you’re a hacker.

Enter the Azure AD Application Proxy. This Azure service, in conjunction with some lightweight on-premises agents (connectors), allows apps hosted on premises to be “published” so that users outside the corporate network can reach them. Access published this way can also be strengthened with the security controls available in Azure AD. The following sections give a brief summary of the App Proxy:

How do I set it up?

It is relatively straightforward. At a high level, the setup is as follows:

  • Azure licenses are required. At the time of writing, Azure App Proxy is included with Azure P1 and P2 licensing.
  • Download the App Proxy connector (a very lightweight agent) from the Azure portal and install it on premises. Several servers and several connectors can be configured and arranged into connector groups.
  • Connector servers should have network access to, and be located close to, the apps they publish.
  • Allow outbound access on TCP 80 and 443 from the connector servers, and to the appropriate Microsoft URLs.

How does it work?

The following sketch summarises at a high level how the App Proxy service and connector work:

Azure App Proxy connection flow

Step 1 – “Dave” wants to connect to an on-premises app from outside the corporate network. He uses the app’s URL or its tile in the MyApps portal.

Step 2 – The access attempt is redirected to an Azure AD sign-in page. Azure AD controls such as conditional access policies are applied here. If Dave meets the requirements and signs in successfully, Azure AD returns a token to him.

Step 3 – Dave’s client sends the token to the App Proxy service in Azure, which passes the request on to the App Proxy connector on the internal network.

Step 4 – The App Proxy connector performs any additional authentication required for Dave.

Step 5 – The connector sends the request to the on-premises app.

Step 6 – The app’s response is sent back via the connector and the App Proxy service; Dave reaches the app from outside the corporate network.

What does it support?

The Azure App Proxy works with on-premises apps that support:

  • Integrated Windows Authentication.
  • Header based authentication.
  • Forms / password-based authentication.
  • SAML.

What are the key benefits?

Security and cost.

  • Security – App Proxy connectors installed on premises make outbound connections only. Infrastructure therefore does not need to be placed in a DMZ, and no inbound connections need to be opened on the firewall.
  • Security – Connections to apps are authenticated. Apps published with pre-authentication will not allow traffic to pass through the App Proxy service to the application servers on the internal network without a valid token; this blocks some attack types, since only authenticated connections can reach the back end.
  • Security – Because the Azure service fronts the app, conditional access rules can be applied when users connect to an application, for example requiring MFA, requiring sign-in from a certain country, or requiring a certain risk score; those connections can be further monitored by tools such as Microsoft Cloud App Security.
  • Security – Applications can be published via the proxy and configured on a case-by-case basis, giving a greater degree of control over what we allow access to. With VPN configurations, once you are on you often have access to most of the corporate network.
  • Cost – The cost of standing up the App Proxy, with its associated Azure license requirements, compares favourably with the combined total of all the components of standing up a VPN.
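To make the pre-authentication benefit concrete, and to show the token flow from steps 2 to 6 end to end, here is an added Python model of the gate the proxy applies. This is an illustration written for this page, not Microsoft’s code or the App Proxy’s real implementation. It assumes an HS256 shared-secret token in place of the RSA-signed tokens Azure AD actually issues, and every issuer, audience, secret and path value is constructed for the demo. The point it demonstrates is that with pre-authentication on, a missing, expired or tampered token is answered by the proxy itself and never reaches the on-premises app, whereas in passthrough mode the app sees every request.

```python
# Added illustration for this page: a minimal model of App Proxy
# pre-authentication.  Not Microsoft's code.  Assumptions: HS256 with a
# shared secret stands in for Azure AD's RSA-signed tokens, and every
# issuer / audience / secret / path value below is constructed for the demo.
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

ISSUER = "https://login.example.test/constructed-tenant"   # constructed
AUDIENCE = "api://constructed-app-proxy-demo"               # constructed
SECRET = b"constructed-demo-shared-secret"                  # constructed


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(user: str, now: int, lifetime: int = 3600) -> str:
    """Step 2 of the flow: the identity provider signs a token after sign-in."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> Optional[Dict]:
    """Return the claims only if signature, issuer, audience and expiry all hold."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, (head + "." + body).encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            return None
        if now >= int(claims.get("exp", 0)):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        # Malformed segment, bad base64/JSON or non-object claims: reject.
        return None


BACKEND_LOG: List[Tuple[str, str]] = []   # every request the "app" actually saw


def backend_app(path: str, user: str) -> Tuple[int, str]:
    """Step 5: the on-premises application, which trusts whoever reaches it."""
    BACKEND_LOG.append((path, user))
    return 200, "hello %s, here is %s" % (user, path)


def proxy_request(path: str, headers: Dict[str, str], now: int,
                  preauth: bool = True) -> Tuple[int, str]:
    """Steps 3-5: the proxy service/connector gate.

    With pre-authentication on, a request without a valid bearer token is
    answered by the proxy itself and never forwarded.  With passthrough
    (preauth=False) the backend sees every request, authenticated or not.
    """
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    claims = verify_token(token, now) if token else None
    if preauth and claims is None:
        return 401, "sign-in required"
    user = claims["sub"] if claims else "anonymous"
    return backend_app(path, user)


if __name__ == "__main__":
    t = 1_700_000_000
    good = issue_token("dave", t)
    print(proxy_request("/hr", {"Authorization": "Bearer " + good}, t))
    print(proxy_request("/hr", {}, t))                                    # no token
    print(proxy_request("/hr", {"Authorization": "Bearer " + good}, t + 4000))  # expired
    print("backend saw:", BACKEND_LOG)
```

Running the script shows one entry in the backend log for the signed-in user and none for the unauthenticated or expired attempts, which is the property the second bullet above describes: the application server only ever processes requests that have already passed the proxy’s token check. Switching `preauth=False` reproduces passthrough publishing, where the app itself must handle every request, including anonymous ones.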

About the author