Web application proxy

The choice is based on the reliability, security, and ease of use of the web application proxy servers. Organizations use separate servers when using a web application proxy to gain access to web applications in a secure environment.

Web application proxy is a role service in Windows Server Remote Access that allows authorized devices to access published applications within a corporate network with Active Directory Federation Services (AD FS).

It also offers a reverse proxy functionality that allows users to access corporate applications on devices outside of the organization’s network through a multifactor authentication process that keeps the corporate applications safe from untrusted devices.

The proxy server also provides caching and encryption services for the organization’s applications, providing a safety barrier between corporate applications and the internet.

With features like single sign-on and workplace join, the web application proxy servers provide ease of access for people within a corporate network when they have to work on the corporate applications remotely. So above, under All applications, click on the application and then under Application proxy click on Add SSL Certificate as shown below.

Upload the SSL certificate from your on-premises web app and be sure to also include the FQDN of the external URL as a subject alternative name.

Here I will use SSL certificates from my own PKI in Active Directory.

We will also explore some leading uses and important benefits of web app proxy in providing a secure channel for remote accessibility of web applications.

Read along to get insightful details about web application proxy and its role in redefining the remote accessibility of corporate networks.

Defining Web Application Proxy

Web application proxy servers are servers that provide a communication channel between clients and web applications.

Seamless integration with AD FS

The integration of selective access for users outside of the organization’s network becomes easy with the installation of AD FS in a web application proxy. The former joins devices with a common workplace, while the latter ensures the implementation of stricter security protocols.

Hence, a web application proxy works to create a pathway between published web applications and the end user.

Hence, the web proxy server becomes a barrier between corporate applications and the internet that allows access only to authenticated and authorized devices.

It plays an important role in improving the performance of corporate applications while keeping them within a secure network. After a single sign-on to Microsoft Entra ID, users can access both cloud and on-premises applications through an external URL or an internal application portal.

Go to the application and under Application proxy we can upload the certificate as shown below.

Your administrator has configured the application to block users unless they are specifically granted (‘assigned’) access to the application

This error indicates that you have enabled pre-authentication for the application in Azure and that the user who is trying to authenticate has not been added under Users and groups for the application.

Here you can see that pre-authentication is enabled for the application.

Within the application in Azure, navigate to Users and groups and add the users who should have access to this application.

We will look at publishing Remote Desktop (RDS) by using the Microsoft Entra Application Proxy in my next post.

Links

Using Microsoft Entra application proxy to publish on-premises apps for remote users
https://learn.microsoft.com/en-us/entra/identity/app-proxy/overview-what-is-app-proxy

Add an on-premises application for remote access through application proxy in Microsoft Entra ID
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-add-on-premises-application

How to configure private network connectors for Microsoft Entra Private Access and Microsoft Entra application proxy
https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-connectors

Troubleshoot application proxy problems and error messages
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-troubleshoot

Publish Remote Desktop with Microsoft Entra application proxy
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-integrate-with-remote-desktop-services

Remote Desktop Services overview in Windows Server
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-overview

Azure AD Application Proxy
https://www.msxfaq.de/cloud/azure/azure_ad_application_proxy.htm

Deploying Windows ‘Web Application Proxy’

KB ID 0001142

Problem

This is part of a larger piece of work I'm putting together on publishing Remote Desktop Services with Microsoft Web Application Proxy.

This article is simply to guide you through the process of installing the Web Application Proxy role.

Finally we can click on Create.

The application will now appear under All applications.

We also need to upload an SSL certificate for the application. The reverse web proxy and federation service proxy work together to create a dynamic remote access role of the web application proxy that initiates, controls and manages communication between the client and the web server in a secure and efficient manner.

Some major advantages of web application proxy include better security, simple and easy remote accessibility, ease of integration with the AD FS server, and proper load balancing capabilities among the backend servers.

The two forms of preauthentication are as follows:

  • AD FS preauthentication: requires the user to log in to an AD FS server before they can access published applications
  • Pass-through preauthentication: does not require users to submit their credentials before they can access applications

Web application proxy also supports single sign-on (SSO), which requires users to enter their credentials only once.

Enterprise Applications you will find in my following post.

Sign in to the Microsoft Entra admin center as at least an Application Administrator.

Browse to Identity > Applications > Enterprise applications.

Select New application.

Select the Add an on-premises application button below.

Alternatively, you can select Create your own application at the top of the page and then select Configure application proxy for secure remote access to an on-premises application.

In the Add your own on-premises application section, provide the following information about your application:

On the Advanced tab I will leave the default settings as shown below.

However, it also raises an accessibility issue for corporate applications outside the office network. The ease of implementation offered by the AD FS makes it a favorable choice for managing communication channels between users and web servers.

Conclusion

A web application proxy is a server that allows a secure channel of communication for users to access web applications with proper authorization.

The network recognizes the authorized users and saves their relevant information to enable quick access on subsequent login attempts.

3. It ensures network isolation and the safety of its corporate applications.

2. As a result, a web proxy server enables users to access applications remotely while ensuring a secure communication channel.

You will find more about how to set up a PKI in Active Directory Certificate Services (AD CS) in my following post.

And because we set pre-authentication to Microsoft Entra ID above, we also need to add the users we want to authorize for the application under Users and groups as shown below.

To access my application by using custom domains we need to configure the following CNAME entry in our DNS provider.

It forwards client requests to web servers without revealing the identity of the server.