Step by Step Guide | Setup Azure Application Proxy to secure your IaaS environment
In this entry I want to give you insights on how to set up the Azure Application Proxy to secure your IaaS environment. While my older entry gives you an overview of the architecture, this is a more hands-on walkthrough of how to set that architecture up. So what do you need before you can start?
- You need to have Azure AD Premium, which you can test 30 days for free.
- You need a VNet consisting of the following: a Domain Controller and an RDS farm.
- For a quick setup deployment with all the stuff you need, you can use this Quick-start Template.
After you deployed the template we can get started:
Step One: Activate Azure AD Premium
1. Go into your Azure AD tenant and activate the trial:
2. Assign an Azure AD Premium license to a user:
Note: If you don’t assign an Azure AD Premium license to a user, the Azure AD Application Proxy feature is not available!
Step two: Register the “RD Web Access” Website as an Azure Application Proxy app
1. Add a new application to Azure AD:
2. Choose the new method that is now available:
3. In the new window, enter the internal RD Web Access website URL:
Note: Choose “Azure AD” as the pre-authentication method.
4. Follow the guide Azure provides:
Note: You can install the Proxy connector on the same VM on which the “RD Web Access” website is hosted, or on a different one. As long as the machine can reach a couple of Microsoft addresses and can reach the “RD Web Access” website, it's fine. If you need more information, browse: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-troubleshoot/ – and to be sure that you configured everything correctly, run the connection troubleshooting wizard.
5. Since we are working with a self-signed certificate, toggle the switch “translate header” to “No”!
Step three (optional): Configure Connector groups
If you want to set up multiple RDS farms in different IaaS environments, you need to create multiple connector groups, which you can manage in the “configure” page of the Azure AD site:
Note: For high availability, simply deploy multiple Proxy connectors in your VNet!
Step four: Register the “RPC” Website as an Azure Application Proxy app
1. Repeat the tasks described in Step two for the “RPC” website, which is used by the RD Gateway. But use the authentication method “Pass-through” instead of “Azure AD”.
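Steps two to four can also be done from PowerShell instead of the portal. The following is an added example, not code from the original post: it uses the AzureAD PowerShell module to create a connector group, move an installed connector into it, and publish the two apps with the same settings the steps above describe (Azure AD pre-authentication for RD Web Access, Pass-through for RPC, host header translation off). The display names, host names and the connector group name are placeholders I made up; replace them with the internal URLs of your own RDS farm and the external URLs Azure assigned to you.

```powershell
# Added example (not from the original post). Assumes the AzureAD module is installed
# and you sign in as a Global Administrator of a tenant with Azure AD Premium.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Step three (optional): one connector group per IaaS environment / RDS farm.
# Placeholder name; pick one that identifies the VNet the connectors live in.
$group = New-AzureADApplicationProxyConnectorGroup -Name "RDS-Farm-WestEurope"

# Put every connector installed in that VNet into the group (at least two for HA).
# The machine name filter is a placeholder for your connector VMs.
Get-AzureADApplicationProxyConnector |
    Where-Object { $_.MachineName -like "rdcon*" } |
    ForEach-Object { Set-AzureADApplicationProxyConnector -Id $_.Id -ConnectorGroupId $group.Id }

# Step two: RD Web Access, published behind Azure AD pre-authentication.
# IsTranslateHostHeaderEnabled $false matches the "translate header = No" toggle.
$rdweb = New-AzureADApplicationProxyApplication `
    -DisplayName "RD Web Access" `
    -ExternalUrl "https://rdweb-contoso.msappproxy.net/" `
    -InternalUrl "https://rdweb.contoso.local/RDWeb/" `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsTranslateHostHeaderEnabled $false `
    -ConnectorGroupId $group.Id

# Step four: the RPC endpoint used by the RD Gateway, published with Pass-through.
# The gateway itself authenticates the RDP session, so no Azure AD pre-auth here.
$rpc = New-AzureADApplicationProxyApplication `
    -DisplayName "RD Gateway RPC" `
    -ExternalUrl "https://rdgw-contoso.msappproxy.net/" `
    -InternalUrl "https://rdgw.contoso.local/rpc/" `
    -ExternalAuthenticationType Passthru `
    -IsTranslateHostHeaderEnabled $false `
    -ConnectorGroupId $group.Id

# Check: both apps should report the intended authentication type and the same group.
foreach ($app in @($rdweb, $rpc)) {
    Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
        Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType, IsTranslateHostHeaderEnabled
}
```

Running the final check is worth the extra lines: the one setting that is easy to get wrong in this scenario is publishing the RPC app with Azure AD pre-authentication, which breaks the RD Gateway connection because the RDP client cannot complete the interactive sign-in. The output makes that mistake visible before any user tries to connect.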
Step five: Delete Public IP
Delete the Public IP that is assigned to your RD Gateway by the template. The Proxy connector does not need a public IP, as Joe Stocker pointed out in his blog here.
- Use Integrated Windows Authentication for SSO.
- Set up Azure MFA for more security.
- Use this setup for legacy apps you deployed in a Cloud Service.
- Users will authenticate using Azure AD, therefore you have a single identity (provider)!
- Use this setup for SharePoint farms! Kirk Evans wrote a very good article about this topic, as you can see here!