Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
Meir Mendelovich & Arieh Bibliowicz, Program Managers, AD Product Group
EM-B318
Agenda
- Application Proxies Overview
- Azure AD Application Proxy: Preview and Future
- Windows Server Web Application Proxy
- Q&A
Application Proxies Overview

Microsoft Remote Access Solutions
- Conditional Access
- DirectAccess & VPN
- Desktop Virtualization
- Web Application Proxy
- System Center
- Intune

Conditional Access Scenarios
- Web Application Proxy
- Azure AD Application Proxy
Motivation
Diagram: Azure Active Directory connected to On-Premises Applications
Remote Access as a Service
Easily publish your on-prem applications to users outside the corporate network.

Extend Azure AD to on-prem
Utilize Azure AD as a central management point for all your apps.

Remote Access as a Service
Easy to deploy and operate: minimal on-prem footprint. Secure remote access to business applications with zero DMZ infrastructure on-prem and no network infrastructure change.

Deep integration with Azure Active Directory
Richness of AAD capabilities and experiences: information-worker (IW) access panel discovery and SSO, central application management across SaaS and on-prem, machine-learning traffic analysis, multi-factor authentication, analytics and reporting. Available for AAD Premium customers.

More secure for the business: pre-DMZ protection
All security verification happens outside the organization's premises, at cloud scale. A DDoS attack against the published endpoint is absorbed by the cloud service and does not reach your on-prem network.
How it works
- Connectors are deployed on corpnet
- Multiple connectors can be deployed for redundancy and scale
- The connector auto-connects to the cloud service
- User connects to the cloud service, which routes their traffic to the resources via the connectors

Diagram: Azure Active Directory / Application Proxy (https://sales-contoso.msappproxy.com); Connectors on the corporate network; Resources (http://sales); DMZ
Integrate on-prem apps with Azure AD
End-user portal: Access Panel
Azure AD authentication capabilities:
- Username and password synced from on-prem AD
- Federated login to on-prem or other federation servers
- Multi-factor authentication
- Customized login screen
- Authorization based on user or groups
- SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
- Reports, auditing and security monitoring based on big data and machine learning

Diagram: Azure Active Directory (Access Panel Portal, Authentication + MFA, Reporting & Auditing, Security Monitoring, Authorization) / Application Proxy; Connectors on the corporate network; Resources; DMZ
Cloud Scale Security
- All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks before they reach on-prem
- Unauthenticated traffic is filtered in the cloud and never arrives on-prem (for applications configured to require preauthentication; pass-through applications forward every request)
- No incoming connections to the corporate network: only an outgoing connection from the connector to the Azure AD Application Proxy service
- Internet-facing service is always up to date with the latest security patches and server upgrades
- Login-abnormality detection, reporting and auditing by Azure AD
Demo
https://myapps.microsoft.com/
User: [email protected]: Pass1234
What is keeping us busy
- Service General Availability before the end of this year
- SSO to on-prem IWA (Kerberos) applications using cloud credentials: make your existing on-prem IWA applications accessible from anywhere. Users log in with AAD and the connectors translate the credentials (the connector obtains a Kerberos ticket for the backend on the user's behalf).
- Custom domain publishing (app1.contoso.com): use your own domain for the published application URL and avoid the need for link translation with split-brain DNS.
- Monitoring and managing of connectors from the cloud: once installed and registered, zero administration on the connectors.
- Advanced monitoring and auditing capabilities: Azure AD is the single point of auditing for all apps.
Windows Server Web Application Proxy
- Part of Windows Server vNext, alongside AD FS vNext
- Web Application Proxy is the obvious choice to publish Office servers
- Allows TMG and UAG customers to move to Web Application Proxy
Web Application Proxy vNext
Publish more apps:
- Preauthentication for HTTP Basic protocols such as Exchange ActiveSync; can enforce device registration
- Wildcard publishing to ease SharePoint 2013 apps publishing (https://*.sp-apps.contoso.com)
- Allow HTTP publishing (not HTTPS)
- Built-in HTTP to HTTPS redirection
- Remote Desktop Gateway (RDG) publishing
Less effort:
- Improved service log for a complete audit trail and improved error handling
- New debug log for better troubleshooting
- Enable application editing in the UI
- Propagate the client IP address to the backend application
Preview features at a glance
Demo
HTTP Basic / ActiveSync – How it works
1. Web Application Proxy terminates the request and passes all credentials to AD FS
2. AD FS validates, applies policy and replies with a token
3. Upon success, Web Application Proxy allows the request to pass to the backend
4. Web Application Proxy caches the token for future use

Diagram: client -> (HTTPS with Basic Auth / client cert.) -> Web Application Proxy -> (credentials) -> AD FS -> (token) -> Web Application Proxy -> (HTTPS with Basic Auth) -> Backend (Exchange or other)
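The four steps above, as an added example that is not part of the original deck and not Microsoft's code: a Python model in which the proxy parses the Basic header, hands the credentials to a stand-in for AD FS, caches the returned token, and lets the request reach the backend only after success. The demo account, the HMAC token format, the cache lifetime and the ActiveSync path are constructed assumptions.

```python
"""Added example: a minimal model of Web Application Proxy preauthentication
for HTTP Basic clients such as Exchange ActiveSync.  Not Microsoft code.
The credential store, the token format and the cache lifetime are
constructed assumptions standing in for AD FS and its policy."""
import base64
import hashlib
import hmac

# Constructed AD FS stand-in: one demo account and an HMAC-signed token.
_DEMO_USERS = {"alice@contoso.com": "Pass1234"}
_ADFS_SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME = 300  # seconds a cached token is reused (assumption)


def adfs_validate(user, password, now):
    """Return a signed token for valid credentials, otherwise None."""
    expected = _DEMO_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    body = f"{user}|{int(now) + TOKEN_LIFETIME}"
    sig = hmac.new(_ADFS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def parse_basic(headers):
    """Decode 'Authorization: Basic <b64>' into (user, password) or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class BasicPreauthProxy:
    """Terminates the request, preauthenticates against AD FS, caches the
    token, and forwards to the backend only after success."""

    def __init__(self, validator, backend):
        self.validator = validator      # callable(user, password, now) -> token | None
        self.backend = backend          # callable(request) -> response
        self.cache = {}                 # credential digest -> (token, expiry)
        self.validator_calls = 0

    def handle(self, request, now):
        creds = parse_basic(request["headers"])
        if creds is None:
            # No usable credentials: challenge the client, nothing reaches the backend.
            return {"status": 401,
                    "headers": {"WWW-Authenticate": 'Basic realm="contoso"'}}
        key = hashlib.sha256("\0".join(creds).encode()).hexdigest()
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            token = cached[0]           # reuse: AD FS is not contacted again
        else:
            self.validator_calls += 1
            token = self.validator(creds[0], creds[1], now)
            if token is None:
                self.cache.pop(key, None)
                return {"status": 401, "headers": {}}
            self.cache[key] = (token, now + TOKEN_LIFETIME)
        # Preauthenticated: pass the original request (Basic header included,
        # as in the diagram) to the backend, which does its own authentication.
        return self.backend(request)


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def run_demo():
    """Drive the proxy through anonymous, wrong, valid, cached, expired and garbage cases."""
    backend_hits = []

    def backend(request):
        backend_hits.append(request["path"])
        return {"status": 200, "body": "mailbox sync"}

    proxy = BasicPreauthProxy(adfs_validate, backend)
    path = "/Microsoft-Server-ActiveSync"   # constructed ActiveSync endpoint
    now = 1_700_000_000

    def req(auth=None):
        headers = {"Authorization": auth} if auth else {}
        return {"method": "OPTIONS", "path": path, "headers": headers}

    good_auth = basic_header("alice@contoso.com", "Pass1234")
    anon = proxy.handle(req(), now)
    bad = proxy.handle(req(basic_header("alice@contoso.com", "wrong")), now)
    good = proxy.handle(req(good_auth), now)
    again = proxy.handle(req(good_auth), now + 10)
    expired = proxy.handle(req(good_auth), now + TOKEN_LIFETIME + 1)
    garbage = proxy.handle(req("Basic not-base64!"), now)
    return {
        "anon": anon["status"], "bad": bad["status"], "good": good["status"],
        "again": again["status"], "expired": expired["status"], "garbage": garbage["status"],
        "validator_calls": proxy.validator_calls, "backend_hits": len(backend_hits),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing: the backend is never called for the anonymous, wrong-password or malformed requests, and the second valid request is served from the cache without a round trip to AD FS, while a request after the cache lifetime triggers revalidation. The cache is keyed by a digest of the credentials, so a changed password misses the cache rather than reusing a token issued for the old one.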
Wildcard Publishing
In Windows Server 2012 R2, Web Application Proxy allowed publishing only by whitelisting specific domain names. In vNext, it allows publishing using wildcard domains, e.g. external https://*.spapps.contoso.com with backend http://*.spapps.int/
Useful for:
- SharePoint 2013 apps publishing
- Organizations that don't want to whitelist each published application: publish a bulk of sites at once
HTTP Publishing and HTTP Redirection
HTTP Publishing: publish apps with no SSL. Only for pass-through apps (no preauthentication).
HTTP Redirection: redirect users who wrongly type an HTTP address to the correct HTTPS address.

Diagram: Web Application Proxy publishes http://non-secure.contoso.com/ as-is, and redirects http://secure.contoso.com/ to https://secure.contoso.com/
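The three publishing rules from the last two slides (wildcard hosts, HTTP publishing only for pass-through apps, HTTP to HTTPS redirection), as an added example that is not Microsoft's code and not the real cmdlet schema: a small Python rule evaluator that decides whether a request is forwarded, redirected or rejected. The PublishedApp fields, the backend hostnames and the one-label wildcard rule are assumptions.

```python
"""Added example: a constructed model of the Web Application Proxy vNext
publishing rules described above.  Not Microsoft code; the PublishedApp
fields are assumptions, not the real Add-WebApplicationProxyApplication
parameters."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PublishedApp:
    name: str
    external_url: str            # e.g. https://*.spapps.contoso.com/
    backend_url: str             # e.g. http://*.spapps.int/
    preauth: str = "ADFS"        # "ADFS" or "PassThrough"
    http_redirect: bool = False  # send http:// requests to the https:// URL


def split_url(url):
    """Return (scheme, host), lower-cased; wildcard hosts are kept as written."""
    scheme, _, rest = url.partition("://")
    return scheme.lower(), rest.split("/", 1)[0].lower()


def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one DNS label
    (the one-label rule is an assumption borrowed from TLS certificates)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".spapps.contoso.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def validate_app(app):
    """Reject what the slide rules out: HTTP publishing with preauthentication."""
    scheme, _ = split_url(app.external_url)
    if scheme not in ("http", "https"):
        raise ValueError(f"{app.name}: unsupported external scheme {scheme!r}")
    if scheme == "http" and app.preauth != "PassThrough":
        raise ValueError(f"{app.name}: HTTP publishing is only allowed for pass-through apps")
    return app


def route(apps, scheme, host):
    """Decide what the proxy does with a request for scheme://host/.
    Returns ('forward', app), ('redirect', url) or ('reject', None)."""
    for app in apps:
        ext_scheme, ext_host = split_url(app.external_url)
        if not host_matches(ext_host, host):
            continue
        if scheme == ext_scheme:
            return ("forward", app)
        if scheme == "http" and ext_scheme == "https" and app.http_redirect:
            return ("redirect", f"https://{host}/")
    return ("reject", None)


def demo_apps():
    """Constructed publishing table mirroring the slide examples."""
    return [validate_app(a) for a in (
        PublishedApp("sp-apps", "https://*.spapps.contoso.com/", "http://*.spapps.int/"),
        PublishedApp("secure", "https://secure.contoso.com/", "https://secure.corp.local/",
                     http_redirect=True),
        PublishedApp("non-secure", "http://non-secure.contoso.com/", "http://legacy.corp.local/",
                     preauth="PassThrough"),
        PublishedApp("owa", "https://owa.contoso.com/", "https://exch01.corp.local/owa/"),
    )]


def rejected_config():
    """Return the error raised for an HTTP app that still asks for AD FS preauth."""
    try:
        validate_app(PublishedApp("bad", "http://intranet.contoso.com/", "http://intranet/"))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    apps = demo_apps()
    for scheme, host in (("https", "team1.spapps.contoso.com"), ("https", "a.b.spapps.contoso.com"),
                         ("http", "secure.contoso.com"), ("http", "owa.contoso.com")):
        print(f"{scheme}://{host}/ -> {route(apps, scheme, host)}")
    print(rejected_config())
```

The wildcard matcher accepts `team1.spapps.contoso.com` but not `a.b.spapps.contoso.com` or the bare `spapps.contoso.com`; whether the real product matches more than one label is not stated on the page, so the single-label rule is a deliberate conservative choice. An `http://` request to an HTTPS app is only redirected when the app opts in; otherwise it is rejected, and a configuration that combines HTTP publishing with preauthentication is refused up front.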
Blogs:
- AD Team blog: http://blogs.technet.com/b/ad/
- Application Proxies blog: http://blogs.technet.com/b/applicationproxyblog/
MSDN Documentation:
- Azure AD App Proxy: http://msdn.microsoft.com/en-us/library/azure/dn768219.aspx
- Web Application Proxy: http://technet.microsoft.com/en-us/library/dn584107.aspx
Contact Us:
- Meet us at the Ask The Experts event
- Feedback: [email protected]
Related content
Microsoft Solutions Experience Location (MSE)
Tue, Oct 28 3:15 PM-4:30 PM EM-B214 Privileged Access Management for Active Directory
Wed, Oct 29 8:30 AM-9:45 AM EM-B316 Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
Wed, Oct 29 3:15 PM-4:30 PM EM-B319 Microsoft Identity Manager vNext Overview
Wed, Oct 29 3:15 PM-4:30 PM CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained
Thu, Oct 30 10:15 AM-11:30 AM CDP-B312 Microsoft Azure Active Directory Premium, in Depth
Thu, Oct 30 12:00 PM-1:15 PM EM-B310 Active Directory + BYOD = Peace of Mind
Thu, Oct 30 5:00 PM-6:15 PM DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
Fri, Oct 31 8:30 AM-9:45 AM CDP-B207 Securing Organizations: Azure Active Directory Intelligence as a Differentiator
Fri, Oct 31 10:15 AM-11:30 AM EM-B410 Advanced Active Directory Federation Services and Web Application Proxy Troubleshooting
Fri, Oct 31 2:45 PM-4:00 PM EM-B313 Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Developer Network
http://developer.microsoft.com
Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite
Microsoft Intune: http://aka.ms/microsoftintune
Configuration Manager: http://aka.ms/configmgr
Enterprise Mobility Track Resources
Hybrid Identity: http://aka.ms/hi
Access & Info Protection: http://aka.ms/aip
Desktop Virtualization: http://aka.ms/virtualdesktop
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
How it works

Application Proxy Data Flow (diagram labels: Contoso.com corpnet, Fabrikam.com corpnet, DMZ)
1. Once started, the connector polls the Azure AD Application Proxy service for new client requests.
2. A user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.msappproxy.net/
3. The Azure AD Application Proxy service sends the user's request as payload to an available connector.
4. The connector sends the request to the backend application and, once there is a response, sends it back to the Application Proxy.
5. Application Proxy returns the response to the client.
Application Proxy Preauthentication (diagram labels: Contoso.com corpnet, DMZ)
1. User sends an unauthenticated request to an application that is configured to require preauthentication.
2. Application Proxy redirects the user to Azure AD for preauthentication. Nothing is sent to the backend.
3. User is authenticated by Azure AD. This process may involve other systems, such as MFA, depending on tenant configuration. Once authenticated, the user is redirected back to the Application Proxy service with the acquired token (Token: [email protected]).
4. User request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.
5. Application Proxy sends the request to the application through the connectors and returns the response to the client.
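The data-flow and preauthentication sequences above, as an added example that is not part of the original deck and not Microsoft's code: a Python simulation of the cloud service, an outbound-only connector and the redirect-to-Azure-AD step. The token format, the sign-in URL shape, the queue standing in for the connector's outbound polling, and the sales/status application names are constructed assumptions.

```python
"""Added example: a constructed simulation of the Azure AD Application Proxy
data flow and preauthentication sequence shown above.  Not Microsoft code:
the token format, the sign-in URL shape and the queue that stands in for the
connector's outbound polling are assumptions."""
import hashlib
import hmac
from collections import deque
from urllib.parse import quote

_AAD_SIGNING_KEY = b"constructed-demo-tenant-key"   # stands in for Azure AD's key
SIGNIN_URL = "https://login.microsoftonline.com/contoso.com/oauth2/authorize"  # assumed shape


def issue_token(upn, now):
    """Azure AD stand-in: a signed token that expires one hour after issue."""
    body = f"{upn}|{int(now) + 3600}"
    sig = hmac.new(_AAD_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def validate_token(token, now):
    """Return the UPN if the signature verifies and the token is unexpired."""
    try:
        upn, exp, sig = token.split("|")
        exp = int(exp)
    except (AttributeError, ValueError):
        return None
    expect = hmac.new(_AAD_SIGNING_KEY, f"{upn}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expect) or exp <= now:
        return None
    return upn


class Connector:
    """Runs on corpnet and opens only outbound connections: it pulls queued
    requests from the service and relays them to the internal backend."""

    def __init__(self, backends):
        self.backends = backends    # internal host -> callable(request) -> response
        self.handled = 0

    def poll(self, service):
        while service.pending:
            work = service.pending.popleft()
            response = self.backends[work["internal_host"]](work["request"])
            work["deliver"](response)
            self.handled += 1


class AppProxyService:
    """Cloud side: public endpoint, preauthentication, hand-off to connectors."""

    def __init__(self):
        self.apps = {}              # external host -> (internal host, require_preauth)
        self.pending = deque()      # requests waiting for a connector to pull them
        self.connectors = []

    def publish(self, external_host, internal_host, preauth=True):
        self.apps[external_host] = (internal_host, preauth)

    def handle(self, external_host, path, now, token=None):
        internal_host, preauth = self.apps[external_host]
        if preauth and validate_token(token, now) is None:
            # Step 2: redirect to Azure AD; nothing is queued for the backend.
            back = quote(f"https://{external_host}{path}", safe="")
            return {"status": 302,
                    "headers": {"Location": f"{SIGNIN_URL}?redirect_uri={back}"}}
        # Steps 3-5: queue the request as payload; a connector pulls it,
        # talks to the backend and delivers the response back to the service.
        response = {}
        self.pending.append({"internal_host": internal_host,
                             "request": {"host": internal_host, "path": path},
                             "deliver": response.update})
        for connector in self.connectors:
            connector.poll(self)
        return response


def run_demo():
    """Anonymous, valid, expired and forged tokens against a preauth app, plus a pass-through app."""
    svc = AppProxyService()
    svc.publish("sales-contoso.msappproxy.net", "sales", preauth=True)
    svc.publish("status-contoso.msappproxy.net", "status", preauth=False)
    connector = Connector({
        "sales": lambda r: {"status": 200, "body": f"sales app served {r['path']}"},
        "status": lambda r: {"status": 200, "body": "ok"},
    })
    svc.connectors.append(connector)
    now = 1_700_000_000
    ext = "sales-contoso.msappproxy.net"

    anon = svc.handle(ext, "/reports", now)
    token = issue_token("alice@contoso.com", now)
    authed = svc.handle(ext, "/reports", now, token=token)
    expired = svc.handle(ext, "/reports", now + 7200, token=token)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")   # flip last signature hex digit
    forged = svc.handle(ext, "/reports", now, token=tampered)
    passthrough = svc.handle("status-contoso.msappproxy.net", "/", now)
    return {
        "anon_status": anon["status"],
        "anon_to_signin": anon["headers"]["Location"].startswith(SIGNIN_URL),
        "authed_status": authed["status"], "authed_body": authed["body"],
        "expired_status": expired["status"], "forged_status": forged["status"],
        "passthrough_status": passthrough["status"],
        "connector_handled": connector.handled,
    }


if __name__ == "__main__":
    print(run_demo())
```

The connector never listens; it only drains the service's queue, which is the property behind "no incoming connections to the corporate network". The counter shows the backend saw exactly two requests (the valid token and the pass-through app): the anonymous, expired and tampered requests were answered with a redirect at the service and never queued.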