Conditional Access DirectAccess & VPN Desktop Virtualization Web Application Proxy System Center...


Transcript of Conditional Access DirectAccess & VPN Desktop Virtualization Web Application Proxy System Center...

Page 1: Conditional Access DirectAccess & VPN Desktop Virtualization Web Application Proxy System Center Intune.
Page 2

Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy

Meir Mendelovich & Arieh Bibliowicz, Program Managers, AD Product Group

EM-B318

Page 3

Agenda

- Application Proxies Overview
- Azure AD Application Proxy: Preview and Future
- Windows Server Web Application Proxy
- Q&A

Page 4

Application Proxies Overview

Page 5

Microsoft Remote Access Solutions

Conditional Access

DirectAccess & VPN

Desktop Virtualization

Web Application Proxy

System Center

Intune

Page 6

Conditional Access Scenarios

Web Application Proxy

Page 7

Azure AD Application Proxy

Page 8

Motivation

(Diagram: Azure Active Directory and On-Premises Applications)

- Remote Access as a Service: easily publish your on-prem applications to users outside the corporate network.
- Extend Azure AD to on-prem: utilize Azure AD as a central management point for all your apps.

Page 9

Remote Access as a Service

- Easy to deploy and operate: minimal on-prem footprint. Secure remote access to business applications with zero DMZ on-prem infrastructure deployment and no network infrastructure change.
- Deep integration with Azure Active Directory. Richness of AAD capabilities and experiences: IW access panel discovery and SSO, central application management across SaaS and on-prem, machine learning traffic analysis, multifactor authentication, analytics and reporting. Available for AAD Premium customers.
- More secure to the business: pre-DMZ protection. All security verifications are done outside of the organization's premises, at cloud scale. DDoS attacks will not influence your business.

Page 10

How it works

- Connectors are deployed on corpnet.
- Multiple connectors can be deployed for redundancy and scale.
- The connector auto-connects to the cloud service.
- The user connects to the cloud service, which routes their traffic to the resources via the connectors.

(Diagram labels: Azure Active Directory, Application Proxy, DMZ, Corporate Network, Connector, Connector, Resource, Resource, Resource; external URL https://sales-contoso.msappproxy.com maps to internal http://sales)

Page 11

Integrate on-prem apps with Azure AD

- End-user portal: Access Panel
- Azure AD authentication capabilities:
  - Username and password synced from on-prem AD
  - Federated login to on-prem or other federation servers
  - Multi-factor authentication
  - Customized login screen
- Authorization based on user or groups
- SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
- Reports, auditing and security monitoring based on big data and machine learning

(Diagram labels: Azure Active Directory, Application Proxy, Access Panel Portal, Authentication + MFA, Reporting & Auditing, Security Monitoring, Authorization, DMZ, Corporate Network, Connector, Connector, Resource, Resource, Resource)

Page 12

Cloud Scale Security

- All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks.
- Unauthenticated traffic is filtered in the cloud and will not arrive on-prem.
- No incoming connections to the corporate network; only an outgoing connection to the Azure AD Application Proxy service.
- The internet-facing service is always up to date with the latest security patches and server upgrades.
- Login abnormality detection, reporting and auditing by Azure AD.

(Diagram labels: Azure Active Directory, Application Proxy, DMZ, Corporate Network, Connector, Connector, Resource, Resource, Resource; external URL https://sales-contoso.msappproxy.com maps to internal http://sales)

Page 13

Demo

Page 14

https://myapps.microsoft.com/

User: [email protected]: Pass1234

Page 15

What is keeping us busy

Page 16

What is keeping us busy

- Service General Availability before the end of this year.
- SSO to on-prem IWA (Kerberos) applications using cloud credentials: make your existing on-prem IWA application accessible from anywhere. Users log in with AAD; credentials are translated by the connectors.
- Custom domain publishing (app1.contoso.com): use your own domain for the published application URL. Avoids the need for link translation with split-brain DNS.
- Monitoring and managing of connectors from the cloud: once installed and registered, zero administration on the connectors.
- Advanced monitoring and auditing capabilities: Azure AD is the single point of auditing for all apps.

Page 17

Windows Server Web Application Proxy

Page 18

Web Application Proxy vNext

- Part of Windows Server vNext along with AD FS vNext
- Web Application Proxy is the obvious choice to publish Office servers:
- Allow TMG and UAG customers to move to Web Application Proxy

Page 19

Preview features at a glance

Publish more apps:
- Preauthentication for HTTP Basic protocols such as Exchange ActiveSync. Can enforce device registration.
- Wildcard publishing to ease SharePoint 2013 apps (https://*.sp-apps.contoso.com)
- Allow HTTP publishing (not HTTPS)
- Built-in HTTP to HTTPS redirection
- Remote Desktop Gateway (RDG) publishing

Less effort:
- Improved service log for a complete audit trail and improved error handling
- New debug log for better troubleshooting
- Enable application editing in the UI
- Propagate client IP address to the backend application

Page 20

Demo

Page 21

HTTP Basic / ActiveSync – How it works

- Web Application Proxy terminates the request and passes all credentials to AD FS.
- AD FS validates, applies policy and replies with a token.
- Upon success, Web Application Proxy allows the request to pass to the backend.
- Web Application Proxy caches the token for future use.

(Diagram: the client sends HTTPS with Basic Auth / client cert. to Web Application Proxy; Web Application Proxy sends the Credentials to AD FS and receives an AD Token; Web Application Proxy forwards HTTPS with Basic Auth to the Backend (Exchange or other))
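The four steps above, worked through as an added Python model. This is not Web Application Proxy's or AD FS's code: `AdfsStub`, `BackendStub`, the HMAC token format, the 300-second token lifetime and the users and policy are all constructed here to make the flow observable. The point it shows is the one the slide makes: credentials go only to AD FS, the backend sees only requests AD FS accepted, and a cached token spares AD FS a validation on the next request with the same credentials.

```python
"""Model of the HTTP Basic / ActiveSync preauthentication flow on this slide.
Constructed example: AD FS, the backend and the proxy are in-memory stand-ins,
not Web Application Proxy's or AD FS's own code."""
import base64
import hashlib
import hmac
import secrets
import time


class AdfsStub:
    """Validates Basic credentials, applies a policy and issues a signed token."""
    def __init__(self, users, policy):
        self._users = users            # username -> password (constructed)
        self._policy = policy          # callable(username) -> bool
        self._key = secrets.token_bytes(32)
        self.validations = 0           # credential checks performed

    def validate(self, username, password, ttl=300):
        self.validations += 1
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        if not self._policy(username):
            return None                # policy denied: no token issued
        body = f"{username}|{int(time.time()) + ttl}"
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def verify(self, token):
        try:
            username, exp, sig = token.split("|")
        except ValueError:
            return None
        body = f"{username}|{exp}"
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig) or int(exp) < time.time():
            return None
        return username


class BackendStub:
    """Records every request that reaches the published application."""
    def __init__(self):
        self.received = []

    def handle(self, authorization):
        self.received.append(authorization)
        return 200


class WebApplicationProxy:
    """Terminates the request, hands the credentials to AD FS and forwards only
    on success; tokens are cached per credential so repeated ActiveSync
    requests do not hit AD FS every time."""
    def __init__(self, adfs, backend):
        self._adfs = adfs
        self._backend = backend
        self._cache = {}               # credential fingerprint -> token

    @staticmethod
    def _fingerprint(username, password):
        # Cache key derived from the credentials; the password is not stored.
        return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

    def handle(self, authorization):
        if not authorization.startswith("Basic "):
            return 401                 # only Basic is modelled here
        try:
            username, password = base64.b64decode(
                authorization[6:]).decode().split(":", 1)
        except ValueError:             # bad base64, bad UTF-8 or no colon
            return 401
        key = self._fingerprint(username, password)
        token = self._cache.get(key)
        if token is None or self._adfs.verify(token) is None:
            token = self._adfs.validate(username, password)
            if token is None:
                return 401             # rejected: nothing reaches the backend
            self._cache[key] = token
        return self._backend.handle(authorization)


def basic(username, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def run_scenario():
    """Constructed users and policy; returns (statuses, AD FS validations,
    requests that reached the backend)."""
    adfs = AdfsStub({"alice": "Pass1234", "bob": "Secret1"},
                    policy=lambda user: user != "bob")
    backend = BackendStub()
    wap = WebApplicationProxy(adfs, backend)
    statuses = [
        wap.handle(basic("alice", "Pass1234")),   # validated by AD FS
        wap.handle(basic("alice", "Pass1234")),   # served from token cache
        wap.handle(basic("alice", "wrong")),      # bad password, rejected
        wap.handle("Bearer not-basic"),           # wrong scheme, rejected
        wap.handle(basic("bob", "Secret1")),      # valid, but denied by policy
    ]
    return statuses, adfs.validations, len(backend.received)
```

Running `run_scenario()` gives five statuses of which only the two alice requests reach the backend, and AD FS is consulted three times rather than five: the second alice request is answered from the token cache, and the `Bearer` request is refused before any credential work happens.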

Page 22

Wildcard Publishing

In Windows Server 2012 R2, Web Application Proxy allowed publishing only by whitelisting specific domain names. In vNext, it allows publishing using wildcard domains, e.g. https://*.spapps.contoso.com published to http://*.spapps.int/

Useful for:
- SharePoint 2013 apps publishing.
- Organizations that don't want to whitelist published applications: publish a bulk of sites at once.

Page 23

HTTP Publishing and HTTP Redirection

- HTTP Publishing: publish apps with no SSL. Only for pass-through apps.
- HTTP Redirection: redirect users who wrongly type an HTTP address to the correct HTTPS address.

(Diagram: Web Application Proxy publishes http://non-secure.contoso.com/ over HTTP and redirects http://secure.contoso.com/ to https://secure.contoso.com/)
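Wildcard publishing (page 22) and HTTP publishing with HTTP-to-HTTPS redirection (page 23), worked through together as an added Python routing model. This is not Web Application Proxy's own code and the `PublishedApp` rules are constructed from the URLs on the slides; one assumption is stated that the slides do not: a `*.` wildcard is taken to stand for exactly one DNS label, so `a.b.spapps.contoso.com` is not covered by `*.spapps.contoso.com`.

```python
"""Model of wildcard publishing and HTTP publishing / HTTP-to-HTTPS
redirection.  Constructed example, not Web Application Proxy's own code.
Assumption not on the slides: a "*." wildcard matches exactly one label."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class PublishedApp:
    external_url: str             # what clients use, may start with "*."
    backend_url: str              # where the proxy forwards, may start with "*."
    http_redirect: bool = False   # send http:// callers to https://


def match_host(pattern_host, host):
    """Return the label the wildcard matched ("" for an exact match),
    or None when the host is not covered by the pattern."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]                  # ".spapps.contoso.com"
        if not host.endswith(suffix):
            return None
        label = host[:-len(suffix)]
        # Exactly one label (assumption): "app1" yes, "" or "a.b" no.
        return label if label and "." not in label else None
    return "" if host == pattern_host else None


def route(apps, request_url):
    """Decide what the proxy does with a request:
    ("redirect", https_url), ("forward", backend_url) or ("reject", None)."""
    req = urlsplit(request_url)
    for app in apps:
        ext = urlsplit(app.external_url)
        label = match_host(ext.netloc, req.netloc)
        if label is None:
            continue
        if req.scheme == "http" and ext.scheme == "https":
            if app.http_redirect:
                # Built-in HTTP -> HTTPS redirection keeps path and query.
                return "redirect", urlunsplit(
                    ("https", req.netloc, req.path or "/", req.query, ""))
            continue                  # HTTPS-only app without redirection
        if req.scheme != ext.scheme:
            continue
        back = urlsplit(app.backend_url)
        host = back.netloc.replace("*", label, 1) if label else back.netloc
        path = back.path.rstrip("/") + (req.path or "/")
        return "forward", urlunsplit((back.scheme, host, path, req.query, ""))
    return "reject", None              # not published: never reaches corpnet


# Constructed publishing rules mirroring the URLs on the slides.
APPS = [
    PublishedApp("https://*.spapps.contoso.com", "http://*.spapps.int/"),
    PublishedApp("http://non-secure.contoso.com", "http://non-secure.int/"),
    PublishedApp("https://secure.contoso.com", "https://secure.int/",
                 http_redirect=True),
]
```

With these rules `https://app1.spapps.contoso.com/sites/x` is forwarded to `http://app1.spapps.int/sites/x`, `http://secure.contoso.com/owa` is answered with a redirect to `https://secure.contoso.com/owa`, `http://non-secure.contoso.com/` is passed through unencrypted because that is what HTTP publishing means, and an HTTP request to the HTTPS-only wildcard app is rejected rather than silently upgraded.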

Page 24

Related content

Blogs:
- AD Team blog: http://blogs.technet.com/b/ad/
- Application Proxies blog: http://blogs.technet.com/b/applicationproxyblog/

MSDN Documentation:
- Azure AD App Proxy: http://msdn.microsoft.com/en-us/library/azure/dn768219.aspx
- Web Application Proxy: http://technet.microsoft.com/en-us/library/dn584107.aspx

Contact Us:
- Meet us at the Ask The Experts event
- Feedback: [email protected]

Page 25

Related content

Microsoft Solutions Experience Location (MSE)

Tue, Oct 28 3:15 PM-4:30 PM EM-B214 Privileged Access Management for Active Directory

Wed, Oct 29 8:30 AM-9:45 AM EM-B316 Directory Integration: Creating One Directory with Active Directory and Azure Active Directory

Wed, Oct 29 3:15 PM-4:30 PM EM-B319 Microsoft Identity Manager vNext Overview

Wed, Oct 29 3:15 PM-4:30 PM CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained

Thu, Oct 30 10:15 AM-11:30 AM CDP-B312 Microsoft Azure Active Directory Premium, in Depth

Thu, Oct 30 12:00 PM-1:15 PM EM-B310 Active Directory + BYOD = Peace of Mind

Thu, Oct 30 5:00 PM-6:15 PM DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management

Fri, Oct 31 8:30 AM-9:45 AM CDP-B207 Securing Organizations: Azure Active Directory Intelligence as a Differentiator

Fri, Oct 31 10:15 AM-11:30 AM EM-B410 Advanced Active Directory Federation Services and Web Application Proxy Troubleshooting

Fri, Oct 31 2:45 PM-4:00 PM EM-B313 Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud

Page 26

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Developer Network

http://developer.microsoft.com

Page 27

Enterprise Mobility Track Resources

- Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite
- Microsoft Intune: http://aka.ms/microsoftintune
- Configuration Manager: http://aka.ms/configmgr
- Hybrid Identity: http://aka.ms/hi
- Access & Info Protection: http://aka.ms/aip
- Desktop Virtualization: http://aka.ms/virtualdesktop

Page 28

Please Complete An Evaluation Form

Your input is important!
- TechEd Schedule Builder: CommNet station or PC
- TechEd Mobile app: Phone or Tablet

Page 29

Evaluate this session

Page 30

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 31

How it works

Page 32

Application Proxy Data Flow

(Diagram: Contoso.com corpnet and DMZ; Fabrikam.com corpnet and DMZ)

Once started, the connector polls the Azure AD Application Proxy service for new client requests.

Page 33

Application Proxy Data Flow

A user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.msappproxy.net/

Page 34

Application Proxy Data Flow

The Azure AD Application Proxy service sends the user's request as payload to an available connector.

Page 35

Application Proxy Data Flow

The connector sends the request to the backend application and, once there is a response, sends it back to the Application Proxy.

Page 36

Application Proxy Data Flow

Application Proxy returns the response to the client request.

Page 37

Application Proxy Preauthentication

The user sends an unauthenticated request to an application that is configured to require preauthentication.

Page 38

Application Proxy Preauthentication

Application Proxy redirects the user to Azure AD for preauthentication. Nothing is sent to the backend.

Page 39

Application Proxy Preauthentication

The user is authenticated by Azure AD. This process may involve other systems, such as MFA, depending on tenant configuration. Once authenticated, the user is redirected back to the Application Proxy service with the acquired token.

Token: [email protected]

Page 40

Application Proxy Preauthentication

The user request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.

Token: [email protected]

Page 41

Application Proxy Preauthentication

Application Proxy sends the request to the application through the connectors and returns the response to the client.
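The data flow of pages 32-36 and the preauthentication sequence of pages 37-41, worked through end to end as an added Python model. None of this is Microsoft's code or the service's real wire protocol: `AzureAdStub`, `AppProxyService`, `Connector`, `Backend`, the HMAC token format, the `LOGIN_URL` placeholder and the users, tenants and hosts are all constructed for the example. It demonstrates three properties the slides claim: the connector only ever calls out to the service (there is no method on `Connector` the service can invoke), a tenant's connector is never handed another tenant's requests, and for a preauthenticated app nothing reaches the backend until Azure AD has issued a token that validates.

```python
"""Model of the Azure AD Application Proxy data flow and preauthentication
sequence.  Constructed example, not Microsoft's code: Azure AD, the cloud
service, connectors and backends are in-memory stand-ins."""
import hashlib
import hmac
import secrets
from collections import deque


class AzureAdStub:
    """Authenticates users and issues HMAC-signed tokens (stand-in for Azure AD)."""
    def __init__(self, users):
        self._users = users                      # username -> password (constructed)
        self._key = secrets.token_bytes(32)

    def authenticate(self, username, password):
        if self._users.get(username) != password:
            return None
        sig = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()
        return f"{username}.{sig}"

    def validate(self, token):
        try:
            username, sig = token.rsplit(".", 1)
        except (ValueError, AttributeError):
            return None
        good = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()
        return username if hmac.compare_digest(good, sig) else None


class AppProxyService:
    """Cloud service: one public host per tenant and app, preauthentication
    check, and a per-tenant queue that connectors poll.  It never opens a
    connection towards corpnet."""
    LOGIN_URL = "https://login.example.invalid/"   # placeholder, constructed

    def __init__(self, aad):
        self._aad = aad
        self._apps = {}        # public host -> (tenant, internal url, preauth)
        self._queues = {}      # tenant -> deque of (request id, url, user)
        self._responses = {}   # request id -> backend response

    def publish(self, tenant, app, internal_url, preauth=True):
        host = f"{app}-{tenant}.msappproxy.net"
        self._apps[host] = (tenant, internal_url, preauth)
        self._queues.setdefault(tenant, deque())
        return host

    def accept(self, host, path, token=None):
        """Returns (request id, None) when queued, or (None, redirect)."""
        tenant, internal_url, preauth = self._apps[host]
        user = self._aad.validate(token) if (preauth and token) else None
        if preauth and user is None:
            return None, (302, self.LOGIN_URL)   # nothing is sent on-prem
        rid = secrets.token_hex(8)
        self._queues[tenant].append((rid, internal_url + path, user))
        return rid, None

    def next_request(self, tenant):
        """Called by a connector; the only direction traffic ever flows."""
        queue = self._queues[tenant]
        return queue.popleft() if queue else None

    def deliver(self, rid, response):
        self._responses[rid] = response

    def response(self, rid):
        return self._responses.pop(rid)


class Backend:
    """Records what actually reaches the on-prem application."""
    def __init__(self):
        self.received = []

    def handle(self, url, user):
        self.received.append((url, user))
        return 200, f"hello {user or 'anonymous'}"


class Connector:
    """Runs on corpnet for one tenant and only makes outbound calls."""
    def __init__(self, service, tenant, backends):
        self._service, self._tenant, self._backends = service, tenant, backends

    def poll(self):
        item = self._service.next_request(self._tenant)
        if item is None:
            return False
        rid, url, user = item
        backend = self._backends[url.split("/")[2]]   # host part of the url
        self._service.deliver(rid, backend.handle(url, user))
        return True


def client_request(service, connectors, host, path, token=None):
    """One round trip: accept or redirect, connectors poll, response returns."""
    rid, redirect = service.accept(host, path, token)
    if redirect:
        return redirect
    while any(connector.poll() for connector in connectors):
        pass
    return service.response(rid)


def run_scenario():
    aad = AzureAdStub({"alice": "Pass1234"})            # constructed user
    svc = AppProxyService(aad)
    sales, hr = Backend(), Backend()
    connectors = [Connector(svc, "contoso", {"sales": sales}),
                  Connector(svc, "fabrikam", {"hr": hr})]
    sales_host = svc.publish("contoso", "sales", "http://sales", preauth=True)
    hr_host = svc.publish("fabrikam", "hr", "http://hr", preauth=False)
    token = aad.authenticate("alice", "Pass1234")
    return {
        "anonymous": client_request(svc, connectors, sales_host, "/reports"),
        "authenticated": client_request(svc, connectors, sales_host, "/reports", token),
        "forged": client_request(svc, connectors, sales_host, "/reports", "alice." + "0" * 64),
        "passthrough": client_request(svc, connectors, hr_host, "/"),
        "sales_backend": sales.received,
        "hr_backend": hr.received,
    }
```

In `run_scenario()` the anonymous and forged-token requests to the preauthenticated sales app both come back as a 302 to Azure AD and leave `sales.received` untouched; only the request carrying the token Azure AD issued reaches `http://sales/reports`, and the pass-through hr app is served to an anonymous user through the fabrikam connector alone.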