Diagram: network zones labelled Internet, DMZ and Corpnet.
“We’re also publishing more than 200 on-prem web applications to the cloud with Azure Active Directory App Proxy, which makes our employees’ lives easier since they can securely access these apps without VPN.” Stephen Booth, IT Solution Manager, Unilever
Azure AD Application Proxy: inside the corporate network
Diagram: Azure AD overview. Azure subscriptions and the management portal(s) authenticate to the REST APIs and Graph APIs; Office 365; your user data held in Azure AD, with users synchronised from your AD DS; your apps, partner apps and the application gallery.
https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features
Outbound ports used by the Azure AD Application Proxy connector (slide table):

Port number     Description
80              To enable outbound HTTP traffic for security validation.
443             To enable user authentication against Azure AD (required only for the Connector registration process).
10100-10120     To enable LOB HTTP responses sent back to the proxy.
9352, 5671      To enable communication between the Connector toward the Azure service for incoming requests. Uses 443 when configured to use a forward proxy.
9350            Optional. To enable better performance for incoming requests.
8080            To enable the Connector bootstrap sequence and to enable Connector automatic update.
(port missing from slide text)  To enable Connector registration (required only for the Connector registration process).
9091            To enable Connector trust certificate automatic renewal.
Diagram: publishing with passthrough. The Internet-facing external endpoint for the application is served by Azure AD Application Proxy, which publishes app 1 with passthrough; on-premises, the Azure AD Application Proxy connector forwards the request to App 1.
Diagram: publishing with pre-authentication. Azure AD provides the endpoint for authentication (with possible sync from on-premises AD); the Internet-facing external endpoint for the application is served by Azure AD Application Proxy, which publishes app 1 with preauth; on-premises, the Azure AD Application Proxy connector forwards the request to App 1.
Pre-authentication flow (sequence diagram). Participants: the user, Azure AD, Azure AD Application Proxy (app 1 published with preauth), the secure channel to the on-premises connector, and app 1.
1. The user sends a GET request for app 1 to the external endpoint.
2. The proxy redirects the user to Azure AD with an authentication string.
3. The user sends a GET request to Azure AD carrying the authentication string.
4. Azure AD authenticates the user, returns an access token, sets its authentication cookies and returns a page carrying the token (ST).
5. The user sends the token to the proxy in a POST for app 1.
6. The proxy validates the token, sets the access cookie Azure.App.Proxy.Access.Cookie and redirects the user to app 1.
7. The user sends the app 1 GET request; it is passed through the secure channel to the connector.
8. App 1 authenticates the user with its selected method and the page is rendered.
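The sequence above, played out end to end as an added example (not code from the slides or from Microsoft): a stand-in identity provider issues an HMAC-signed token, the proxy validates it, sets the Azure.App.Proxy.Access.Cookie named on the slide and only then forwards the request to app 1. The token format, the authorize URL on login.example, the sample user, and the browse()/run_demo() helpers are all assumptions. It goes slightly beyond the slide by also showing a failed login and a forged token, neither of which ever reaches app 1, which is the point of publishing with preauth rather than passthrough.

```python
# Toy model of the Azure AD Application Proxy pre-authentication flow (added example,
# not code from the slides or from Microsoft). The HMAC-signed JSON token, the
# authorize URL and the cookie value are constructed stand-ins, not the real protocol.
import base64, hashlib, hmac, json, secrets, time

ACCESS_COOKIE = "Azure.App.Proxy.Access.Cookie"  # cookie name as on the slide
B64 = lambda b: base64.urlsafe_b64encode(b).decode()


class IdentityProvider:
    """Stand-in for Azure AD: checks credentials and issues a signed token."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._users = {"alice": "correct horse battery"}  # constructed sample user

    def authenticate(self, user, password, audience):
        """Return a token bound to the published app (audience), or None."""
        if self._users.get(user) != password:
            return None
        body = json.dumps({"sub": user, "aud": audience, "exp": time.time() + 300}).encode()
        return B64(body) + "." + B64(hmac.new(self._key, body, hashlib.sha256).digest())

    def verify(self, token, audience):
        """Return the subject if signature, audience and expiry check out, else None."""
        try:
            b64body, b64sig = token.split(".")
            body, sig = base64.urlsafe_b64decode(b64body), base64.urlsafe_b64decode(b64sig)
        except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        good = hmac.compare_digest(sig, hmac.new(self._key, body, hashlib.sha256).digest())
        claims = json.loads(body) if good else {}
        if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
            return None
        return claims["sub"]


class OnPremApp:
    """app 1 behind the connector; counts the requests that actually reach it."""
    requests_received = 0

    def handle(self, path, user):
        self.requests_received += 1  # a real app still runs its own auth (forms, Windows, KCD)
        return "app 1 page for %s (user %s)" % (path, user)


class AppProxy:
    """Cloud-side proxy: with preauth, unauthenticated requests never reach the connector."""

    def __init__(self, idp, app, app_id="app1"):
        self.idp, self.app, self.app_id = idp, app, app_id
        self._sessions = {}  # access cookie value -> authenticated user

    def handle(self, method, path, cookies=None, form=None):
        cookies, form = cookies or {}, form or {}
        user = self._sessions.get(cookies.get(ACCESS_COOKIE))
        if user:  # valid access cookie: pass the request through the secure channel
            return {"status": 200, "body": self.app.handle(path, user)}
        if method == "POST" and "token" in form:  # token posted back from Azure AD
            user = self.idp.verify(form["token"], self.app_id)
            if user is None:
                return {"status": 401, "body": "token rejected"}
            cookie = secrets.token_urlsafe(16)
            self._sessions[cookie] = user
            return {"status": 302, "location": form.get("state", "/"),
                    "set_cookie": {ACCESS_COOKIE: cookie}}
        # No cookie, no token: redirect to Azure AD with the requested path as state
        return {"status": 302, "location": "https://login.example/authorize?aud=%s&state=%s"
                % (self.app_id, path)}


def browse(proxy, idp, user, password, path, cookies):
    """Act as the user's browser: follow redirects, log in at Azure AD, keep cookies."""
    resp = proxy.handle("GET", path, cookies)
    if resp["status"] != 302 or "authorize" not in resp.get("location", ""):
        return resp
    aud = resp["location"].split("aud=")[1].split("&")[0]
    token = idp.authenticate(user, password, aud)
    if token is None:
        return {"status": 401, "body": "login failed at identity provider"}
    resp = proxy.handle("POST", path, cookies, {"token": token, "state": path})
    if resp["status"] != 302:
        return resp
    cookies.update(resp["set_cookie"])
    return proxy.handle("GET", resp["location"], cookies)


def run_demo():
    """Valid user (twice), bad login, and a forged token; app 1 sees only the first two."""
    idp, app = IdentityProvider(), OnPremApp()
    proxy, jar = AppProxy(idp, app), {}
    first = browse(proxy, idp, "alice", "correct horse battery", "/reports", jar)
    second = browse(proxy, idp, "alice", "correct horse battery", "/reports", jar)
    denied = browse(proxy, idp, "mallory", "guess", "/reports", {})
    _, sig = idp.authenticate("alice", "correct horse battery", "app1").split(".")
    forged_body = B64(b'{"sub": "admin", "aud": "app1", "exp": 9e9}')  # rewritten claims
    forged = proxy.handle("POST", "/reports", {}, {"token": forged_body + "." + sig})
    return {"first": first, "second": second, "denied": denied, "forged": forged,
            "app_requests": app.requests_received}
```

Call run_demo() to play the four cases; the returned dictionary shows the first visit going through the full redirect dance, the second visit passing straight through on the cookie, and app 1's request counter stopping at two because the failed login and the forged token are stopped at the proxy. The audience check in verify() is what keeps a token issued for one published app from being replayed against another.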
Azure AD endpoint for authentication Possible sync Authentication External endpoint for application Internet KCD Azure AD Application Proxy Published: app 1 with preauth Azure KDC AD Kerberos token injected into header Azure AD Application proxy connector App 1 Kerberos auth On-premises
Kerberos
Diagram: claims-aware application trusting Azure AD. Azure AD provides the endpoint for authentication (with possible sync from on-premises AD) and acts as the security token service; the Internet-facing external endpoint for the application is served by Azure AD Application Proxy, which publishes app 1 with preauth; on-premises, the connector forwards the request to the claims-aware App 1, which has a trust with Azure AD.
Diagram: claims-aware application trusting AD FS. Azure AD provides the endpoint for authentication (with possible sync from on-premises AD); the external endpoint for the application is served by Azure AD Application Proxy, which publishes app 1 with preauth; an external AD FS endpoint for authentication is published from the DMZ through Web Application Proxy; on-premises, the connector forwards the request to the claims-aware App 1, which trusts AD FS.
Diagram (summary): Azure AD endpoint for authentication (with possible sync from on-premises AD and a trust shown); Internet-facing external endpoint for the application served by Azure AD Application Proxy, which publishes app 1 with preauth; on-premises, the Azure AD Application Proxy connector forwards to App 1.
Diagram (summary): Azure AD endpoint for authentication (synchronised from on-premises AD, with a trust shown); external endpoint for the application served by Azure AD Application Proxy, which publishes app 1 with preauth; external AD FS endpoint for authentication published from the DMZ through Web Application Proxy; on-premises, the Azure AD Application Proxy connector forwards to the claims-aware App 1, which trusts AD FS.
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd. John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars: www.xtseminars.co.uk
www.microsoft.com/itprocareercenter
www.microsoft.com/itprocloudessentials
www.microsoft.com/mechanics
https://techcommunity.microsoft.com
http://myignite.microsoft.com
https://aka.ms/ignite.mobileapp
- Slides: 37