Throw away your DMZ: Azure Active Directory Application Proxy deep-dive (BRK3139)
John Craddock, Identity and security architect, XTSeminars
@john_craddock | johncra@xtseminars.co.uk
Agenda
- DMZ challenge
- Introduction to the Azure AD Application Proxy
- What is the Azure AD?
- Publishing applications
- Preauthentication
- SSO for Windows authentication
- Claims-aware applications
DMZ challenges?
(Diagram: Internet | DMZ | Corpnet)
- Hardware costs
- Maintaining security
- Authenticating users at the edge
- Authenticating users to web servers in the DMZ
- Maintaining VPN access for remote workers
Customer evidence (Microsoft Ignite 2016; deck dated 4/23/2018 3:17 PM)
Azure Active Directory Application Proxy gives the Bristow Group secure remote access to core applications without the cost and complexity of using a virtual private network or other on-premises application publishing tools. For the Bristow Group, a leading provider of global industrial aviation services, mobility is key.
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Customer evidence
"We're also publishing more than 200 on-prem web applications to the cloud with Azure Active Directory App Proxy, which makes our employees' lives easier since they can securely access these apps without VPN."
Stephen Booth, IT Solution Manager, Unilever
What is the Azure AD Application Proxy?
(Diagram: Azure AD Application Proxy in Azure -> on-premises connector inside the corp net -> published website)
- A service offered as part of Azure AD
- The connector only requires outbound firewall ports
- Multiple connectors can be deployed for fault tolerance and performance
What is Azure Active Directory?
(Diagram: Azure AD at the centre, connected to: Azure subscriptions; management portal(s); your user data; REST APIs and Graph APIs; authentication for Office 365, your apps and partner apps; the application gallery; users synchronised from your AD DS)
Azure portals
- Currently some Azure AD functions can only be managed through the Classic portal
More than just an identity store...
- Self-service password resets
- MFA
- Detailed reporting and auditing
- User enrolment with the B2C directory
- The Azure AD Application Proxy
- And more...
Prerequisites for the Azure AD Application Proxy
- Requires an Azure AD Basic or Premium (P1 or P2) subscription: https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features
- The connector must be installed on Windows Server 2012 R2 or higher, or Windows 8.1 or higher
- The on-premises firewall must allow outbound traffic from the connector; you can check the outbound traffic requirements by connecting, via a browser, to http://testport.cloudapp.net/
- Download the connector from the Azure Portal when you enable the Application Proxy, then install it and register it with your Azure AD tenant
- A troubleshooter is included as part of the install process
Required outbound ports for the connector

Port          Description
80            To enable outbound HTTP traffic for security validation.
443           To enable user authentication against Azure AD (required only for the connector registration process).
10100-10120   To enable LOB HTTP responses sent back to the proxy.
9352, 5671    To enable communication from the connector toward the Azure service for incoming requests. Uses 443 when configured to use a forward proxy.
9350          Optional. To enable better performance for incoming requests.
8080          To enable the connector bootstrap sequence and connector automatic update.
9090          To enable connector registration (required only for the connector registration process).
9091          To enable connector trust certificate automatic renewal.

Two local services run the connector.
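The deck says the connector needs only outbound ports and points at a browser-based test page. The following PowerShell is an added example (not from the deck or from Microsoft) that checks the same port list from the connector host itself and then lists the two connector services. The host name in $ProxyEndpoint is a placeholder: the deck does not name the Azure-side endpoints, so substitute the endpoint(s) the test page reports for your tenant.

```powershell
# Added example: verify the connector host's outbound connectivity on the
# ports in the table above, then confirm the connector services are running.
$ProxyEndpoint = 'proxy-endpoint.example.com'   # placeholder, replace with the real Azure-side endpoint

# Port list taken from the table above. 9350 is optional, and 443 stands in
# for 9352/5671 when the connector is configured to use a forward proxy.
$RequiredPorts = @(80, 443, 8080, 9090, 9091, 9352, 5671) + (10100..10120)
$OptionalPorts = @(9350)

function Test-ConnectorOutbound {
    param(
        [string]$ComputerName,
        [int[]]$Ports,
        [switch]$Optional
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
        $ok = Test-NetConnection -ComputerName $ComputerName -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port     = $port
            Open     = $ok
            Severity = if ($ok) { 'ok' } elseif ($Optional) { 'optional' } else { 'BLOCKED' }
        }
    }
}

$results  = @()
$results += Test-ConnectorOutbound -ComputerName $ProxyEndpoint -Ports $RequiredPorts
$results += Test-ConnectorOutbound -ComputerName $ProxyEndpoint -Ports $OptionalPorts -Optional
$results | Format-Table -AutoSize

# A required port the firewall drops shows as BLOCKED. Fix the egress rule;
# the connector never needs an inbound rule, which is the point of the design.
$blocked = $results | Where-Object Severity -eq 'BLOCKED'
if ($blocked) { Write-Warning ("Outbound ports blocked: " + ($blocked.Port -join ', ')) }

# The two local services installed with the connector have "Application Proxy"
# in their display names; both should be Running once registration succeeds.
Get-Service | Where-Object DisplayName -like '*Application Proxy*' |
    Select-Object Name, DisplayName, Status, StartType
```

Run it on the connector host after the firewall change and before registering the connector; a BLOCKED row on 9090 or 443 explains a failed registration, while a BLOCKED row on 9352/5671 explains a connector that registers but never receives requests.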
Publishing applications
- Applications are published through the Azure Portal (currently via the classic portal)
- You must specify:
  - A name
  - The internal URL of your application
  - The preauthentication method: Azure AD or Passthrough (no authentication at the proxy)
- All users connecting through the proxy must be:
  - Assigned a Basic or Premium (P1 or P2) Azure AD license
  - Assigned to the application if preauthentication is used; a user can be assigned directly to an application or indirectly via groups
Managing domain names
- The default external URL will be https://<name>-<tenantname>.msappproxy.net/
- To use your own domain name it must be added to Azure AD and verified
- For custom domain names a certificate will need to be uploaded
- A certificate is automatically provisioned for a default external URL under *.msappproxy.net
Passthrough
(Diagram: Internet -> external endpoint for application App1 -> Azure AD Application Proxy in Azure, published: app1 with passthrough -> Azure AD Application Proxy connector on-premises -> App1)
Typical usage: providing access to
- Web-published CRL distribution points
- Network Device Enrolment Service (NDES) for Microsoft Intune
Demo… Getting started
Adding preauthentication
(Diagram: as for passthrough, but app1 is published with preauth; the user authenticates at the Azure AD endpoint for authentication, with Azure AD possibly synced from the on-premises AD used for authentication)
Synchronizing on-premises AD accounts
Preauthentication flow
Participants: user, Azure AD, Azure AD Application Proxy (published: app1 with preauth), on-premises connector (secure channel to the proxy), app1.
1. The user sends the app1 GET request to the proxy.
2. The proxy redirects the user to Azure AD with an authentication string.
3. The user sends the Azure AD GET request with the authentication string.
4. Azure AD authenticates the user, returns an access token, sets the authentication cookies and returns a page carrying the token (ST).
5. The user sends the token to app1's external endpoint with a POST.
6. The proxy validates the token, sets the access cookie (AzureAppProxyAccessCookie) and redirects the user to app1.
7. The user sends the app1 GET request, which is passed through the secure channel to the connector.
8. App1 authenticates the user with the selected method and the page is rendered.
Demo… Adding preauthentication
Authenticating to applications
- Anonymous access
- Forms
- Basic
- Digest
- NTLMv2 (never use NTLM unless there is no alternative)
- Kerberos via Kerberos Constrained Delegation (KCD)
- Claims: WS-Federation, SAML, OpenID Connect
Windows authentication
(Diagram: the user preauthenticates at the Azure AD endpoint for authentication, with Azure AD possibly synced from on-premises AD; the request reaches app1, published with preauth, through the Azure AD Application Proxy and the on-premises connector; the connector uses KCD against the KDC to obtain a Kerberos token, which it injects into the header of the request to App1 (Kerberos auth))
- The computer running the connector must be domain joined
Enabling KCD
- Configured in two places: the Azure portal, and the on-premises AD computer account running the connector
- Before you start, always check you can access the application from the intranet using Kerberos
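The deck lists the two places where KCD is enabled but does not show the on-premises half. The PowerShell below is an added example (not from the deck or from Microsoft) that performs the intranet Kerberos pre-check the slide recommends, then configures and verifies constrained delegation on the connector's computer account. CONNECTOR01, HTTP/app1.corp.example.com and the intranet URL are assumed placeholders; it assumes the ActiveDirectory RSAT module and domain admin rights.

```powershell
# Added example: enable and verify KCD for the App Proxy connector's computer account.
Import-Module ActiveDirectory
$ConnectorHost = 'CONNECTOR01'                     # placeholder: domain-joined connector host
$AppSpn        = 'HTTP/app1.corp.example.com'      # placeholder: SPN of the published app's web server
$AppUrl        = 'https://app1.corp.example.com/'  # placeholder: the app's intranet URL

# 0. Pre-check from the intranet, as the slide says: browse the app with Windows
#    authentication and confirm a Kerberos service ticket for the SPN was issued.
klist purge | Out-Null
Invoke-WebRequest -Uri $AppUrl -UseDefaultCredentials -UseBasicParsing | Out-Null
if (-not ((klist) -match [regex]::Escape($AppSpn))) {
    throw "No Kerberos ticket for $AppSpn was issued; fix the SPN or intranet setup before enabling KCD"
}

# 1. The SPN must be registered on exactly one account; setspn -Q lists every holder.
setspn -Q $AppSpn

# 2. Constrained delegation: allow the connector computer account to delegate
#    only to the app's SPN (msDS-AllowedToDelegateTo), never to arbitrary services.
Set-ADComputer -Identity $ConnectorHost -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }

# 3. Protocol transition ("Use any authentication protocol") is required because the
#    connector holds no Kerberos ticket from the user, only the Azure AD preauthentication.
Get-ADComputer -Identity $ConnectorHost | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify: the delegation list and the TRUSTED_TO_AUTH_FOR_DELEGATION bit
#    (0x1000000) in userAccountControl.
$acct = Get-ADComputer -Identity $ConnectorHost -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Computer            = $acct.Name
    AllowedToDelegateTo = $acct.'msDS-AllowedToDelegateTo' -join ', '
    ProtocolTransition  = [bool]($acct.userAccountControl -band 0x1000000)
}
```

Keep the delegation list to the SPNs of published applications only: the connector account becomes a credential-forwarding point, so every extra SPN added there widens what a compromised connector host could reach.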
Demo… SSO to a Windows auth application
Authentication to a claims-aware application
- The claims-aware application authenticates independently of the Azure AD Application Proxy preauthentication
- The claims application must be configured to use an STS
- The STS could be Azure AD or an on-premises AD FS server
- The application could be using SAML, WS-Federation or OpenID Connect as its authentication protocol
- To use OpenID Connect with AD FS requires AD FS 2016
Published claims app
(Diagram: the user preauthenticates at the Azure AD endpoint for authentication; app1, published with preauth, is reached through the Azure AD Application Proxy and the on-premises connector; App1 is claims aware and trusts an on-premises security token service, which authenticates against AD; Azure AD may be synced from AD; the AAD App Proxy trust is separate from the app's STS trust)

Two IdPs - no SSO
(Diagram: as above, but the on-premises AD FS is also published to the Internet through a Web Application Proxy in the DMZ as the external AD FS endpoint for authentication; App1 trusts AD FS while the proxy trusts Azure AD, so the user authenticates twice)

Claims-aware application trusts Azure AD - SSO
(Diagram: App1 trusts Azure AD directly; the user preauthenticates at the Azure AD endpoint for authentication and the same token source serves the app, so there is a single sign-on; Azure AD may be synced from the on-premises AD used for authentication)

Azure AD federated SSO with AD FS
(Diagram: Azure AD is federated with on-premises AD FS, which is published through a Web Application Proxy in the DMZ as the external AD FS endpoint for authentication; App1, claims aware and published with preauth, trusts AD FS; Azure AD is synced from AD; the trusts chain so that one authentication at AD FS covers both the proxy preauthentication and the app)
You can also publish

Application type                                                                            Support
Browser-based web apps with forms-based AuthN                                               Password vaulting based SSO
Rich client web apps (ADAL integrated)                                                      Supported if the client can pass a bearer token to the proxy app; combine with KCD for SSO
Other apps (clients without ADAL, web apps with special requirements, non-HTTP apps, etc.)  Supported through Remote Desktop publishing
Authentication via PingAccess                                                               Supported for different authentication headers and cookies
Exciting changes are coming
- Microsoft has partnered with Ping Identity
- PingAccess facilitates the connection to more application types via the Azure AD Application Proxy
- Provides a mechanism to support HTTP header-based authentication for published applications
- Look out for release dates
To find out more
- Visit https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-get-started/
- Download the troubleshooting whitepaper: http://aka.ms/proxytshootpaper
John Craddock, Infrastructure and security architect, XTSeminars Ltd
Consulting services on request: Johncra@xtseminars.co.uk | @john_craddock | www.xtseminars.co.uk
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals, that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.
Free IT Pro resources to advance your career in cloud technology (Microsoft Ignite 2016)
- Plan your career path: Microsoft IT Pro Career Center, www.microsoft.com/itprocareercenter (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials, www.microsoft.com/itprocloudessentials ($300 Azure credits and extended trials, Pluralsight 3-month subscription (10 courses), phone support incident)
- Demos and how-to videos: Microsoft Mechanics, www.microsoft.com/mechanics (weekly short videos and insights from Microsoft's leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community, https://techcommunity.microsoft.com