Publish On-Premise SharePoint Site using Azure AD Web application proxy

1.      Introduction

Azure Active Directory Application Proxy is a software-based reverse proxy service that can provide safe remote access to on-premise applications from anywhere around the globe. We can avoid the infrastructure burden of adding new servers and opening firewall ports or DMZ networks to manage these services. Also, through this proxy, we have the choice to configure single sign-on in addition to secure remote access of our On-Premise SharePoint Web Application.

In this blog, we are going to look at how we can easily publish our on-premise SharePoint application for external users, without adding new servers and opening ports to an internal network.

AAP diagram from Microsoft

AAP diagram from Microsoft.

 Typically, SharePoint sites, Outlook Web Access, Citrix Director (for those Citrix clients) and many other line-of-business web applications are deployed inside the local area network in an organization. With Azure AD Web Application Proxy, these applications can be integrated and published for external users.

2.      Prerequisites

To execute the configuration, the following resources are required:

  • SharePoint 2013 or newer farm.
  • Azure AD tenant with Azure AD Basic, Premium P1 or Premium P2 subscription.
  • Proxy Connector (a piece of software) installed on Windows Server 2012 R2 or 2016, which has access to the internal web applications that are being published along with access to the Application Proxy services in Azure cloud.
  • Proxy Connector servers and the applications that need to be published should have the same domain if you are using SSO via Kerberos Constrained Delegation.
  • The following ports must be open from the Proxy Connector (v1.5.132.0 and later) to Azure:
    • 80 – Used to download certificate revocation lists (CRLs) while validating SSL certificates.
    • 443 – Used for outbound communication with the Application Proxy service.

There are two URLs required for the configuration of Application Proxy with SharePoint;

  • External URL for external users accessing SharePoint from internet
  • Internal URL for accessing SharePoint Farm from internal LAN environment

3.      Create Application in Azure for application Proxy

Now, let's move on to the process of creating the application in Azure for application proxy!

  1. Open azure.com and navigate to Azure Active Directory-> Application Proxy -> click on Download Connector Service -> accept the Terms and Conditions to proceed to the Download.

Azure Active Directory

  1. Copy and install AADApplicationProxyConnectorInstaller.exe file in the SharePoint Application Server to Install the Proxy Connector Services.

Install the Proxy Connector Services

  1. Sign in to Microsoft Azure to complete the installation

3. Sign in to Microsoft Azure

azure active directory

  1. Be sure to verify whether the following two services are installed and running successfully

Microsoft ADD Application verify

  1. Go back to the Azure Portal and click Configure an App and enter SharePoint on-premise Web application details.

    SharePoint on-premise Web application

    Now configure SharePoint Alternate Access Mappings

SharePoint Alternate Access Mappings

 

4.      Test the Product

  1. Open any browser and enter the external URL e.g https://spportal-alphabold.msappproxy.net/
  2. Root Site should be accessible after entering the credentials.

test Azure Web Application Proxy

SharePoint will be accessible to you without any external requirements. You will have effectively eliminated the need for additional hardware/software or opening the network traffic on edge firewall which can be a security loophole.

5.      Conclusion

Using Azure Web Application Proxy, we can publish any internal web application over the internet! We can also enable strict control through an additional layer of security by enabling SSO and Azure AD Authentication.

In the next blog, I will be configuring Server to Server integration between on-premise SharePoint and Dynamics 365 online environment, which requires SharePoint on-premise to be accessible over the internet on https protocol. Stay tuned!

Happy publishing!

2 thoughts on “Publish On-Premise SharePoint Site using Azure AD Web application proxy”

  1. Hello,

    I implemented AAD App Proxy to access my Sharepoint on-prem server. It work fine and I could access Office documents with Office 2016.

    Just upgraded to Office 365 (desktop apps) and now I could not open anymore Office files from Sharepoint (network error). Did you notive any issue with the Office 365 Desktop app ?

    Thanks 🙂

  2. Hi Gabriel,

    Can you please share more details, as well as error screenshot? Does your on-perm office online server published as well ?

Leave a Reply

Your email address will not be published. Required fields are marked *