Azure Active Directory Application Proxy is a software-based reverse proxy service that provides secure remote access to on-premises applications from anywhere in the world. It avoids the infrastructure burden of adding new servers and opening firewall ports or DMZ networks to manage those services. Through this proxy we can also configure single sign-on in addition to secure remote access to our on-premises SharePoint web application.
In this blog, we are going to look at how we can easily publish our on-premises SharePoint application to external users without adding new servers or opening inbound ports into the internal network.
AAP diagram from Microsoft.
Typically, SharePoint sites, Outlook Web Access, Citrix Director (for those Citrix clients) and many other line-of-business web applications are deployed inside the local area network in an organization. With Azure AD Web Application Proxy, these applications can be integrated and published for external users.
To execute the configuration, the following resources are required:
- SharePoint 2013 or newer farm.
- Azure AD tenant with Azure AD Basic, Premium P1 or Premium P2 subscription.
- Proxy Connector (a piece of software) installed on Windows Server 2012 R2 or 2016 that has access to the internal web applications being published and to the Application Proxy service in the Azure cloud.
- The Proxy Connector servers and the applications being published must be in the same domain if you are using SSO via Kerberos Constrained Delegation.
- The following ports must be open from the Proxy Connector (v18.104.22.168 and later) to Azure:
- 80 – Used to download certificate revocation lists (CRLs) while validating SSL certificates.
- 443 – Used for outbound communication with the Application Proxy service.
There are two URLs required for the configuration of Application Proxy with SharePoint:
- External URL, used by external users accessing SharePoint from the internet
- Internal URL, used to access the SharePoint farm from the internal LAN
3. Create Application in Azure for Application Proxy
Now, let's move on to the process of creating the application in Azure for application proxy!
- Open azure.com and navigate to Azure Active Directory -> Application Proxy -> click Download Connector Service -> accept the Terms and Conditions to proceed to the download.
- Copy the AADApplicationProxyConnectorInstaller.exe file to the SharePoint application server and run it to install the Proxy Connector services.
- Sign in to Microsoft Azure to complete the installation.
- Be sure to verify that the following two services are installed and running successfully.
- Go back to the Azure Portal, click Configure an App and enter the SharePoint on-premises web application details.
Now configure SharePoint Alternate Access Mappings
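The connector check and the Alternate Access Mapping step above, as an added PowerShell example that is not part of the original post. It assumes the connector services are registered as WAPCSvc and WAPCUpdaterSvc, an internal web application URL of http://sp-internal, and reuses the post's external URL; run it in an elevated SharePoint Management Shell on the farm server.

```powershell
# Added example (not from the original post): verify the Application Proxy
# connector on this server, confirm outbound HTTPS reachability, and map the
# external URL to the SharePoint web application via Alternate Access Mappings.

# 1. Connector services. Service names are an assumption:
#    WAPCSvc = connector, WAPCUpdaterSvc = connector updater.
$connectorServices = 'WAPCSvc', 'WAPCUpdaterSvc'
foreach ($name in $connectorServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Connector service '$name' is not installed." }
    if ($svc.Status -ne 'Running') {
        throw "Connector service '$name' is $($svc.Status); expected Running."
    }
    Write-Host "OK: $($svc.DisplayName) is running"
}

# 2. The connector only needs outbound 443 (and 80 for CRL downloads); nothing
#    inbound is opened. Check the sign-in endpoint it contacts (assumed host).
$probe = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443
if (-not $probe.TcpTestSucceeded) {
    throw 'Outbound TCP 443 to Azure is blocked; the connector cannot register.'
}

# 3. Alternate Access Mapping: the external URL must be registered in the
#    Internet zone of the web application, otherwise SharePoint rewrites links
#    back to the internal (Default zone) URL and external users get redirected.
$internalUrl = 'http://sp-internal'                       # assumed internal URL
$externalUrl = 'https://spportal-alphabold.msappproxy.net' # external URL from the post

$webApp = Get-SPWebApplication -Identity $internalUrl
$existing = Get-SPAlternateURL -WebApplication $webApp |
    Where-Object { $_.IncomingUrl -eq $externalUrl }

if (-not $existing) {
    New-SPAlternateURL -Url $externalUrl -WebApplication $webApp -Zone Internet | Out-Null
    Write-Host "Added AAM: $externalUrl -> $internalUrl (Internet zone)"
} else {
    Write-Host "AAM already present for $externalUrl in zone $($existing.Zone)"
}

# Show the final mapping table for review.
Get-SPAlternateURL -WebApplication $webApp |
    Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```

The internal and external URLs used here must match the ones entered for the application in the Azure portal, since the proxy forwards requests to the internal URL and the AAM is what lets SharePoint answer correctly under the external one.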
4. Test the Product
- Open any browser and enter the external URL, e.g. https://spportal-alphabold.msappproxy.net/
- The root site should be accessible after entering your credentials.
SharePoint will be accessible without any external requirements. You will have effectively eliminated the need for additional hardware or software and the need to open inbound traffic on the edge firewall, which can be a security loophole.
Using Azure Web Application Proxy, we can publish any internal web application over the internet. We can also enforce stricter control through an additional layer of security by enabling SSO and Azure AD authentication.
In the next blog, I will be configuring server-to-server integration between on-premises SharePoint and a Dynamics 365 online environment, which requires the on-premises SharePoint to be accessible over the internet via HTTPS. Stay tuned!