How to deploy Entra ID Application Proxy (Manual)

Entra ID Application Proxy is a service that enables remote access to applications from any device with a web browser without the need for a VPN. It provides secure access to on-premises applications by proxying requests through the Azure cloud. One of the other features is that Entra secures your on-prem environment with all integrated security measures from Microsoft including conditional access policies.

image 51

In this manual I will show you how to the deploy Entra ID Application Proxy and how to configure it.

Prerequisites

  • Azure Entra ID Tenant
  • Azure Entra ID Premium 1 or 2 for all users accessing the Application.
  • Application Administrator Role
  • Local admin on the Windows Server

Time to deploy the connector: 15 minutes.

STEP 1: Go to the Azure Portal: https://portal.azure.com and go to Entra ID. From there click on Application proxy

image

From the new tab click on Download connector service and on the right slide Accept & Download the connector service.

image 1

Now go to your application server, or create a dedicated proxy server for this purpose and start the installer. Agree with the license terms and conditions and click on Install

image 2

On the login screen login in with the credentials from an admin account with enough permissions

image 35

After the login the installation completes in seconds.

image 34

STEP 2: Configure the application proxy

Go back to the Azure Portal, and again go to application proxy

image 36

First start with creating a New Connector Group. For redundancy purposes you can install 2 connectors and join them in the same Connector Group. For this demo we will just do one. Create the new connector group and select your just installed connector to be joined to the group.

image 38

When ready you should see an overview like below. Now lets configure the app. Click on Configure an app.

image 39

From the new webpage fill in all required fields. From top to bottom:

  • Name: Fill in a name for this application
  • Internal URL: This is an url that is resolvable from your machine hosting the application proxy.
  • External URL: Fill in the desired application URL. You can use a custom domain, or use one of the default Microsoft domains.
  • Pre Authentication: For security reasons I always recommend to use Microsoft Entra ID. When using a company device single sign-on will be used for login.
  • Connector group: Select the just created connector group.
  • SSL Certificate: This field might me grayed out, when using a custom domain you will need to upload a certificate to avoid certificate errors.

When using your own domain copy the cname entry at the bottom of the page. Ending with .msappproxy.net

image 40

When using a custom domain, create a cname record with an entry to your cname entry copied from the step above.

Now go to Entra ID, go to Enterprise applications, All applications and search for your newly created application.

image 41

Go to Application Proxy, you will get the option to add an SSL certificate when using a custom domain.

image 45

Now continue to Users and groups and add the users and groups that you want to grant access to this application

image 42

Select the users/groups.

image 43

When completed, you can now browse to the application. For this demo I just used my test Pi Hole admin console. You should now be able to see your internal application from the internet.

image 44

Troubleshooting

In some cases you might encounter some troubles installing the connector. This might be caused by Internet Explorer security settings or other reasons.

image 3

To resolve and troubleshoot use the following commands, this will install the connector without logging in during the installation:

MicrosoftEntraPrivateNetworkConnectorInstaller.exe REGISTERCONNECTOR="false"

cd "C:\Program Files\Microsoft Entra private network connector"
.\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Entra private network connector\Modules\" -moduleName "MicrosoftEntraPrivateNetworkConnectorPSModule"
image 37

Now continue with step 2 from the manual.

CREDITS: Valentijn de Pagter for the troubleshooting steps.

Add a Comment

Your email address will not be published. Required fields are marked *