How to deploy Entra ID Application Proxy (Manual)
Entra ID Application Proxy is a service that enables remote access to applications from any device with a web browser, without the need for a VPN. It provides secure access to on-premises applications by proxying requests through the Azure cloud. Another benefit is that Entra protects your on-prem application with the integrated security measures from Microsoft, including conditional access policies.
In this manual I will show you how to deploy Entra ID Application Proxy and how to configure it.
Prerequisites
- Azure Entra ID Tenant
- Azure Entra ID Premium 1 or 2 licenses for all users accessing the application.
- Application Administrator Role
- Local admin on the Windows Server
Time to deploy the connector: 15 minutes.
STEP 1: Go to the Azure Portal: https://portal.azure.com and go to Entra ID. From there click on Application proxy.
From the new tab click on Download connector service and on the right slide Accept & Download the connector service.
Now go to your application server, or create a dedicated proxy server for this purpose, and start the installer. Agree with the license terms and conditions and click on Install.
On the login screen, log in with the credentials of an admin account with enough permissions.
After the login the installation completes in seconds.
STEP 2: Configure the application proxy
Go back to the Azure Portal and again go to Application proxy.
First start with creating a New Connector Group. For redundancy purposes you can install 2 connectors and join them to the same Connector Group. For this demo we will just do one. Create the new connector group and select the connector you just installed to join it to the group.
When ready you should see an overview like below. Now let's configure the app. Click on Configure an app.
On the new webpage fill in all required fields. From top to bottom:
- Name: Fill in a name for this application
- Internal URL: This is a URL that is resolvable from the machine hosting the application proxy connector.
- External URL: Fill in the desired application URL. You can use a custom domain, or use one of the default Microsoft domains.
- Pre Authentication: For security reasons I always recommend using Microsoft Entra ID. When using a company device, single sign-on will be used for login.
- Connector group: Select the just created connector group.
- SSL Certificate: This field might be grayed out. When using a custom domain you will need to upload a certificate to avoid certificate errors.
When using your own domain, copy the CNAME entry at the bottom of the page (it ends with .msappproxy.net).
Then create a CNAME record in your public DNS for the external URL that points to the CNAME entry copied in the step above.
Now go to Entra ID, go to Enterprise applications, All applications and search for your newly created application.
Go to Application Proxy; when using a custom domain you will get the option to add an SSL certificate here.
Now continue to Users and groups and add the users and groups that you want to grant access to this application.
Select the users/groups.
When completed, you can now browse to the application. For this demo I just used my test Pi Hole admin console. You should now be able to see your internal application from the internet.
Troubleshooting
In some cases you might encounter trouble installing the connector. This might be caused by Internet Explorer security settings or other reasons.
To resolve and troubleshoot, use the following commands. They install the connector without logging in during the installation and register it afterwards:
MicrosoftEntraPrivateNetworkConnectorInstaller.exe REGISTERCONNECTOR="false"
cd "C:\Program Files\Microsoft Entra private network connector"
.\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Entra private network connector\Modules\" -moduleName "MicrosoftEntraPrivateNetworkConnectorPSModule"
Now continue with step 2 from the manual.
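The two troubleshooting commands above, as an added PowerShell example that is not part of the original manual: the script installs the connector silently, registers it with a credential prompted for at run time rather than a password stored in the script, and then checks that the connector services are running. It assumes the installer is in the current directory, that the default install path is used, and that the connector's Windows services are named WAPCSvc and WAPCUpdaterSvc.

```powershell
# Added example: unattended connector install and registration, then a service health check.
$ErrorActionPreference = 'Stop'
$installer  = '.\MicrosoftEntraPrivateNetworkConnectorInstaller.exe'   # assumed location
$installDir = 'C:\Program Files\Microsoft Entra private network connector'  # default path

# 1. Install the binaries without registering; /q runs the installer silently.
Start-Process -FilePath $installer -ArgumentList 'REGISTERCONNECTOR="false"', '/q' -Wait

# 2. Register the connector. Prompt for the Application Administrator credential so no
#    password lives in the script. Accounts that require MFA cannot register with
#    -Authenticationmode Credentials; use -Authenticationmode Token for those instead.
$cred = Get-Credential -Message 'Admin account used to register the connector'
Set-Location $installDir
.\RegisterConnector.ps1 -modulePath "$installDir\Modules\" `
    -moduleName 'MicrosoftEntraPrivateNetworkConnectorPSModule' `
    -Authenticationmode Credentials -Usercredentials $cred -Feature ApplicationProxy

# 3. Confirm both connector services are up before going back to the portal (step 2 of the manual).
$services = Get-Service -Name 'WAPCSvc', 'WAPCUpdaterSvc'   # assumed service names
$services | Format-Table Name, DisplayName, Status -AutoSize
if ($services.Status -contains 'Stopped') {
    throw 'A connector service is not running; check the connector log in Event Viewer.'
}
```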
CREDITS: Valentijn de Pagter for the troubleshooting steps.