Configure ADFS to work externally without having a WAP Server (configure Azure app proxy to publish ADFS externally)

Overview:


Azure Application Proxy provides single sign-on (SSO) and secure remote access for web applications hosted in on-premises environments without added complexity. This makes your life easier, as you won’t need the complicated reverse proxies or Web Application Proxies (WAP) that usually sit in the DMZ.

Objective:

In this scenario, the idea is to guide you through how to publish the ADFS service externally so that users can access your applications from outside the internal network. This is also useful for public user scenarios such as Azure AD users and Azure B2B. The known approach to publishing ADFS externally is to have a Web Application Proxy server configured in the DMZ, but that is time consuming and over-complicated for basic requirements (unless you have specific needs that depend on WAP or a reverse proxy).

This post assumes that you already have one or more ADFS servers configured and running, as we won’t be going through that part of the configuration here.

Prerequisites:

  • Active Directory domain and DNS configured in your on-premises environment
  • ADFS server installed, configured and running
  • Verifiable public domain name (e.g. mscloudjournal.com)
  • Public SSL certificate binding is done in the ADFS server
  • Azure tenancy with Azure AD Premium P1 or P2 license

Step 1: Download and install the proxy connector on the desired server

First things first, let’s download the proxy connector tool from Azure. Simply log in to your Azure tenancy and navigate to Azure Active Directory –> Application Proxy –> hit that nice little button to download the latest version of the tool.

Copy this across to your ADFS server (or any other server you plan to run the connector on; you do not need a dedicated server for this, as it is a very lightweight service).


Once copied across to the desired server (ADFS server itself in this case), run the tool to begin the process.


Next, you’ll be prompted to sign in to Azure AD. Make sure you have appropriate privileges to run this operation in Azure AD.


It won’t take more than a couple of minutes.


And there we have the green light. Simply close the wizard now and switch back to Azure AD.


Hit refresh and you’ll notice our brand new connector is now up and running in Azure, along with the public IP Azure has assigned to it.


Step 2: Configure an app in Azure

Now configure an app using the option in the top ribbon. Hit “Configure an app” to begin.


Input the details below to suit your environment’s naming. Choose “Passthrough” as the pre-authentication method; the rest can stay at the defaults unless you have a specific need.


And that’s it! Our new on-premises application has been created successfully.


Step 3: Adding the DNS CNAME record

Now we need a DNS record to point the traffic at the Azure App Proxy service endpoint. This is done at your public DNS host, so you’ll need access to your domain’s hosting provider (e.g. GoDaddy) to add the record.


The record will look something like this. The “Points to” value needs to be the address we saw in Azure ending with “msappproxy.net” (this is the proxy service endpoint for Azure). Add a new CNAME record as shown below and amend the name to suit your record.


Step 4: Binding the exported certificate

Now let’s head over to Enterprise Applications –> All applications –> select the app we created in the previous step (ADFS External Publishing Proxy) –> Application Proxy.


Here you get the certificate upload option. This certificate comes from the ADFS server; follow the next step to obtain it.


Export the certificate from the ADFS server

Log in to the relevant on-premises server (the ADFS server in my case), open mmc (type “mmc” in the Run dialog and press Enter) and add the Certificates snap-in to the console.


Choose the certificate that is bound to the ADFS service URL, then right-click –> All Tasks –> Export.


You need both the certificate and its private key, so export them together using the Certificate Export Wizard on the server itself.


Choose “AES256-SHA256” for encryption and tick the password option to set a password on the file.


Give the certificate file a name and save it in a secure location. We will upload this to the app we created in Azure next.
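The same export can be scripted instead of clicking through the wizard. The following is an added example (not from the original post): it looks up the certificate that ADFS currently binds to its service endpoint, confirms the private key is present, and exports a password-protected PFX encrypted with AES256-SHA256, matching the wizard choices above. The output path is an assumption, and -CryptoAlgorithmOption requires a current Windows Server build; run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not part of the original post.
# Export the certificate bound to the ADFS service (with private key) as an
# AES256-SHA256 encrypted, password-protected PFX for upload to Azure App Proxy.
Import-Module ADFS

# The SSL binding ADFS uses for its service endpoint; its hash identifies the cert.
$binding = Get-AdfsSslCertificate | Select-Object -First 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.CertificateHash }

if (-not $cert) {
    throw "Certificate $($binding.CertificateHash) not found in LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; it cannot be exported as PFX"
}

Write-Host "Exporting $($cert.Subject) (expires $($cert.NotAfter)) bound to $($binding.HostName)"

# Prompt for the password rather than hard-coding it; you will enter the same
# password when uploading the file in Azure.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"

# Assumed output location; keep this file somewhere access-controlled.
$pfxPath = 'C:\Secure\adfs-external.pfx'

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null

Write-Host "Saved $pfxPath"
```

Get-AdfsSslCertificate may list more than one binding (for example the default HTTPS port and the certificate-authentication port); they normally share the same certificate, so the first entry is sufficient here.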


Now let’s switch back to Azure AD –> Enterprise Applications –> All applications –> select the app we created in the previous step (ADFS External Publishing Proxy) –> Application Proxy.

Scroll down and click on the option that allows you to upload the certificate.


Choose the file we exported (.pfx), enter the same password specified when exporting it, and hit Upload.


It should look like the screenshot below if everything went well.


And that’s it! We should now be able to test it out.

Step 5: Testing the external accessibility

To test it, simply try to access the ADFS sign-on URL from an external network. If you see the following screen with a validated certificate, you’re all done!

https://adfs.yourdomain.com/adfs/ls/idpinitiatedsignon
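Beyond eyeballing the browser, the three things worth confirming from an external machine are that the public CNAME from Step 3 points at the Azure App Proxy endpoint, that the certificate uploaded in Step 4 is what the endpoint presents and it validates, and that the sign-on page answers. The following is an added example (not from the original post) that checks all three; the hostname is the placeholder used above and the msappproxy.net suffix is taken from the DNS step, so replace them with your own values.

```powershell
# Added example, not part of the original post.
# Run from a machine outside the internal network.
$adfsHost = 'adfs.yourdomain.com'            # assumed hostname, replace with yours
$expectedTargetSuffix = 'msappproxy.net'     # Azure App Proxy endpoint suffix from Step 3

# 1. The public CNAME must point at the App Proxy endpoint, not at an on-premises IP.
$cname = Resolve-DnsName -Name $adfsHost -Type CNAME -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "$adfsHost has no CNAME record" }
if ($cname.NameHost -notlike "*.$expectedTargetSuffix") {
    throw "CNAME points to $($cname.NameHost); expected a *.$expectedTargetSuffix target"
}
Write-Host "CNAME OK: $adfsHost -> $($cname.NameHost)"

# 2. The TLS certificate presented must chain to a trusted root and match the name.
#    AuthenticateAsClient throws if either check fails.
$tcp = New-Object System.Net.Sockets.TcpClient($adfsHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($adfsHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS OK: subject=$($remote.Subject) issuer=$($remote.Issuer) expires=$($remote.NotAfter)"
    if ($remote.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires within 30 days; plan the renewal and re-upload in Azure"
    }
}
finally {
    $tcp.Close()
}

# 3. The IdP-initiated sign-on page must answer through the proxy.
$resp = Invoke-WebRequest -Uri "https://$adfsHost/adfs/ls/idpinitiatedsignon" -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Unexpected HTTP status $($resp.StatusCode)" }
Write-Host "HTTP OK: $($resp.StatusCode) from https://$adfsHost/adfs/ls/idpinitiatedsignon"
```

Because the CNAME hands the hostname to Azure, the certificate the client sees is the one uploaded to the App Proxy application, so the expiry warning in step 2 is a reminder that renewing the certificate on the ADFS server alone is not enough; the new PFX has to be uploaded to Azure as well.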
