
“We’re also publishing more than 200 on-prem web applications to the cloud with Azure Active Directory App Proxy, which makes our employees' lives easier since they can securely access these apps without VPN.”

Stephen Booth, IT Solution Manager, Unilever


[Slide: Azure AD Application Proxy overview. Diagram labels: Inside Corp Net; Management portal(s); REST APIs; Graph APIs; Synchronise users from your AD DS.]
https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features
Port Number    Description
80             To enable outbound HTTP traffic for security validation.
443            To enable user authentication against Azure AD (required only for the Connector registration process).
10100 - 10120  To enable LOB HTTP responses sent back to the proxy.
9352, 5671     To enable communication between the Connector toward the Azure service for incoming requests. Uses 443 when configured to use a forward proxy.
9350           Optional. To enable better performance for incoming requests.
8080           To enable the Connector bootstrap sequence and to enable Connector automatic update.
9090           To enable Connector registration (required only for the Connector registration process).
9091           To enable Connector trust certificate automatic renewal.
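As an added example (not part of the deck or of Microsoft's tooling), a PowerShell check an administrator can run on a prospective connector host to confirm that the outbound ports in the table above are reachable before installing the connector. The target hostnames are placeholders to be replaced with the Azure endpoints listed in your tenant's connector documentation, and Test-NetConnection is assumed to be available (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the deck): outbound port check for a prospective
# connector host. $Targets holds PLACEHOLDER hostnames; replace them with the
# Azure endpoints your tenant's connector documentation lists before running.
param(
    [string[]]$Targets = @('PLACEHOLDER.azure-endpoint.example')
)

# Port table from the slide. Required=$false marks the "optional" port;
# RegistrationOnly=$true marks ports needed only during connector registration.
$PortSpec = @(
    @{ Port = 80;   Purpose = 'Outbound HTTP for security validation';            Required = $true;  RegistrationOnly = $false }
    @{ Port = 443;  Purpose = 'User authentication against Azure AD';             Required = $true;  RegistrationOnly = $true  }
    @{ Port = 8080; Purpose = 'Connector bootstrap and automatic update';         Required = $true;  RegistrationOnly = $false }
    @{ Port = 9090; Purpose = 'Connector registration';                           Required = $true;  RegistrationOnly = $true  }
    @{ Port = 9091; Purpose = 'Connector trust certificate automatic renewal';    Required = $true;  RegistrationOnly = $false }
    @{ Port = 9350; Purpose = 'Better performance for incoming requests';         Required = $false; RegistrationOnly = $false }
    @{ Port = 9352; Purpose = 'Connector to Azure service for incoming requests'; Required = $true;  RegistrationOnly = $false }
    @{ Port = 5671; Purpose = 'Connector to Azure service for incoming requests'; Required = $true;  RegistrationOnly = $false }
)
# 10100-10120 carry LOB HTTP responses back to the proxy.
foreach ($p in 10100..10120) {
    $PortSpec += @{ Port = $p; Purpose = 'LOB HTTP responses back to the proxy'; Required = $true; RegistrationOnly = $false }
}

# Caveat from the slide: when the connector uses a forward proxy, the 9352/5671
# traffic goes over 443 instead, so a direct check on those ports will report
# "blocked" even on a correctly configured host.
$blocked = @()
foreach ($target in $Targets) {
    foreach ($spec in $PortSpec) {
        # -InformationLevel Quiet makes Test-NetConnection return $true/$false.
        $open = Test-NetConnection -ComputerName $target -Port $spec.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($open) { 'open' } elseif ($spec.Required) { 'BLOCKED (required)' } else { 'blocked (optional)' }
        if ($spec.RegistrationOnly) { $state += ' [registration only]' }
        '{0,-40} {1,6}  {2,-36} {3}' -f $target, $spec.Port, $state, $spec.Purpose
        if (-not $open -and $spec.Required) { $blocked += ('{0}:{1}' -f $target, $spec.Port) }
    }
}
if ($blocked.Count -gt 0) {
    Write-Warning ('Required outbound ports not reachable: ' + ($blocked -join ', '))
    exit 1
}
```

Run it once before registration (so the registration-only ports are covered) and again afterwards; a non-zero exit means at least one required port is filtered somewhere between the host and the placeholder endpoint.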
[Slide: Azure AD Application Proxy, App1 published with application passthrough. Diagram labels: External endpoint for app1; Published: App1 with application passthrough; Azure AD endpoint for authentication; Azure AD Application Proxy connector; Internet / Azure / On-premises; Authentication; AD; Possible sync.]

[Slide: Azure AD Application Proxy, App1 published with application preauth. Diagram labels: External endpoint for app1; Published: App1 with application preauth; Azure AD endpoint for authentication; Azure AD Application Proxy connector; Internet / Azure / On-premises; Authentication; AD; Possible sync.]

[Slide: Preauthentication flow, App1 published with preauth. Participants: User, Azure AD, Azure AD Application Proxy, connector (on-premises), App1. Sequence as shown in the diagram:]
1. User sends app1 GET request to the Application Proxy.
2. Redirected to Azure AD with authentication string.
3. User sends Azure AD GET request with authentication string; Azure AD authenticates the user and returns an access token.
4. Azure AD returns page with token ST and sets authentication cookies.
5. User sends token with app1 POST; Application Proxy validates the token and sets the access cookie (AzureAppProxyAccessCookie).
6. Redirected to app1; app1 GET request is passed through the secure channel to the connector.
7. App1 authenticates the user with the selected method; page rendered.

[Slide: Azure AD Application Proxy with Kerberos constrained delegation (KCD). Diagram labels: Published: App1 with Kerberos auth; app1 with application preauth; Kerberos token injected into header; KDC; Azure AD endpoint for authentication; Azure AD Application Proxy connector; Internet / Azure / On-premises; Authentication; AD; Possible sync.]

[Slide: Azure AD Application Proxy, claims-aware App1 trusting Azure AD. Diagram labels: Published: App1 claims aware; app1 with application preauth; Azure AD security token service; AAD App Proxy Trust; Azure AD endpoint for authentication; Azure AD Application Proxy connector; Internet / Azure / On-premises; Authentication; AD; Possible sync.]

[Slide: Azure AD Application Proxy, claims-aware App1 trusting AD FS. Diagram labels: Published: App1 claims aware; app1 with application preauth; Azure AD Trust; Azure AD Application Proxy connector; External endpoint for authentication; AD FS Web Application Proxy (DMZ); AD FS (on-premises); Trust; Internet / DMZ / On-premises; Authentication; AD; Possible sync.]

[The two following slides repeat the "App1 with application preauth" and "claims-aware App1 trusting AD FS" diagrams with the Azure AD to AD sync and trust relationships marked.]

John Craddock
Infrastructure and security Architect, XTSeminars Ltd

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. He has been a key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. John developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits.

John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
www.microsoft.com/itprocareercenter

www.microsoft.com/itprocloudessentials

www.microsoft.com/mechanics

https://techcommunity.microsoft.com
http://myignite.microsoft.com

https://aka.ms/ignite.mobileapp