Publishing internal services to external users has been something of a security nightmare for many IT departments; Microsoft now offers a solution with Azure AD App Proxy.
Gone are the days when directly publishing internal services through the firewall using a NAT rule was acceptable. Even with the advances in integrated firewall intrusion detection and prevention, it has long been best practice to place a reverse proxy as a middleman between the external user and the internal web server. Reverse proxy technology moved the security layer from the internal server to the perimeter device or server, so attacks and malicious connection attempts never reached the internal web server, reducing unnecessary load and security exposure. This improved the performance of the internal resource and provided reassurance that it would remain secure.
However, reverse proxy services still required firewall configuration to pass traffic from external users to the proxy device or server, so careful configuration was needed to guarantee that traffic which should not be passed was blocked.
Microsoft now provides a new, more secure way to publish services without any inbound firewall configuration: Azure AD App Proxy. Released in 2016 as part of the Azure AD subscription, and continually updated, it enables secure connectivity to internal web services from external networks without any reverse proxy infrastructure. Implementation is simplified by an on-premises connector installed on the internal network (or DMZ), which allows a brokered connection via the Azure tenant portal. Using either Microsoft-provided DNS and SSL certificates, or your own company DNS and SSL certificates, a connection to your internal web services can be published to your users, allowing Single Sign-On to the internal application with the confidence that the security features of Azure will protect your services.
Further configuration of Conditional Access policies in Azure AD adds another layer of security, controlling access by location and device operating system, validating domain membership, requiring Intune management compliance and enforcing Azure MFA.
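The publishing step and the Conditional Access point above depend on one setting: the app must be published with Azure AD pre-authentication, because a Passthru publication never produces an Azure AD sign-in for Conditional Access or MFA to act on. The following is an added example using the AzureAD PowerShell module, not EACS's or Microsoft's own code; it assumes an account holding the Application Administrator role, and the display name and URLs are placeholders.

```powershell
# Added example (not EACS's or Microsoft's code): publish an internal web app
# through Azure AD Application Proxy with Azure AD pre-authentication, then
# audit the tenant for proxy apps still set to Passthru, which skips the Azure AD
# sign-in and therefore the Conditional Access and MFA controls described above.
# Assumes the AzureAD PowerShell module and an Application Administrator account;
# the display name and URLs below are placeholders.
Connect-AzureAD

# Secure setting: AadPreAuthentication forces an Azure AD sign-in before any
# request is brokered to the connector, so Conditional Access policies apply.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName 'Intranet Portal' `
    -ExternalUrl 'https://portal-contoso.msappproxy.net/' `
    -InternalUrl 'http://intranet.corp.contoso.local/' `
    -ExternalAuthenticationType AadPreAuthentication

# Weak setting, shown for contrast only: Passthru publishes the app with no
# Azure AD sign-in, leaving authentication entirely to the internal server.
#   -ExternalAuthenticationType Passthru

function Get-PassthruProxyApps {
    # Returns every App Proxy publication whose pre-authentication is Passthru.
    $results = @()
    foreach ($a in Get-AzureADApplication -All $true) {
        try {
            $proxy = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId -ErrorAction Stop
        } catch {
            continue   # not an App Proxy application
        }
        if ($proxy.ExternalAuthenticationType -eq 'Passthru') {
            $results += [pscustomobject]@{
                DisplayName = $a.DisplayName
                ObjectId    = $a.ObjectId
                ExternalUrl = $proxy.ExternalUrl
                InternalUrl = $proxy.InternalUrl
            }
        }
    }
    return $results
}

$exposed = Get-PassthruProxyApps
$exposed | Format-Table -AutoSize

# Remediate: move each Passthru publication to Azure AD pre-authentication so
# the Conditional Access policies configured in the tenant are enforced on it.
foreach ($e in $exposed) {
    Set-AzureADApplicationProxyApplication -ObjectId $e.ObjectId `
        -ExternalAuthenticationType AadPreAuthentication
}
```

Run the audit function on its own first; the remediation loop changes how users authenticate to each listed app, so confirm the internal application accepts the Azure AD-authenticated session (for example via Kerberos constrained delegation) before applying it.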
To discuss Azure AD App Proxy further, or request a demonstration, please contact EACS.