ARAIMBAULT
Sep 27, 2024, Copper Contributor
AAD application proxy: access from external issue
Hello, I have published an application with SAML SSO. From internal, it works fine. When I connect to https://myapp, all is OK. I have set up an external URL: https://myapp.my_custom_external...
ARAIMBAULT
Sep 30, 2024, Copper Contributor
I cannot change the custom domain to an msappproxy.net domain; I have to create another application.
I will test.
Yes, the proxy agent is online.
ARAIMBAULT
Sep 30, 2024, Copper Contributor
I have tested with an msappproxy.net domain.
I get error AADSTS50011, and if I update the application registration, I get a timeout.
So, it's the same.
- ARAIMBAULT, Oct 01, 2024, Copper Contributor
OK, it works now.
I've got a FortiGate; with a web filter or other security profile, it does not work. I had to open Internet services, like this:
Thanks for the help.
- ARAIMBAULT, Sep 30, 2024, Copper Contributor
I have tested, it is a firewall issue.
A web filter issue, to be precise.
I followed this page but it is missing some websites: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-connectors
Have you got the new prerequisites?
Thanks.
- ARAIMBAULT, Sep 30, 2024, Copper Contributor
Sorry, I have rechecked and I can see this error.
- ARAIMBAULT, Sep 30, 2024, Copper Contributor
I have tested with DNS resolution for the external URL, timeout too.
There is no error message in the agent log.
It seems that MS Entra can't connect to the agent, even when the agent can connect to MS Entra.
- ARAIMBAULT, Sep 30, 2024, Copper Contributor
Hello,
My firewall has an IP, suppose 10.11.12.13. This is the connector external IP, BUT port 443 is redirected to the vpnssl webpage. Could it be an explanation?
- Jamesscarr, Sep 30, 2024, Copper Contributor
That makes sense, seems like your app needs that external DNS name. It might be worth checking your internal DNS record to see what the target destination is. If it is different from what you set in Entra, it might be worth changing the one in Entra to match the on-prem one. It might be worth changing the timeout in the Entra ID app to long timeout.
Also, have you checked the event logs on your server hosting the agent?