Microsoft Secure Hybrid Access: Part 1
In part one of this two-part series on Secure Hybrid Access, we take an in-depth look at using Azure AD Application Proxy to support remote access scenarios with greater security. With the recent spike in remote work, we want to enable you to support your end users as they access applications still living on the corporate network. As a result, this session walks you through how Azure AD Application Proxy works and looks at some of the accompanying mobile device scenarios.
Learn more
Here are links to the resources mentioned in this session:
- How to configure Application Proxy settings for protected browsers
- Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory
- MCAS brings its real-time CASB controls to on-prem apps!
While not mentioned specifically in this session, here are some additional resources you might find helpful:
- Microsoft COVID-19 response site
- Enabling Remote Work
- Microsoft Endpoint Manager remote work blog
- Work remotely, stay secure
- 2 weeks in: what we’ve learned about remote work
Frequently asked questions
Q: Could this be used with SAP/BPC on prem where the connection back to on prem comes from an excel plugin?
A: Application Proxy is primarily meant for browser-based apps or clients that go over HTTP/HTTPS ports. If your Excel data source pulls through port 443 it should work. One thing to test is to see if it would work with pre-authentication.
Q: Can Application Proxy be used in place of SSL VPN scenarios and based on authentication further on-prem webapps can be used?
A: Yes, that’s the main use case. It is a per-app, pre-authenticated reverse proxy.
Q: If an internal web app based on HTTP has no HTTPS, will the app proxy secure the traffic over the internet routing from on prem back to the user?
A: Yes, external traffic will always be HTTPS – connector is the thing that will talk to the app without SSL. You also get Azure AD Conditional Access and other Azure AD protections on the external endpoint. In addition to HTTPS, you can layer on MFA and other controls/protections.
Q: In this scenario, can only managed browsers access the internal resources? It’s not accessible from other devices?
A: Correct. Your app proxy app is still an enterprise app in Azure AD, so you can apply all Conditional Access policies, including requiring a managed app on mobile OSes. You can apply the same access controls that your VPN concentrator probably has as well.
Q: Is it possible to app proxy a site for PC and not for mobile, outside of blocking the site on mobile? E.g. the site has full site and mobile site or site does not work properly on one medium but it does on another.
A: If you need to block mobile clients, you will need to leverage Conditional Access. Rather than blocking, it might be worth trying to fix them. You can try header/body translation. Responsive design sites detect your platform based on either JavaScript code that probes your resolution or a look at your user-agent string. So the only cases we saw not working well were due to client-side detection in the web app itself. For more information, see Debug Application Proxy application issues.
Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!