First published on TECHNET on May 31, 2017
We're excited to announce Work Folders now supports using Azure Active Directory Application Proxy to enable remote users to securely access their files on the Work Folders server.
Work Folders already supports using a VPN, Web Application Proxy (WAP) or a third-party reverse proxy solution to give remote users access to their files on the Work Folders server. These remote access solutions require expensive hardware or additional on-premises servers that need to be managed.
Benefits of using Azure AD Application Proxy
To learn more about Azure Active Directory Application Proxy, please see the following article: How to provide secure remote access to on-premises applications
To enable Work Folders access using Azure AD Application proxy, please follow the steps below.
Before you can enable Work Folders access using Azure AD Application Proxy, you need to have:
High-level overview of the steps required:
Note: If you have multiple Work Folders servers, you need to create a proxy application for each Work Folders server (repeat the steps above).
Note: If you have multiple Work Folders servers and you created multiple Work Folders proxy applications, please repeat the steps above to give the Work Folders native application access to all Work Folders proxy applications.
Note: The Work Folders native application must be set to public. Under Advanced settings, verify Treat application as a public client is set to Yes.
To learn more about the Application Proxy Connector and the outbound network ports that are required, please see the following article: Get started with Application Proxy and install the connector
The Work Folders server is configured by default to use Integrated Windows Authentication.
To verify the server is configured properly, perform the following steps:
Note: If the Work Folders environment is currently configured to use ADFS authentication, changing the authentication method from ADFS to Windows Authentication will cause existing users to fail to authenticate. To resolve this, either reconfigure the Work Folders clients to use the Work Folders proxy application URL, or create another Work Folders server to be used for Azure AD Application Proxy.
setspn -S http/workfolders.domain.com servername
Example: setspn -S http/workfolders.contoso.com 2016-wf
In the example above, the FQDN of the Work Folders server is workfolders.contoso.com and the Work Folders server name is 2016-wf.
Note: The SPN value entered using the setspn command must match the SPN value entered in the Work Folders proxy application in the Azure portal.
You can skip this section if you're not using a self-signed certificate on the Work Folders server.
If the Work Folders server is using a self-signed certificate, you need to export the certificate on the Work Folders server and import the certificate on the App Proxy Connector server. This step is necessary for the App Proxy Connector server to communicate with the Work Folders server.
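The following PowerShell pre-flight check is an added example, not part of the original post, and ties together the SPN and certificate steps above: it queries whether the http/ SPN is already registered before calling setspn -S, then finds the server certificate for the FQDN and flags it if it is self-signed (the case that requires the export/import onto the App Proxy Connector server). It assumes it is run on the Work Folders server itself, with the contoso.com FQDN from the article's example; the output file path is a placeholder.

```powershell
# Added example: run on the Work Folders server before publishing it through
# Azure AD Application Proxy. Assumed values follow the article's example.
$Fqdn       = 'workfolders.contoso.com'       # FQDN clients and the proxy application use
$ServerName = $env:COMPUTERNAME               # e.g. 2016-wf in the article's example
$Spn        = "http/$Fqdn"                    # must match the SPN entered in the proxy application

# 1. SPN check: query first so an already-registered SPN is not re-added.
$query = & setspn -Q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered:"
    $query | Where-Object { $_ -match '^\s*(CN=|http/)' } | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "SPN $Spn not found; registering it on computer account $ServerName"
    & setspn -S $Spn $ServerName
}

# 2. Certificate check: locate the certificate issued for the FQDN and decide
#    whether the connector needs it imported into its Trusted Root store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { ($_.DnsNameList.Unicode -contains $Fqdn) -or ($_.Subject -like "*CN=$Fqdn*") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate for $Fqdn in LocalMachine\My; the App Proxy Connector cannot trust this server."
} elseif ($cert.Subject -eq $cert.Issuer) {
    # Self-signed: export the public certificate only (no private key) for the connector.
    $out = Join-Path $env:TEMP 'workfolders-selfsigned.cer'   # placeholder path
    Export-Certificate -Cert $cert -FilePath $out | Out-Null
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed. Copy $out to each App Proxy Connector server and run:"
    Write-Warning "  Import-Certificate -FilePath <copied .cer> -CertStoreLocation Cert:\LocalMachine\Root"
} else {
    Write-Host "Certificate $($cert.Thumbprint) issued by $($cert.Issuer), expires $($cert.NotAfter); no import needed."
}
```

The certificate match relies on the DnsNameList property that the PowerShell certificate provider adds to X509Certificate2 objects (PowerShell 3.0 and later); on older hosts only the Subject comparison applies.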
To export the certificate on the Work Folders server, follow these steps:
To import the certificate on the App Proxy Connector server, follow these steps:
Token Broker is an authentication broker that supports device registration. When using Token Broker with Azure AD Application Proxy for remote access, the client device can be registered in Azure AD when configuring the Work Folders client. Once the device is registered, device authentication will be used to access the Work Folders server.
Device registration provides the following benefits:
How to enable Token Broker
To enable Token Broker on a Windows 10 version 1703 system, enable the "Enables the use of Token Broker for AD FS authentication" group policy setting, which is located under User Configuration\Administrative Templates\Windows Components\Work Folders.
For Android and iOS devices, Token Broker will be used automatically when using Azure AD Application Proxy.
How to register devices using the Work Folders client
When Token Broker is enabled on a Windows client, the user will be prompted to register their device in Azure AD when configuring the Work Folders client. If the Work Folders client is managed via group policy, the device is automatically registered in Azure AD.
For Android and iOS devices, the device is automatically registered when configuring the Work Folders client.
How to configure a Windows 10 version 1703 client to use the Azure AD App Proxy URL:
How to configure an Android or iOS client to use the Azure App Proxy URL:
If you experience an issue when configuring or using a Work Folders client, please see our troubleshooting guide: How to troubleshoot remote access to Work Folders using Azure AD Application Proxy