L11. Application Proxy: Secure Remote Access to On-Prem Apps
Deploy Entra Application Proxy for the SC-300: publish on-premises web applications to external users without VPN, configure connector groups, understand pre-authentication options, and implement Kerberos constrained delegation for seamless SSO to legacy apps.
What Is Application Proxy?
Entra Application Proxy provides secure remote access to on-premises web applications without requiring a VPN. Users access internal apps through a public URL, and Entra ID handles authentication before the traffic reaches your network. Key benefit: No inbound firewall ports need to be opened. The connector initiates outbound connections to the Application Proxy service.
Architecture
The Application Proxy architecture has three components:
- Application Proxy service: Runs in the Microsoft cloud, handles external requests
- Application Proxy connector: Lightweight agent installed on a Windows Server in your network
- On-premises application: The internal web app you want to publish
The request flow through these components is:
1. The user navigates to the external URL
2. Entra ID pre-authenticates the user (MFA and Conditional Access policies apply here)
3. A token is sent to the Application Proxy service
4. The service forwards the request to the connector
5. The connector accesses the on-premises application on behalf of the user
6. The response returns through the same path
Connector Groups
Connectors are organized into connector groups. Each published application is assigned to a connector group. This allows you to:
- Isolate applications by network segment
- Place connectors close to the applications they serve
- Provide high availability (multiple connectors per group)
Pre-Authentication Methods
| Method | Description | When to Use |
|---|---|---|
| Entra ID | User authenticates with Entra ID first | Default; enables CA and MFA |
| Passthrough | No pre-authentication; app handles auth | Apps that manage their own authentication |
SSO to On-Premises Applications
Kerberos Constrained Delegation (KCD)
KCD enables seamless SSO to on-premises applications that use Windows Integrated Authentication (Kerberos):
- Configure the connector machine for KCD in Active Directory
- Set the connector service account SPN
- Configure the application in Entra ID with the internal app SPN
- The connector obtains a Kerberos ticket on behalf of the authenticated user
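The Active Directory side of the KCD steps above, as an added PowerShell example that is not part of the course material. It assumes the ActiveDirectory module on a domain-joined admin host, and the connector name, app service account and SPN are placeholder values.

```powershell
# Added example: configure and verify constrained delegation for an
# Application Proxy connector. All three values below are placeholders.
$ConnectorComputer = 'APPPROXY01'                       # connector server (domain-joined)
$AppServiceAccount = 'svc-legacyapp'                    # account running the on-prem app
$AppSpn            = 'HTTP/legacyapp.corp.contoso.com'  # internal SPN set on the Entra app

Import-Module ActiveDirectory

# 1. Register the SPN on the app's service account if it is not there yet.
#    setspn -Q prints "Existing SPN found!" when the SPN is already registered;
#    setspn -S refuses to add a duplicate, which would otherwise break Kerberos.
$query = setspn -Q $AppSpn
if ($query -notmatch 'Existing SPN found') {
    setspn -S $AppSpn $AppServiceAccount
}

# 2. Let the connector's computer account delegate to that one SPN only
#    (constrained), with protocol transition enabled: the user was
#    pre-authenticated by Entra ID, not by Kerberos, so the connector must be
#    allowed to obtain a ticket on their behalf without their Kerberos ticket.
Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }
Get-ADComputer -Identity $ConnectorComputer |
    Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify the result. Delegation must be scoped to the listed SPN(s) only;
#    TrustedForDelegation (unconstrained delegation) should remain False.
$c = Get-ADComputer -Identity $ConnectorComputer `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
[pscustomobject]@{
    Connector               = $c.Name
    ConstrainedTargets      = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition      = $c.TrustedToAuthForDelegation
    UnconstrainedDelegation = $c.TrustedForDelegation
} | Format-List
```

Run the verification block again after any change to the connector's computer object, since a later edit that flips UnconstrainedDelegation to True widens what the connector can impersonate users to.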
Header-Based SSO
For applications that read identity from HTTP headers, Application Proxy can inject headers (like username, email, UPN) into the request before forwarding to the application.
SAML SSO
Application Proxy can perform SAML authentication with the on-premises application, providing SSO for apps that support SAML 2.0.
Custom Domains
By default, published apps get a URL like https://app-contoso.msappproxy.net. You can configure custom domains (e.g., https://app.contoso.com) by:
- Adding a CNAME record pointing to the msappproxy.net domain
- Uploading a matching TLS certificate (wildcard or specific)
Licensing
Application Proxy requires Entra ID P1 or P2 licensing. There is no additional per-app cost: the license covers unlimited published applications.
- ✓ Application Proxy requires no inbound firewall ports: connectors initiate outbound connections only
- ✓ At least two connectors per connector group are recommended for high availability
- ✓ Pre-authentication with Entra ID enables Conditional Access and MFA before traffic reaches your network
- ✓ KCD requires the connector server to be domain-joined with delegation permissions in Active Directory
- ✓ Application Proxy is included with Entra ID P1/P2 licensing: no additional per-app cost
1. What is the primary security advantage of Entra Application Proxy over traditional VPN?
2. An on-premises application uses Windows Integrated Authentication. What must be configured for SSO through Application Proxy?
3. How many connectors should be deployed per connector group for high availability?