forefront uag/tmg web application proxy + ad fs
TRANSCRIPT
Spark the future.
May 4 – 8, 2015, Chicago, IL
Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy
Meir Mendelovich, Program Manager, Microsoft, @MMendelovich
BRK3864
Application Access Scenarios
Forefront UAG/TMG; Web Application Proxy + AD FS
Empower Enterprise Mobility
Protect your data
Enable your users
User IT
Unify your environment
People-centric approach
Devices Apps Data
Benefits
[Diagram: Azure Active Directory connected to on-premises applications]
Remote Access as a Service: easily publish your on-prem applications to users outside the corporate network
Extend Azure AD to on-prem: utilize Azure AD as a central management point for all your apps
How it works
Connectors are deployed on corpnet
Multiple connectors can be deployed for redundancy and scale
The connector auto-connects to the cloud service
User connects to the cloud service, which routes their traffic to the resources via the connectors
[Diagram: Application Proxy in Azure Active Directory; connectors in the corporate network and DMZ in front of the apps; external URL https://sales-contoso.msappproxy.net, internal URL http://sales, custom URL https://sales.contoso.com]
Cloud scale for your on-prem apps
[Diagram: Azure Active Directory Application Proxy in front of connectors in the corporate network and DMZ]
Access Panel Portal
Authentication + MFA
Reporting & Auditing
Security Monitoring
Authorization
4.9M organizations
1B-2B authentications / day
430M identities
SSO to 2,477 SaaS apps & Office 365
Multi Factor Authentication
Access Panel portal & app
Office 365 portal
Self-service workflow
Authorization based on user or groups
Reports, auditing and security monitoring based on big data and machine learning.
Demo
Directory prep:
1. Create a new directory
2. Create users and groups
3. Request Azure AD Premium trial on “licenses” tab
4. Assign the Azure AD Premium seats to users (including admins)
Optional: add your domain name
Demo
App Proxy setup:
1. Turn on App Proxy on the “configure” tab
2. Download, install and register the connector
3. Add a new proxy app
4. Assign users to the app
Use it
Demo
http://myapps.microsoft.com
Username: [email protected] / Password: password1!
Optional steps (part 1):
- Add to Office 365 App Launcher
- Use Azure AD self-service
- Multi-factor authentication (MFA)
Demo
Cloud Scale Security
All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks such as the Heartbleed bug.
Unauthenticated traffic is filtered in the cloud and never arrives on-prem.
No incoming connections to the corporate network; the connector only makes outgoing connections to the Azure AD Application Proxy service.
The Internet-facing service is always up to date with the latest security patches and server upgrades.
Login abnormality detection, reporting and auditing by Azure AD.
SSO from the cloud
Single Sign-on experience from Azure Active Directory to on-prem applications
Connectors use the Azure AD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD)
Supports any application that uses Integrated Windows Authentication (IWA), such as SharePoint, Outlook Web Access and CRM.
No need to change the backend applications
No need to install agents on backend applications
No need to expose on-prem apps directly to the Internet
[Diagram: the Azure AD token for the user ([email protected]) reaches the connector in the corporate network, which obtains a Kerberos ticket for the same user ([email protected]) and presents it to the backend app]
Use your own domain name
Why?
1. Domain name recognized by your users
2. Replace existing solutions / well-known URLs
3. Have the same internal and external URLs
   • Notifications and e-mail links just work
   • Some applications won’t work otherwise
How?
1. Upload a certificate with private key that covers the custom domain name (regular, wildcard or SAN)
2. Create a CNAME record in the external DNS to point to the msappproxy.net address
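A small offline pre-flight check for the two "How?" steps above, added here as an illustration (it is not Microsoft tooling or code from the session). It assumes the caller supplies the external hostname, the current CNAME target and the names in the uploaded certificate; the Contoso values in it are constructed sample data.

```python
"""Constructed pre-flight check for the custom-domain prerequisites named on
the slide: the external CNAME must point at the msappproxy.net address of the
published app, and the uploaded certificate (regular, wildcard or SAN) must
cover the custom hostname. Not Microsoft tooling; sample values are made up."""
from dataclasses import dataclass, field


@dataclass
class DomainCheck:
    hostname: str                 # external URL users type, e.g. sales.contoso.com
    cname_target: str             # what external DNS currently returns for the CNAME
    cert_names: list              # CN plus SANs found in the uploaded certificate
    problems: list = field(default_factory=list)


def cert_covers(name, cert_name):
    """True if a certificate name (exact or wildcard) covers `name`.
    A wildcard covers exactly one label: *.contoso.com covers
    sales.contoso.com but not app.sales.contoso.com."""
    name, cert_name = name.lower().rstrip("."), cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return name == cert_name
    suffix = cert_name[1:]                      # ".contoso.com"
    prefix = name[: -len(suffix)] if name.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix


def check_custom_domain(hostname, cname_target, cert_names):
    """Validate both prerequisites; `problems` is empty when the domain is ready."""
    result = DomainCheck(hostname, cname_target, list(cert_names))
    target = cname_target.lower().rstrip(".")
    # CNAME step: external DNS must hand users to the Application Proxy address.
    if not target.endswith(".msappproxy.net"):
        result.problems.append(
            f"CNAME for {hostname} points to {cname_target}, not an msappproxy.net address")
    # Certificate step: the uploaded certificate must cover the custom hostname.
    if not any(cert_covers(hostname, n) for n in cert_names):
        result.problems.append(f"certificate names {cert_names} do not cover {hostname}")
    return result


if __name__ == "__main__":
    # Constructed sample values modelled on the slide's Contoso example.
    ok = check_custom_domain("sales.contoso.com", "sales-contoso.msappproxy.net", ["*.contoso.com"])
    bad = check_custom_domain("sales.contoso.com", "legacy-proxy.contoso.com", ["www.contoso.com"])
    print("ready:", ok.problems)
    print("not ready:", bad.problems)
```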
[Diagram: users resolve sales.contoso.com in external DNS via a CNAME to sales-contoso.msappproxy.net, while internal DNS resolves sales.contoso.com directly; connectors sit in the corporate network in front of the app]
Optional steps (part 2):
- Login UI branding
- Custom domains
- SSO to backend using IWA/KCD
Demo
What is next
Enable a different login name (UPN) for on-prem and cloud, utilizing Alternate Login ID the same way it is implemented in AD FS
Assign connectors to apps: different sets of connectors serve different applications, enabling network optimization for multi-geo and isolated networks
Additional SSO methods for more applications
More control, management and health monitoring of connectors
Improved portal experience: customizing icons and more…
Learn more on Application Proxy
Application Proxy MSDN documentation: http://aka.ms/ProxyDoc
Application Proxy blog: http://aka.ms/proxy
Contact us: [email protected]
Related Content
BRK3863: Identity and Access Management Everywhere
Wednesday 10:45pm room E271
BRK3851: Real Customer Stories for Azure Premium
Wednesday 3:15pm room S501
BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect
BRK3865: How Microsoft Azure AD Helps Prevent, Detect and Remediate Attacks to Your Enterprise
BRK3867: Microsoft Identity Platform for Developers: Overview and Roadmap
BRK3854: How Microsoft IT Manages Identity in a Hybrid Cloud World
BRK3332: Microsoft Azure Active Directory and Windows 10: Better Together for Work or School
BRK4850: Developing Web and Cross Platform Mobile Apps with Azure Active Directory
BRK3873: Protecting Windows and Microsoft Azure AD with Privileged Access Management
BRK3857: Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory
© 2015 Microsoft Corporation. All rights reserved.
Drill down: 1. Basic Connectivity
[Diagram sequence: a connector in the Contoso corpnet/DMZ connects out to the service and receives settings and updates; the internal app http://webapp1/ is published externally as https://app1-contoso.msappproxy.net/]
Drill down: 2. Preauthentication
[Diagram: a user request to http://app1-contoso.msappproxy.net/ is authenticated in the cloud before any traffic reaches the connector in the Contoso corpnet/DMZ]
Drill down: 3. Single Sign On
[Diagram: the Azure AD token for the user ([email protected]) is passed to the connector in the Contoso corpnet/DMZ, which obtains a Kerberos ticket for the same user ([email protected]) and presents it to the backend app]
Works better with Office 365
Seamless single sign-on from all Office 365 apps
Add on-prem apps to the Office 365 App Launcher
Same identity and security infrastructure for your on-prem apps and Office 365