The way we connect to our work environments has been drastically changed as more companies go remote. Recently at Cireson, we’ve had multiple clients engage us about all of the options we have to expose an on-premises System Center Service Manager (SCSM) and Cireson Service Manager Portal (SMP) instance outside of the their secure network. This prompted us to come up with some best practices on creating a hybrid environment – but first let’s dig into defining some terms and pre-requisites

In this blog series, we will be discussing a couple different approaches. These approaches are:  

  1. Azure Application ProxyThis method is a combination of on-premises infrastructure and Azure AD to allow users to sign into the portal (onsite/remote) with one identity. There is no need for additional VPN or additional web content servers in a DMZ. 
  2. DMZ with External AccessThis includes deploying a web content server in the DMZ, a load balancer, and reverse proxy. There is another blog post that details this method here. 

Before we dive into the details of each approach, the first part of this series will simply define some terms and set the stage for what we will discuss. In the second part, we will dive into the Hybrid Environment approach using an Azure Application Proxy. Note that the DMZ with External Access was already covered in a Cireson blog, so it is recommended to check that out as an extension to this series (link above). 

What is Azure Active Directory and How is it Different from Active Directory? 

Active Directory Domain Services (AD DS, or simply AD) is a Microsoft technology used by administrators to create and manage domains, users, computers, and other devices on a network. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information. AD stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. 

Azure Active Directory (Azure AD, or AAD) is Microsoft’s cloud-based identity and access management service, which help your employees sign in and access internal and external company resources. External resources include products such as Microsoft 365, Azure Portal, and thousands of other SaaS applications. Internal resources include but are not limited to apps on your corporate network and intranet, along with any cloud apps developed by your own organization.  

Azure AD is not and was not built to be a cloud replacement for Active Directory (AD). Azure AD is not simply a directory or domain controller in the cloud. As mentioned earlier, Azure AD is an Identity and Access Management (IAM) tool for cloud and hybrid environments. Think of Azure AD as an extension of AD, not a replacement 

What is a Hybrid Environment? 

Hybrid environment refers to a combination of computers, users, services, and storage consisting of on-premises infrastructure (AD), and cloud services (Azure AD). For Instance, you may host most of your application servers on-prem but use Azure SQL Database in the cloud. This combination is referred to as a hybrid environment. 

What is a Hybrid Identity? 

During these times of remote work, it has become more important than ever that businesses use a combination of cloud/on-premises applications to reach their employees. Employees require access to both environments, and this can be difficult to achieve; however, using Azure AD as an extension of AD we can create a solution where there is one identity for authentication across your hybrid environment. 

 

 

Azure AD Connect 

This is a connector that is downloaded and installed on-premises to synchronize Active Directory to Azure AD and Microsoft Office 365. With this tool Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications. 

Azure App Proxy Pre-Requisites  

If the pre-requisites are met  the App Proxy is secure, dynamic, and doesn’t require any third-party VPN or Server in the DMZ to manage. The pre-requisites are as follows: 

  1. AD Connect installed and configured with Password Hash synchronization or Pass-Through Authentication sign on method 
  2. On Premise server to host an application proxy connector 

In Part 2 of this blog post we will be going into a deep dive on setting up a Hybrid SCSM/Portal environment with an Azure App Proxy. 

If you have any questions about the topics covered in this blog – please feel free to reach out to use at team@cireson.com.