In today’s post, we will be discussing how to set up remote access to an on-premises SCSM and Cireson instance, using Azure tools. The goal is to allow employees to access their organization’s Cireson Service Manager Portal externally, without requiring complex infrastructure or a VPN. Some of the other ways to approach this are addressed in Part 1 of this series.
For our deep dive today, we are under the impression that all pre-requisites have been met from Part 1, which includes Azure AD Connect installed and synchronized. The components that we will be installing and configuring today include Azure Application Proxy and Enterprise Application. For this demo we have the Cireson portal set up for Windows Authentication and we are going to configure Azure for pre-authentication to allow for SSO using Azure credentials. There are quite a few configurations, such as passthrough, Single Sign-on (SSO), and Multi-Factor Authentication, and we will cover some of those as well. Let’s dive in!
Installation of the Azure Application Proxy
Step 1: In the Azure portal go the Azure Active Directory.
Next, open the Application Proxy tab.
Step 2: Download connector service and accept terms of service.
Step 3: Install the Application proxy connector on an on-premises server (AppProxy01.test.lab in this case). This can be on the web content server or on its own dedicated server. To install the connector right click AADApplicationProxyConnectorInstaller.exe and run as Administrator.
Step 4: Accept the license terms and conditions and select install.
Step 5: Enter the credentials of a global admin.
Step 6: Verify the setup was successful. There are three things to look for to determine if this was installed correctly.
- Setup Successful on window
2. Verify the two services were installed
3. Go to the Azure portal > Azure Active Directory > Application Proxy and verify that 1) your connector shows up 2) Status is Active/Green 3) Enable Application Proxy
Create the Azure Enterprise Application
Step 1: Go to the Azure Portal > Azure Active Directory > Enterprise applications > + New Application
Step 2: Select Add an on-premises application
Step 3: Configure Enterprise Application (Cireson Portal)
- Name – Display name of the application.
- Internal URL – This is the URL to access the application from inside your private network.
- External URL – This is the URL to access the application from outside your private network. To access your application using a custom domain you must configure a CNAME entry in your DNS provider which points your desired external URL to the provided msappproxy.net URL.
- Pre Authentication – Defines how the Application Proxy pre-authenticates users before providing access to the application on your private network. You have two options here Passthrough and Azure Active Directory (AAD)
- A) Passthrough exposes the Cireson portal externally and allows users to sign in directly using an on-premise account. Passthrough is best used when the Cireson portal is configured to use forms authentication.
- B) AAD forces users to authenticate using O365 account and therefore use SSO or multifactor authentication methods.
- Connector Group – You can associate this application with a specific connector group. This enables you to isolate applications per network and connector.
Step 4: Specify which Azure AD users are allowed to access your new Enterprise Application. To achieve this open Azure portal > Azure Active Directory > Enterprise Application > and select your app.
Step 6: Select Assign users and groups.
Step 7: Select Add User and Add any users or groups needed to access the Cireson Application from the Azure AD.
Step 8: Set up single Sign on. To achieve this open Azure portal > Azure Active Directory > Enterprise Application > and select your app.
Step 9: Select Windows Integrated Authentication.
Step 10: Configure SSO mode.
- Internal Application SPN – This is the service principal name of the internal network application. This SPN will be used by application proxy to provide SSO to your private network application.
- **The SPN should not be a URL. SPN syntax is <service class>/<host>:<port>/<service name>.**
- Delegated Login Identity – This enables you to define the delegated identity to be sent for authentication in your on-premises AD when there is a disparity between user login identities.
Step 11: Set Multi-Factor Authentication (Optional). Select conditional Access from Azure portal > Azure Active Directory > Enterprise Application > Your App.
Step 12: Select New Policy (Optional).
Step 13: Configure Conditional Access (Optional).
- Name – Policy name
- Users and groups – Users this policy will apply to
- Cloud apps or actions – The application this policy applies to
- Grant – Block access or select additional requirements which need to be met to allow access. In this case Multi-Factor authentication.
Step 14: Enable policy and Save (Optional).
Step 15: Configure computer delegation for the application proxy server. This gives the app proxy server the rights to impersonate users that are authenticated in Azure with the Cireson web content server. In my case, AppProxy01.test.lab needs delegation to SCSM.test.lab. To achieve this in on-premises Active Directory follow these steps:
- Find the computer AppProxy01 > Delegation tab
- Select Trust this computer for delegation to specified services only
- Select use any authentication protocol
- Select the add button and locate the Cireson web content server
- Select Service Type = http
6. Select OK and finish
With this complete you are now ready to test out the newly published Cireson portal using a combination of on-premises infrastructure and Azure. Keep in mind that it may take some time for the AD delegation to take effect. To verify access, go to myapps.microsoft.com and select on the Cireson portal application.
It should open right up!
As you can see, setting up the Azure App Proxy and Enterprise Application were quick, and the requirements to do so were lean. We have some additional layers of security using this approach, such as specifying which users have access to the application and streamlined multifactor authentication. The flow of traffic from the internet to your Service Manager Portal instance is clearly defined, trackable, and easy to disable if need be. All-in-all, it’s a great approach to consider when you have a need to access your Service Manager Portal instance externally.