Microsoft recently released the Application Proxy (AP) as part of Azure AD Premium.
With Windows Server 2012 R2 Microsoft released the Web Application Proxy (WAP), the new reverse proxy component you can use to publish internal resources to the internet. The WAP is typically placed in the DMZ, which most of the time adds extra complexity. Because of that Microsoft has released AP into Azure, so you can integrate the same service easily without placing a component in your DMZ.
Be aware that AP only supports http(s) applications today.
I'm not going to explain how to set this up and what the requirements are. This is already explained here:
In this blog I will focus more on troubleshooting.
The issue I was facing was the following: I published an internal application into Azure, but when I tried to open the application from "myapps.microsoft.com" I saw an error page like this.
The troubleshooting steps
Connection to Azure Service OK?
As described in the article above, some firewall ports need to be opened to make sure the AP Connector can talk correctly with the Azure Service.
So that's the first thing to check: can we access the Azure Service correctly? To verify that, use the following URLs to see if the required communication ports are open and if you can reach the Azure Service. Open these URLs from a browser on the machine where you have installed the AP Connector.
https://test.bootstrap.msappproxy.net:8080/bootstrap (you should be prompted for a certificate)
http://testport.cloudapp.net/ (you should see green check marks)
What is the Event Viewer telling you?
The best logging for Azure Application Proxy can be found in the Event Viewer (eventvwr). As you can see, some dedicated folders are created.
I saw the error below, where the AP has problems downloading the latest configuration.
So despite the fact that my firewall ports were OK, I still had an issue with the communication between the AP Connector and the Azure Service.
The AP Service
When you install the AP Connector, two services are installed. Of course, check that these are running correctly.
The ROOT Cause
My customer had a proxy configuration that only allowed internet traffic generated by domain accounts. I didn't notice that when testing the two URLs above, because I was a domain user at that time entering the URLs into a browser. The traffic the connector generates towards the Azure Service, however, runs under the Network Service account...
Make sure the Connector ignores proxy settings! So how do you do that?
1) Go to the installation path of your AP Connector: C:\Program Files\Microsoft AAD App Proxy Connector.
2) Edit the following file: ApplicationProxyConnectorService.exe.config
3) Add the following (in bold) at the end of the file:
<?xml version="1.0" encoding="utf-8" ?>
<add key="TraceFilename" value="AadAppProxyConnector.log" />
4) Restart the Microsoft AAD Application Proxy Connector service.
You should see immediately that the errors disappear in your Event Viewer:
From now on your application should be reachable from "myapps.microsoft.com".
Actually nothing new: be careful with proxy servers!
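The same change applied with PowerShell instead of editing the file by hand, as an added example that is not part of the original post. It assumes the install path and file name given above, that the service display name is "Microsoft AAD Application Proxy Connector", and that the element <system.net><defaultProxy enabled="false"/> is the standard .NET Framework setting that stops a process from using the machine proxy; it keeps a backup so the edit can be reverted.

```powershell
# Added example (not the post's or Microsoft's code): make the AAD App Proxy
# Connector bypass the corporate proxy by setting <defaultProxy enabled="false"/>.
# Assumed values: install path and config file name from the post, and the
# service display name as written in the post.
$configPath  = 'C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config'
$serviceName = 'Microsoft AAD Application Proxy Connector'

# Timestamped backup so the change can be rolled back if the connector misbehaves.
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

[xml]$config = Get-Content -Path $configPath -Raw
$root = $config.configuration

# <system.net> is usually absent from the shipped file; create it if needed.
$systemNet = $root.SelectSingleNode('system.net')
if (-not $systemNet) {
    $systemNet = $config.CreateElement('system.net')
    [void]$root.AppendChild($systemNet)
}

# Create or update <defaultProxy enabled="false"/> (standard .NET Framework setting).
$defaultProxy = $systemNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) {
    $defaultProxy = $config.CreateElement('defaultProxy')
    [void]$systemNet.AppendChild($defaultProxy)
}
$defaultProxy.SetAttribute('enabled', 'false')

$config.Save($configPath)

# Restart the connector so it re-reads its config, then confirm it came back up.
Restart-Service -DisplayName $serviceName
Get-Service -DisplayName $serviceName | Select-Object Status, DisplayName
```

Once the proxy is bypassed, the connector host needs direct outbound access on the ports from the setup article, so re-run the two test URLs from the connector machine and watch the Event Viewer folders for the configuration-download error to stop.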
Till next time!