Azure Application Proxy: Notes from the field

March 10, 2015 at 11:54 am in Uncategorized by nsienaert

Hi All,

Introduction

Microsoft recently released the Application Proxy (AP) as part of Azure AD Premium.

With Windows Server 2012 R2 Microsoft released the Web Application Proxy (WAP), the new reverse proxy component you can use to publish internal resources to the internet. You typically place the WAP in the DMZ, which most of the time means extra complexity. Because of that, Microsoft released AP in Azure so you can integrate the same service easily without putting a component in your DMZ.

Be aware that AP only supports HTTP(S) applications today.

I'm not going to explain how to set this up or what the requirements are. That is already explained here:

https://msdn.microsoft.com/en-us/library/azure/dn768214.aspx

In this blog I will focus more on troubleshooting.

The problem

The issue I was facing was the following: I published an internal application into Azure, but when I tried to open the application from "myapps.microsoft.com" I saw an error page like this.

[Screenshot wap2: the error page shown when opening the application from myapps.microsoft.com]

The troubleshooting steps

Connection to Azure Service OK?

As described in the article above, some firewall ports need to be opened to make sure the AP Connector can talk correctly with the Azure Service.

So that's the first thing to check: can we reach the Azure Service correctly? To verify that, open the following URLs in a browser on the machine where you installed the AP Connector. They tell you whether the required communication ports are open and whether you can reach the Azure Service.

https://test.bootstrap.msappproxy.net:8080/bootstrap (you should be prompted for a certificate)

http://testport.cloudapp.net/ (you should see green check marks)

What is the Event Viewer telling you?

The best logging of Azure Application Proxy can be found in the Event Viewer (eventvwr). As you can see, some dedicated folders are created.

I saw the error below, where the AP has problems downloading the latest configuration.

[Screenshot WAP1: Event Viewer error, the connector failing to download its latest configuration]

So despite the fact that my firewall ports were OK, I still had an issue with the communication between the AP Connector and the Azure Service.

The AP Service

If you install the AP Connector, two services are installed. Of course, check that these are running correctly.

[Screenshot WAP3: the two AP Connector services in the Services console]
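The three checks above (Azure Service reachability, the two connector services, and whether the connector config already bypasses the system proxy) can be scripted from an elevated PowerShell prompt on the connector machine. This is an added example, not a script from the original post or from Microsoft; it assumes the hostnames and ports from the post, the default install path, and that the service display names start with "Microsoft AAD Application Proxy" (confirm with Get-Service). Note the caveat that is exactly the root cause of this post: the script runs as the logged-on user, not as the connector's service account, so identity-based proxy rules are not exercised by this test.

```powershell
# Added example (not from the original post): pre-flight check on the AP Connector host.
# Assumptions: endpoints from the post; default install path; service display name prefix.
# Runs as the interactive user, so a proxy that only admits domain accounts will look fine here
# even when the connector (running as Network Service) is blocked.

# 1) TCP reachability of the two test endpoints mentioned in the post
$endpoints = @(
    @{ Host = 'test.bootstrap.msappproxy.net'; Port = 8080 },
    @{ Host = 'testport.cloudapp.net';          Port = 80   }
)

foreach ($ep in $endpoints) {
    $r = Test-NetConnection -ComputerName $ep.Host -Port $ep.Port -WarningAction SilentlyContinue
    '{0}:{1} TCP reachable = {2}' -f $ep.Host, $ep.Port, $r.TcpTestSucceeded
}

# 2) State of the connector services (display name prefix assumed; adjust if it differs)
Get-Service -DisplayName 'Microsoft AAD Application Proxy*' |
    Select-Object DisplayName, Status

# 3) Does the connector config already tell .NET to ignore the system proxy?
$configPath = 'C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config'
if (Test-Path -Path $configPath) {
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $proxyNode = $cfg.configuration.SelectSingleNode('system.net/defaultProxy')
    if ($proxyNode -and $proxyNode.GetAttribute('enabled') -eq 'false') {
        'defaultProxy is disabled: the connector bypasses the system proxy'
    } else {
        'defaultProxy not disabled: the connector follows the system proxy settings'
    }
} else {
    "Connector config not found at $configPath"
}
```

If the TCP tests succeed and the services are running but the Event Viewer still shows configuration download errors, the next place to look is how the proxy treats the Network Service account, which is what the rest of this post is about.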

The ROOT Cause

My customer had a proxy configuration that only allowed internet traffic generated by domain accounts. I didn't notice that when testing the two URLs above, because at that time I was a domain user entering the URLs into a browser. The traffic that the connector generates towards the Azure Service, however, runs under the Network Service account...

The Solution

Make sure the Connector ignores the proxy settings! So how do you do that?

1) Go to the installation path of your AP Connector: C:\Program Files\Microsoft AAD App Proxy Connector.
2) Edit the following file: ApplicationProxyConnectorService.exe.config

3) Add the system.net section shown below at the end of the file (the rest of the file is what was already there):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="TraceFilename" value="AadAppProxyConnector.log" />
  </appSettings>
  <system.net>
    <!-- Stop the connector from using the system (WinINET/WinHTTP) proxy settings -->
    <defaultProxy enabled="false">
    </defaultProxy>
  </system.net>
</configuration>

4) Restart the Microsoft AAD Application Proxy Connector service.
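Steps 1 to 4 can be applied as one script, which is handy when you have several connectors to fix. This is an added example, not a script from the original post or from Microsoft; it assumes the default install path and file name from the post and the service display name "Microsoft AAD Application Proxy Connector" (confirm with Get-Service). It makes a backup first, only adds the system.net/defaultProxy element if it is not already there, and restarts the service so the change takes effect.

```powershell
# Added example (not from the original post): make the AP Connector ignore the system proxy
# and restart it. Run from an elevated PowerShell prompt on the connector machine.
# Assumptions: default install path and config file name; service display name as in the post.

$configPath  = 'C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config'
$serviceName = 'Microsoft AAD Application Proxy Connector'   # display name, assumed

# Keep a copy of the original config so the change can be rolled back
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

[xml]$xml = Get-Content -Path $configPath -Raw

# <system.net> directly under <configuration>; create it if missing
$sysNet = $xml.configuration.SelectSingleNode('system.net')
if (-not $sysNet) {
    $sysNet = $xml.CreateElement('system.net')
    [void]$xml.configuration.AppendChild($sysNet)
}

# <defaultProxy enabled="false"/> inside <system.net>; create or update it
$defaultProxy = $sysNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) {
    $defaultProxy = $xml.CreateElement('defaultProxy')
    [void]$sysNet.AppendChild($defaultProxy)
}
$defaultProxy.SetAttribute('enabled', 'false')

$xml.Save($configPath)
"Updated $configPath (backup at $configPath.bak)"

# Restart the connector so the new setting is picked up
$svc = Get-Service -DisplayName $serviceName -ErrorAction Stop
Restart-Service -InputObject $svc -Force
Get-Service -DisplayName $serviceName | Select-Object DisplayName, Status
```

After the restart, watch the connector's Event Viewer folders for a minute: the configuration download errors from earlier should stop appearing.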

You should immediately see the errors disappearing in your Event Viewer:

[Screenshot wap4: Event Viewer after the change, no more configuration download errors]

From now on your application should be reachable from "myapps.microsoft.com".

Conclusion:

Actually nothing new: be careful with proxy servers!

Till next time!

@nsienaert
