Testing Azure Active Directory Application Proxy with Apache Web Server

Hello Folks!

Feeling great to be back from this weeny sabbatical. A few days back, I was working with a client of mine who wanted one of their intranet apps to be accessible outside their network. I suggested that they use Azure AD Application Proxy to publish their applications outside their network, but ended up being trapped in my own complications. They were using Apache Web Server to design and code their web applications, and I had no prior experience in publishing any applications other than those based on IIS. This haunted me until the day I tested publishing an Apache-based web application outside the intranet myself. This blog post was written solely to conclude that your Application Proxy connector server must have an HTTPS connection to the applications that you intend to publish. See Azure AD Application Proxy for further details. In the rest of the blog post, I will cover "How to test Azure AD Application Proxy with Apache Web Server in your test environment".

Prerequisites:

  1. A Microsoft Azure AD basic or premium subscription and an Azure AD directory for which you are a global administrator.
  2. Two VMs will be required to test this scenario.
    On one VM, the web application will be installed. Here, this will be an Apache-based web application (Apache installation steps are shown below).
    On the second VM, the Azure AD Proxy Connector will be installed. The Connector maintains an outbound connection from within your network to the proxy service. When users access a published application, the proxy uses this connection to provide access to the application.
    Make sure that both VMs are on the same network and can ping each other.
    Note: Make sure the VM on which the connector is to be installed is running Windows Server 2012 R2, Windows 8.1 or a higher OS.
  3. If a firewall is placed in the path, make sure the firewall is open to allow HTTPS (TCP) requests that originate from the Connector to the Application Proxy. Make sure to open all the following ports to outbound traffic:
    | Port number | Description |
    | --- | --- |
    | 80 | To enable outbound HTTP traffic for security validation. |
    | 443 | To enable user authentication against Azure AD (required only for the Connector registration process) |
    | 10100 – 10120 | To enable LOB HTTP responses sent back to the proxy |
    | 9352, 5671 | To enable communication between the Connector toward the Azure service for incoming requests. |
    | 9350 | Optional, to enable better performance for incoming requests |
    | 8080 | To enable the Connector bootstrap sequence and Connector automatic update |
    | 9090 | To enable Connector registration (required only for the Connector registration process) |
    | 9091 | To enable Connector trust certificate automatic renewal |

Step 1: Installing Apache HTTP Server Project on Web App Server VM (1st VM):

The Apache HTTP Server Project itself does not provide binary releases of software, only source code.

If you cannot compile the Apache HTTP Server yourself, you can obtain a binary package from numerous binary distributions available on the Internet.

Popular options for deploying Apache httpd, and, optionally, PHP and MySQL, on Microsoft Windows, include:

In this example, we will work with XAMPP. You can download the setup from the Download XAMPP page.

After downloading, install XAMPP Server on your first VM.

  1. Double-click the XAMPP setup file and click OK on the prompt that appears.
  2. Choose the default settings and click Next.
  3. Choose a desired folder and click Next.
  4. Follow the setup steps and click Next until the installation starts. The setup will start unpacking the setup files. After the unpacking is completed, tick the checkbox and press Finish.
  5. This will open the XAMPP Control Panel. Click the Start button corresponding to the Apache module.
  6. Close the XAMPP Control Panel. Try accessing localhost in Internet Explorer by typing:

    http://localhost

  7. Now your sample Apache web application has been successfully built and published in the intranet. You can confirm this by going to your 2nd VM, on which the Azure AD connector will be installed. Since these two VMs are in the same network, you can access the Apache web application using Internet Explorer or any other browser in the 2nd VM by typing:

    http://<your VM1’s name>
    For example: http://apacheservervm
    To know the name of your host, you can go to cmd and type ‘whoami’.

  8. This confirms that your connector VM can send HTTPS requests to the Web Server VM.

Step 2: Enabling Azure AD Application Proxy connector using 2nd VM.

All of the following steps should be performed in the 2nd VM on which we will later install the proxy connector.

  1. Log in to the Azure Management Portal using your Azure credentials or your Azure AD credentials. Navigate to your Azure Active Directory and click on the Configure tab.
  2. Scroll down to the application proxy section and enable Application Proxy Services for the current directory.

Step 3: Installing the Proxy Connector
(To be performed in 2nd VM again)

  1. Download the connector by clicking on the Download now button. Save the setup file locally and launch it by double-clicking on it. Once the setup starts, you will be prompted to enter the AD credentials. Enter your Azure AD global administrator credentials and proceed.
  2. To confirm whether your installation was successful, go to Services in the 2nd VM and confirm that the Microsoft AAD Application Proxy Connector service is running.

Step 4: Configuring Azure AD proxy connector to point to webserver.

  1. Go to the Applications tab in your Azure AD and click on Add in the ribbon at the bottom.
  2. Click Publish an application that will be accessible from outside your network.
  3. Enter the details of the application, including the internal URL.
    You can choose from two authentication options available. In this blog post, I will be using Passthrough so that the app is accessible to any user whether inside or outside of my organization. Click the tick button.
  4. In your Applications tab, choose the application that you just created.
  5. In the Configure tab, scroll down and note down the External URL.
  6. On any PC, whether inside or outside of your intranet, you will be able to access the intranet application using the URL generated in the Azure portal above.

Congrats! You have successfully published your intranet Apache web application using proxy connector.
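
A check script for the reachability test in Step 1 (items 7 and 8), the service check in Step 3 and the authentication choice in Step 4, as an added example that is not part of the original post. It assumes Windows PowerShell on the connector VM; `apacheservervm` is the post's example host name, `ExternalUrl` is the value you noted in the portal, and reading a redirect to a different host as a sign-in redirect is an assumption.

```powershell
# Added example, not from the original post. Run in Windows PowerShell on the connector VM (2nd VM).
param(
    [string]$InternalHost = 'apacheservervm',       # example VM1 name used in the post
    [Parameter(Mandatory)][string]$ExternalUrl      # the External URL noted in Step 4
)

function Get-HttpProbe {
    param([Parameter(Mandatory)][string]$Url)
    $r = [ordered]@{ Url = $Url; Status = $null; Location = $null; Error = $null }
    $resp = $null
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 5000
        $req.AllowAutoRedirect = $false   # keep a 3xx visible instead of following it
        $resp = $req.GetResponse()
    } catch {
        # Method-call errors arrive wrapped; walk down to the WebException if there is one
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        # WebException status: ConnectFailure, TrustFailure, ProtocolError, ...; otherwise e.g. malformed URL
        $r.Error = if ($ex) { $ex.Status.ToString() } else { $_.Exception.Message }
        if ($ex) { $resp = $ex.Response }   # present when the server answered 4xx/5xx
    }
    if ($resp) {
        $r.Status = [int]$resp.StatusCode
        $r.Location = $resp.Headers['Location']
        $resp.Close()
    }
    [pscustomobject]$r
}

# 1. Which scheme does the internal app answer on, and is its certificate trusted here?
$internal = 'http', 'https' | ForEach-Object { Get-HttpProbe ('{0}://{1}/' -f $_, $InternalHost) }

# 2. Connector service state (display name as given in Step 3)
$svc = Get-Service -DisplayName 'Microsoft AAD Application Proxy Connector*' -ErrorAction SilentlyContinue

# 3. Published URL: direct answer (Passthrough) or redirect to another host first?
$ext = Get-HttpProbe $ExternalUrl
$mode = 'no HTTP response'
if ($ext.Status) { $mode = 'answers directly, no sign-in redirect' }
if ($ext.Status -ge 300 -and $ext.Status -lt 400 -and $ext.Location) {
    $target = New-Object System.Uri -ArgumentList ([uri]$ExternalUrl), $ext.Location
    if ($target.Host -ne ([uri]$ExternalUrl).Host) { $mode = "redirects to $($target.Host) first (assumed sign-in)" }
}

$internal | Format-Table Url, Status, Error -AutoSize
'Connector service : ' + $(if ($svc) { $svc.Status } else { 'not found' })
"External URL      : $($ext.Status) $mode"
```

A `TrustFailure` in the `https` row means the connector VM could not validate the web server's certificate; a `ConnectFailure` means nothing is listening on that scheme's port.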

 
