Azure Entra ID Application Proxy


Technical Documentation

Using Azure Microsoft Entra ID Application Proxy for MFA and SSO

Summary

Microsoft Entra ID Application Proxy (formerly known as Azure Active Directory Application Proxy) provides secure remote access to on-premises web applications. After a single sign-on to Microsoft Entra ID, users can access both cloud and on-premises applications through an external URL or an internal application portal.

Microsoft Entra ID Application Proxy can be used in a Nasuni environment to provide additional security to Nasuni’s Web Access and Nasuni Management Console (NMC) UI. A simple example is leveraging Microsoft Entra ID’s Multi-Factor Authentication (MFA) support. More complex scenarios involve robust Conditional Access policies that enforce geographic limitations and client security posture checks.

Important: For a customer to use Microsoft Entra ID Application Proxy, the customer must have Microsoft Entra ID, Application Proxy, and either Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (AAD DS).

Note: As of June 2020, Microsoft Entra ID App Proxy and Conditional Access require a Microsoft Entra ID P1 or P2 license.

Architecture

Microsoft Entra ID Application Proxy makes use of a connector installed on a Windows Server in the customer’s network. The connector creates outbound connections to the Application Proxy Service in Microsoft Entra ID. This does not require the customer to open any inbound ports on their firewall.

  1. User is directed to the Microsoft Entra sign-in page.

  2. After successful sign-in (client passes all conditional access policies), a token is returned to the user.

  3. The client sends the token to the Application Proxy Service, which passes it along to the Application Proxy Connector.

  4. The Connector performs any additional authentication required with on-premises Active Directory.

  5. The Connector sends the request to the Edge Appliance or NMC.

  6. The Edge Appliance’s or NMC’s response is sent via the Connector back to the user.

Limiting Access Outside of Microsoft Entra ID Application Proxy

In order to limit access to the Nasuni admin interface from clients not traversing Microsoft Entra ID Application Proxy, firewall rules in the network or at the appliance level can be used.

Note: Before configuring the firewall rules, ensure that you are able to access the NMC or Edge Appliance via Microsoft Entra ID Application Proxy. After changing the firewall, if you have issues accessing the NMC or Edge Appliance, run the “resetfirewall” command on the Service console of the NMC or Edge Appliance to allow any host to connect to the UI again.

To limit access to the Nasuni Management Console web interface from clients not traversing Microsoft Entra ID App Proxy, follow these steps:

  1. Log in to the NMC and click “Console Settings”.

  2. In the navigation pane on the left, click “Firewall”.

  3. In the “UI Hosts” field, enter the IP addresses of the servers running the App Proxy Connector.

  4. Click “Save Firewall Settings”.

To limit access to the Nasuni Edge Appliance admin interface from clients not traversing Microsoft Entra ID Application Proxy, follow these steps:

  1. Log in to the Edge Appliance’s admin interface and click “Configuration”.

  2. Select “Firewall” from the menu.

  3. In the “Filer GUI Hosts” field, enter the IP addresses of the servers running the App Proxy Connector.

  4. Click “Save Firewall Settings”.
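Both procedures rely on the same rule: only clients whose source address appears in the list may reach the admin UI, and the Note above warns what happens when a connector address is missing from it. The following Python is an added example written for this page, not Nasuni's firewall code. It assumes the appliance compares the client's source IP against the listed entries (CIDR entries are accepted here for convenience; the appliance fields document plain IP addresses), that an empty list allows any host (the state “resetfirewall” restores), and the connector addresses 10.20.0.11 and 10.20.0.12 are constructed sample values.

```python
"""Dry-run of the "UI Hosts" / "Filer GUI Hosts" allow-list before saving it.

Added example for this page, not Nasuni's own firewall implementation.
Assumptions: matching is by client source address; an empty list means any
host may connect (what "resetfirewall" restores); CIDR entries are tolerated.
"""
import ipaddress
from typing import Iterable, List


def parse_hosts(entries: Iterable[str]) -> list:
    """Turn allow-list entries into network objects.

    A bare address such as "10.20.0.11" becomes a host route (/32 or /128);
    "10.20.0.0/24" is kept as a range (assumption, see module docstring).
    """
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def is_ui_access_allowed(src_ip: str, allowed_entries: Iterable[str]) -> bool:
    """True if a client at src_ip may reach the admin UI under this list."""
    nets = parse_hosts(allowed_entries)
    if not nets:
        return True  # empty list: no restriction (assumed default / reset state)
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


def lockout_risks(allowed_entries: Iterable[str], connector_ips: Iterable[str]) -> List[str]:
    """Connector addresses the proposed list would block.

    Anything returned here means App Proxy traffic would be cut off the moment
    the list is saved, so fix the list instead of saving and reaching for
    "resetfirewall" afterwards.
    """
    entries = list(allowed_entries)
    return [ip for ip in connector_ips if not is_ui_access_allowed(ip, entries)]


if __name__ == "__main__":
    # Constructed sample values: two connector servers, one forgotten in the list.
    connectors = ["10.20.0.11", "10.20.0.12"]
    proposed = ["10.20.0.11"]
    print("blocked connectors:", lockout_risks(proposed, connectors))
    print("internet client allowed:", is_ui_access_allowed("203.0.113.5", proposed))
```

Run the pre-check with the exact strings you intend to type into the field; if `lockout_risks` returns anything, the list is incomplete.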

Publishing a Nasuni App

Before an app can be published with Microsoft Entra ID Application Proxy, you need the necessary Microsoft Entra ID P1 or P2 license. Also, user accounts must be synchronized from an on-premises directory, or created directly within Microsoft Entra ID. License acquisition and Microsoft Entra ID Sync are not covered in this documentation.

App Proxy Connector

The App Proxy Connector must be installed on a Windows server running Windows Server 2016 or later. The connector must be able to connect to the Microsoft Entra ID App Proxy service running in Azure, via TCP/80 and TCP/443, and to the Nasuni appliances to be published via Microsoft Entra ID App Proxy. The server running the connector should be as close to the Nasuni appliances as possible to ensure the best performance. Multiple connectors can be deployed for high availability and performance.
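The outbound requirements above are easy to verify from the prospective connector server before running the installer. The Python below is an added example, not part of Microsoft's or Nasuni's tooling: it attempts plain TCP connections on 80 and 443 to the endpoints the connector needs. The Entra sign-in host is a real endpoint; the App Proxy service hostname and the two Nasuni appliance names are placeholders to be replaced from Microsoft's connector prerequisites documentation and your own DNS.

```python
"""Outbound connectivity pre-check for an App Proxy Connector host.

Added example (not Microsoft's or Nasuni's code). It only opens TCP
connections outward, matching the connector's outbound-only design; nothing
needs to listen on the connector host. Hostnames marked as placeholders are
assumptions and must be replaced with the values for your tenant and network.
"""
import socket
from typing import Dict, List, Tuple

# Constructed target list: (label, host, port).
TARGETS = [
    ("Entra sign-in (443)",            "login.microsoftonline.com", 443),
    ("App Proxy service (80)",         "REPLACE-ME.msappproxy.net", 80),    # placeholder
    ("App Proxy service (443)",        "REPLACE-ME.msappproxy.net", 443),   # placeholder
    ("NMC UI (443)",                   "nmc.corp.example", 443),            # assumed internal name
    ("Edge Appliance Web Access (443)", "webaccess-filer.corp.example", 443),  # assumed internal name
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP handshake to host:port and report (ok, detail).

    DNS failures are reported separately from refused/timed-out connections
    because they point at different fixes (name resolution vs. firewall rule).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"DNS failure: {exc}"
    except OSError as exc:  # refused, timed out, unreachable, ...
        return False, f"{type(exc).__name__}: {exc}"


def run_checks(targets=TARGETS, timeout: float = 3.0) -> Dict[str, Tuple[bool, str]]:
    """Check every target and key the results by label."""
    return {label: check_tcp(host, port, timeout) for label, host, port in targets}


def failed(results: Dict[str, Tuple[bool, str]]) -> List[str]:
    """Labels of targets that could not be reached."""
    return [label for label, (ok, _) in results.items() if not ok]


def local_listener() -> Tuple[socket.socket, int]:
    """Helper for self-testing: a socket listening on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results = run_checks()
    for label, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
    raise SystemExit(1 if failed(results) else 0)
```

Run it on the Windows Server that will host the connector, from the account context that will run the service, so proxy and firewall rules that apply to that context are exercised.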

Installing the Connector

  1. Sign in to the Azure portal.

  2. In the left navigation panel, click Microsoft Entra ID.

  3. Under Manage, click Application proxy.

  4. Click Download connector service.

  5. Read the Terms of Service, then click Accept terms & Download.

  6. After the download completes, run the executable wizard.

  7. Follow the instructions in the wizard to install the service. You are prompted to link the connector to your Azure tenant by logging into Azure.

Adding the Nasuni App

To add the Nasuni app, follow these steps:

  1. Sign in to the Azure portal.

  2. In the left navigation panel, click Microsoft Entra ID.

  3. Click Enterprise applications, and then click New application.

  4. In the On-premises applications section, click Add an on-premises application.

  5. In the Add your own on-premises application section, provide the following information about your Nasuni app:

     Name: The name of the Nasuni app, such as “Nasuni Web Access” or “Nasuni Management Console”.

     Internal URL: The URL for the Nasuni app, such as https://webaccess_filer/ or https://nmc.

     External URL: The address for users to access the app from outside your network.

     Pre Authentication: Setting this to Microsoft Entra ID requires users to authenticate with Microsoft Entra ID first, thereby allowing you to enforce access policies, including MFA.

     Connector Group: Used to help you organize multiple connectors and apps by region, network, or purpose. Select Default or the appropriate group.

  6. Click Add.

After adding the application, you can provide a custom logo by going to the Properties of the application and uploading a Logo.

Installing a Certificate

If you are using a custom external URL, you must upload an appropriate certificate after creating the app. Follow these instructions:

  1. Sign into the Azure portal.

  2. Click Microsoft Entra ID > Enterprise applications > All applications.

  3. From the list, select the Nasuni app.

  4. Click Application Proxy.

  5. At the bottom of the settings pane, click “Click here to upload a certificate”.

  6. Supply the appropriate certificate and password (if the certificate is password protected) and click “Upload Certificate”.

Single Sign-on (SSO) with Password Vaulting

Nasuni supports using Microsoft Entra ID App Proxy Password Vaulting for SSO. With password vaulting, users sign in once to the Nasuni appliance. After that, Microsoft Entra ID stores their sign-in information and automatically fills in the login form on behalf of the user. The automatic filling in of the form requires the access panel browser extension to be installed on the client (see link at the end of the document).

Setting Up Password Vaulting

To set up password vaulting, follow these steps:

  1. Sign into the Azure portal.

  2. Click Microsoft Entra ID > Enterprise applications > All applications.

  3. From the list, select the Nasuni app.

  4. Click Application Proxy.

  5. Change the Pre Authentication type to Passthrough, then click Save.

  6. Click Single sign-on.

  7. For the SSO mode, choose Password-based Sign-on.

  8. For the Sign-on URL, enter the URL for the login page of the Nasuni appliance.

  9. Click Save.

  10. Click Application Proxy.

  11. Change the Pre Authentication type to Microsoft Entra ID, and click Save.

  12. Click Users and Groups.

  13. Assign users to the application by clicking Add user.

  14. To pre-define credentials for a user, select the box next to the user name, and click Update credentials.

  15. Click Microsoft Entra ID > App registrations > All applications.

  16. From the list, select the Nasuni app.

  17. Click Branding.

  18. Update the Home page URL with the Sign on URL from the Password SSO page and click Save.

Test Login

After creating the app, configuring password vaulting, and assigning the app to users, you can test the login by following these steps:

  1. Visit https://myapplications.microsoft.com and log in as a user to whom the app has been assigned.

  2. If the user has SSO set up, they should be logged directly into their account and see their assigned applications. If not, the user is prompted to log in to Microsoft Entra ID, during which the user goes through any Conditional Access policies that have been defined, such as requiring MFA.

  3. Click the Nasuni application and a new browser window opens. The user is directed to the public URL for the application.
    If this is the first time that the user accesses the application, they must supply their login credentials. These credentials are captured and used automatically for future logins.
    If the credentials have already been captured, the browser extension automatically populates the username and password fields and submits the form.

Notes

Direct Access

Users can either be directed to the application portal or they can be provided with the external URL of the published application directly. If they use the external URL directly, they are prompted to authenticate with Microsoft Entra ID before accessing the Nasuni web interface.

Conditional Access

Applications published via Microsoft Entra ID App Proxy and configured for pre-authentication via Microsoft Entra ID can leverage Microsoft Entra ID’s Conditional Access policies. At their simplest, Conditional Access policies are if-then statements: if a user wants to access a resource, then they must complete an action. Some of the common inputs that can be used include:

  • User or group membership - target specific users or groups.

  • IP Location information - only allow logins from trusted IP address ranges or geographies.

  • Device - limit the devices from which an application can be accessed.

  • Real-time and calculated risk detection - integration with Microsoft Entra ID Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level, or be blocked from access until an administrator takes manual action.

Depending on the input above, the administrator can define what happens to login requests. This includes:

  • Block access.

  • Grant access under certain conditions:

    • require MFA.

    • require device to be marked as compliant.

    • require Hybrid Microsoft Entra ID joined device.

    • require approved client app.

    • require app protection policy.

A couple of common scenarios that Conditional Access would allow a customer to address would be:

  • Require MFA for administrators.

  • Block access to Web Access from locations where the customer has no employees.

  • Only allow logins to Web Access from organization-managed devices.
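The three scenarios above map directly onto Conditional Access policy objects, which can be created through the Microsoft Graph API as well as in the portal. The Python below is an added example written for this page, not Nasuni's or Microsoft's code. It builds each scenario as a conditionalAccessPolicy request body scoped to the published Nasuni app, runs a few local sanity checks, and posts it in report-only state first so sign-in logs can be reviewed before enforcement. The app, group and named-location ids are placeholders; the access token is assumed to come from an existing OAuth flow that carries a permission such as Policy.ReadWrite.ConditionalAccess.

```python
"""Conditional Access policies for a published Nasuni app as Graph request bodies.

Added example, not Nasuni's or Microsoft's code. Object ids below are
placeholders (constructed); replace them with the ids from your tenant.
"""
import json
import urllib.request
from typing import Dict, List

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder identifiers (constructed).
NASUNI_APP_ID = "00000000-0000-0000-0000-00000000aaaa"            # enterprise app object id
NMC_ADMINS_GROUP = "00000000-0000-0000-0000-00000000bbbb"         # group of NMC administrators
ALL_STAFF_GROUP = "00000000-0000-0000-0000-00000000cccc"          # group of Web Access users
STAFF_COUNTRIES_LOCATION = "00000000-0000-0000-0000-00000000dddd"  # named location: countries with staff

REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {"enabled", "disabled", REPORT_ONLY}


def _base(name: str, groups: List[str], state: str = REPORT_ONLY) -> Dict:
    """Policy skeleton scoped to the Nasuni app and the given groups."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [NASUNI_APP_ID]},
            "users": {"includeGroups": list(groups)},
        },
    }


def require_mfa_for_admins() -> Dict:
    """Scenario 1: administrators must satisfy MFA to reach the NMC."""
    p = _base("Nasuni NMC: require MFA for administrators", [NMC_ADMINS_GROUP])
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def block_outside_staff_locations() -> Dict:
    """Scenario 2: block Web Access sign-ins from everywhere except the named location."""
    p = _base("Nasuni Web Access: block sign-ins from countries without staff", [ALL_STAFF_GROUP])
    p["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [STAFF_COUNTRIES_LOCATION],
    }
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def require_managed_device() -> Dict:
    """Scenario 3: only organization-managed devices (compliant or hybrid-joined)."""
    p = _base("Nasuni Web Access: organization-managed devices only", [ALL_STAFF_GROUP])
    p["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}
    return p


def lint(policy: Dict) -> List[str]:
    """Local sanity checks before sending (these are not Graph's own validation)."""
    issues = []
    if policy.get("state") not in VALID_STATES:
        issues.append("unknown state")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if not controls:
        issues.append("no grant controls: policy would neither block nor require anything")
    if "block" in controls and len(controls) > 1:
        issues.append("'block' cannot be combined with other grant controls")
    users = policy.get("conditions", {}).get("users", {})
    if "All" in users.get("includeUsers", []) and not (users.get("excludeUsers") or users.get("excludeGroups")):
        issues.append("policy targets all users with no break-glass exclusion")
    return issues


def create_policy(policy: Dict, access_token: str) -> Dict:
    """POST the policy to Graph and return the created object."""
    problems = lint(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for build in (require_mfa_for_admins, block_outside_staff_locations, require_managed_device):
        body = build()
        print(body["displayName"], "->", lint(body) or "ok")
        print(json.dumps(body, indent=2))
```

Leave the policies in report-only state until the sign-in logs show the expected matches, then switch `state` to `enabled`; the break-glass check in `lint` exists because a policy that covers every user with no exclusion can lock administrators out of the tenant as well as out of the Nasuni app.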

User Credentials

Instead of having users provide their credentials on initial login, an administrator can pre-populate the credentials via the Microsoft Entra ID portal. This feature could be used to protect the local administrative account for the NMC or Edge Appliance, while still allowing users to log in with the account.

To pre-populate user credentials, follow these steps:

  1. Log in to the Microsoft Entra ID portal.

  2. Click Enterprise Applications.

  3. Click the Nasuni application.

  4. Click Users and groups.

  5. Click the user whose credentials you want to update.

  6. Click Update Credentials in the toolbar.

  7. In the Update Credentials pane, supply the appropriate credentials and click Save.

Useful Links

Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Password vaulting for single sign-on with Application Proxy:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-password-vaulting

Install the access panel browser extension:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/access-panel-extension-problem-installing

What is Conditional Access?
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Copyright © 2010-2024 Nasuni Corporation. All rights reserved.