Alex - stock.adobe.com
How to secure on-prem apps with Entra Application Proxy
There's nothing wrong with using a VPN to securely connect to on-premises web apps, but Microsoft Entra Application Proxy is an alternative with a more streamlined approach.
If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users.
Internally hosted web-based applications can be dangerous to a company's cybersecurity posture. Often, they are not enterprise-grade products, do not get proper regular maintenance and were deployed in a "set it and forget it" fashion. These on-premises web applications rarely have their access monitored and/or undergo any penetration testing on a regular basis, if at all. To reduce the attack surface, a traditional method, such as a VPN, has its place, but Microsoft Entra Application Proxy is another method for improving security, while offering a more efficient approach.
What is Microsoft Entra Application Proxy?
Entra Application Proxy, formerly Azure Active Directory Application Proxy, uses Microsoft Entra ID, formerly Azure AD, to give access to an on-premises web-based application by proxying the access request through Entra ID.
Entra Application Proxy allows anyone over the public internet -- from any device and browser -- to use single sign-on for access to an application without opening inbound connections in the corporate firewall.
There is no additional software required to run at the user end. Once authenticated at a browser login prompt, the user can access the application. If the application has its own authentication requirements, then the user sees a prompt at the app layer.
You can further secure access by requiring users to meet conditional access rules, such as limiting connections to certain countries by IP address, forcing multifactor authentication or limiting access to a certain Entra ID group. Pointing these policies at groups gives you an easy way to audit who has access to the application by checking the users who are in the linked group.
What are the reasons to use Entra Application Proxy instead of a VPN?
Historically, as more people worked remotely and needed access to these web applications, the next logical step was to use a VPN to create a secure connection over the internet to the remote device as if it were on the internal network.
The VPN method works but presents its own problems, including complex setups, such as working out the split-tunneling aspect to determine which data should go through the corporate network versus straight to the internet.
A VPN also introduces bandwidth and latency issues. For example, a user in the United States who tries to do work from Australia has a long distance for their data to travel back and forth. The VPN endpoints need enough capacity available to service all users on the VPN at their peak, or the lag leads to a poor end-user experience. There are security considerations on how a user installs and logs in to the VPN, as well as how they block malicious parties from doing the same.
Using Entra Application Proxy can bring potential cost savings in both licensing and administrative effort if a switch to Entra Application Proxy leads to the removal of your VPN.
You can get reports on the logins and usage of each application, which might not be available with alternatives to Entra Application Proxy. This is another way to raise security by following the principle of least privilege.
What are the Microsoft Entra Application Proxy prerequisites?
To use Entra Application Proxy, the user needs a Microsoft Entra ID P1 or P2 -- formerly Azure AD Premium P1 or P2 -- subscription.
Microsoft bundles Microsoft Entra ID P1 -- standalone pricing is $6 per user, per month -- in the following Microsoft 365 subscriptions: E3, F1, F3, Enterprise Mobility + Security E3 and Business Premium.
Microsoft bundles Microsoft Entra ID P2 -- standalone pricing is $9 per user, per month -- in the following Microsoft 365 subscriptions: E5, E5 Security, Enterprise Mobility + Security E5, F5 Security and F5 Security + Compliance.
The licensing covers as many web interfaces as you need, but there is a limit of 500 transactions per second for a single application and 750 transactions per second across the organization.
You also need Microsoft Entra ID set up with access to an Application Administrator account -- or an account with equivalent access. You get this license with Entra ID.
Network bandwidth requirements vary based on the on-premises web application. If you have no VPN and are not externalizing the application, there should be considerations around maximum bandwidth requirements at peak times of use by remote workers.
How do you set up Microsoft Entra Application Proxy?
The configuration of Entra Application Proxy requires just a few simple steps.
First, install an Entra Application Proxy connector on Windows Server 2012 R2 or newer. For high availability purposes, consider installing a second Entra Application Proxy connector on another server.
The connector requires a sign-in to an account with elevated privileges. Ideally, this server should be close on the network to the server that hosts the web application front end to reduce latency. The connector and the web application must be in the same AD or in multiple AD systems with a trust set up between them.
You must open the standard 80 and 443 ports for outbound traffic.
Refer to Microsoft's documentation for other requirements.
After the configuration, the connector status appears in the Microsoft Entra portal under Identity > Applications > Enterprise applications > Application proxy.
Next, add your on-premises web application to Entra ID. Include configuration information, such as the application on the Entra ID portal with specifics, including the internal URL and external URL for outside users to find the application. You have several optional settings related to application timeouts and certificate settings to further customize the way Entra Application Proxy works.
When complete, a user enters the external URL and authenticates with Microsoft Entra ID. If they pass the conditional access checks, they get access to the internal web application in a much more secure and controlled manner.
Adam Fowler is a principal solutions architect for a Microsoft partner with more than 20 years of experience in IT. He is well versed in systems administration, cybersecurity, infrastructure and project management, and operational services. Fowler has worked as an IT director and customer success account manager at Microsoft.
