Time to Implement Azure AD App Proxy

As more and more businesses adopt “working from anywhere” policies, they also face new challenges. These challenges must be met with a response that balances complexity, security and cost.

The global pandemic taught many companies and organizations that working from home is an option in any technology sector. Those organizations also realized it can be cheaper, more flexible and even more productive to have a remote workforce.

This new global reality also adds more complexity to the duties of the organization’s IT team. The IT team must now provide remote access for the remote workforce while keeping in mind the security challenges that remote access presents to the infrastructure.

Implementing remote access to the organization’s network can be complex and expensive, and can introduce security risks. Some of the reasons behind these challenges are:

  • DMZ Configuration: To expose services to the outside world, many organizations follow the marketplace norm of implementing a DMZ and placing the service inside it. DMZs minimize the exposure of internal services and workloads, but they can also become expensive, especially when their design requires additional hardware and software, not to mention the requirements for adequate security.
  • Application Configuration: This depends on the application and its requirements. Sometimes, organizations must split the application into two versions to accommodate external access while keeping the application secure (i.e., some records cannot be exposed and hosted on the external application). Application authentication and security must also be taken into consideration; more about this later.
  • VPN Exposure: When you allow your workforce to access your internal services using a VPN, you need a way to limit what users can reach on the internal network over the VPN connection, without giving the outside world access. If there are any errors in your configurations, you will expose the entire internal network, even though you are using a VPN.

There are many other challenges, but those above are examples from each category that must be overcome, and organizations must balance complexity, cost and security.

Balance your Challenges:

To keep your business functioning while keeping your workforce and services secure, you must find a way to balance complexity, security and cost. The easiest and fastest way to balance these considerations is to use the Azure AD Application Proxy.

To better understand Azure AD Application Proxy, let’s consider the following scenario: Organization A wants to allow a remote workforce to access the organization’s intranet without:

  • Redesigning the architecture of the network
  • Redesigning the intranet web application
  • Reconfiguring the company firewall
  • Lowering the service attach network cost by exposing only one application to the outside world

The above requirements came in addition to more robust security requirements, such as two-factor authentication or others.

To implement a solution that achieves the above, Organization A can use an Azure AD Application Proxy by following the very simple steps shown below:

  1. Configure an Azure AD Application Proxy
  2. Download the application connector
  3. Install the connector on the application server (On-prem or cloud)
  4. Set User Permissions
  5. Done

With those steps above, Organization A was able to achieve all the objectives highlighted previously, in addition to the security requirements of two-factor authentication, without adding complexity and cost.

The diagram below shows how the Application Proxy operates:

Summary

In this blog post, I introduced you to the Azure AD Application Proxy. This post is to prepare you for the next blog post, where we will deploy the Azure AD Application Proxy to allow on-premises applications to be securely accessible from the internet. To learn more about the Azure AD Application Proxy, click this link.
