In Microsoft Azure Active Directory you can publish web-based (SaaS) applications and websites in a few different ways. The easiest way is via the Azure App Gallery, which lets you add the application in just a few steps. If the application is not available in the Azure App Gallery, you can add it manually. When adding the application manually, you can add either cloud-hosted web apps and websites or on-premises hosted web apps and websites.
The additional advantage of publishing on-premises web apps and websites is that in many cases it is a good alternative to per-app VPN connections from mobile devices. That’s why I want to show you how to publish an internal website (intranet) in this blog post.
In my demo environment I have installed a new Windows 2016 server (EMS01.cec.local) with IIS configured. I created a simple website which serves as an intranet page for this demo 😊
As you can see, the URL for this intranet page is https://ems01.cec.local.
Before you can publish internal websites or apps, the Application Proxy connector needs to be installed on a local server that has access to the web app. Log in to the Azure Portal to download the installation file.
Navigate to: Azure Active Directory > Enterprise Applications > Application proxy
Click on Download a connector
Click on Accept terms & Download
Run the installer and check I agree to the license terms and conditions (if you do) and click Install
Log in with an Azure Global Administrator account. After login, the Application Proxy will be registered with your Azure tenant.
Click Close
Go back to the Application proxy page. As you can see the Application Proxy server is displayed as Connector with the status Active. Click on Configure an app to publish the first on-premise web app or site.
Fill in the following information:
Name: The name of the published on-premise web app or site (in my case Intranet)
Internal Url: In my case https://ems01.cec.local (this is the server where the on-premise web app or site is hosted)
External Url: Here you can configure the external URL. By default this ends with .msappproxy.net, but you can change this to your own external domain (you have to configure additional DNS records in that case).
You can also configure the Pre Authentication method and the Connector Group (if you have multiple Application Proxy servers configured in an HA group).
Click the Add button to publish this application to Azure AD.
The final step is to assign this web application or site to a group of users. To do this, open the Users and groups tab and click Add user.
Click Users and groups and select the user or group you want to assign this web app or site to. Click Select and Assign.
Optionally you can change the icon, and if it’s a web application, you can also configure user provisioning, self-service and single sign-on (SSO).
Let’s test the results. I will test it on a Windows 10 device outside the network that has no direct access to the server that hosts the Intranet website.
Open the Microsoft MyApps portal.
The “Intranet” app is displayed among the applications.
As you can see, the internal Intranet website is displayed from a .msappproxy.net address outside the network.
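To review the settings chosen in this walkthrough once apps are published (pre-authentication method, user assignment, connector group), the read-only audit below lists every Application Proxy app and flags any that does not use Azure AD pre-authentication or does not require user assignment. It is an added example, not part of the original post; it assumes the AzureAD PowerShell module is installed and that a healthy connector reports the status value 'active'.

```powershell
# Added example: read-only audit of Application Proxy apps and connectors.
# Assumes the AzureAD module and an account allowed to read these settings.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Service principals of Application Proxy apps carry this tag.
$proxySps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryOnPremApp' }

$report = foreach ($sp in $proxySps) {
    # Proxy settings live on the application object, not the service principal.
    $app = Get-AzureADApplication -Filter "AppId eq '$($sp.AppId)'"
    if (-not $app) { continue }
    $cfg = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId

    [pscustomobject]@{
        Name               = $sp.DisplayName
        InternalUrl        = $cfg.InternalUrl
        ExternalUrl        = $cfg.ExternalUrl
        PreAuth            = $cfg.ExternalAuthenticationType
        # If assignment is not required, any user in the tenant can sign in.
        AssignmentRequired = $sp.AppRoleAssignmentRequired
        # Flag pass-through apps and apps open to every tenant user.
        Review             = ($cfg.ExternalAuthenticationType -ne 'AadPreAuthentication') -or
                             (-not $sp.AppRoleAssignmentRequired)
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize

# Connector groups: fewer than two active connectors means no high availability.
foreach ($group in Get-AzureADApplicationProxyConnectorGroup) {
    $members = @(Get-AzureADApplicationProxyConnectorGroupMembers -Id $group.Id)
    $active  = @($members | Where-Object { $_.Status -eq 'active' })
    [pscustomobject]@{
        ConnectorGroup   = $group.Name
        Connectors       = $members.Count
        ActiveConnectors = $active.Count
        SingleConnector  = $active.Count -lt 2
    }
}
```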
6 comments
Hi,
Thank you for sharing this, it is really helpful and well described.
I have one question, please. If I have more than 10 internal websites, do I need to install the connector on each web server, or is it enough to have one stand-alone server with the connector installed and use this server as a proxy to the other websites?
Thank you
Omar
Hi Omar,
One connector is enough, although two is recommended for a HA configuration.
Regards,
Robin
Thanks Robin. I have already built two and all good.
Regards
Omar
Hi Carl, I have followed the above article, but when testing from a web browser and managed browser outside of the network I am getting the below error message. Can you suggest where the error could be?
This site can’t be reached proxy.eecindia.onmicrosoft.com’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN
Hi,
I’ve 10 on-premise applications.
Do I need to install a connector for each application, or can I install one connector on one web server? Please help.
Or can I install one connector on a different machine?
One connector is minimum as long as this connector has full access to every on-premise application (two connectors are recommended for High Availability).