Question

LiZhen-3942 asked (2 votes)

Azure AD Connect Installation with Web Proxy

I'm trying to install Azure AD Connect. The server is behind a firewall, and Internet access must go through a web proxy. I can install AADC, but the problem is that the health agent is disabled after installation. I tried to enable it, but Test-AzureADConnectHealthConnectivity failed.

By the way, I did configure the .NET Framework to work with the proxy. AADC itself works as expected; AD objects are synchronized to Azure AD. It is just that the health agent does not work.

azure-active-directory

1 Answer

ShaikhSheeraz-0551 answered (1 vote)

This document walks you through installing and configuring the Azure AD Connect Health Agents. You can download the agents from here.

Requirements
The following is the list of requirements for using Azure AD Connect Health (each entry gives the requirement and its description).

Requirement: Azure AD Premium
Description: Azure AD Connect Health is an Azure AD Premium feature and requires Azure AD Premium. For more information, see Getting started with Azure AD Premium. To start a free 30-day trial, see Start a trial.

Requirement: You must be a global administrator of your Azure AD to get started with Azure AD Connect Health
Description: By default, only the global administrators can install and configure the health agents to get started, access the portal, and perform any operations within Azure AD Connect Health. For more information, see Administering your Azure AD directory.

Using Role Based Access Control you can allow access to Azure AD Connect Health to other users in your organization. For more information, see Role Based Access Control for Azure AD Connect Health.

Important: The account used when installing the agents must be a work or school account. It cannot be a Microsoft account. For more information, see Sign up for Azure as an organization.

Requirement: Azure AD Connect Health Agent is installed on each targeted server
Description: Azure AD Connect Health requires the Health Agents to be installed and configured on targeted servers to receive the data and provide the Monitoring and Analytics capabilities.

For example, to get data from your AD FS infrastructure, the agent must be installed on the AD FS and Web Application Proxy servers. Similarly, to get data on your on-premises AD DS infrastructure, the agent must be installed on the domain controllers.

Requirement: Outbound connectivity to the Azure service endpoints
Description: During installation and runtime, the agent requires connectivity to Azure AD Connect Health service endpoints. If outbound connectivity is blocked using firewalls, ensure that the following endpoints are added to the allowed list. See outbound connectivity endpoints.

Requirement: Outbound connectivity based on IP addresses
Description: For IP address based filtering on firewalls, refer to the Azure IP Ranges.

Requirement: TLS inspection for outbound traffic is filtered or disabled
Description: The agent registration step or data upload operations may fail if there is TLS inspection or termination for outbound traffic at the network layer. Read more about how to set up TLS inspection.

Requirement: Firewall ports on the server running the agent
Description: The agent requires the following firewall ports to be open in order for the agent to communicate with the Azure AD Health service endpoints.

TCP port 443
TCP port 5671

Note that port 5671 is no longer required for the latest version of the agent. Upgrade to the latest version so that only port 443 is required. Read more about enabling firewall ports.

Requirement: Allow the following websites if IE Enhanced Security is enabled
Description: If IE Enhanced Security is enabled, then the following websites must be allowed on the server that is going to have the agent installed.

https://login.microsoftonline.com
https://secure.aadcdn.microsoftonline-p.com
https://login.windows.net
https://aadcdn.msftauth.net
The federation server for your organization trusted by Azure Active Directory. For example: https://sts.contoso.com

Read more about how to configure IE. In case you have a proxy within your network, please see the note below.

Requirement: Ensure PowerShell v4.0 or newer is installed
Description:
Windows Server 2008 R2 ships with PowerShell v2.0, which is insufficient for the agent. Update PowerShell as explained below under Agent installation on Windows Server 2008 R2 Servers.
Windows Server 2012 ships with PowerShell v3.0, which is insufficient for the agent. Update the Windows Management Framework.
Windows Server 2012 R2 and later ship with a sufficiently recent version of PowerShell.

Requirement: Disable FIPS
Description: FIPS is not supported by Azure AD Connect Health agents.


LiZhen-3942 commented:

Thank you very much for the reply. But your answer appears to be quite generic. I'm seeking help in this particular scenario, i.e. setting up the AADC health agent behind a proxy.
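The following script is an added pre-flight check for the requirements listed in the answer above, written for the proxy scenario in the question; it is not code from the original thread or from Microsoft. It checks the PowerShell version, the FIPS policy, whether each listed endpoint is reachable on TCP 443 through the proxy, and whether the certificate presented through the proxy tunnel looks like it has been re-signed by a TLS inspection device. The proxy address http://proxy.contoso.com:8080 and the issuer-name pattern 'Microsoft|DigiCert' are assumptions; replace them with your proxy and with the issuer you see from a network without inspection.

```powershell
# Added pre-flight check for the Azure AD Connect Health agent behind a web proxy.
# Assumptions (not from the page): the proxy URL and the public-CA issuer pattern.
param(
    [string]$Proxy = 'http://proxy.contoso.com:8080',      # assumed proxy, change it
    [string]$ExpectedIssuerPattern = 'Microsoft|DigiCert'  # assumed issuer pattern
)

# Endpoints listed in the answer (the federation server is site-specific, add it yourself).
$endpoints = @(
    'https://login.microsoftonline.com',
    'https://secure.aadcdn.microsoftonline-p.com',
    'https://login.windows.net',
    'https://aadcdn.msftauth.net'
)

# 1. PowerShell version: the agent needs 4.0 or newer.
$psOk = $PSVersionTable.PSVersion -ge [version]'4.0'
'PowerShell {0}: {1}' -f $PSVersionTable.PSVersion, $(if ($psOk) { 'OK' } else { 'too old, update WMF' })

# 2. FIPS mode: not supported by the agent. The policy is stored in this registry value.
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
            -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) { 'FIPS: ENABLED (agent unsupported, disable it)' }
else { 'FIPS: disabled, OK' }

# 3. HTTPS reachability through the proxy. Any HTTP status, even 4xx, proves the proxy
#    forwarded the request; only a transport-level error means the path is blocked.
foreach ($url in $endpoints) {
    try {
        $r = Invoke-WebRequest -Uri $url -Method Head -Proxy $Proxy -ProxyUseDefaultCredentials `
                               -UseBasicParsing -TimeoutSec 15
        '{0}: reachable via proxy (HTTP {1})' -f $url, [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            '{0}: reachable via proxy (HTTP {1})' -f $url, [int]$_.Exception.Response.StatusCode
        } else {
            '{0}: BLOCKED ({1})' -f $url, $_.Exception.Message
        }
    }
}

# 4. TLS inspection check: open a CONNECT tunnel through the proxy, complete a TLS
#    handshake ourselves, and return the certificate the far side presented.
function Get-CertificateViaProxy {
    param([string]$HostName, [uri]$ProxyUri)
    $client = New-Object System.Net.Sockets.TcpClient($ProxyUri.Host, $ProxyUri.Port)
    $net = $client.GetStream()
    $req = [Text.Encoding]::ASCII.GetBytes("CONNECT ${HostName}:443 HTTP/1.1`r`nHost: ${HostName}:443`r`n`r`n")
    $net.Write($req, 0, $req.Length)
    # Read the proxy's reply byte by byte so we stop exactly at the end of its headers.
    $hdr = ''; $buf = New-Object byte[] 1
    while (-not $hdr.EndsWith("`r`n`r`n")) {
        if ($net.Read($buf, 0, 1) -le 0) { throw 'proxy closed the connection' }
        $hdr += [char]$buf[0]
    }
    if ($hdr -notmatch '^HTTP/1\.[01] 200') { throw ('proxy refused CONNECT: ' + $hdr.Split("`n")[0].Trim()) }
    # Accept any certificate here: the goal is to inspect it, not to validate it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $accept)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()
    return $cert
}

foreach ($url in $endpoints) {
    $h = ([uri]$url).Host
    try {
        $cert = Get-CertificateViaProxy -HostName $h -ProxyUri ([uri]$Proxy)
        # A public CA issuer is expected; an enterprise CA issuer means the proxy re-signed it.
        $tag = if ($cert.Issuer -match $ExpectedIssuerPattern) { 'public CA, OK' }
               else { 'UNEXPECTED issuer: TLS inspection likely, exempt this host' }
        '{0}: issuer "{1}" ({2})' -f $h, $cert.Issuer, $tag
    } catch {
        '{0}: TLS check failed: {1}' -f $h, $_.Exception.Message
    }
}
```

Run it on the AADC server as the account that will install the agent, so the proxy sees the same credentials the agent will use. TCP 5671 is not checked because an HTTP proxy normally only tunnels CONNECT to 443; per the answer, upgrading to the current agent removes that port requirement. A host flagged with an unexpected issuer needs a TLS-inspection bypass on the proxy, since the agent will otherwise fail registration or upload as the answer describes.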