Part 4 - Protecting NDES with Azure AD Application Proxy

In the past few months I published a series of posts on setting up certificate distribution to mobile devices. In summary this is what was discussed:

Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3– Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.

In this Part 4 we will discuss a cool solution that just have been made possible!

The Azure AD Application Proxy
Azure AD Application Proxy lets you publish applications, such as SharePoint sites, Outlook Web Access and other web application, inside your private network and provides secure access to users outside your network via Azure. The team has recently updated the Azure AD Application Proxy to allow NDES usage, great news!

Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure to have better protection against DDOS attacks and superb availability. Furthermore there is no need to open external firewall ports to your on premise network and no DMZ server is required. All traffic is originated inbound. For a complete list of outbound ports take a look at this MSDN page.

Important notes:

Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions .
If you have
Enterprise Mobility Suite (EMS) licenses you are eligible of using this solution.
The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 Operating system, this is also a requirement of the NDES server anyway.

The architecture of this solution could look as follows:


Installation steps
During the next steps I assume you already got certificate distribution to work, if not please consult Part 2 on this topic.

1. On your PC browse to http://manage.windowsazure.comand login with an account that has Administrative permissions in your Azure AD tenant.

2. On the left side navigate to “Active Directory” and select the desired directory. clip_image004

3. After your Azure Active Directory is selected, hit the “Configure” section.clip_image006

4. Scroll down to the “Application Proxy” and hit the “enabled” button. Afterwards download the Application Proxy connector (AADApplicationProxyConnectorInstaller.msi) to your local PC and transfer it to the NDES server.clip_image008

5. On your NDES server(*), start the installation by executing the previously downloaded AADApplicationProxyConnectorInstaller.msi. Follow the wizard like shown in the print screens below.

(*) Important note: the connector could be installed on any server within your corporate network with access to NDES. It does not have to be installed on the NDES server itself.



6. During the installation wizard you will be prompted to authenticate to you Azure AD tenant by providing Azure AD Administrative credentials

7. If all goes well, you should be looking at this success message.clip_image016

8. Go back to your Azure management portal ( but this time go to the “Application” section as illustrated in the next screenshot. clip_image018

9. After selecting the “Add” button select the option to “Publish an application that will be accessible from outside your network”. Enter a descriptive name and hit the arrow button to proceed. clip_image020

10. In the next dialog look at the following three things:

  • Make sure you change “preauthentication method” to “Passthrough”. It’s not possible to use any form of pre-authentication, the protocol used for Certificate Requests (SCEP) does not provide such option.
  • Enter the internal URL/FQDN of your NDES server on which you installed the connector earlier.
  • Copy the provided “External URL” to your clipboard.

Hit the checkmark to save your application.

11. Test whether you can access your NDES server via the Azure AD Application proxy by pasting the link from step 10 into a browser. You should see a default IIS welcome pageclip_image024

12. As a final test, add the mscep.dll path to the existing URL you pasted in the previous step:**certsrv/mscep/mscep.dll**

13. You should receive a “HTTP Error 403 – Forbidden”.clip_image026

14. The last step is to change the NDES URL provided (via Microsoft Intune) to devices, this could either be in System Center Configuration Center or in Intune Cloud.

a. For System Center Configuration Center go to the Certificate Registration Point (CRP) and adjust the URL, this is what devices reach out to and present their challenge.


b. For Intune Cloud Only a.k.a. Intune Standalone, either Edit or Create a new SCEP policy and add the new URLclip_image030

Hope this post helped you use Azure AD Application Proxy in combination with NDES, please consider leaving a reply if it did!