
Remote access to on-premises applications through Azure Active Directory's Application Proxy

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.

Azure AD Application Proxy is:

  • Simple to use. Users can access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD. You don't need to change or update your applications to work with Application Proxy.

  • Secure. On-premises applications can use Azure's authorization controls and security analytics. For example, on-premises applications can use Conditional Access and two-step verification. Application Proxy doesn't require you to open inbound connections through your firewall.

  • Cost-effective. On-premises solutions typically require you to set up and maintain demilitarized zones (DMZs), edge servers, or other complex infrastructure. Application Proxy runs in the cloud, which makes it easy to use. To use Application Proxy, you don't need to change your network infrastructure or install additional appliances in your on-premises environment.

What is Application Proxy?

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user's sign-on token from Azure AD to the web application.

Application Proxy works with:

  • Web applications that use Integrated Windows Authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

Application Proxy supports single sign-on. For more information on supported methods, see Choosing a single sign-on method.

Application Proxy is recommended for giving remote users access to internal resources. It replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network: internal users who route through Application Proxy unnecessarily can introduce unexpected and undesirable performance issues.

How Application Proxy works

The following diagram shows how Azure AD and Application Proxy work together to provide single sign-on to on-premises applications.

[Diagram: Azure AD Application Proxy]

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. After a successful sign-in, Azure AD sends a token to the user's client device.
  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. The connector sends the request to the on-premises application.
  6. The response is sent back through the connector and the Application Proxy service to the user.
Components

Endpoint: The endpoint is a URL or an end-user portal. Users outside your network reach applications by accessing an external URL. Users within your network can access the application through a URL or an end-user portal. When users go to one of these endpoints, they authenticate in Azure AD and are then routed through the connector to the on-premises application.

Azure AD: Azure AD performs the authentication using the tenant directory stored in the cloud.

Application Proxy service: This service runs in the cloud as part of Azure AD. It passes the sign-on token from the user to the Application Proxy connector. Application Proxy forwards any accessible headers on the request and sets the header defined by its protocol to the client IP address. If the incoming request to the proxy already carries that header, the client IP address is appended to the end of the comma-separated list that is the header's value.

Application Proxy connector: The connector is a lightweight agent that runs on a Windows Server inside your network. It manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. Connectors are stateless and pull information from the cloud as necessary. For more information about connectors, such as how they load-balance and authenticate, see Understand Azure AD Application Proxy connectors.

Active Directory (AD): Active Directory runs on-premises to perform authentication for domain accounts. When single sign-on is configured, the connector communicates with AD to perform any additional authentication required.

On-premises application: Finally, the user is able to access the on-premises application.
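The header behaviour described for the Application Proxy service above has a consequence for the on-premises application: only the entry the proxy itself appended is trustworthy, while anything already in the list came from the client. The following added example (not Microsoft's code) models that append step and shows how a backend should read the list; it assumes the header is X-Forwarded-For, which the page does not name, and uses constructed sample addresses.

```python
from ipaddress import ip_address

# Assumption: the page does not name the header; X-Forwarded-For is used here.
HEADER = "X-Forwarded-For"


def proxy_forward(headers: dict, client_ip: str) -> dict:
    """Model of the proxy step the page describes: forward the request's
    headers and set the forwarded header to the connecting client's IP,
    appending to the comma-separated list if the header already exists."""
    out = dict(headers)
    existing = out.get(HEADER)
    out[HEADER] = f"{existing}, {client_ip}" if existing else client_ip
    return out


def _entries(headers: dict) -> list:
    value = headers.get(HEADER, "")
    return [p.strip() for p in value.split(",") if p.strip()]


def client_ip_seen_by_proxy(headers: dict) -> str:
    """Backend side: the only entry the proxy wrote is the LAST one, so that
    is the address to log or evaluate. Earlier entries were supplied by the
    client and may be forged. The value is validated as an IP address."""
    parts = _entries(headers)
    if not parts:
        raise ValueError("request did not pass through the proxy")
    return str(ip_address(parts[-1]))


def client_supplied_entries(headers: dict) -> list:
    """Entries that arrived from the client itself (everything but the last);
    useful for logging, never for access decisions."""
    return _entries(headers)[:-1]


if __name__ == "__main__":
    # Constructed sample: a client that already sent a forwarded header.
    req = {"Host": "app.internal.example", HEADER: "10.0.0.5"}
    forwarded = proxy_forward(req, "203.0.113.10")
    print(forwarded[HEADER])                    # 10.0.0.5, 203.0.113.10
    print(client_ip_seen_by_proxy(forwarded))   # 203.0.113.10
    print(client_supplied_entries(forwarded))   # ['10.0.0.5']
```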

Next steps

To start using Application Proxy, see Tutorial: Add an on-premises application for remote access through Application Proxy.

For the latest news and updates, see the Application Proxy blog.