Remote access to on-premises applications through Azure Active Directory's Application Proxy

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.

Azure AD Application Proxy is:

  • Simple to use. Users can access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD. You don't need to change or update your applications to work with Application Proxy.

  • Secure. On-premises applications can use Azure's authorization controls and security analytics. For example, on-premises applications can use Conditional Access and two-step verification. Application Proxy doesn't require you to open inbound connections through your firewall.

  • Cost-effective. On-premises solutions typically require you to set up and maintain demilitarized zones (DMZs), edge servers, or other complex infrastructure. Application Proxy runs in the cloud, which makes it easy to use. To use Application Proxy, you don't need to change your network infrastructure or install additional appliances in your on-premises environment.

What is Application Proxy?

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.

Application Proxy works with:

  • Web applications that use Integrated Windows Authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

Application Proxy supports single sign-on. For more information on supported methods, see Choosing a single sign-on method.

Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network. Users who go through Application Proxy unnecessarily can introduce unexpected and undesirable performance issues.

How Application Proxy works

The following diagram shows how Azure AD and Application Proxy work together to provide single sign-on to on-premises applications.

[Diagram: Azure AD Application Proxy]

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. After a successful sign-in, Azure AD sends a token to the user's client device.
  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. The connector sends the request to the on-premises application.
  6. The response is sent through the connector and the Application Proxy service back to the user.

Component | Description
Endpoint | The endpoint is a URL or an end-user portal. Users can reach applications while outside of your network by accessing an external URL. Users within your network can access the application through a URL or an end-user portal. When users go to one of these endpoints, they authenticate in Azure AD and are then routed through the connector to the on-premises application.
Azure AD | Azure AD performs the authentication using the tenant directory stored in the cloud.
Application Proxy service | The Application Proxy service runs in the cloud as part of Azure AD. It passes the sign-on token from the user to the Application Proxy connector. Application Proxy forwards any accessible headers on the request and, as its protocol requires, sets a header to the client IP address. If the incoming request to the proxy already carries that header, the client IP address is appended to the end of the comma-separated list that is the header's value.
Application Proxy connector | The connector is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud as necessary. For more information about connectors, such as how they load-balance and authenticate, see Understand Azure AD Application Proxy connectors.
Active Directory (AD) | Active Directory runs on-premises to perform authentication for domain accounts. When single sign-on is configured, the connector communicates with AD to perform any additional authentication required.
On-premises application | Finally, the user is able to access the on-premises application.
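The client-IP header behaviour described for the Application Proxy service has a practical consequence for the on-premises application: because the proxy appends its observation to the end of a list the client may already have populated, only the last entry can be trusted for audit logs or access decisions. The following example is added here and is not code from the page or from Microsoft; it assumes the header is X-Forwarded-For and that the application only receives requests from connector hosts in a constructed sample range.

```python
from ipaddress import ip_address, ip_network

# Assumptions for this example (not stated on the page): the proxy writes the
# client IP into X-Forwarded-For, and requests reach the app only from the
# connector hosts in TRUSTED_CONNECTOR_NETS (a constructed sample range).
FORWARDED_HEADER = "x-forwarded-for"
TRUSTED_CONNECTOR_NETS = [ip_network("10.0.0.0/24")]


def parse_forwarded_list(value):
    """Split the comma-separated header value into trimmed, non-empty entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_trusted_peer(peer_ip):
    """True if the TCP peer that delivered the request is a connector host."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_CONNECTOR_NETS)


def client_ip(peer_ip, headers):
    """Return the client address to use for audit logs and access decisions.

    The proxy appends its own view of the client IP to the END of the list,
    so only the last entry reflects what the proxy observed; earlier entries
    were supplied by the client (or upstream hops) and must not be trusted.
    If the peer is not a connector host the header cannot be trusted at all,
    and the peer address itself is the best available answer.
    """
    if not is_trusted_peer(peer_ip):
        return peer_ip
    value = next((v for k, v in headers.items()
                  if k.lower() == FORWARDED_HEADER), None)
    if value is None:
        return peer_ip
    entries = parse_forwarded_list(value)
    if not entries:
        return peer_ip
    try:
        return str(ip_address(entries[-1]))  # normalised; rejects junk
    except ValueError:
        return None  # malformed last entry: treat as unknown rather than guess
```

A spoofed leading entry is harmless because it is never selected, and a request that does not arrive from a connector host keeps the peer address regardless of what the header claims.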

Next steps

To start using Application Proxy, see Tutorial: Add an on-premises application for remote access through Application Proxy.

For the latest news and updates, see the Application Proxy blog.