Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory

Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, you'll use the Azure portal to add an on-premises application to your Azure AD tenant.

This tutorial:

  • Opens ports for outbound traffic and allows access to specific URLs
  • Installs the connector on your Windows server, and registers it with Application Proxy
  • Verifies the connector installed and registered correctly
  • Adds an on-premises application to your Azure AD tenant
  • Verifies a test user can sign on to the application by using an Azure AD account

Prerequisites

To add an on-premises application to Azure AD, you need:

  • A Microsoft Azure AD premium subscription
  • An application administrator account
  • User identities that are synchronized from an on-premises directory or created directly within your Azure AD tenant. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications, and gives it the user identifier information needed to perform single sign-on (SSO).

Windows server

To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy service in Azure, and to the on-premises applications that you plan to publish.

For high availability in your production environment, we recommend having more than one Windows server. For this tutorial, one Windows server is sufficient.

Important

If you are installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to work properly. This is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables it on Windows Server 2019. Note that this is a machine-wide registry key.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "EnableDefaultHttp2"=dword:00000000

Recommendations for the connector server

  1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application. For more information, see Network topology considerations.
  2. The connector server and the web application servers should belong to the same Active Directory domain or span trusting domains. Having the servers in the same domain or trusting domains is a requirement for using single sign-on (SSO) with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, you need to use resource-based delegation for single sign-on. For more information, see KCD for single sign-on with Application Proxy.

Warning

If you've deployed Azure AD Password Protection Proxy, do not install Azure AD Application Proxy and Azure AD Password Protection Proxy together on the same machine. Azure AD Application Proxy and Azure AD Password Protection Proxy install different versions of the Azure AD Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.

TLS requirements

The Windows connector server needs to have TLS 1.2 enabled before you install the Application Proxy connector.

To enable TLS 1.2:

  1. Set the following registry keys:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
  2. Restart the server.
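The registry changes from this section and from the Windows Server 2019 HTTP2 note above, as an added PowerShell script that is not part of the tutorial: it creates the keys, writes the values, and reads them back so a typo or a permissions error shows up before the reboot. The function names and the -DisableHttp2 switch are my own.

```powershell
# Added example (not from the tutorial). Run from an elevated Windows PowerShell
# prompt on the connector server, then restart the server as the tutorial requires.

function Set-RegistryDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # The TLS 1.2 keys are absent on a fresh server, so create the key first.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-AppProxyConnectorPrerequisites {
    param(
        # Pass this switch on Windows Server 2019 (see the Important note above).
        [switch]$DisableHttp2
    )
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

    # Values listed in the "TLS requirements" section.
    $desired = @(
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 }
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
    )
    if ($DisableHttp2) {
        # Machine-wide WinHttp value from the Windows Server 2019 note.
        $desired += @{
            Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
            Name  = 'EnableDefaultHttp2'
            Value = 0
        }
    }

    foreach ($entry in $desired) {
        Set-RegistryDword @entry
    }

    # Read every value back; Ok = $false means the write did not land.
    foreach ($entry in $desired) {
        $actual = Get-ItemProperty -Path $entry.Path -Name $entry.Name |
            Select-Object -ExpandProperty $entry.Name
        [pscustomobject]@{
            Path  = $entry.Path
            Name  = $entry.Name
            Value = $actual
            Ok    = ($actual -eq $entry.Value)
        }
    }
}

# Usage: Set-AppProxyConnectorPrerequisites -DisableHttp2 | Format-Table -AutoSize
# Then: Restart-Computer
```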

Prepare your on-premises environment

Start by enabling communication to Azure data centers to prepare your environment for Azure AD Application Proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.

Important

If you are installing the connector for the Azure Government cloud, follow the prerequisites and installation steps for that cloud. This requires enabling access to a different set of URLs and an additional parameter to run the installation.

Open ports

Open the following ports to outbound traffic.

Port number   How it's used
80            Downloading certificate revocation lists (CRLs) while validating the TLS/SSL certificate
443           All outbound communication with the Application Proxy service

If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a Network Service.

Allow access to URLs

Allow access to the following URLs:

URL                                    How it's used
*.msappproxy.net                       Communication between the connector and the Application Proxy cloud service
*.servicebus.windows.net
mscrl.microsoft.com:80                 The connector uses these URLs to verify certificates.
crl.microsoft.com:80
ocsp.msocsp.com:80
www.microsoft.com:80
login.windows.net                      The connector uses these URLs during the registration process.
secure.aadcdn.microsoftonline-p.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msauthimages.net
*.msecnd.net
*.msftauth.net
*.msftauthimages.net
*.phonefactor.net
enterpriseregistration.windows.net
management.azure.com
policykeyservice.dc.ad.msft.net
ctldl.windowsupdate.com:80

You can allow connections to *.msappproxy.net and *.servicebus.windows.net if your firewall or proxy lets you configure DNS allow lists. If not, you need to allow access to the Azure IP ranges and Service Tags - Public Cloud. The IP ranges are updated each week.
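A pre-flight egress check for the ports and URLs above, as an added PowerShell example that is not part of the tutorial: it runs a TCP handshake from the connector server to each non-wildcard host in the table, on port 80 where the table says :80 and on 443 otherwise. Wildcard entries such as *.msappproxy.net cannot be probed without a concrete hostname and are left out; the function name is my own.

```powershell
# Added example (not from the tutorial). Run on the connector server before
# installing the connector; any row with Reachable = False points at a firewall
# or proxy rule that still needs to be opened.

function Test-AppProxyEgress {
    # Hosts copied from the allow-list table above.
    $targets = @(
        @{ Host = 'mscrl.microsoft.com';                Port = 80;  Purpose = 'certificate verification (CRL)' }
        @{ Host = 'crl.microsoft.com';                  Port = 80;  Purpose = 'certificate verification (CRL)' }
        @{ Host = 'ocsp.msocsp.com';                    Port = 80;  Purpose = 'certificate verification (OCSP)' }
        @{ Host = 'www.microsoft.com';                  Port = 80;  Purpose = 'certificate verification' }
        @{ Host = 'login.windows.net';                  Port = 443; Purpose = 'connector registration' }
        @{ Host = 'secure.aadcdn.microsoftonline-p.com'; Port = 443; Purpose = 'connector registration' }
        @{ Host = 'enterpriseregistration.windows.net'; Port = 443; Purpose = 'connector registration' }
        @{ Host = 'management.azure.com';               Port = 443; Purpose = 'connector registration' }
        @{ Host = 'policykeyservice.dc.ad.msft.net';    Port = 443; Purpose = 'connector registration' }
        @{ Host = 'ctldl.windowsupdate.com';            Port = 80;  Purpose = 'connector registration' }
    )

    foreach ($t in $targets) {
        # Test-NetConnection resolves the name and completes a TCP handshake.
        # -InformationLevel Quiet returns only $true/$false; the warning it emits
        # on failure is suppressed so the output stays one row per host.
        $reachable = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Reachable = [bool]$reachable
            Purpose   = $t.Purpose
        }
    }
}

# Usage: Test-AppProxyEgress | Format-Table -AutoSize
```

A successful handshake only proves the path is open; an intercepting proxy that terminates TLS can still break the connector, which is why the tutorial's own connector status check (later in this page) remains necessary.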

Install and register a connector

To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Azure AD. You can install a connector on servers that also have other authentication agents installed, such as Azure AD Connect.

To install the connector:

  1. Sign in to the Azure portal as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.

  2. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select Switch directory and choose a directory that uses Application Proxy.

  3. In the left navigation panel, select Azure Active Directory.

  4. Under Manage, select Application proxy.

  5. Select Download connector service.

  6. Read the Terms of Service. When you're ready, select Accept terms & Download.

  7. At the bottom of the window, select Run to install the connector. An install wizard opens.

  8. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Azure AD tenant, provide your application administrator credentials.

    • For Internet Explorer (IE), if IE Enhanced Security Configuration is set to On, you may not see the registration screen. To get access, follow the instructions in the error message. Make sure that Internet Explorer Enhanced Security Configuration is set to Off.

General remarks

If you've previously installed a connector, reinstall to get the latest version. To see information about previously released versions and what changes they include, see Application Proxy: Version Release History.

If you choose to have more than one Windows server for your on-premises applications, you'll need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see Connector groups.

If your organization uses proxy servers to connect to the internet, you need to configure them for Application Proxy. For more information, see Work with existing on-premises proxy servers.

For information about connectors, capacity planning, and how they stay up-to-date, see Understand Azure AD Application Proxy connectors.

Verify the connector installed and registered correctly

You can use the Azure portal or your Windows server to confirm that a new connector installed correctly.

Verify the installation through the Azure portal

To confirm the connector installed and registered correctly:

  1. Sign in to your tenant directory in the Azure portal.

  2. In the left navigation panel, select Azure Active Directory, and then select Application Proxy under the Manage section. All of your connectors and connector groups appear on this page.

  3. View a connector to verify its details. The connectors should be expanded by default. If the connector you want to view isn't expanded, expand the connector to view the details. An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.

For more help with installing a connector, see Problem installing the Application Proxy Connector.

Verify the installation through your Windows server

To confirm the connector installed and registered correctly:

  1. Open the Windows Services Manager by pressing the Windows key and entering services.msc.

  2. Check that the status of the following two services is Running.

    • Microsoft AAD Application Proxy Connector enables connectivity.

    • Microsoft AAD Application Proxy Connector Updater is an automated update service. The updater checks for new versions of the connector and updates the connector as needed.

  3. If the status of a service isn't Running, right-click the service and choose Start.
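The same check scripted for one or many connector servers, as an added PowerShell example that is not part of the tutorial: it looks up both services by the display names given above, reports NotFound when a service is missing, and with -Start brings up any stopped service (step 3). It assumes Windows PowerShell 5.1, whose Get-Service supports -ComputerName; the function name and switch are my own.

```powershell
# Added example (not from the tutorial). Run from a workstation with admin rights
# on the connector servers (or locally with no -ComputerName).

function Test-AppProxyConnectorServices {
    param(
        # Connector servers to check; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Start any service that is not Running (equivalent of step 3 above).
        [switch]$Start
    )
    # Display names as listed in the tutorial.
    $displayNames = @(
        'Microsoft AAD Application Proxy Connector',
        'Microsoft AAD Application Proxy Connector Updater'
    )
    foreach ($computer in $ComputerName) {
        foreach ($name in $displayNames) {
            $svc = Get-Service -ComputerName $computer -DisplayName $name -ErrorAction SilentlyContinue
            if (-not $svc) {
                # Missing service means the connector was never installed here
                # (or the install failed); report it instead of skipping silently.
                [pscustomobject]@{ Computer = $computer; Service = $name; Status = 'NotFound'; StartType = $null }
                continue
            }
            if ($svc.Status -ne 'Running' -and $Start) {
                Start-Service -InputObject $svc
                $svc.Refresh()
            }
            [pscustomobject]@{
                Computer  = $computer
                Service   = $name
                Status    = $svc.Status
                StartType = $svc.StartType
            }
        }
    }
}

# Usage: Test-AppProxyConnectorServices -ComputerName 'connector01','connector02' -Start | Format-Table -AutoSize
```

A StartType other than Automatic on either service is worth correcting too, since a connector that does not come back after a reboot silently removes that server from the pool.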

Add an on-premises app to Azure AD

Now that you've prepared your environment and installed a connector, you're ready to add on-premises applications to Azure AD.

  1. Sign in to the Azure portal as an administrator.

  2. In the left navigation panel, select Azure Active Directory.

  3. Select Enterprise applications, and then select New application.

  4. In the On-premises applications section, select Add an on-premises application.

  5. In the Add your own on-premises application section, provide the following information about your application:

    Field               Description
    Name                The name of the application that will appear on My Apps and in the Azure portal.
    Internal URL        The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.

                        If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at https://yourapp/app and uses images located at https://yourapp/media, then you should publish https://yourapp/ as the path. This internal URL doesn't have to be the landing page your users see. For more information, see Set a custom home page for published apps.
    External URL        The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about custom domains in Azure AD Application Proxy.
    Pre Authentication  How Application Proxy verifies users before giving them access to your application.

                        Azure Active Directory - Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. Azure Active Directory is required for monitoring the application with Microsoft Cloud Application Security.

                        Passthrough - Users don't have to authenticate against Azure AD to access the application. You can still set up authentication requirements on the backend.
    Connector Group     Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don't have any connector groups created yet, your app is assigned to Default.

                        If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later.

  6. If necessary, configure Additional settings. For most applications, you should keep these settings in their default states.

    Field                                Description
    Backend Application Timeout          Set this value to Long only if your application is slow to authenticate and connect. By default, the backend application timeout is 85 seconds. When set to Long, the backend timeout is increased to 180 seconds.
    Use HTTP-Only Cookie                 Set this value to Yes to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, set this value to No.
    Use Secure Cookie                    Set this value to Yes to transmit cookies over a secure channel such as an encrypted HTTPS request.
    Use Persistent Cookie                Keep this value set to No. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see Cookie settings for accessing on-premises applications in Azure Active Directory.
    Translate URLs in Headers            Keep this value as Yes unless your application requires the original host header in the authentication request.
    Translate URLs in Application Body   Keep this value as No unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see Link translation with Application Proxy.

                                         Set this value to Yes if you plan to monitor this application with Microsoft Cloud App Security (MCAS). For more information, see Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory.

  7. Select Add.
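The same publication done from PowerShell, as an added example that is not part of the tutorial: it maps the fields of the two tables above onto New-AzureADApplicationProxyApplication, keeping the recommended defaults (Azure AD pre-authentication, header translation on, body translation off, default timeout). It assumes the AzureAD PowerShell module is installed and that you sign in as an application administrator; the display name, URLs and connector group name are placeholders.

```powershell
# Added example (not from the tutorial). Requires the AzureAD module:
#   Install-Module AzureAD
Connect-AzureAD | Out-Null   # interactive sign-in as an application administrator

# Connector Group: use a named group if it exists, otherwise the Default group,
# which is what the portal assigns when no groups have been created.
$groupName = 'On-prem apps'   # placeholder
$group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.IsDefault }
}

$appParams = @{
    # Name
    DisplayName                   = 'Contoso intranet (placeholder)'
    # Internal URL: publish the server root so /app and the /media assets are both covered.
    InternalUrl                   = 'https://yourapp/'
    # External URL: placeholder on the default Application Proxy domain; a custom domain is optional.
    ExternalUrl                   = 'https://yourapp-contoso.msappproxy.net/'
    # Pre Authentication = Azure Active Directory ('Passthru' would be the Passthrough option).
    ExternalAuthenticationType    = 'AadPreAuthentication'
    # Translate URLs in Headers = Yes; Translate URLs in Application Body = No.
    IsTranslateHostHeaderEnabled  = $true
    IsTranslateLinksInBodyEnabled = $false
    # Backend Application Timeout: Default is 85 s; 'Long' raises it to 180 s.
    ApplicationServerTimeout      = 'Default'
    ConnectorGroupId              = $group.Id
}
$app = New-AzureADApplicationProxyApplication @appParams

# Show the published settings; ExternalUrl is the address users will be sent to.
$app | Format-List
```

The cookie settings from the Additional settings table (HTTP-Only, Secure, Persistent) are left at their portal defaults here; adjust them in the portal if your application needs otherwise.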

Test the application

You're ready to test that the application was added correctly. In the following steps, you'll add a user account to the application, and try signing in.

Add a user for testing

Before adding a user to the application, verify the user account already has permissions to access the application from inside the corporate network.

To add a test user:

  1. Select Enterprise applications, and then select the application you want to test.
  2. Select Getting started, and then select Assign a user for testing.
  3. Under Users and groups, select Add user.
  4. Under Add assignment, select Users and groups. The Users and groups section appears.
  5. Choose the account you want to add.
  6. Choose Select, and then select Assign.
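The test-user assignment above as an added PowerShell example, not part of the tutorial: it finds the enterprise application created when the app was published, assigns one user to its default role, and is safe to re-run because it skips users already assigned. It assumes the AzureAD module with an active Connect-AzureAD session; the function name, app name and UPN are placeholders.

```powershell
# Added example (not from the tutorial). Assumes Connect-AzureAD has already run.

function Add-AppProxyTestUser {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Publishing through Application Proxy creates an enterprise application
    # (service principal) with the same display name; that is what users are assigned to.
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found." }

    # Get-AzureADUser accepts a UPN as the object identifier.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Idempotency: return the existing assignment instead of creating a duplicate.
    $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $sp.ObjectId }
    if ($existing) { return $existing }

    # Application Proxy apps expose only the default access role, which is selected
    # with the empty GUID.
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
        -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty)
}

# Usage (placeholders):
# Add-AppProxyTestUser -AppDisplayName 'Contoso intranet (placeholder)' -UserPrincipalName 'testuser@contoso.com'
```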

Test the sign-on

To test the sign-on to the application:

  1. From the application you want to test, select Application Proxy.
  2. At the top of the page, select Test Application to run a test on the application and check for any configuration issues.
  3. Make sure to first launch the application to test signing into the application, then download the diagnostic report to review the resolution guidance for any detected issues.

For troubleshooting, see Troubleshoot Application Proxy problems and error messages.

Clean up resources

When no longer needed, delete the resources you created in this tutorial.

Next steps

In this tutorial, you prepared your on-premises environment to work with Application Proxy, and then installed and registered the Application Proxy connector. Next, you added an application to your Azure AD tenant. You verified that a user can sign on to the application by using an Azure AD account.

You did these things:

  • Opened ports for outbound traffic and allowed access to specific URLs
  • Installed the connector on your Windows server, and registered it with Application Proxy
  • Verified the connector installed and registered correctly
  • Added an on-premises application to your Azure AD tenant
  • Verified a test user can sign on to the application by using an Azure AD account

You're ready to configure the application for single sign-on. Use the following link to choose a single sign-on method and to find single sign-on tutorials.