How Microsoft can help working from Home – Responding to Corona crisis – Remote Access – Part 2

Hello All,

This is Part Two of this series. Part One, which discussed how to enable Microsoft Teams, can be found here.

In response to the current coronavirus crisis, many governments around the world have started locking down their countries, which means that most employees are now seriously considering working from home.

A web search turns up many articles on how technology can help in such a situation. In this article I am going to discuss one of the top requests we are getting from our customers these days and clear up the doubts you may have. The questions we hear most often are:

I have some on-premises apps which are not published over the Internet, and I need my employees to still be able to access them securely while they are working from home!

I want to allow my users to access internal servers/resources securely while they are working from home!

 

Microsoft provides multiple solutions that allow your users to work effectively and stay productive while they are working from home.

Azure AD Application Proxy:

Azure AD Application Proxy is a way to publish your on-premises web-based applications over the Internet securely. Application Proxy doesn't require you to open any inbound connections through your firewall (the on-premises connector only makes outbound HTTPS connections to the service), which makes it a very secure way to publish your on-premises applications, including Exchange OWA.

In this model the authentication request starts with Azure Active Directory, which means that Azure AD security features such as Conditional Access and MFA can be applied to this kind of access. This holds as long as you publish the application with Azure AD pre-authentication; if you choose Passthrough instead, users reach the application without signing in to Azure AD first and none of these controls apply.

 

Application Proxy works with:

  • Web applications that use Integrated Windows Authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

Application Proxy supports single sign-on. For more information on supported methods, see Choosing a single sign-on method.

Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network; internal users who unnecessarily go through Application Proxy can introduce unexpected and undesirable performance issues.

Full information about Azure APP Proxy can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

Technical Steps can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

 

Now, since we are talking about a crisis here, some customers may not have Azure AD in place already. In order to use Azure AD Application Proxy, you need to make sure that your Azure AD tenant is configured correctly.

If you are starting from scratch, you may need to activate your Azure AD tenant and then sync your users to it. Below are the steps that a customer who has never used Azure AD before can follow in order to start using Application Proxy:

 

1- Sign up for a free Azure AD tenant: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant#create-a-new-azure-ad-tenant

2- Verify your domain name in Azure AD. In this step you verify your actual domain name so that your users can keep it in their UPN. Note that only a routable, verified domain can be used; if your on-premises UPN suffix is non-routable (for example a .local domain), synced users end up with an onmicrosoft.com UPN unless you add a verified suffix first: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#add-your-custom-domain-name-to-azure-ad

3- Sync your users from on-premises AD to Azure AD using the Azure AD Connect tool. The tool offers multiple sign-in options: you can simply sync the users together with their password hashes (password hash synchronization), or, if you have AD FS or another federation service, you can sync the users without their passwords and federate the sign-in. The full technical steps are described in detail here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

Once the users are synced, you need a valid license: Application Proxy requires Azure AD Premium P1 or P2. If the licensing is in place, go ahead and start your implementation.
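As an added example (not part of the original post), here is a PowerShell pre-flight check that covers the three steps above plus the license requirement: it compares the on-premises UPN suffixes with the domains verified in the tenant, lists enabled users whose suffix is not verified (they would be synced with an onmicrosoft.com UPN), confirms that an Azure AD Premium P1/P2 SKU exists, and spot-checks the connector's outbound HTTPS path. It assumes the ActiveDirectory (RSAT) and MSOnline modules are installed and that Connect-MsolService has already been run; the two endpoint names are taken from the Application Proxy documentation's outbound-URL list.

```powershell
# Added example, not from the original post: a pre-flight check to run before
# syncing users and publishing apps with Azure AD Application Proxy.
# Assumptions: the ActiveDirectory RSAT module and the MSOnline module are installed,
# and Connect-MsolService has already been run with an administrative account.
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. UPN suffixes that exist on-premises vs. domains verified in the tenant.
$forest          = Get-ADForest
$onPremSuffixes  = @($forest.Domains) + @($forest.UPNSuffixes)
$verifiedDomains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

Write-Host "On-premises UPN suffixes : $($onPremSuffixes -join ', ')"
Write-Host "Verified Azure AD domains: $($verifiedDomains -join ', ')"

# 2. Enabled users whose UPN suffix is not a verified domain. Azure AD Connect
#    cannot keep a non-routable suffix such as contoso.local; those users end up
#    with an @<tenant>.onmicrosoft.com UPN and sign in with a name they do not expect.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$mismatched = foreach ($u in $users) {
    $suffix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[-1] } else { $null }
    if ((-not $suffix) -or ($verifiedDomains -notcontains $suffix)) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Suffix            = $suffix
        }
    }
}
if ($mismatched) {
    Write-Warning ("{0} enabled users have a UPN suffix that is not verified in Azure AD:" -f @($mismatched).Count)
    $mismatched | Group-Object Suffix | Select-Object Name, Count | Format-Table -AutoSize
} else {
    Write-Host 'All enabled users have a UPN suffix that is verified in Azure AD.'
}

# 3. Licensing: Application Proxy requires Azure AD Premium P1 or P2.
#    The service plan names inside a SKU are AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2).
$premiumSkus = Get-MsolAccountSku | Where-Object {
    $_.ServiceStatus.ServicePlan.ServiceName -match '^AAD_PREMIUM(_P2)?$'
}
if ($premiumSkus) {
    $premiumSkus | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits | Format-Table -AutoSize
} else {
    Write-Warning 'No Azure AD Premium P1/P2 SKU found in the tenant; Application Proxy cannot be used yet.'
}

# 4. The connector server only needs outbound 80/443, no inbound rules. Spot-check
#    two of the endpoints listed in the Application Proxy documentation from the
#    server that will host the connector.
foreach ($endpoint in 'login.microsoftonline.com', 'login.windows.net') {
    $ok = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet
    Write-Host ("Outbound 443 to {0}: {1}" -f $endpoint, $(if ($ok) { 'OK' } else { 'BLOCKED' }))
}
```

Fix any suffix mismatch (add and verify the routable domain in Azure AD, then change the affected users' UPN suffix on-premises) before the first Azure AD Connect sync; changing UPNs after the users already exist in the tenant is possible but creates a second round of sign-in confusion for the people you are trying to get working from home.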

What About Security!

Since the authentication traffic is routed to start with Azure AD, you can use any Azure AD security feature such as multi-factor authentication, Conditional Access, etc. Which ones you can apply depends on your license and on how many layers of security you want to add.

For more information about Azure AD security features, read this: https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-overview

This is a great start for allowing your users to work remotely and stay productive by accessing your internal apps in a very secure way.

Securing remote access to internal servers/resources:

The other type of request I see these days is that customers want to allow remote sessions to internal servers and resources, but they don't have a good VPN solution, or they want something that can be implemented easily and securely.

First Scenario: Customers who already have a VPN solution from Cisco, Fortinet, etc., and just need to secure the access by adding an additional layer of security.

Azure AD provides multiple ways to secure this type of connection by adding multi-factor authentication to every VPN logon.
We have two options here: Azure MFA Server or the Azure MFA NPS extension. Since we have already announced that MFA Server is being deprecated, we don't recommend starting a new implementation of it.

The best solution here, since most of these VPN solutions support RADIUS authentication, is the Azure MFA NPS extension. It is a lightweight deployment that enables MFA for all VPN connections: the VPN appliance sends its RADIUS request to an on-premises NPS server, where the extension lets NPS validate the primary credentials against Active Directory and then triggers the Azure MFA challenge before the access-accept is returned.

If you are looking for how to implement this and what the license requirements are, follow this article: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

If you already have an on-premises MFA Server and you still need to use it, you can find sample documents on how to configure RADIUS/LDAP authentication here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn

Note that in the MFA NPS extension model your users must be synced to Azure AD. If the users are not synced, or you have never used Azure AD before, first complete the three steps listed in the Application Proxy section above (sign up for the Azure AD tenant, verify your domain name, and sync your users with Azure AD Connect).

After that is completed, continue with the MFA NPS extension guide mentioned above.
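As an added example (not from the original post), the following PowerShell lists the synced users who have no MFA method registered and reads the extension's REQUIRE_USER_MATCH setting, which decides whether such users are denied (the VPN fails closed) or let through with password only (it fails open). It assumes the MSOnline module with an existing Connect-MsolService session, and that the registry and service checks are run on the NPS server after the extension has been installed and configured.

```powershell
# Added example, not from the original post: checks to run before turning on the
# Azure MFA NPS extension in front of a VPN. Assumptions: the MSOnline module is
# installed and Connect-MsolService has been run; the registry and service parts run
# on the NPS server after the extension has been installed.
Import-Module MSOnline

# 1. Synced users with no MFA method registered. Every VPN user must be synced to
#    Azure AD and registered for MFA, otherwise the extension has nothing to challenge.
$synced       = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -and -not $_.BlockCredential }
$unregistered = $synced | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }

Write-Host ("Synced users: {0}, without any MFA method: {1}" -f @($synced).Count, @($unregistered).Count)
$unregistered | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize

# 2. How the extension treats those users is decided by REQUIRE_USER_MATCH under
#    HKLM:\SOFTWARE\Microsoft\AzureMfa. TRUE (the default) denies users who are not
#    registered, so the VPN fails closed; FALSE lets them in with password only,
#    which silently bypasses MFA for every account in the list above.
$key   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $props) {
    Write-Warning "$key not found: the NPS extension does not appear to be installed on this server."
} else {
    $requireMatch = if ($props.PSObject.Properties['REQUIRE_USER_MATCH']) {
        $props.REQUIRE_USER_MATCH
    } else {
        'TRUE (key absent, default applies)'
    }
    Write-Host "REQUIRE_USER_MATCH = $requireMatch"
    if ("$requireMatch" -match '^FALSE$' -and @($unregistered).Count -gt 0) {
        Write-Warning 'REQUIRE_USER_MATCH is FALSE: the unregistered users above will connect with password only.'
    }
}

# 3. The NPS service itself (service name IAS) must be running to answer RADIUS requests.
$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
if ($nps -and $nps.Status -eq 'Running') {
    Write-Host 'Network Policy Server service is running.'
} else {
    Write-Warning 'Network Policy Server service (IAS) is not running.'
}
```

The practical choice during a rushed rollout is to keep REQUIRE_USER_MATCH at TRUE and drive the unregistered users through MFA registration first, rather than flipping it to FALSE to stop the help-desk calls; the second option leaves the VPN protected by passwords alone for exactly the accounts you have not yet verified.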

Second Scenario: Customers who DON'T have a VPN solution and need to allow access to internal servers/resources in a secure way.

The fastest solution here is to deploy the Windows Remote Desktop Gateway role and secure the access using MFA. As in scenario #1, you can use either option, MFA Server or the MFA NPS extension, and our recommendation is still the Azure MFA NPS extension for this deployment. Publish only the RD Gateway (HTTPS, TCP 443) to the Internet and keep RDP itself (TCP 3389) closed at the perimeter; clients connect to the gateway, which brokers the RDP session to the internal host.

I already wrote a long article some time ago that describes all the technical details and considerations required for such a deployment: http://azuredummies.com/2017/07/01/securing-rdp-connection-using-azure-mfa-for-windows-2012-r22016/ . Although it covers the old deployment model (MFA Server), I still recommend reading it in order to understand the concept and the connection flow; it includes a lot of useful information.

To configure the RD Gateway with the MFA NPS extension, follow this article: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg . One thing to watch in that guide: the RADIUS timeout on the RD Gateway's NPS towards the central NPS server must be raised (the guide uses 60 seconds), otherwise the request times out while the user is still completing the MFA challenge.

Remember that you need to be aware of the licensing requirements of this deployment 😊

Note: if you still want to work with MFA Server and you are a new customer who has never used it before, you need to open a support case with Microsoft to have your tenant whitelisted, with a critical business justification.

Stay tuned for the next article in a couple of days, where I will discuss more topics that will help in this crisis 😊

Stay safe, and protect yourself and others by working from home during this crisis.

Ahmad Yasin is a Technical Adviser at Microsoft in the Azure Identity team and the owner and publisher of the AzureDummies blog. He also holds many certifications in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions, Office 365, and Azure Security Specialist.

Find Ahmad on Facebook and LinkedIn
