If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users.
To reduce the attack surface, a traditional method, such as a VPN, has its place, but Microsoft Entra Application Proxy is another method for improving security, while offering a more efficient approach.
Entra Application Proxy, formerly Azure Active Directory Application Proxy, uses Microsoft Entra ID, formerly Azure AD, to give access to an on-premises web-based application by proxying the access request through Entra ID. Entra Application Proxy allows anyone over the public internet - from any device and browser - to use single sign-on for access to an application without opening inbound connections in the corporate firewall.
Once authenticated at a browser login prompt, the user can access the application.
If the application has its own authentication requirements, then the user sees a prompt at the app layer.
Pointing the application's access policies at groups rather than individual users gives you an easy way to audit who has access to the application: check the membership of the linked group.
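The group-based audit the article recommends only tells the whole story if nobody has been assigned to the application directly. The following added example (not from the article or from Microsoft) expands group assignments into the effective set of users and flags direct user assignments that a group-membership review would miss. The assignment and membership records are constructed in-line to stand in for what Microsoft Graph returns (`appRoleAssignedTo` on the service principal and `transitiveMembers` on each group); the IDs and names are placeholders.

```python
"""Effective-access report for an Entra application assigned through groups.

Added example. The data below is constructed and mirrors the shape of
Microsoft Graph appRoleAssignment records (principalType is "Group" or
"User") and of a flattened transitiveMembers listing per group.
"""
from __future__ import annotations

# Constructed sample: principals assigned to the proxied application.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "grp-hr-app", "principalType": "Group",
     "principalDisplayName": "HR-App-Users"},
    {"principalId": "grp-it", "principalType": "Group",
     "principalDisplayName": "IT-Admins"},
    {"principalId": "usr-contractor1", "principalType": "User",
     "principalDisplayName": "contractor1@example.com"},
]

# Constructed sample: transitive membership of each group (nesting already flattened).
GROUP_MEMBERS = {
    "grp-hr-app": ["alice@example.com", "bob@example.com"],
    "grp-it": ["bob@example.com", "carol@example.com"],
}


def effective_users(assignments, group_members) -> dict[str, set[str]]:
    """Map each user who can reach the app to the assignment path(s) granting it.

    Group assignments are expanded through membership; a direct user
    assignment is recorded as the path "direct" so it stands out in review.
    """
    access: dict[str, set[str]] = {}
    for a in assignments:
        if a["principalType"] == "Group":
            for user in group_members.get(a["principalId"], []):
                access.setdefault(user, set()).add("group:" + a["principalDisplayName"])
        elif a["principalType"] == "User":
            access.setdefault(a["principalDisplayName"], set()).add("direct")
    return access


def direct_assignments(assignments) -> list[str]:
    """Users assigned individually; these escape a group-membership audit."""
    return [a["principalDisplayName"] for a in assignments
            if a["principalType"] == "User"]


if __name__ == "__main__":
    for user, paths in sorted(effective_users(APP_ROLE_ASSIGNMENTS, GROUP_MEMBERS).items()):
        print(f"{user:28} via {', '.join(sorted(paths))}")
    print("Direct assignments to review:", direct_assignments(APP_ROLE_ASSIGNMENTS))
```

Run against real tenant data, the "direct" entries are the ones to move into a group (or remove), so that the group membership check the article describes remains a complete answer to "who can reach this application".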
Historically, as more people worked remotely and needed access to these web applications, the next logical step was a VPN: a secure connection over the internet that lets the remote device act as if it were on the internal network.
Using Entra Application Proxy can bring potential cost savings in both licensing and administrative effort if a switch to Entra Application Proxy leads to the removal of your VPN. You can get reports on the logins and usage of each application, which might not be available with alternatives to Entra Application Proxy.
The license is included with Entra ID and covers as many web interfaces as you need, but there is a limit of 500 transactions per second for a single application and 750 transactions per second across the organization. Network bandwidth requirements vary based on the on-premises web application.
You also need Microsoft Entra ID set up with access to an Application Administrator account, or an account with equivalent access.
The configuration of Entra Application Proxy requires just a few simple steps.
First, install an Entra Application Proxy connector on Windows Server 2012 R2 or newer.
For high availability purposes, consider installing a second Entra Application Proxy connector on another server.
Ideally, this server should be close on the network to the server that hosts the web application front end to reduce latency.
The connector and the web application must be in the same AD or in multiple AD systems with a trust set up between them.
The connector status appears in the Microsoft Entra portal under Identity > Applications > Enterprise applications > Application proxy.
Next, add your on-premises web application to Entra ID through the portal, supplying its configuration details, including the internal URL and the external URL that outside users will use to reach the application.
You have several optional settings related to application timeouts and certificate settings to further customize the way Entra Application Proxy works.
When complete, a user enters the external URL and authenticates with Microsoft Entra ID. If they pass the conditional access checks, they get access to the internal web application in a much more secure and controlled manner.
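The publishing step above comes down to a handful of settings: the internal URL, the external URL, whether Entra ID pre-authenticates users, and the optional timeout and cookie settings. The added example below (not the article's or Microsoft's code) builds that configuration as the JSON body you would send to Microsoft Graph and runs a few sanity checks on it first. It assumes the property names of the Graph beta `onPremisesPublishing` resource (`externalUrl`, `internalUrl`, `externalAuthenticationType`, `applicationServerTimeout` and the cookie and translation flags); verify them against the current Graph reference before use. The checks for an `https` external URL, for distinct internal and external hosts, and for Entra pre-authentication are this example's additions, not requirements stated in the article. Nothing here talks to Graph; it only produces and validates the payload.

```python
"""Build and sanity-check Entra Application Proxy publishing settings.

Added example. Property names follow the Microsoft Graph beta
onPremisesPublishing resource (assumed; check the current reference).
The function returns the body you would PATCH onto /beta/applications/{id}.
"""
import json
from urllib.parse import urlparse


def validate_publishing(external_url: str, internal_url: str,
                        pre_auth: str = "aadPreAuthentication") -> list[str]:
    """Return findings about the settings; an empty list means they pass."""
    findings = []
    ext, inn = urlparse(external_url), urlparse(internal_url)
    if ext.scheme != "https":
        findings.append("external URL must use https; users authenticate to Entra ID here")
    if inn.scheme not in ("http", "https"):
        findings.append("internal URL must be http or https")
    if not ext.netloc or not inn.netloc:
        findings.append("both URLs need a host")
    if ext.netloc == inn.netloc:
        findings.append("external and internal hosts are identical; the internal name "
                        "should not be the one exposed to the internet")
    if pre_auth != "aadPreAuthentication":
        findings.append("pre-authentication is not Entra ID ('passthru'); unauthenticated "
                        "requests would reach the connector and the app")
    if ext.path.rstrip("/") != inn.path.rstrip("/"):
        findings.append("external and internal paths differ; absolute links in the app "
                        "may break unless link translation is enabled")
    return findings


def build_publishing_body(external_url: str, internal_url: str,
                          pre_auth: str = "aadPreAuthentication",
                          long_timeout: bool = False) -> dict:
    """Graph PATCH body for the application object (assumed schema, see docstring).

    Both URLs are normalised to end in '/', matching the form shown in the
    Graph examples (assumption).
    """
    ext = external_url if external_url.endswith("/") else external_url + "/"
    inn = internal_url if internal_url.endswith("/") else internal_url + "/"
    return {
        "onPremisesPublishing": {
            "externalUrl": ext,
            "internalUrl": inn,
            "externalAuthenticationType": pre_auth,
            # "long" extends the back-end timeout for slow apps; "default" otherwise
            "applicationServerTimeout": "long" if long_timeout else "default",
            # Cookie hardening: not readable by script, sent only over TLS, not persisted
            "isHttpOnlyCookieEnabled": True,
            "isSecureCookieEnabled": True,
            "isPersistentCookieEnabled": False,
            "isTranslateHostHeaderEnabled": True,
            "isTranslateLinksInBodyEnabled": False,
        }
    }


if __name__ == "__main__":
    # Constructed placeholder URLs; replace with your own.
    external = "https://hr.msappproxy.example.net"
    internal = "http://hrweb.corp.example"
    problems = validate_publishing(external, internal)
    if problems:
        print("Fix before publishing:", *problems, sep="\n - ")
    else:
        print(json.dumps(build_publishing_body(external, internal), indent=2))
```

The point of running the checks before building the body is that the two settings most likely to undo the security benefit the article describes, a plain `http` external URL and `passthru` instead of Entra pre-authentication, are caught as configuration errors rather than discovered later in the sign-in logs.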
Published on www.techtarget.com, Tue, 12 Mar 2024 18:13:05 +0000.