Traditionally, users have accessed business applications remotely through solutions such as Virtual Private Networks (VPNs). VPNs have the advantage of providing a secure means of remote access, but often at a high cost and with a poor end-user experience. With the shift to mobile devices such as tablets and the use of personal computers and bring your own device (BYOD) strategies to access corporate data, the VPN is often not a practical solution anymore.
Without relying on a VPN, you still need a way to provide remote access to line-of-business applications that are hosted on-premises or in the cloud on an Infrastructure as a Service (IaaS) platform. This remote access needs to provide the same level of security and granular access control as your VPN, it needs to be end-user friendly, and of course it needs to be cost effective.
The Entra ID (formerly Azure Active Directory) Application Proxy is a good example of a solution to this problem. With the Entra ID Application Proxy, you can provide remote access to web applications and Remote Desktop Services (RDS) deployments (RD Web and RD Gateway) without opening any inbound ports on your firewall: the only connections are outbound from your network. When you publish an application with a custom domain, the URL users already know does not change, so there is nothing to re-train. Finally, you can make dynamic decisions about whether or not users can access an application based on factors such as who they are, where they are coming from, the device they are using, and the risk level of their current session.
How the Entra ID Application Proxy Works
The Entra ID Application Proxy uses one or more agents, called connectors, that are installed on servers in your network. The image below shows how those connectors open a pool of outbound HTTPS connections to the Entra ID cloud service and wait for requests on them (the blue arrow). When a user makes a request, the user is first authenticated by Entra ID (the first green arrow). If authentication and the policy checks succeed, the request is handed to one of the connectors over the existing outbound connection (the second green arrow). The connector makes the request to the on-premises server on the user's behalf and returns the response through the same outbound connection pool (the third green arrow). Because the connector only ever receives an Entra ID token for the user, never the user's password or a Kerberos ticket, it typically uses Kerberos constrained delegation (KCD) with protocol transition to obtain a service ticket for the user and sign in to the internal application as that user. This is the main trust decision in the design: the connector's computer account is permitted to impersonate any user to the service principal names (SPNs) you delegate, so treat connector hosts as tier-0-adjacent systems, restrict the delegation list to exactly the published applications, and never fall back to unconstrained delegation.
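As an added example (not from the original article or from Microsoft's documentation), the following PowerShell configures the KCD step described above on the Active Directory side: it grants one connector's computer account constrained delegation with protocol transition to one published application's SPN, verifies the result, and lists every account in the domain that currently holds a delegation right so over-broad delegation can be spotted. The connector name APPPROXY01 and the SPN HTTP/timesheets.corp.contoso.com are assumptions; substitute your own.

```powershell
# Added example: KCD for an Application Proxy connector. All names are assumed.
# Run with an account allowed to edit the connector's computer object (e.g. Domain Admin).
Import-Module ActiveDirectory

$Connector = 'APPPROXY01'                            # assumed connector server name
$AppSpn    = 'HTTP/timesheets.corp.contoso.com'      # assumed SPN of the published app

# 1. Protocol transition ("Use any authentication protocol"). The connector holds an
#    Entra ID token, not a Kerberos ticket from the user, so it must be allowed to
#    request a ticket on the user's behalf (S4U2Self followed by S4U2Proxy).
Set-ADAccountControl -Identity "$Connector$" -TrustedToAuthForDelegation $true

# 2. Constrain delegation to exactly the SPN(s) of the published app. Do NOT set
#    TrustedForDelegation (unconstrained): a compromised connector would then be able
#    to reuse the tickets of every user who signed in through it against any service.
Set-ADComputer -Identity $Connector -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }

# 3. Verify the connector object and that the SPN is actually registered on the
#    web application's service account; KCD fails silently-looking otherwise
#    (the user sees a generic error from the proxy).
Get-ADComputer -Identity $Connector -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
setspn -Q $AppSpn

# 4. Detection/audit: every account that can delegate, and how. Review this list
#    periodically; an Application Proxy connector should appear only in the
#    constrained list, with nothing but the SPNs of apps it publishes.
Write-Host "`nConstrained delegation (msDS-AllowedToDelegateTo set):"
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass, @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

Write-Host "`nUnconstrained delegation (should be domain controllers only):"
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object Name, ObjectClass
```

Step 4 uses the LDAP bitwise filter for the TRUSTED_FOR_DELEGATION flag (0x80000 = 524288) so it catches both user and computer accounts; the connector account should never appear there.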
Managing Risk with Conditional Access
Before a user is passed through Entra ID to the Entra ID Application Proxy, the user must first satisfy the Conditional Access policy associated with the application. The Conditional Access policy allows you to control access to the application based on factors such as: a) the user's identity and group membership, b) the device the user is using to access the application (for example, requiring it to be Intune-compliant or hybrid-joined), c) where the user is coming from (e.g., the user's IP address or named location), and d) the sign-in or user risk level assigned by Identity Protection. You can also require the user to perform multi-factor authentication (MFA) before being passed through to the application. Two caveats a practitioner should check: Conditional Access is evaluated only when the application is published with pre-authentication set to Microsoft Entra ID; an application published with passthrough pre-authentication is forwarded to the connector without any Entra ID sign-in, so no policy applies to it. And a new policy should be created in report-only mode first and validated against the sign-in log before it is enforced, so that a mis-scoped policy does not lock users (or administrators) out.
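As an added example (not from the original article), the following Microsoft Graph PowerShell creates the two policies the paragraph above describes for one Application Proxy application: one that requires MFA and a compliant device from any location except trusted ones, and one that blocks sign-ins Identity Protection rates as high risk. Both are created in report-only mode. The application display name "Timesheets" and the group "Timesheet Users" are assumptions; the application must have been published with Entra ID pre-authentication.

```powershell
# Added example: Conditional Access for an Application Proxy app via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module. Names below are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Conditional Access targets the application's appId, which belongs to the service
# principal Application Proxy created when the app was published.
$app   = Get-MgServicePrincipal -Filter "displayName eq 'Timesheets'"
$group = Get-MgGroup -Filter "displayName eq 'Timesheet Users'"
if (-not $app -or -not $group) { throw 'Application or group not found; check the assumed names.' }
if (@($app).Count -ne 1)       { throw 'Display name is ambiguous; pick the service principal by Id instead.' }

function New-AppProxyCaPolicy {
    param(
        [Parameter(Mandatory)][string]   $DisplayName,
        [Parameter(Mandatory)][hashtable] $Conditions,
        [Parameter(Mandatory)][hashtable] $GrantControls
    )
    # Every policy here is scoped to the one app and the one group, and starts in
    # report-only mode. Flip 'state' to 'enabled' only after reviewing the
    # "Report-only" tab of the sign-in log.
    $Conditions['users']          = @{ includeGroups = @($group.Id) }
    $Conditions['applications']   = @{ includeApplications = @($app.AppId) }
    $Conditions['clientAppTypes'] = @('all')

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Policy 1: from anywhere except trusted named locations, require MFA AND a
# compliant device. 'AND' matters: 'OR' would let an unmanaged BYOD device in
# with MFA alone, which is the opposite of what this policy is for.
$p1 = New-AppProxyCaPolicy -DisplayName 'AppProxy Timesheets: MFA + compliant device off-network' `
    -Conditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } } `
    -GrantControls @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }

# Policy 2: block sign-ins that Identity Protection rates as high risk, regardless
# of device or location. Requires the Identity Protection (P2) licence.
$p2 = New-AppProxyCaPolicy -DisplayName 'AppProxy Timesheets: block high sign-in risk' `
    -Conditions @{ signInRiskLevels = @('high') } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

$p1, $p2 | Select-Object id, displayName, state
```

Keep an emergency-access (break-glass) account excluded from policies like these; the exclusion is deliberately not shown because the account name is tenant-specific.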
Secure Application Access with the Entra ID Application Proxy
With Entra ID P1 or P2 and the Entra ID Application Proxy, you can securely provide remote access to on-premises applications without the need for a traditional VPN solution. Conditional Access (P1) lets you control where, when, and from which devices applications can be accessed, and Identity Protection (P2) adds the sign-in and user risk signals that let you make dynamic, risk-based decisions to safeguard your information.
Are remote access and BYOD problems you're facing? You can learn more about secure anywhere access with Microsoft Entra ID here.