Application Proxy for On-Premises Apps
Understanding the Concept
Microsoft Entra Application Proxy provides secure remote access to on-premises web applications without requiring a VPN. It consists of a connector installed in the on-premises environment that opens an outbound connection to the Application Proxy service in Azure; the service then relays authenticated user requests to the connector, which forwards them to the internal application.
Application Proxy supports header-based authentication, integrated Windows authentication with Kerberos constrained delegation, and forms-based authentication. Users access on-premises apps through Entra ID with SSO, MFA, and Conditional Access - the same policies as cloud apps.
The architecture is secure by design: connectors make outbound-only connections (no inbound firewall rules are needed), traffic between the connector and the cloud service is TLS-encrypted, and every request is authenticated and authorized by Entra ID before it is relayed to the on-premises application.
Key Points
- Outbound-only connectors: No inbound firewall rules or DMZ needed
- SSO to on-prem apps: Kerberos, header-based, or forms authentication
- CA + MFA: Cloud security policies applied to on-prem app access
- Connector groups: Route traffic to specific connectors for different apps
- Custom domains: Use your own domain instead of msappproxy.net
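As an added example (not part of this lesson or of any Microsoft tooling), the following script audits published app definitions for the three settings the key points above call out: Entra pre-authentication, an SSO mode, and a custom domain. The field names follow the Microsoft Graph beta onPremisesPublishing resource as I understand it (an assumption to verify against current Graph documentation), and the two sample apps are constructed.

```python
# Added example: audit Application Proxy app definitions for the settings this
# lesson calls out. Field names are assumed to match the Microsoft Graph beta
# "onPremisesPublishing" resource; the sample apps below are constructed.
from typing import Dict, List

# Constructed sample, shaped like the result of
# GET /beta/applications?$select=displayName,onPremisesPublishing
SAMPLE_APPS: List[Dict] = [
    {
        "displayName": "HR Portal",
        "onPremisesPublishing": {
            "externalUrl": "https://hr.contoso.com/",
            "internalUrl": "https://hr.corp.contoso.local/",
            "externalAuthenticationType": "aadPreAuthentication",
            "singleSignOnSettings": {"singleSignOnMode": "onPremisesKerberos"},
        },
    },
    {
        "displayName": "Legacy Timesheets",
        "onPremisesPublishing": {
            "externalUrl": "https://timesheets-contoso.msappproxy.net/",
            "internalUrl": "http://timesheets/",
            "externalAuthenticationType": "passthru",
            "singleSignOnSettings": {"singleSignOnMode": "none"},
        },
    },
]


def audit_app(app: Dict) -> List[str]:
    """Return findings for one published app (empty list = nothing to flag)."""
    pub = app.get("onPremisesPublishing") or {}
    findings: List[str] = []
    # Passthrough skips Entra pre-authentication, so Conditional Access and
    # MFA are not evaluated before the request reaches the connector.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("pre-authentication not enforced")
    # Without an SSO mode users get a second sign-in prompt at the backend.
    sso = (pub.get("singleSignOnSettings") or {}).get("singleSignOnMode", "none")
    if sso == "none":
        findings.append("no SSO mode configured")
    # Default msappproxy.net host instead of a verified custom domain.
    if ".msappproxy.net" in pub.get("externalUrl", ""):
        findings.append("external URL uses default msappproxy.net domain")
    return findings


def audit_all(apps: List[Dict]) -> Dict[str, List[str]]:
    """Map each app's display name to its list of findings."""
    return {a["displayName"]: audit_app(a) for a in apps}
```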
Why This Matters in Real Organizations
Application Proxy eliminates the need for a VPN for web application access, reducing attack surface and improving user experience. It brings the full power of Entra ID security (Conditional Access, MFA, Identity Protection) to legacy on-premises applications.
Common Mistakes to Avoid
Interview Tips
- Explain the outbound-only architecture and its security benefits
- Discuss SSO options for different on-prem app types
- Compare Application Proxy to VPN for remote access
Exam Tips (SC-300)
- Know Application Proxy architecture and connector requirements
- Understand SSO options: KCD, header-based, forms
- Know connector group use cases