Secure On‑Premises Web Apps Using Entra Application Proxy

In this lab, you will configure Microsoft Entra Application Proxy to securely publish internal web applications to external users without a VPN or firewall changes.

Scenario

A company hosts several internal web applications, including an intranet site and a knowledge base, on servers inside its private network. Staff working remotely need secure access to these apps, but the organisation wants to avoid VPN complexity, firewall exposure, and additional infrastructure.

Your task is to use Microsoft Entra Application Proxy to publish these internal apps externally. The solution must be secure, simple to deploy, and rely only on outbound connections from a lightweight connector agent installed on a Windows Server. You will configure two apps, test external access, resolve URL translation issues, and add the apps to the Microsoft 365 App Launcher for a seamless user experience.

Lab Objectives

By the end of this lab, you will be able to:

  • Install and configure the Entra Application Proxy connector.
  • Publish internal web apps using Entra Application Proxy.
  • Configure internal and external URLs, authentication, and certificates.
  • Resolve URL translation issues for apps with internal links.
  • Add published apps to the Microsoft 365 App Launcher.

Prerequisites

  • Microsoft 365 tenant with Entra ID Premium
  • Windows Server (GUI required) for the connector
  • Internal DNS configured
  • Internal web servers hosting apps
  • Internal Certificate Authority for HTTPS
  • External DNS provider for public CNAME records
  • Custom domain added to your Entra tenant

Validate Internal DNS Connectivity

Ensure the connector server can resolve internal app servers.

  1. On the connector server, open PowerShell.
  2. Run:
    Resolve-DnsName dns01
    Resolve-DnsName intranet01
    Resolve-DnsName kb01
  3. Confirm internal IPs are returned.
  4. If using a custom domain internally, verify the alias also resolves correctly.

Verification
All internal app hostnames resolve successfully from the connector server.

Prepare the Connector Server

Enable required protocols before installing the connector.

  1. Enable HTTP/2:
    Enable-WindowsOptionalFeature -Online -FeatureName Http2
  2. Create a .reg file to enable TLS 1.2 with the following contents:
    Windows Registry Editor Version 5.00

    ; Enable TLS 1.2 for Client
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    ; Enable TLS 1.2 for Server
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    ; Enable strong cryptography for .NET Framework
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
  3. Import the registry file using:
    reg import filename.reg
  4. Restart the server if prompted.

Verification
HTTP/2 and TLS 1.2 are enabled on the server.
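A verification script, added here and not part of the original lab, that confirms the .reg values above were applied and that the server can negotiate TLS 1.2 outbound (login.microsoftonline.com is used as the test host because the connector must reach it over 443; the cmdlet and .NET calls are standard Windows ones):

```powershell
# Added check: verify the SCHANNEL TLS 1.2 keys and the .NET strong-crypto
# flag from the lab's .reg file, then perform a real TLS 1.2 handshake.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$checks = @(
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Expected = 1 },
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Expected = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 1 }
)

$failed = $false
foreach ($c in $checks) {
    # Missing key or value yields $null, which is reported as a failure below.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($actual -eq $c.Expected) {
        Write-Host "OK   $($c.Name) = $actual  ($($c.Path))"
    } else {
        Write-Host "FAIL $($c.Name) = '$actual', expected $($c.Expected)  ($($c.Path))"
        $failed = $true
    }
}

# Outbound handshake restricted to TLS 1.2 only, so a success proves the
# protocol itself works from this host, not just that some TLS version does.
$testHost = 'login.microsoftonline.com'
$client = New-Object System.Net.Sockets.TcpClient($testHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($testHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    Write-Host "OK   negotiated $($ssl.SslProtocol) with $($ssl.CipherAlgorithm) to $testHost"
} catch {
    Write-Host "FAIL TLS 1.2 handshake to ${testHost}: $($_.Exception.Message)"
    $failed = $true
} finally {
    $client.Close()
}

if ($failed) { Write-Warning 'Connector prerequisites not met; fix the FAIL items before installing.' }
```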

Install the Entra Application Proxy Connector

Install and register the connector with your tenant.

  1. Go to Entra Admin Center → Enterprise Applications → Application Proxy.
  2. Download the Connector Installer.
  3. Run the installer on the connector server.
  4. Sign in with your Entra admin account.
  5. Confirm the following services appear in Services.msc:
    • Microsoft AAD Application Proxy Connector
    • Microsoft AAD Application Proxy Connector Updater

Verification
The connector appears as Active in the Entra portal.

Publish the Intranet Web App

Configure the first internal application.

  1. Go to Enterprise Applications → Application Proxy → + Configure an app.
  2. Enter:
    • Name: Intranet
    • Internal URL: https://intranet01
    • External URL: Choose a friendly name
  3. Set Pre‑authentication to Entra ID.
  4. Disable backend SSL certificate validation (internal cert). This stops the connector from validating the certificate presented by the internal server; leave it enabled if the connector server already trusts your internal CA.
  5. Save the configuration.
  6. Assign users or groups who should access the app.

Verification
The app appears as an Enterprise Application with an external URL.

Resolve URL Translation Issues

Resolve issues where internal links still point to internal hostnames.

  1. Edit the published app in Entra.
  2. Enable:
    Translate URLs in application body
  3. Save the configuration.

Verification
Hovering over links in the external version shows the external URL, not the internal hostname.
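The same Intranet settings from the two sections above, applied through Microsoft Graph instead of the portal. This is an added example, not the lab's own steps; it assumes the Microsoft.Graph PowerShell SDK, an existing app named Intranet, the Application.ReadWrite.All permission, and a placeholder external URL you replace with your own (onPremisesPublishing is a beta endpoint):

```powershell
# Added example: set Application Proxy options for the Intranet app via Graph
# and read them back, so the stored configuration is verified, not assumed.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$displayName = 'Intranet'
$app = Get-MgApplication -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $app) { throw "No application named '$displayName' found in this tenant." }

# Mirrors the lab's manual choices: Entra ID pre-authentication, backend
# certificate validation off (internal CA certificate), link translation on.
$settings = @{
    internalUrl                           = 'https://intranet01/'
    externalUrl                           = 'https://intranet-PLACEHOLDER.msappproxy.net/'  # replace with your external URL
    externalAuthenticationType            = 'aadPreAuthentication'
    isBackendCertificateValidationEnabled = $false
    isTranslateLinksInBodyEnabled         = $true
}

$uri = "https://graph.microsoft.com/beta/applications/$($app.Id)/onPremisesPublishing"
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body ($settings | ConvertTo-Json) -ContentType 'application/json'

# Read back: Invoke-MgGraphRequest returns a hashtable by default, so each
# submitted key can be compared with what the service stored.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
$mismatch = $settings.Keys | Where-Object { $current[$_] -ne $settings[$_] }
if ($mismatch) {
    Write-Warning "Settings not applied as requested: $($mismatch -join ', ')"
} else {
    Write-Host "Application Proxy settings for '$displayName' verified."
}
```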

Publish the Knowledge Base App

Publish the second app using matching internal and external DNS names.

  1. Configure internal DNS so the app uses the same hostname as your external custom domain.
  2. In Entra, create a new Application Proxy app:
    • Name: Knowledge Base
    • Internal URL: https://kb01.customdomain.com
    • External URL: Same hostname
  3. Upload the external SSL certificate for your custom domain.
  4. Add a CNAME record at your DNS registrar pointing to the Microsoft proxy endpoint.
  5. Assign users or groups.

Verification
The app loads externally without requiring URL translation.
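A split-DNS check for this section, added here rather than taken from the lab. It extends the earlier Resolve-DnsName step by querying the internal DNS server and a public resolver separately: internally the hostname must be an A record for the private web server, publicly it must be a CNAME to the Microsoft proxy endpoint under msappproxy.net. The hostname, internal DNS server and public resolver are assumptions you replace with your own:

```powershell
# Added check: confirm the Knowledge Base hostname resolves differently
# inside and outside the network, as the matching-name publishing requires.
$hostname       = 'kb01.customdomain.com'   # assumed, from the lab's internal URL
$internalDns    = 'dns01'                   # internal DNS server from the lab
$publicResolver = '1.1.1.1'                 # any public resolver works

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return ($ip -match '^10\.') -or ($ip -match '^172\.(1[6-9]|2\d|3[01])\.') -or ($ip -match '^192\.168\.')
}

# Internal view: should be an A record for the private web server.
$internal = Resolve-DnsName -Name $hostname -Server $internalDns -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
if (-not $internal) { throw "$hostname has no A record on $internalDns" }
foreach ($rec in $internal) {
    $verdict = if (Test-PrivateIPv4 $rec.IPAddress) { 'OK  ' } else { 'WARN' }
    Write-Host "$verdict internal: $hostname -> $($rec.IPAddress)"
}

# External view: should be a CNAME to the proxy so the connector, not the
# web server, is what external clients reach.
$external = Resolve-DnsName -Name $hostname -Server $publicResolver -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $external) {
    Write-Host "FAIL public: no CNAME for $hostname (registrar record missing or not yet propagated)"
} elseif ($external.NameHost -like '*.msappproxy.net') {
    Write-Host "OK   public: $hostname -> $($external.NameHost)"
} else {
    Write-Host "WARN public: $hostname -> $($external.NameHost) (not a Microsoft proxy endpoint)"
}
```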

Test External Access

Verify both apps work from an external device.

  1. Sign in to Entra ID from an external PC.
  2. Open the external URLs for both apps.
  3. Confirm:
    • Authentication works
    • Pages load correctly
    • Internal links resolve properly
  4. If the app supports Entra authentication, configure it to use Entra ID for SSO.

Verification
Both apps load externally and function as expected.

Add Apps to the Microsoft 365 App Launcher

Improve user experience by grouping apps in a custom collection.

  1. Go to Enterprise Applications → Collections.
  2. Create a new collection.
  3. Add:
    • Intranet
    • Knowledge Base
  4. Save the collection.

Verification
Users see a new collection in myapps.microsoft.com containing both apps.

Conclusion

In this lab, you successfully configured Microsoft Entra Application Proxy to publish internal web apps securely without VPNs or firewall changes. You installed the connector, published two apps, resolved URL translation issues, configured certificates, and added the apps to the App Launcher.

This approach improves security, simplifies access, and reduces infrastructure complexity while leveraging Entra ID for authentication and governance.
