Companies have had for ages requirements for connecting employees computers to organization network.
In the past I have done these setups with Ipsecs, point-to-point tunnelings and recent year with Direct Access and Always-on vpn style.
Between these it was done with Citrix and Storefront with sms-gateways for enhance the security for the connection. All of those for working ways to manage the connect to organizations inner secrets, but all of them had flaws and were hard to setup and when there was a malfunction some where it was a nightmare so debug who’s fault is it. Was it a user mistake, computer network adapter, the vpn-client, networks in the employees home, networks on organizations side or what.
Just a black hole that you can spends days to find the solution to and sometimes I didn’t even find the fault. Then reinstalling laptops, opening ports from firewall etc. etc.
But thank god today we have different options for sharing organizational information outside the network. Could be even possible to move it to the cloud, of course depending on your files usage. I still wouldn’t move AutoCAD files to cloud and it really supported also. File storage would be still on-premises and the file store with sql-replication would be stored to the cloud. For you that AutoCAD isn’t familiar, it makes project that have files in them. When someone opens a file from the project it will lock the file in-place to keep it safe. I long time a ago I replicated the data with DFS and I had to remove the attribute from the files to replicate them between different stores, but got it working. This situation comes when someone don’t close the project when their done and files are left stranded.
So that is history and then to this day.
Microsoft (of course Microsoft, who else??) has a wide variety of solutions to make your cloud happy, eh “day”, but the the cloud day. I will stop explaining this bad joke anymore. I always tell to my kids that when I explain a bad joke three times it comes funny, almost all the time.
So Microsoft and happy cloud.
Azure File Sync with Azure files
With Azure File Sync you can sync your files from on-premises file-shares to the cloud and use you can use them like DFS before. Adding more nodes to the replication group and keeping the files always available.
When you sync you files to Azure Files they will be encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.
Or if you want to bring your own keys they can stored inside Key Vault and you can encrypt your own files at-rest. Just don’t loose your keys, nobody else haves them and there a big possibility that the data will be crypted forever.
Cloud-tiering provides a heatmap of what data is used d what location. This heatmap will keep monitoring your usage on the files and keep them available when usage is high.
It will monitor the files with these attributes Last Access Time, Last Modified Time, Creation Time.
So that was cloud opportunity for files, what about stuff that has to be still inside on-premises or stuff outside your own hands.
When you create a new file share, you have options like below. I will explain a bit.
Default size with large file support is 5 terabytes and with large files it will be 100 terabytes. I believe that for most 5TB in enough.
And because I didn’t choose Premium disk when I created my storage account I cannot select it here also. All tough Transaction optimized is almost the same than Premium if you don’t need geo-redudancy.
Then you would want to configure Active Directory for the file share you just created. I’m not going thru all the steps as I don’t have AD in my hands right now.
And when you enable AD you can mount these shares with DFS-N with the same name than your existing file server on-premises.
So Azure file Sync with Azure Files in an excellent option to start your cloud journey and give your organization more usability but keeping the data also in on-premises shares.
That was Azure Files and then for the other scenario Microsoft has introduced Azure Application Proxy.
What is Azure AD Application Proxy?
AAD Application Proxy is like RDS Web Access or Citrix Storefront, i will support the following.
- Web applications that use Integrated Windows Authentication for authentication
- Web applications that use form-based or header-based access
- Web APIs that you want to expose to rich applications on different devices
- Applications hosted behind a Remote Desktop Gateway
- Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)
When you introduce the proxy for the first time, you need to install an connector to on-premise. It supports Windows Server 2012 R2 or later and should be able to communicate with the software that you are publishing.
The agent has automatic updates enabled by default so you don’t have to worry about new versions.
Quick tip! Did you know that Modern Exchange Hybrid uses the same feature? You don’t have to expose EWS to internet, you can just use the agent and Microsoft Proxy Services will carry the traffic to the cloud
Authentication
AAD Application Proxy has several options for authentication workflows. You can use SP-initiated or IdP-initiated authentication.
And to explain a bit, with IdP workflow the user logins from MyApps portal to access the application and with SP they will contact the app directly but the app will send auth request to Azure AD.
So as you can see it’s really useful for giving Azure AD secured access to your on-premise apps no matter where you want to connect from.
And you can these the SSO options with Azure AD Proxy.
Header-Based
- The Admin customizes the attribute mappings required by the application in the Azure AD portal.
- When a user accesses the app, Application Proxy ensures the user is authenticated by Azure AD
- The Application Proxy cloud service is aware of the attributes required. So the service fetches the corresponding claims from the ID token received during authentication. The service then translates the values into the required HTTP headers as part of the request to the Connector.
- The request is then passed along to the Connector, which is then passed to the backend application.
- The application receives the headers and can use these headers as needed.
Kerberos-based
- The user enters the URL to access the on premises application through Application Proxy.
- Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point, Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Azure AD creates a token and sends it to the user.
- The user passes the token to Application Proxy.
- Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then the Connector pulls the UPN, and the Service Principal Name (SPN) through a dually authenticated secure channel.
- The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on premises AD, impersonating the user to get a Kerberos token to the application.
- Active Directory sends the Kerberos token for the application to the Connector.
- The Connector sends the original request to the application server, using the Kerberos token it received from AD.
- The application sends the response to the Connector, which is then returned to the Application Proxy service and finally to the user.
Final thoughts
Microsoft is really making your cloud journey starting easy with these product. You don’t have Lift and Shift all the services to the cloud at-once (You could and maybe should, but don’t have to)
Organizations still require on-premises AD for authentication or maybe user provisioning purposes. Maybe they have legacy app that cannot be shifted to the cloud as-is.
And that was it, Azure Files Sync to Azure Files and Azure AD Application proxy basics, more on these an later articles.
Stay tuned and safe!
RSS - Posts