diff --git a/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md b/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md index 82e225808f9ae..f8fb2a107735e 100644 --- a/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md +++ b/articles/active-directory/active-directory-application-proxy-claims-aware-apps.md 
@@ -17,25 +17,25 @@ ms.date: 08/04/2017 ms.author: kgremban --- -# Working with claims aware apps in Application Proxy -Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials from the user in exchange for a token before redirecting the user to the application. There are a few ways to enable Application Proxy to work with these redirects. Use this article to configure your deployment for claims aware apps. +# Working with claims-aware apps in Application Proxy +[Claims-aware apps](https://msdn.microsoft.com/library/windows/desktop/bb736227.aspx) perform a redirection to the Security Token Service (STS). The STS requests credentials from the user in exchange for a token and then redirects the user to the application. There are a few ways to enable Application Proxy to work with these redirects. Use this article to configure your deployment for claims-aware apps. ## Prerequisites -Make sure that the STS that the claims aware app redirects to is available outside of your on-premises network. You can make the STS available by exposing it through a proxy or by allowing outside connections. +Make sure that the STS that the claims-aware app redirects to is available outside of your on-premises network. You can make the STS available by exposing it through a proxy or by allowing outside connections. ## Publish your application -1. Publish your application according to the instructions described in [Publish applications with Application Proxy](active-directory-application-proxy-publish-azure-portal.md). +1. Publish your application according to the instructions described in [Publish applications with Application Proxy](application-proxy-publish-azure-portal.md). 2. Navigate to the application page in the portal and select **Single sign-on**. 3. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **Azure AD single sign-on disabled** as your **Internal Authentication Method**. 
If you chose **Passthrough** as your **Preauthentication Method**, you don't need to change anything. ## Configure ADFS -You can configure ADFS for claims aware apps in one of two ways. The first is by using custom domains. The second is with WS-Federation. +You can configure ADFS for claims-aware apps in one of two ways. The first is by using custom domains. The second is with WS-Federation. ### Option 1: Custom domains -If all the internal URLs for your appliations are fully qualified domain names (FQDNs), then you can configure [custom domains](active-directory-application-proxy-custom-domains.md) for your applications. Use the custom domains to create external URLs that are the same as the internal URLs. With this configuration, the redirects that the STS creates work the same whether your users are on-premises or remote. +If all the internal URLs for your applications are fully qualified domain names (FQDNs), then you can configure [custom domains](active-directory-application-proxy-custom-domains.md) for your applications. Use the custom domains to create external URLs that are the same as the internal URLs. With this configuration, the redirects that the STS creates work the same whether your users are on-premises or remote. ### Option 2: WS-Federation 
@@ -45,12 +45,12 @@ If all the internal URLs for your appliations are fully qualified domain names ( ![Relying Party Trusts right-click on app name - screenshot](./media/active-directory-application-proxy-claims-aware-apps/appproxyrelyingpartytrust.png) 3. On the **Endpoints** tab, under **Endpoint type**, select **WS-Federation**. -4. Under **Trusted URL** enter the URL you entered in the Application Proxy under **External URL** and click **OK**. +4. Under **Trusted URL**, enter the URL you entered in the Application Proxy under **External URL** and click **OK**. ![Add an Endpoint - set Trusted URL value - screenshot](./media/active-directory-application-proxy-claims-aware-apps/appproxyendpointtrustedurl.png) ## Next steps -* [Enable single-sign on](application-proxy-sso-overview.md) for applications that aren't claims aware +* [Enable single-sign on](application-proxy-sso-overview.md) for applications that aren't claims-aware * [Enable native client apps to interact with proxy applications](active-directory-application-proxy-native-client.md) diff --git a/articles/active-directory/active-directory-application-proxy-connectors-azure-portal.md b/articles/active-directory/active-directory-application-proxy-connectors-azure-portal.md index 69ec2a7183ba8..3d184badfa648 100644 --- a/articles/active-directory/active-directory-application-proxy-connectors-azure-portal.md +++ b/articles/active-directory/active-directory-application-proxy-connectors-azure-portal.md 
@@ -26,9 +26,9 @@ ms.custom: H1Hack27Feb2017; it-pro Customers utilize Azure AD's Application Proxy for more and more scenarios and applications. So we've made App Proxy even more flexible by enabling more topologies. You can create Application Proxy connector groups so that you can assign specific connectors to serve specific applications. This capability gives you more control and ways to optimize your Application Proxy deployment. -Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same connector group act as a separate unit for high-availability and load balancing. All connectors belong to a connector group. If you don't create groups, then all your connectors are in a default group. You admin can create new groups and assign connectors to them in the Azure portal. +Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same connector group act as a separate unit for high-availability and load balancing. All connectors belong to a connector group. If you don't create groups, then all your connectors are in a default group. Your admin can create new groups and assign connectors to them in the Azure portal. -All applications are assigned to a connector group. If you don't create groups, then all your applications are assigned to a default group. But if you organize your connectors into groups, you can set each application to work with a specific connector group. In this case, only the connectors in that group will serve the application upon request. This feature is useful if your applications are hosted in different locations. You can create connector groups based on location, so that applications are always served by connectors that are physically close to them. +All applications are assigned to a connector group. If you don't create groups, then all your applications are assigned to a default group. 
But if you organize your connectors into groups, you can set each application to work with a specific connector group. In this case, only the connectors in that group serve the application upon request. This feature is useful if your applications are hosted in different locations. You can create connector groups based on location, so that applications are always served by connectors that are physically close to them. >[!TIP] >If you have a large Application Proxy deployment, don't assign any applications to the default connector group. That way, new connectors don't receive any live traffic until you assign them to an active connector group. This configuration also enables you to put connectors in an idle mode by moving them back to the default group, so that you can perform maintenance without impacting your users. @@ -43,7 +43,7 @@ Use these steps to create as many connector groups as you want. 1. Select **Azure Active Directory** > **Enterprise applications** > **Application proxy**. 2. Select **New connector group**. The New Connector Group blade appears. - ![Select new connector group](./media/active-directory-application-proxy-connectors-azure-portal/add-group.png) + ![Select new connector group](./media/active-directory-application-proxy-connectors-azure-portal/new-group.png) 3. Give your new connector group a name, then use the dropdown menu to select which connectors belong in this group. 4. Select **Save**. 
@@ -65,9 +65,9 @@ Many organizations have a number of interconnected datacenters. In this case, yo ### Applications installed on isolated networks -Applications can be hosted in networks that are not part of the main corporate network. You can use connector groups to install dedicated connectors on isolated networks to also isolate applications to the network. This usually happens when a third party vendor maintains a specific application for your organization. +Applications can be hosted in networks that are not part of the main corporate network. You can use connector groups to install dedicated connectors on isolated networks to also isolate applications to the network. This usually happens when a third-party vendor maintains a specific application for your organization. -Connector groups allow you to install dedicated connectors for those networks that publish only specific applications, making it easier and more secure to outsource application management to third party vendors. +Connector groups allow you to install dedicated connectors for those networks that publish only specific applications, making it easier and more secure to outsource application management to third-party vendors. ### Applications installed on IaaS 
@@ -83,9 +83,9 @@ This can become an issue as many organizations use multiple cloud vendors, as th ### Multi-forest – different connector groups for each forest -Most customers who have deployed Application Proxy are using its single-sign-on (SSO) capabilities by performing Kerberos Constrained Delegation (KCD). To acheive this, the connector’s machines need to be joined to a domain that can delegate the users toward the application. KCD supports cross-forest capabilities. But for companies who have distinct multi-forest environments with no trust between them, a single connector cannot be used for all forests. +Most customers who have deployed Application Proxy are using its single-sign-on (SSO) capabilities by performing Kerberos Constrained Delegation (KCD). To achieve this, the connector’s machines need to be joined to a domain that can delegate the users toward the application. KCD supports cross-forest capabilities. But for companies who have distinct multi-forest environments with no trust between them, a single connector cannot be used for all forests. -In this case, specific connectors can be deployed per forest, and set to serve applications that were published to serve only the users of that specific forest. Each connector group represents a different forest. While the tenant and most of the experience will be unified for all forests, users can be assigned to their forest applications using Azure AD groups. +In this case, specific connectors can be deployed per forest, and set to serve applications that were published to serve only the users of that specific forest. Each connector group represents a different forest. While the tenant and most of the experience is unified for all forests, users can be assigned to their forest applications using Azure AD groups.   ### Disaster Recovery sites 
@@ -100,7 +100,7 @@ There are many different ways to implement a model in which a single service pro ## Sample configurations -Some examples that you can implement, include the followiong connector groups. +Some examples that you can implement, include the following connector groups.   ### Default configuration – no use for connector groups diff --git a/articles/active-directory/application-proxy-working-with-proxy-servers.md b/articles/active-directory/application-proxy-working-with-proxy-servers.md index 5c4780cbc8850..2ffcb1e0bebf2 100644 --- a/articles/active-directory/application-proxy-working-with-proxy-servers.md +++ b/articles/active-directory/application-proxy-working-with-proxy-servers.md @@ -71,7 +71,7 @@ Be sure to make copies of the original files, in case you need to revert to the Some environments require all outbound traffic to go through an outbound proxy, without exception. As a result, bypassing the proxy is not an option. -You can configure the connector traffic to go through the outbound proxy, as shown in the following diagram. +You can configure the connector traffic to go through the outbound proxy, as shown in the following diagram: ![Configuring connector traffic to go through an outbound proxy to Azure AD Application Proxy](./media/application-proxy-working-with-proxy-servers/configure-proxy-settings.png) 
@@ -124,7 +124,7 @@ For initial registration, allow access to the following endpoints: If you can't allow connectivity by FQDN and need to specify IP ranges instead, use these options: * Allow the connector outbound access to all destinations. -* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653). The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You will need to put a process in place to ensure that your access rules are updated accordingly. +* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653). The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You need to put a process in place to ensure that your access rules are updated accordingly. #### Proxy authentication @@ -140,7 +140,7 @@ The connector makes outbound SSL-based connections by using the CONNECT method. To ensure that the Service Bus traffic is also sent through the outbound proxy server, ensure that the connector cannot directly connect to the Azure services for ports 9350, 9352, and 5671. #### SSL inspection -Do not use SSL inspection for the connector traffic, because it will cause problems for the connector traffic. +Do not use SSL inspection for the connector traffic, because it causes problems for the connector traffic. ## Troubleshoot connector proxy problems and service connectivity issues Now you should see all traffic flowing through the proxy. If you have problems, the following troubleshooting information should help. 
@@ -181,13 +181,13 @@ One filter is as follows (where 8080 is the proxy service port): **(http.Request or http.Response) and tcp.port==8080** -If you enter this filter in the **Display Filter** window and select **Apply**, it will filter the captured traffic based on the filter. +If you enter this filter in the **Display Filter** window and select **Apply**, it filters the captured traffic based on the filter. -The preceding filter will show just the HTTP requests and responses to/from the proxy port. For a connector startup where the connector is configured to use a proxy server, the filter would show something like this: +The preceding filter shows just the HTTP requests and responses to/from the proxy port. For a connector startup where the connector is configured to use a proxy server, the filter would show something like this: ![Example list of filtered HTTP requests and responses](./media/application-proxy-working-with-proxy-servers/http-requests.png) -You're now specifically looking for the CONNECT requests that show communication with the proxy server. Upon success, you'll get an HTTP OK (200) response. +You're now specifically looking for the CONNECT requests that show communication with the proxy server. Upon success, you get an HTTP OK (200) response. If you see other response codes, such as 407 or 502, the proxy is requiring authentication or not allowing the traffic for some other reason. At this point, you engage your proxy server support team. 
@@ -213,7 +213,7 @@ If you see something like the preceding response, the connector is trying to com Network trace analysis is not for everyone. But it can be a valuable tool to get quick information about what's going on with your network. -If you continue to struggle with connector connectivity issues, please create a ticket with our support team. The team can assist you with further troubleshooting. +If you continue to struggle with connector connectivity issues, create a ticket with our support team. The team can assist you with further troubleshooting. For information about resolving errors with Application Proxy Connector, see [Troubleshoot Application Proxy](https://azure.microsoft.com/documentation/articles/active-directory-application-proxy-troubleshoot).
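Review bot: the link rewrite in the "Publish your application" step of `active-directory-application-proxy-claims-aware-apps.md` (hunk @@ -17) changes only one target, from `active-directory-application-proxy-publish-azure-portal.md` to `application-proxy-publish-azure-portal.md`, while the custom-domains link two paragraphs later and the native-client link under "Next steps" keep the `active-directory-` prefix. Confirm that the new target exists in the repo and, if the publish article was renamed, check whether the remaining old-style links still resolve, so the build does not end up with a broken relative link.

Review bot: "single-sign on" in the Next steps bullet of the same file (hunk @@ -45) is mis-hyphenated; since the hunk already edits that line to hyphenate "claims-aware", change it to "single sign-on", which is the form the article itself uses in "Azure AD single sign-on disabled".

Review bot: "Your admin can create new groups and assign connectors to them in the Azure portal" (`active-directory-application-proxy-connectors-azure-portal.md`, hunk @@ -26) fixes the typo but leaves the sentence addressing a third person in a paragraph that otherwise speaks to the reader as the administrator ("If you don't create groups, then all your connectors are in a default group"). Suggest "You can create new groups and assign connectors to them in the Azure portal."

Review bot: the image path change from `add-group.png` to `new-group.png` (hunk @@ -43) is not accompanied by any rename or addition under `media/active-directory-application-proxy-connectors-azure-portal/` in this patch; verify that the new asset is actually present, otherwise the screenshot renders as a broken image.

Review bot: "making it easier and more secure to outsource application management to third-party vendors" (hunk @@ -65) asserts a security benefit without saying what it is. The preceding paragraph already contains the reason: a dedicated connector on the isolated network publishes only the applications hosted there, so the vendor-managed network is not served by connectors that also reach the main corporate network. Spelling that out makes the claim concrete and gives readers something to verify when they build the group.

Review bot: "While the tenant and most of the experience is unified for all forests" (hunk @@ -83) trades the future tense for a number-agreement error; the compound subject takes "are unified". In the same hunk, "single-sign-on (SSO)" should be "single sign-on (SSO)" to match the rest of the article set, and "companies who" reads better as "companies that".

Review bot: the comma in "Some examples that you can implement, include the following connector groups." (hunk @@ -100) separates the subject from its verb; drop it while fixing the typo: "Some examples that you can implement include the following connector groups."

Review bot: the two IP-range alternatives in `application-proxy-working-with-proxy-servers.md` (hunk @@ -124) are both far broader than the FQDN allowlist they stand in for: "Allow the connector outbound access to all destinations" permits everything, and the Azure datacenter ranges cover every Azure service and tenant, not just Application Proxy. The hunk mentions only the weekly-update maintenance burden; add a sentence that the IP-based options widen the connector host's egress well beyond the listed endpoints so readers see the trade-off. Also, the download link is locale-specific (`/en-gb/`); prefer a locale-neutral URL.

Review bot: "because it causes problems for the connector traffic" (hunk @@ -140) restates the instruction rather than explaining it, and the old "will cause" had the same problem. Either state the actual reason (if it is that an inspecting proxy terminates the connector's TLS session to Azure, say so) or drop the clause and leave the plain instruction "Do not use SSL inspection for the connector traffic."

Review bot: "Upon success, you get an HTTP OK (200) response" (hunk @@ -181) can mislead readers who match on the reason phrase: proxies commonly answer CONNECT with "200 Connection established" rather than "200 OK", so tell readers to check the status code. The next sentence lumps 407 and 502 together; map them explicitly (407 Proxy Authentication Required means the proxy wants credentials, 502 Bad Gateway means the proxy accepted the request but could not reach the upstream), since the hunk tells readers to escalate to the proxy team at this point and the distinction decides what to ask for. Worth adding that after a successful CONNECT the tunnel carries TLS, so the `http.Request or http.Response` filter shows only the CONNECT exchange, not the tunneled requests.

Review bot: the troubleshooting link at the end of hunk @@ -213 is an absolute `https://azure.microsoft.com/documentation/articles/...` URL while every other cross-reference in this patch is a relative `.md` link; switch to the relative form for consistency and so the docs build validates the target.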