proxy servers and claims aware

articles/active-directory/active-directory-application-proxy-claims-aware-apps.md

@@ -13,23 +13,32 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 05/03/2017
+ms.date: 08/04/2017
 ms.author: kgremban
 
 ---
 # Working with claims aware apps in Application Proxy
-Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials from the user in exchange for a token before redirecting the user to the application. To enable Application Proxy to work with these redirects, the following steps need to be taken.
+Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials from the user in exchange for a token before redirecting the user to the application. There are a few ways to enable Application Proxy to work with these redirects. Use this article to configure your deployment for claims aware apps. 
 
 ## Prerequisites
-Before performing this procedure, make sure that the STS the claims aware app redirects to is available outside of your on-premises network.
+Before performing this procedure, make sure that the STS the claims aware app redirects to is available outside of your on-premises network. This redirection can be done by exposing the STS through a proxy or by allowing outside connections. 
 
-## Azure classic portal configuration
-1. Publish your application according to the instructions described in [Publish applications with Application Proxy](active-directory-application-proxy-publish.md).
-2. In the list of applications, select the claims aware app and click **Configure**.
-3. If you chose **Passthrough** as your **Preauthentication Method**, make sure to select **HTTPS** as your **External URL** scheme.
-4. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **None** as your **Internal Authentication Method**.
+## Publish your application
+
+1. Publish your application according to the instructions described in [Publish applications with Application Proxy](active-directory-application-proxy-publish-azure-portal.md).
+2. Navigate to the application page in the portal and select **Single sign-on**.
+3. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **Azure AD single sign-on disabled** as your **Internal Authentication Method**. If you chose **Passthrough** as your **Preauthentication Method**, you don't need to change anything.
+
+## Configure ADFS
+
+You can configure ADFS for claims aware apps in one of two ways. The first is by using custom domains. The second is with WS-Federation. 
+
+### Option 1: Custom domains
+
+If you are able to [use custom domains](active-directory-application-proxy-custom-domains.md) for your application, and all the URLs for the applications are FQDNs, then you don't need to do any additional configuration. Ensure that your interanl and external URLs are the same for the scenario to work.
+
+### Option 2: WS-Federation
 
-## ADFS configuration
 1. Open ADFS Management.
 2. Go to **Relying Party Trusts**, right-click on the app you are publishing with Application Proxy, and choose **Properties**.  
 

articles/active-directory/application-proxy-working-with-proxy-servers.md

@@ -12,7 +12,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 05/22/2017
+ms.date: 08/04/2017
 ms.author: kgremban
 
 ---
@@ -121,28 +121,21 @@ For initial registration, allow access to the following endpoints:
 * login.windows.net
 * login.microsoftonline.com
 
-The underlying Service Bus control channels that the connector service uses also require connectivity to specific IP addresses. Until Service Bus moves to an FQDN instead, there are two options:
+If you can't allow connectivity by FQDN and need to specify IP ranges instead, use these options:
 
 * Allow the connector outbound access to all destinations.
-* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653).
-
->[!NOTE]
->The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You will need to put a process in place to ensure that your access rules are updated accordingly.
->
+* Allow the connector outbound access to [Azure datacenter IP ranges](https://www.microsoft.com/en-gb/download/details.aspx?id=41653). The challenge with using the list of Azure datacenter IP ranges is that it's updated weekly. You will need to put a process in place to ensure that your access rules are updated accordingly.
 
 #### Proxy authentication
 
 Proxy authentication is not currently supported. Our current recommendation is to allow the connector anonymous access to the Internet destinations.
 
 #### Proxy ports
 
-The connector makes outbound SSL-based connections by using the CONNECT method. This method essentially sets up a tunnel through the outbound proxy. Some proxy servers, by default, allow outbound tunneling to only standard SSL ports such as 443. If this is the case, the proxy server must be configured to allow tunneling to additional ports.
-
-Configure the proxy server to allow tunneling to nonstandard SSL ports 8080, 9090, 9091, and 10100-10120.
+The connector makes outbound SSL-based connections by using the CONNECT method. This method essentially sets up a tunnel through the outbound proxy. Configure the proxy server to allow tunneling to ports 443 and 80.
 
 >[!NOTE]
 >When Service Bus runs over HTTPS, it uses port 443. However, by default, Service Bus attempts direct TCP connections and falls back to HTTPS only if direct connectivity fails.
->
 
 To ensure that the Service Bus traffic is also sent through the outbound proxy server, ensure that the connector cannot directly connect to the Azure services for ports 9350, 9352, and 5671.