No. | FILE NAME | Format | Link |
---|---|---|---|
01. | Microsoft Applications Contoso Access | pptx | Download presentation |
Transcript
Spark the future. May 4 – 8, 2015, Chicago, IL
Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy
Meir Mendelovich, Program Manager, Microsoft (@MMendelovich). Session BRK3864
Application Access Scenarios (diagram): On-Prem Apps; Active Directory; Forefront UAG/TMG; Azure AD Application Proxy; Azure Active Directory; SaaS Apps; Web Application Proxy + AD FS
Empower Enterprise Mobility (diagram): Protect your data; Enable your users (User / IT); Unify your environment. People-centric approach: Devices, Apps, Data
Benefits (diagram: Azure Active Directory + On-Premises Applications = Remote Access as a Service)
- Easily publish your on-prem applications to users outside the corporate network
- Extend Azure AD to on-prem
- Utilize Azure AD as a central management point for all your apps
How it works
- Connectors are deployed on corpnet
- Multiple connectors can be deployed for redundancy and scale
- The connector auto-connects to the cloud service
- The user connects to the cloud service, which routes their traffic to the resources via the connectors
(Diagram: Azure Active Directory; Application Proxy; Corporate Network; DMZ; Connector, Connector; App, App, App. External URL https://sales-contoso.msappproxy.net, internal URL http://sales, custom URL https://sales.contoso.com)
Cloud scale for your on-prem apps (diagram: Azure Active Directory; Application Proxy; Corporate Network; DMZ; Connector, Connector; App, App, App)
- Access Panel portal, Authentication + MFA, Reporting & Auditing, Security Monitoring, Authorization
- 4.9M organizations; 1B–2B authentications / day; 430M identities; SSO to 2,477 SaaS apps & Office 365
- Multi-factor authentication; Access Panel portal & app; Office 365 portal; self-service workflow
- Authorization based on user or groups
- Reports, auditing and security monitoring based on big data and machine learning
- More…
Demo
Demo: directory prep
1. Create a new directory
2. Create users and groups
3. Request Azure AD Premium trial on the “licenses” tab
4. Assign the Azure AD Premium seats to users (including admins)
Optional: add your domain name
Demo: App Proxy setup
1. Turn on App Proxy on the “configure” tab
2. Download, install and register the connector
3. Add a new proxy app
4. Assign users to the app
Use it: http://myapps.microsoft.com (Username: dean@contoso55.com, Password: password1!)
Demo: optional steps (part 1)
- Add to Office 365 App Launcher
- Use Azure AD self-service
- Multi-factor authentication (MFA)
Cloud Scale Security
- All HTTP/S traffic is terminated in the cloud, blocking most HTTP-level attacks such as the Heartbleed bug
- Unauthenticated traffic is filtered in the cloud and will not arrive on-prem
- No incoming connections to the corporate network, only an outgoing connection to the Azure AD Application Proxy service
- Internet-facing service always up to date with the latest security patches and server upgrades
- Login abnormality detection, reporting and auditing by Azure AD
(Diagram: Azure Active Directory; Application Proxy; Corporate Network; DMZ; Connector, Connector; App, App, App; https://sales-contoso.msappproxy.net)
SSO from the cloud
- Single Sign-on experience from Azure Active Directory to on-prem applications
- Connectors use the Azure AD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD)
- Supports any application that uses Integrated Windows Authentication (IWA), such as SharePoint, Outlook Web Access and CRM
- No need to change the backend applications
- No need to install agents on backend applications
- No need to expose on-prem apps directly to the Internet
(Diagram: Azure Active Directory; Application Proxy; Corporate Network; DMZ; Connector, Connector; App, App, App. Azure AD Token: UPN=joe@contoso.com → Kerberos Ticket: joe@contoso.com)
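The KCD flow above relies on the connector's computer account being allowed to request Kerberos tickets for the backend SPN on the user's behalf, with protocol transition, since the connector only holds the Azure AD token, not a ticket from the user. The following PowerShell is an added example, not code from the slides or from Microsoft; the connector host name CONNECTOR01, the backend SPN http/webapp1.contoso.com and the PFX path are assumed values. It constrains delegation to the listed SPNs only and verifies the result, which is the least-privilege shape a reviewer would expect rather than unconstrained delegation.

```powershell
# Added example (not from the slides): grant the App Proxy connector's computer account
# Kerberos Constrained Delegation (with protocol transition) to one backend SPN, then verify.
# Assumed names: connector host CONNECTOR01, backend SPN http/webapp1.contoso.com.
# Requires the ActiveDirectory RSAT module and rights to edit the connector computer object.
Import-Module ActiveDirectory

$connector   = 'CONNECTOR01'
$backendSpns = @('http/webapp1.contoso.com', 'http/webapp1')

# 1. The backend SPN must be registered to exactly one account; a missing or duplicate
#    SPN is the usual reason KCD fails silently with an access denied at the backend.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($backendSpns[0]))" -Properties servicePrincipalName)
if ($spnOwners.Count -ne 1) {
    throw "Expected exactly one owner for $($backendSpns[0]), found $($spnOwners.Count)"
}

# 2. Constrain delegation to these SPNs only (msDS-AllowedToDelegateTo) and enable
#    "use any authentication protocol" (TrustedToAuthForDelegation) so the connector can
#    transition from the Azure AD token (UPN) to a Kerberos ticket for that user.
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }
Set-ADAccountControl -Identity "$connector`$" -TrustedToAuthForDelegation $true

# 3. Verify: the delegation list contains only the intended SPNs and the flag is set.
$c = Get-ADComputer -Identity $connector -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
$unexpected = $c.'msDS-AllowedToDelegateTo' | Where-Object { $backendSpns -notcontains $_ }
if ($unexpected) { Write-Warning "Connector may delegate to SPNs outside this app: $($unexpected -join ', ')" }
[pscustomobject]@{
    Connector                = $c.Name
    AllowedToDelegateTo      = $c.'msDS-AllowedToDelegateTo' -join ', '
    TrustedToAuthForDelegation = $c.TrustedToAuthForDelegation
}
```

Run this once per connector host; the warning in step 3 is the check worth keeping in a periodic audit, because an SPN list that grows beyond the published apps widens what a compromised connector could impersonate users to.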
Use your own domain name
Why?
1. Domain name recognized by your users
2. Replace existing solutions / well-known URLs
3. Have the same internal and external URLs
   • Notifications and e-mail links just work
   • Some applications won’t work otherwise
How?
4. Upload a certificate with private key that covers the custom domain name (regular, wildcard or SAN)
5. Create a CNAME record in the external DNS to point to the msappproxy.net address
(Diagram: Azure Active Directory; Application Proxy; Corporate Network; Connector, Connector; App. External DNS: sales.contoso.com → sales-contoso.msappproxy.net; Internal DNS: sales.contoso.com)
Demo: optional steps (part 2)
- Login UI branding
- Custom domains
- SSO to backend using IWA/KCD
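Steps 4 and 5 of the custom-domain setup have two failure modes worth checking before users are pointed at the new URL: the external CNAME not actually landing on the msappproxy.net host, and a certificate whose names do not cover the custom host (a wildcard only matches one label, so *.contoso.com does not cover a.sales.contoso.com). The PowerShell below is an added example, not code from the slides; sales.contoso.com, sales-contoso.msappproxy.net and C:\certs\sales.pfx are assumed values, and the wildcard matching rule is the one-label rule from RFC 6125 rather than anything the slides state.

```powershell
# Added example (not from the slides): verify the custom-domain prerequisites for
# Azure AD Application Proxy. Assumed values: sales.contoso.com (custom host),
# sales-contoso.msappproxy.net (proxy host), C:\certs\sales.pfx (uploaded certificate).

function Test-ProxyCname {
    param([string]$CustomHost, [string]$ProxyHost)
    # -DnsOnly bypasses the hosts file and cache so the answer reflects the external zone.
    # Run from outside corpnet: the internal DNS is expected to keep resolving to the on-prem app.
    $cname = Resolve-DnsName -Name $CustomHost -Type CNAME -DnsOnly -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { return $false }
    return ($cname.NameHost -ieq $ProxyHost)
}

function Test-CertCoversHost {
    param([string]$CustomHost, [string]$PfxPath)
    $cert = Get-PfxCertificate -FilePath $PfxPath      # prompts for the PFX password
    if (-not $cert.HasPrivateKey) { Write-Warning 'PFX has no private key; the upload will be rejected'; return $false }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)"; return $false }
    # DnsNameList exposes the SAN dNSName entries (or the CN when there is no SAN extension),
    # which is what covers a "regular, wildcard or SAN" certificate in the slide's terms.
    foreach ($name in $cert.DnsNameList.Unicode) {
        if ($name -ieq $CustomHost) { return $true }                     # exact (regular or SAN)
        if ($name.StartsWith('*.') -and $CustomHost.Length -gt ($name.Length - 1)) {
            $suffix = $name.Substring(1)                                  # ".contoso.com"
            if ($CustomHost.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $prefix = $CustomHost.Substring(0, $CustomHost.Length - $suffix.Length)
                if ($prefix -notmatch '\.') { return $true }             # wildcard covers one label only
            }
        }
    }
    return $false
}

# Usage with the assumed values
Test-ProxyCname     -CustomHost 'sales.contoso.com' -ProxyHost 'sales-contoso.msappproxy.net'
Test-CertCoversHost -CustomHost 'sales.contoso.com' -PfxPath 'C:\certs\sales.pfx'
```

Both functions return $true/$false so they can sit in a deployment script; a $false from Test-ProxyCname while the internal URL still works is the split-DNS situation the slide's diagram shows, which is expected inside corpnet and wrong outside it.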
What is next
- Enable a different login name (UPN) for on-prem and cloud, utilizing Alternate Login ID the same way it is implemented in AD FS
- Assign connectors to apps: different sets of connectors serve different applications; network optimization for multi-geo and isolated networks
- Additional SSO methods for more applications
- More control, management and health monitoring of connectors
- Improved portal experience: customizing icons and more…
Learn more on Application Proxy
- Application Proxy MSDN documentation: http://aka.ms/ProxyDoc
- Application Proxy blog: http://aka.ms/proxy
- Contact us: AADAPFeedback@microsoft.com
Related Content
- BRK3863: Identity and Access Management Everywhere (Wednesday 10:45pm, room E271)
- BRK3851: Real Customer Stories for Azure Premium (Wednesday 3:15pm, room S501)
- BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect
- BRK3865: How Microsoft Azure AD Helps Prevent, Detect and Remediate Attacks to Your Enterprise
- BRK3867: Microsoft Identity Platform for Developers: Overview and Roadmap
- BRK3854: How Microsoft IT Manages Identity in a Hybrid Cloud World
- BRK3332: Microsoft Azure Active Directory and Windows 10: Better Together for Work or School
- BRK4850: Developing Web and Cross Platform Mobile Apps with Azure Active Directory
- BRK3873: Protecting Windows and Microsoft Azure AD with Privileged Access Management
- BRK3857: Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory
Ignite Azure Challenge Sweepstakes: attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes! Aka.ms/MyAzureChallenge. Enter this session code online: BRK3864. NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge
Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above. Please evaluate this session; your feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.
Drill down: 1. Basic Connectivity
(Diagram sequence: Azure AD Application Proxy Cloud Service with Authentication (STS); Contoso corpnet with DMZ, Web App1, Web App2, Active Directory and the Azure AD App Proxy Connector)
- The connector connects outbound to the cloud service and receives its settings and updates
- The internal URL http://webapp1/ is published as the external URL https://app1-contoso.msappproxy.net/
- Requests to the external URL are relayed by the cloud service to the connector, which forwards them to Web App1
Drill down: 2. Preauthentication
(Diagram sequence: same topology as above)
- The user requests http://app1-contoso.msappproxy.net/ at the cloud service
- The cloud service sends the user to Authentication (STS), which issues a token with UPN=joe@contoso.com
- Only the authenticated request, carrying the token, is relayed to the connector and on to Web App1
Drill down: 3. Single Sign On
(Diagram sequence: same topology as above)
- The cloud service passes the token (UPN=joe@contoso.com) to the connector
- The connector uses the UPN to obtain a Kerberos ticket for joe@contoso.com from Active Directory
- The connector presents that Kerberos ticket to Web App1 on the user's behalf
Works better with Office 365
- Seamless single sign-on from all Office 365 apps
- Add on-prem apps to the Office 365 App Launcher
- Same identity and security infrastructure for your on-prem apps and Office 365