Securing Web Applications Externally With Azure Active Directory Application Proxy
Quick Survey
• At your Board, are employee web sites / applications currently internet facing (ex: SIS, report cards, etc.)?
• Does your Board currently use Azure Active Directory?
• Is your Board using Office 365?
• Are you already using an employee portal or gateway product to secure internal Board resources externally?

Are You At Risk?
Are you aware that your data could be at risk, and what are you doing about it?
Current site structure
[Diagram: Internet user → router → DMZ (web servers) → firewall → internal network (file server, database server, web server, AD server). The externally reachable web servers sit in the DMZ.]
The Problem
• Public facing site: the web applications are public, internet facing sites so that staff can work from home.
• Security vulnerabilities: vulnerabilities in the OS, web server, Tomcat and Java continue to be discovered.
• Increased cyber attacks: cybersecurity threats continue to increase. Our own Board was hit with the first Apache Struts 2 vulnerability.
• User security: we need to protect staff and student data and privacy.
• Maintenance: depending on the time of year, it can be difficult to schedule down time, even for security updates.
Solution
Use Azure Active Directory Application Proxy to secure Board employee sites for external use.
• Increased security: increase the security of externally available resources, with an experience users are already accustomed to.
• Integration: already integrates with existing technologies such as Active Directory and Office 365.
• Cost: reduce cost by using additional features of software we already own.
What is Azure AD Application Proxy?
Remote access solution for on-premises resources.
• Easily publish your on-premises application to users outside your corporate network.
• Can leverage benefits of Azure AD such as multi-factor authentication: with pre-authentication, Azure AD authenticates the user before the request is forwarded to the internal application.
• Doesn't open access to your entire network like a VPN: you control what is accessible. The connector inside the network only makes outbound connections to Azure, so no inbound firewall ports are opened.
• Works across multiple devices.
Azure AD Architecture
[Diagram: user → Azure AD Application Proxy (Microsoft Azure) ↔ Microsoft Azure Active Directory. Inside the internal network, the Azure AD App Proxy connector forwards requests to the web servers / web applications, and Azure AD Connect synchronizes the on-premises AD server with Azure AD.]
Initial Challenges
Here are the main challenges that we need to overcome to make this solution viable.
• URL name: use the same URL internally and externally.
• Site structure: some Trillium apps are structured in a way that makes it difficult to access top-level resources (ex: CSS).
• Linking to Jasper: issues launching Jasper Reports from the landing page.
• User experience: make the end user experience seamless despite the new URLs.
Site structure challenge
[Diagram: under the single Trillium Web site, Secondary Achievement (TWEBSA), Elementary Achievement and Web Attendance each live in their own path, next to a top-level SharedCSS folder. Publishing an app from its own path fails (marked X): Azure can't traverse up the URL chain from the published URL, so the app cannot reach SharedCSS.]
Site structure solution
[Diagram: each app gets its own published hostname (ex: https://webattendance.com for Web Attendance, https://elemreportcard.com for Elementary Achievement, and likewise for TWEBSA), each with a rewrite rule and a default homepage (marked √). With the hostname as the root of the published URL, the shared CSS folder is reachable again.]
Note: Application Request Routing 3.0 needs to be installed, which you can do with the Web Platform Installer in IIS. The URL Rewrite module is installed along with it: URL Rewrite provides the rules, and ARR provides the reverse proxy to Tomcat.
Jasper redirection challenge
[Diagram: a user accessing Jasper Reports externally via the Trillium landing page. The user is authenticated by Microsoft Azure Active Directory and reaches the landing page through Azure AD Application Proxy, but the landing page's redirection to Jasper Reports is blocked.]
Note: Microsoft blocks this to avoid cross-site scripting attacks.
DEMO
Go through the basic steps and show the setup in our test environment:
• Custom IIS sites
• URL rewrite rules
• Azure AD configurations
• DNS configurations
• More rewrite rules
• Core Trillium configurations
IIS Configurations (part 1)
Custom sites:
• Web Attendance
• Elementary Achievement
• Secondary Achievement
Steps:
• Create new IIS sites to overcome the site structure challenges
• Add SSL certs and an HTTPS binding
• Add URL rewrite rules:
  • HTTP to HTTPS
  • Default homepage redirection to the appropriate sub URL
  • Redirection to the Tomcat web app
• For web apps with a link to Jasper, also set up the Jasper rewrite rules
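As an added example (not from the presentation, and not Trillium's or Microsoft's own code), the script below carries out the part 1 steps for one custom site in PowerShell: it creates a dedicated IIS site for Web Attendance, adds an HTTPS binding with the certificate, enables the ARR proxy, and writes a web.config holding the three rewrite rules. The site name, host name, content folder, certificate thumbprint, Tomcat address and context path are assumptions; it needs the WebAdministration module, URL Rewrite and ARR 3.0, and must run elevated on the IIS server.

```powershell
# Added example: build one dedicated IIS site per Trillium web app (here: Web Attendance).
# Giving the app its own hostname makes the published URL the root of the site, so the
# shared CSS folder is reachable without Application Proxy having to traverse up the
# URL chain. Every name, path and thumbprint below is an assumption.
Import-Module WebAdministration

$SiteName  = 'WebAttendance'                              # assumed IIS site name
$HostName  = 'attendance.mydomain.ca'                     # assumed FQDN, same inside and outside
$SitePath  = 'C:\inetpub\WebAttendance'                   # assumed content folder (holds only web.config)
$CertThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed thumbprint in Cert:\LocalMachine\My
$TomcatUrl = 'http://trillium-app.internal:8080'          # assumed internal Tomcat listener
$AppPath   = 'TWebAttendance'                             # assumed Tomcat context path of the app

# 1. Site with an HTTP binding (only used to bounce to HTTPS) and an SNI HTTPS binding
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath $SitePath -HostHeader $HostName -Port 80 | Out-Null
New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($CertThumb, 'My')

# 2. ARR must be allowed to act as a reverse proxy before a Rewrite action to another host works
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy' `
    -Name 'enabled' -Value $true

# 3. URL Rewrite rules, evaluated top to bottom; each stops processing once it matches
$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- a) HTTP to HTTPS: clear-text requests get a 301 to the same path over TLS -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- b) Default homepage: the bare hostname redirects to the app's real sub URL -->
        <rule name="Default homepage" stopProcessing="true">
          <match url="^$" />
          <action type="Redirect" url="/$AppPath/" redirectType="Found" />
        </rule>
        <!-- c) Everything else is proxied (not redirected) to Tomcat, so the browser only ever sees $HostName -->
        <rule name="Reverse proxy to Tomcat" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="$TomcatUrl/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"@
Set-Content -Path (Join-Path $SitePath 'web.config') -Value $webConfig -Encoding UTF8
```

Because rule (c) rewrites rather than redirects, ARR re-issues the request to Tomcat and relays the response, so the Tomcat port never has to be reachable from outside and can stay firewalled to the IIS server. Check from an internal client before publishing: a request to http://attendance.mydomain.ca/ should answer 301 to the HTTPS URL, the HTTPS root should answer 302 to /TWebAttendance/, and /SharedCSS/ should now be served from the root of the new hostname.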
Azure AD Configurations
Steps:
• Open the Azure Active Directory admin center
• Create a new on-premises application
• Enter the internal URL
• Make sure the external URL matches the internal URL (this requires the domain to be verified as a custom domain in Azure AD)
• Leave pre-authentication set to Azure Active Directory, so that MFA and the user/group assignment are enforced before any request reaches the connector
• Add the users or groups who can access the app
• Import your SSL cert
Note: if you want users to access other Trillium products such as TWebSchAdmin or Jasper Reports from within apps, you also need to create apps for these in Azure.
DNS Configurations
Internal DNS
• Add a new A host record for each new URL created, pointing at the IIS server (ex: attendance.mydomain.ca), so internal users reach the site directly
External DNS
• Add a new alias (CNAME) record for each new URL created
• The alias name should be the base of the URL configured in IIS (ex: attendance)
• The fully qualified domain name (FQDN) should match the URL configured in IIS (ex: attendance.mydomain.ca)
• The FQDN for the target host should point to the Azure URL for the application. This value can be found in the Application Proxy page for the app (ex: attendance-mydomain.msappproxy.net; a CNAME target is a host name, so leave off the https:// prefix)
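The Azure AD and DNS steps above, scripted as an added example (not the presenters' code): it publishes one site through Application Proxy with identical internal and external URLs and Azure AD pre-authentication, uploads the certificate, assigns a group, then creates the internal A record and the external CNAME. It assumes the (legacy) AzureAD PowerShell module, that mydomain.ca is already a verified custom domain in the tenant, that a connector is installed in the default connector group, and that both DNS zones are on Windows DNS servers reachable through the DnsServer module; if the public zone lives at a DNS provider, create the same CNAME in their console instead. Names, IP address, file paths, group and server names are assumptions.

```powershell
# Added example: publish the Web Attendance site through Azure AD Application Proxy and
# add the split-horizon DNS records. All names, the IP, paths and servers are assumed.
Import-Module AzureAD
Import-Module DnsServer

$AppName     = 'Trillium Web Attendance'
$ZoneName    = 'mydomain.ca'                         # verified custom domain in Azure AD; also the name of both DNS zones
$HostLabel   = 'attendance'                          # base of the URL configured in IIS
$Fqdn        = "$HostLabel.$ZoneName"                # attendance.mydomain.ca, used internally and externally
$IisServerIp = '10.10.20.15'                         # assumed internal address of the IIS server
$ProxyHost   = 'attendance-mydomain.msappproxy.net'  # copied from the app's Application Proxy page after creation
$PfxPath     = 'C:\certs\attendance.mydomain.ca.pfx' # same certificate as the IIS HTTPS binding
$GroupName   = 'Trillium Staff'                      # assumed Azure AD group allowed to use the app
$InternalDns = 'dc01.mydomain.local'                 # assumed internal DNS server hosting the internal mydomain.ca zone
$ExternalDns = 'extdns01'                            # assumed Windows DNS server hosting the public mydomain.ca zone

Connect-AzureAD | Out-Null

# 1. On-premises application: internal and external URL are identical, and pre-authentication
#    stays with Azure AD so MFA and the group assignment are enforced before the connector is reached
$app = New-AzureADApplicationProxyApplication -DisplayName $AppName `
    -InternalUrl "https://$Fqdn/" `
    -ExternalUrl "https://$Fqdn/" `
    -ExternalAuthenticationType AadPreAuthentication

# 2. Certificate for the custom external domain
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $app.ObjectId `
    -PfxFilePath $PfxPath -Password $pfxPassword

# 3. Who may reach it: assign the group to the app's service principal. An app without
#    declared app roles uses the all-zero GUID as its default access role.
$sp    = Get-AzureADServicePrincipal -Filter "displayName eq '$AppName'"
$group = Get-AzureADGroup -Filter "displayName eq '$GroupName'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id '00000000-0000-0000-0000-000000000000'

# 4. Internal DNS: A record so internal clients go straight to IIS instead of out through Azure
Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName $ZoneName `
    -Name $HostLabel -IPv4Address $IisServerIp

# 5. External DNS: CNAME so internet clients land on Application Proxy.
#    The target is a bare host name, never a URL with https://.
Add-DnsServerResourceRecordCName -ComputerName $ExternalDns -ZoneName $ZoneName `
    -Name $HostLabel -HostNameAlias $ProxyHost
```

Verify the split horizon afterwards: `Resolve-DnsName attendance.mydomain.ca` from an internal client should return the A record with the IIS address, while the same query against a public resolver should return the CNAME to the msappproxy.net host. If the internal answer leaks out, or the external answer comes back with the private address, users on the wrong side will either bypass Azure AD or fail to connect.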
IIS Configurations (part 2)
Redirect existing URLs to new URLs
• On the default pre-existing Trillium site, create URL rewrite rules to redirect users to the new site URL
• Disable the old rewrite rules that no longer apply and have been recreated in the new site
Note: these settings help make things seamless to end users, since their favourites, saved or published URLs will still work and simply redirect to the new ones.
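The part 2 step as an added example (not the presenters' code): on the pre-existing shared Trillium site it inserts a permanent redirect from the old app path to the new hostname at the top of the rule list, then disables, rather than deletes, the old rules that now live in the new site. The site name, old path, new host name and the names of the retired rules are assumptions; run it elevated on the IIS server with the WebAdministration module.

```powershell
# Added example: keep old favourites working by redirecting the old path on the shared
# Trillium site to the new dedicated hostname, then switch off the superseded rules.
# Site name, paths, host and rule names are assumptions.
Import-Module WebAdministration

$OldSite   = 'Default Web Site'                  # assumed name of the pre-existing Trillium site
$PsPath    = "MACHINE/WEBROOT/APPHOST/$OldSite"   # site-level config, i.e. the site's web.config
$RulesPath = 'system.webServer/rewrite/rules'
$RuleName  = 'Redirect TWebAttendance to new host'
$OldPath   = '^TWebAttendance(/.*)?$'            # assumed old path of the app on the shared site
$NewHost   = 'attendance.mydomain.ca'            # the dedicated site published through Application Proxy
$Retired   = @('Proxy TWebAttendance to Tomcat', 'TWebAttendance default page')  # assumed names of rules recreated in the new site

# 1. Insert the redirect at index 0 so it runs before any catch-all proxy rule that still serves other apps
Add-WebConfigurationProperty -PSPath $PsPath -Filter $RulesPath -Name '.' -AtIndex 0 `
    -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
$rule = "$RulesPath/rule[@name='$RuleName']"
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$rule/match"  -Name 'url'               -Value $OldPath
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$rule/action" -Name 'type'              -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$rule/action" -Name 'url'               -Value "https://$NewHost/TWebAttendance{R:1}"
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$rule/action" -Name 'redirectType'      -Value 'Permanent'
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$rule/action" -Name 'appendQueryString' -Value $true

# 2. Disable the rules the new site replaced; a disabled rule stays visible in IIS Manager for rollback
foreach ($name in $Retired) {
    $filter = "$RulesPath/rule[@name='$name']"
    if (Get-WebConfiguration -PSPath $PsPath -Filter $filter) {
        Set-WebConfigurationProperty -PSPath $PsPath -Filter $filter -Name 'enabled' -Value $false
    } else {
        Write-Warning "Rule '$name' not found on '$OldSite'; nothing to disable"
    }
}

# 3. Print the resulting rule order and state for a quick check
Get-WebConfiguration -PSPath $PsPath -Filter "$RulesPath/rule" |
    Select-Object name, enabled, @{ n = 'action'; e = { $_.action.type } }
```

After this, a saved link such as https://oldhost/TWebAttendance/report?id=5 answers 301 to https://attendance.mydomain.ca/TWebAttendance/report?id=5. Browsers cache permanent redirects, so test with redirectType Found (302) first and switch to Permanent only once the new site is confirmed working; a cached 301 to a broken target cannot be undone from the server side.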
Core Trillium Configurations
Redirect existing URLs to new URLs
• Under Trillium Security > Web Services, update the URLs for elementary and secondary report card printing to the new URLs
• If you made changes to URLs found under Admin Gateway, make sure to change those as well
Next steps?
Move the Trillium web server to the internal network
• Since Azure AD Application Proxy lets us publish internal sites outside our network without opening holes in our firewall (the connector only makes outbound connections to Azure), we would like to move our Trillium web server out of our DMZ and into our internal network.
• This will add another layer of protection for our Trillium web applications.
Summary
• Increased security
• Relative ease of setup
• Familiar user experience
• Documentation & presentation available at https://bit.ly/2KsGOf0
Questions?
Thank you
John-Rock Bilodeau, bilodeauj@csviamonde.ca
Richard Therrien, therrienr@csviamonde.ca