Publish NDES by Azure AD Application Proxy

This week the Azure AD Product Team did a great job by updating the Azure Application Proxy service to allow you to publish NDES using Azure Application Proxy, which is great news! Pieter Wigleven, Microsoft Technology Solution Professional on Enterprise Mobility has posted a great serie of posts on setting up certificate distribution to mobile devices. A must read!

Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3 – Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.
Part 4 – Protecting NDES with Azure AD Application Proxy

ndes_azure_application_proxy

In part 4 Pieter will outlines the set up of publishing NDES by Azure Application Proxy service, a cool solution that just have been made possible!

—————————————————————————————-

Azure AD Application Proxy (Web Application Proxy from the Cloud) lets you publish applications, such as SharePoint sites, Outlook Web Access and other web application, inside your private network and provides secure access to users outside your network via Azure.

Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure to have better protection against DDOS attacks and superb availability. Furthermore there is no need to open external firewall ports to your on premise network and no DMS server is required. All traffic is originated inbound. For a complete list of outbound ports take a look at this MSDN page.

Important notes:

Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions.
If you have
Enterprise Mobility Suite (EMS) licenses you are eligible of using this solution. The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 Operating system, this is also a requirement of the NDES server anyway.

Read more…

Name Suffix Routing into the rescue publishing Non-Claims-Aware application using Kerberos Constrained Delegation

Last week I faced a challenge publishing non-claims-aware application (SharePoint 2013) using Kerberos Constrained Delegation (KCD) by Web Application Proxy (WAP).

ADFS cross forest Mirosoft Intune Infrastructure

The customer environment consists of a multi-forest active directory where user accounts and server objects each stored in a separate forest. Due to the introduction of Microsoft Enterprise Mobility Suite (EMS) we added a public User Principal Name (UPN) which was required to log on using a public domain namespace.

Continue reading “Name Suffix Routing into the rescue publishing Non-Claims-Aware application using Kerberos Constrained Delegation”

Update: Hotfix solves issue publishing Network Device Enrollement Service (NDES) through Web Application Proxy (WAP) KB30137609

UPDATE! Hereby a quick note that you no longer have to contact support, it’s available in the in the December Windows Update. Just install the latest Windows Update on your Windows Server 2012 R2 and you should be good to go. December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 http://support.microsoft.com/kb/3013769

UPDATE! A private hofix (for now) is available that fixes URL length issues with Windows Application Proxy (applicable for NDES deployments) KB523052. This hotfix can be requested through a PSS case. For more details click here.

For those who are using Web Application Proxy (WAP) and intent or already have been published Network Device Enrolment Service (NDES) might noticed this isn’t working, even when pass-through preauthentication is configured. This post will go into details how NDES is working including a brief explanation of the issue.

The Network Device Enrollment Service (NDES) allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). The user certificates can be used for managing company resource access (E-mail, WiFi- and VPN profiles) instead of using user name + password. This existing technique is recently emphatically re-evaluated by the use and application for mobile device management in relation to BYOD scenarios.

Continue reading “Update: Hotfix solves issue publishing Network Device Enrollement Service (NDES) through Web Application Proxy (WAP) KB30137609”