Summary: Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.
This article explains how to configure Cayosoft Administrator for remote access through Application Proxy in Azure Active Directory. It also explains how to enforce two-factor authentication when signing in to the Web Portal through Azure AD Application Proxy.
Applies to: Cayosoft Administrator 7.3.0 and later
ID: KB20200819-1
Content:
Check the required prerequisites
- You should have a Microsoft Azure AD Premium subscription in your tenant.
- You should use an application administrator account for configuration.
- User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenant.
- Using Application Proxy requires a Windows server running Windows Server 2012 R2 or later. For details, see the Windows Server section of the Microsoft article.
- Check the TLS requirements.
- Prepare your on-premises environment: open ports to outbound traffic.
- Install and register the connector: to use Application Proxy, install a connector on each Windows server you are using with the Application Proxy service. During installation, specify the credentials of an application administrator account.
Add Cayosoft Administrator application to Azure AD
- Sign in to the Azure portal as an administrator.
- In the left navigation panel, select Azure Active Directory.
- Select Enterprise applications, and then select New application.
- In the On-premises applications section, select Add an on-premises application.
- In the Add your own on-premises application section, provide the following information about your application:
  - Name: specify the Application Proxy name. For example, CayoAdmin.
  - Internal URL: specify the Cayosoft Administrator endpoint URL with the server name and a trailing "/". For example, https://cayoadminserver.domain.com/CayosoftWebAdmin/
  - External URL: generated automatically. You will need to copy and paste it into the Cayosoft Administrator Web Portal Settings.
  - Pre Authentication: use the default value, Azure Active Directory.
  Note: Users or groups must first be assigned to this application before they can access it.
- Leave the default values for the other Application Proxy optional parameters.
- Click Save.
Assign users or groups to CayoAdmin proxy application
Before adding a user or group to the CayoAdmin proxy application, verify that they already have permission to access the application from inside the corporate network.
- Select Enterprise applications, and then select the CayoAdmin proxy application you created.
- Select Getting started, and then select Assign a user for testing.
- Under Users and groups, select Add user.
- Under Add assignment, select Users and groups. The Users and groups section appears.
- Choose the users and groups you want to add.
- Choose Select, and then select Assign.
Configure CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Azure Active Directory is used
- In the Admin Console, navigate to Home > Configuration > Web Portal > Web Portal Settings.
- In Server URL, paste the External URL from the CayoAdmin application proxy.
- Ensure that User sign-in authentication method is set to Automatic Sign-in (SSO) for Azure Active Directory / Office 365 accounts.
- Set Enable integration with Azure AD Application Proxy to Yes.
- Save changes.
- Perform an IIS reset.
Test the sign-in
- In a web browser, open the External URL from the CayoAdmin application proxy.
- Sign in to Azure AD using the credentials of a user that is assigned to the CayoAdmin proxy application.
- Ensure that the Cayosoft Administrator Web Portal home page appears.
Configure CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Active Directory is used
Configure Active Directory
- If the connector and application server are in the same domain, perform these steps, which enable the Application Proxy Connector to impersonate users in AD against the applications defined in the list.
- If the connector and application server are in different domains, you should perform these steps.
Configure single sign-on
- In the Azure portal, select the CayoAdmin application you created and click Single sign-on.
- Select Integrated Windows Authentication as the Single sign-on method.
- In Internal Application SPN, specify http/cayoadminserver.domain.com
- Delegated Login Identity is the value that the connector service uses to authenticate a user against the Key Distribution Center (KDC). It must match the UserPrincipalName or sAMAccountName attribute of the user in on-premises Active Directory. If the Azure AD UserPrincipalName matches the on-premises Active Directory UserPrincipalName, you can use User principal name as the Delegated Login Identity.
- Click Save.
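As an added example that is not part of this article, the following PowerShell script (ActiveDirectory module, run from a domain-joined machine with read access to AD) checks the Kerberos constrained delegation setup that the Active Directory and single sign-on steps above depend on: the SPN is registered exactly once, and the connector computer account is allowed to delegate to that SPN only, with protocol transition enabled. The connector computer name CONNECTOR01 is an assumed value; the SPN is the one used above.

```powershell
# Added example (not from the Cayosoft article): verify the KCD configuration
# used by Azure AD Application Proxy for Integrated Windows Authentication.
# Assumed: connector computer account CONNECTOR01; SPN from the article.
Import-Module ActiveDirectory

function Test-AppProxyKcd {
    param(
        [string]$ConnectorName = "CONNECTOR01",
        [string]$Spn = "http/cayoadminserver.domain.com"
    )
    $findings = @()

    # 1. The SPN must be registered on exactly one account (the account that
    #    runs the Web Portal). A duplicate or missing SPN breaks Kerberos auth.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    if ($holders.Count -ne 1) {
        $findings += "SPN '$Spn' is registered on $($holders.Count) accounts; expected exactly 1"
    } else {
        $findings += "OK: SPN '$Spn' is registered on $($holders[0].DistinguishedName)"
    }

    # 2. The connector computer account must be trusted to delegate to that SPN
    #    using protocol transition ("Use any authentication protocol").
    $connector = Get-ADComputer -Identity $ConnectorName `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
    $allowed = @($connector.'msDS-AllowedToDelegateTo')
    if ($allowed -notcontains $Spn) {
        $findings += "Connector '$ConnectorName' is not allowed to delegate to '$Spn'"
    }
    if (-not $connector.TrustedToAuthForDelegation) {
        $findings += "Connector '$ConnectorName' lacks protocol transition (TrustedToAuthForDelegation)"
    }
    # 3. Least privilege: unconstrained delegation is never needed here, and every
    #    extra SPN in the list widens what the connector can impersonate users to.
    if ($connector.TrustedForDelegation) {
        $findings += "Connector '$ConnectorName' has unconstrained delegation enabled; remove it"
    }
    $extra = @($allowed | Where-Object { $_ -ne $Spn })
    if ($extra.Count -gt 0) {
        $findings += "Connector '$ConnectorName' also delegates to: $($extra -join ', ')"
    }
    return $findings
}

Test-AppProxyKcd
```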
Configure Cayosoft Administrator
- In the Admin Console, navigate to Home > Configuration > Web Portal > Web Portal Settings.
- In Server URL, paste the External URL from the CayoAdmin application proxy.
- Ensure that User sign-in authentication method is set to Automatic Sign-in (SSO) + Sign-in form for Active Directory accounts.
- Set Enable integration with Azure AD Application Proxy to Yes.
- Save changes.
- Perform an IIS reset.
Test the sign-in
- In a web browser, open the External URL from the CayoAdmin application proxy.
- Sign in to Azure AD using the credentials of a user that is assigned to the CayoAdmin proxy application.
Note: Ensure that the user assigned to the CayoAdmin proxy application is a hybrid user, that is, has an Active Directory account that is synced to Azure AD.
- Ensure that the Cayosoft Administrator Web Portal home page appears.
Enforce Two-Factor Authentication when signing into the Web Portal through Azure AD Application Proxy
To enforce two-factor authentication when users sign in to the Web Portal, perform the following steps:
- Configure the Cayosoft Administrator Application Proxy as described above for Automatic Single Sign-on (SSO) for Azure Active Directory or for Automatic Single Sign-on (SSO) for Active Directory.
- In Azure AD, create a Conditional Access Policy that applies to the CayoAdmin proxy application you created and requires multi-factor authentication for the users and groups defined in the policy scope:
  - Sign in to the Azure Active Directory admin center.
  - Click Azure Active Directory.
  - In the Manage section, click Security.
  - Click Conditional Access.
  - Click New Policy.
  - Specify the policy Name.
  - Select the Users and Groups who will be required to use two-factor authentication when signing in to the Web Portal.
  - In Cloud apps or actions, select the CayoAdmin proxy application.
  - In Conditions, select Any location.
  - In Access Controls, click Grant Access and check Require multi-factor authentication.
  - Enable policy: select On.
  - Click Save.
After that, when users in the Conditional Access Policy scope sign in to the Web Portal using the External URL from the CayoAdmin application proxy, they will be required to provide a second factor during authentication.
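As an added example that is not part of this article, the same Conditional Access policy can be created with Microsoft Graph PowerShell instead of the portal. The group name CayoAdmin-Web-Portal-Users is an assumption; the enterprise application is looked up by the CayoAdmin name used above, and the policy targets its appId, which is what Conditional Access expects.

```powershell
# Added example (not from the Cayosoft article): create the "require MFA for the
# CayoAdmin proxy application" Conditional Access policy via Microsoft Graph.
# Assumed: Microsoft.Graph modules installed; group CayoAdmin-Web-Portal-Users exists.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

$appName   = "CayoAdmin"                   # Application Proxy app name from the steps above
$groupName = "CayoAdmin-Web-Portal-Users"  # assumed group that should be in scope

# Conditional Access references applications by appId, not by object id.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Enterprise application '$appName' not found" }
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

$policy = @{
    displayName = "Require MFA for CayoAdmin Application Proxy"
    # "enabled" matches the article (Enable policy: On). To stage the change,
    # use "enabledForReportingButNotEnforced" first and review sign-in logs.
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($sp.AppId) }
        locations      = @{ includeLocations = @("All") }   # "Any location"
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                            # Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep at least one break-glass account excluded from MFA policies so an MFA outage cannot lock administrators out of the tenant; that exclusion is a Microsoft recommendation, not a step on this page.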
My Profile & Password
To use the My Profile & Password functionality, which allows users to reset their passwords and unlock their accounts, together with Application Proxy, use the user sign-in authentication method Sign-in for Active Directory accounts:
- In the Admin Console, navigate to Home > Configuration > Web Portal > Web Portal Settings.
- In the User Sign-in Settings section, set User sign-in authentication method to Sign-in for Active Directory accounts.
- Save changes.
After logging in to the Web Portal, users who need to unlock their account or reset their password may see this form:
In this case, users should click Cancel; the Web Portal login form with the SelfService links will then be displayed:
Using these links, the user can reset the password or unlock the account, provided the user enrolled in SelfService beforehand.