How to configure Cayosoft Administrator for remote access through Application Proxy in Azure Active Directory

Summary: Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

This article explains how to configure Cayosoft Administrator for remote access through Application Proxy in Azure Active Directory

Applies to: Cayosoft Administrator 7.3.0 and later  

ID: KB20200819-1

Content: 

Check the required prerequisites

1. You should have Microsoft Azure AD premium subscription in your tenant.

2. You should use an application administrator account for configuration.

3. User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants.

4. Using Application Proxy requires Windows server running Windows Server 2012 R2 or later. For details please see Windows Server section in Microsoft article. 

5. Check the recommendations for the connector server.

6. Check the TLS requirements.

7. Prepare your on-premises environment:

   1. Open ports to outbound traffic.

   2. Allow access to URLs.

Install and register the connector

1. To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. During installation specify credentials of an application administrator account.

2. Verify the installation through Azure portal.

3. Verify the installation through your Windows server.

Add Cayosoft Administrator application to Azure AD

1. Sign in as an administrator in the Azure portal.

2. In the left navigation panel, select Azure Active Directory.

3. Select Enterprise applications, and then select New application.

4. In the On-premises applications section, select Add an on-premises application.

5. In the Add your own on-premises application section, provide the following information about your application:

   • Name: specify the Application Proxy name. For example, CayoAdmin.
   • Internal URL: specify Cayosoft Administrator endpoint URL with the server name and trailing "/" in the end. For example, https://cayoadminserver.domain.com/CayosoftWebAdmin/ 
   • External URL: generates automatically. You will need to copy\paste it for Cayosoft Administrator Web Portal Settings. 
   • Pre Authentication: use default value Azure Active Directory.
     Note: Users or groups must first be assigned to this application before being able to access it.

   • Leave default values for other application proxy optional parameters.

   • Click Save
     
     

Assign users or groups to CayoAdmin proxy application

Before adding a user or group to the CayoAdmin proxy application, verify that they already have permissions to access the application from inside the corporate network.

1. Select Enterprise applications, and then select created CayoAdmin proxy application.test.

2. Select Getting started, and then select Assign a user for testing.

3. Under Users and groups, select Add user.

4. Under Add assignment, select Users and groups. The User and groups section appears.

5. Choose the users and groups you want to add.

6. Choose Select, and then select Assign.

Configure CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Azure Active Directory is used

1. In Admin Console navigate to Home > Configuration > Web Portal > Web Portal Settings

2. In Server URL paste External URL from CayoAdmin application proxy.

3. Ensure that User sign-in authentication method is set to Automatic Sign-in (SSO) for Azure Active Directory / Office 365 accounts.

4. Set Enable integration with Azure AD Application Proxy to Yes. 

5. Save changes.

6. Perform IIS reset.

Test the sign-in

1. In Web browser specify External URL from CayoAdmin application proxy.
2. Sign-in to Azure AD using credentials of the user that is assigned to CayoAdmin proxy application. 
3. Ensure that Cayosoft Administrator Web Portal home page appears.

Configure CayoAdmin Application Proxy when Automatic Single Sign-on (SSO) for Active Directory is used

Configure Active Directory

1. If the connector and application server in the same domain, perform these steps that enable the Application Proxy Connector to impersonate users in AD against the applications defined in the list.
2. If the connector and application server in different domains, you should perform these steps.

Configure single sign-on

1. In the Azure portal select created CayoAdmin application and click Single sign-on.
2. Select Integrated Windows Authentication as Single sign-on method.
3. In Internal Application SPN specify http/cayoadminserver.domain.com
4. Delegated Login Identity is the value which connector service takes to authenticate a user using Key Distribution Center (KDC). It must match to UserPrincipalName or samAccountName user attributes in the on-prem Active Directory. If Azure AD UserPrincipalName matches to on-prem Active Directory UserPrincipalName, you can use User principal name as Delegated Login Identity.
   
   
5. Click Save

Configure Cayosoft Administrator 

1. In Admin Console navigate to Home > Configuration > Web Portal > Web Portal Settings

2. In Server URL paste External URL from CayoAdmin application proxy.

3. Ensure that User sign-in authentication method is set to Automatic Sign-in (SSO) + Sign-in form for Active Directory accounts.

4. Set Enable integration with Azure AD Application Proxy to Yes. 

5. Save changes.

6. Perform IIS reset.

Test the sign-in

1. In Web browser specify External URL from CayoAdmin application proxy.
2. Sign-in to Azure AD using credentials of the user that is assigned to CayoAdmin proxy application. 
   Note: Ensure that the user that is assigned to CayoAdmin proxy application is hybrid and has Active Directory account that is synced to Azure AD.
3. Ensure that Cayosoft Administrator Web Portal home page appears.