![]() The browser error will probably give you a pretty good idea about what’s wrong. If you don’t, you probably made a mistake entering the internal url in the App Proxy setup, tried the wrong external URL in your browser, or have the wrong info for the NDES service account. Once the App proxy is setup, test it by hitting /certsrv/mscep_admin in a web browser and logging in with the NDES Service account before you do anything in Jamf Pro. Clients like Jamf Pro don’t even know that there’s a proxy involved. The external Azure App Proxy and the internal Microsoft App Proxy Connector link the external and internal URLs together. To generate the external URL, you enter a name (e.g., “jamfscepserver”, or whatever you want to call it) and select the tenant from the drop-down menu. The External URL is what you’ll tell Jamf Pro to use when it needs to talk to your NDES Server. For “Internal URL”, enter the hostname of your NDES Server. I didn’t have to mess with any of that.īelow there’s a screenshot of the Azure portal blade for the Application Proxy. My setup runs on Server 2016 and no outbound proxy or firewall. Bluecoat), read this page on Connector TLS requirements. If you’re installing the Connector on Server 2019 or need to configure an outbound proxy (e.g. If you already have app proxies for other applications you can reuse your existing on-premise Connector - you only need one. ![]() If this is your first Azure App Proxy app, they’ll walk you through the install of the Connector software that needs to run on an internal server. Microsoft has step-by-step instructions here. Step 2: Set up Azure AD Application Proxy Use a web browser to login to your NDES server’s /certsrv/mscep_admin page to make sure you know your NDES URL and the service account you’ll use to login to retrieve dynamic challenge codes. If you don’t yet have NDES setup, you can add the role to a Windows server. Your organization most likely has a PKI infrastructure and an NDES instance may already be up and running as a part of that. Step 1: Set up your AD Certificate Services and Microsoft NDES So non-Intune applications are going to need a plain-vanilla NDES instance they can talk to. ![]() One your run Intune’s NDESConnectorSetup.exe on an NDES server, it alters the auth mechanism so that only traffic coming in from Intune will authenticate properly in IIS and any other client requests will get rejected. You might even be wondering if you couldn’t just use the same Azure app you just set up for Intune. You probably already did the same basic setup as what we’re about to describe here. If you’re already using Microsoft Intune/Endpoint Manager to deploy AD CS-sourced certs to your Windows clients, this will sound really familiar to you. ![]() In the case we’re talking about here, Jamf Pro is the client (the little blue person above) and NDES is the “Application”. This Microsoft diagram shows the basic traffic flow… Clients like Jamf Pro will connect to the cloud URL provided by the Azure Application Proxy Service and the internal Microsoft Application Proxy Connector will reach outbound to the Azure proxy to retrieve HTTP connections. Microsoft Azure AD Application Proxy can be used to solve this problem.Īzure AD App Proxy includes two components, a cloud-based Proxy to which clients will connect instead of your internal resource’s URL, and an “Application Proxy Connector” that you’ll install on an internal Windows server. This is a common issue for every app that an organization is moving to the cloud or implementing as SaaS but which requires connection to internal IT resources. But connections from the DMZ to internal networks should be avoided where possible, so it would be even better if the network connections were initiated outbound from the internal network. Since these servers typically run on internal networks, the network admin would need to create a route where they pass internet traffic through a reverse proxy or load balancer in their DMZ network zone. This can get more complicated when hosting Jamf Pro on Jamf Cloud because many will be reluctant to set up an internet-facing CA or SCEP server. Jamf Pro can deliver certificates to managed devices if you integrate it with a certificate authority. Read this Microsoft document that deals with this issue: Integrate with Azure AD Application Proxy on a Network Device Enrollment Service (NDES) server You may have SaaS or remote clients that need access to SCEP cert provisioning but your security team may not allow inbound connections from the DMZ to the internal network where your NDES Server is located.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |