Azure Application Proxy Connector - DNS based whitelisting. How to???

    Question

  • Can someone please help me, related to an Azure App Proxy Connector issue?  I need to make sure my Azure AD is production ready.  I'm still learning my way with Azure AD and last week I found out that my Azure AD is not production ready because IP addresses were not whitelisted.  However, there is another method where you whitelist DNS names.

    There is this article:  https://www.msemsblog.com/2017/03/16/new-azure-ad-application-proxy-connector-available-action-required/

    There are too many North American IPs to whitelist and this would be easier going DNS whitelist route.  Plus the IP address list in an XML file, I have no clue how to add it into whitelist of firewall (this also has limited documentation by the way).

    Apparently, with the new version of App Proxy Connector (1.5), support for DNS based whitelisting to Azure on outbound firewalls is present.

     I know the DNS names that I need to whitelist:

    *.msappproxy.net

    *.servicebus.windows.net

    login.microsoftonline.com

    login.windows.net

    I know that I need to whitelist the above DNS names from what the Azure App Proxy feedback has provided.

    My question is: how do I do the DNS whitelisting?

    Regarding the DNS whitelisting solution: is there a KB article with step-by-step instructions?  Where or how is DNS whitelisted?  Is this something that is performed on the firewall?  Proxy servers?  DNS somehow?

    Also, do I need to uninstall the old connector (1.4) first and then install the new connector (1.5), or will it update the old 1.4 connector when I execute the 1.5 connector after downloading?

    Link to connector page:  

    https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/Download

     Also, is this link what I need to follow?

    https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-working-with-proxy-servers

    Kumar

    Friday, April 28, 2017 2:25 PM

All replies

  • Azure App Proxy Team got back to me.  For anyone that needs to know

    When discussing the AAD App Proxy Connector network requirements it’s important to understand your company internal network configuration.

    Our latest update for the connector moved from being IP aware (or IP range aware to be more specific) to be DNS aware requiring the following DNS entries to be whitelisted for outgoing traffic:

    *.msappproxy.net

    *.servicebus.windows.net

    Login.microsoft.com

    Login.microsoftonline.com

    Usually if you’re using a backend proxy, whitelisting these domains to allow outbound traffic should be enough. Indeed the document you’ve found specifies how to configure the connector to use the backend proxy.

    Document:  https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-working-with-proxy-servers

    In case you also use a FW, in most cases we’ve seen customers either opening all outbound traffic coming from the machine OR, since FWs are usually IP/IP range based, needing to open the Azure IPs as well.

    Azure IP Ranges is a public tool that can be found at https://www.microsoft.com/en-us/download/details.aspx?id=41653 and is being updated constantly to include the new IPs.

    Regarding the connector version, the upgrade should work; you can upgrade the connector from version 1.4 to 1.5 without needing to uninstall it.


    Kumar

    Friday, April 28, 2017 5:27 PM
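The reply above covers the proxy side (domain whitelisting) and the firewall side (Azure IP ranges from the XML download). The following is an added example, not code from either poster or from Microsoft: it parses an XML in the layout the Azure IP Ranges download is assumed to use (`<Region Name>` elements containing `<IpRange Subnet>` elements), collapses the prefixes into a smaller firewall allow list for the chosen regions, and checks whether an address the connector host resolved for one of the listed domains falls inside that list. The sample XML is constructed and the rule syntax is a hypothetical generic form, not any vendor's.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of the Azure IP Ranges download:
# one <Region> per datacentre, one <IpRange Subnet="..."/> per CIDR block.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses>
  <Region Name="useast">
    <IpRange Subnet="13.68.0.0/17" />
    <IpRange Subnet="40.71.0.0/16" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
  </Region>
</AzurePublicIpAddresses>
"""


def load_ranges(xml_text, regions=None):
    """Return ip_network objects from the XML, optionally limited to the named regions."""
    root = ET.fromstring(xml_text)
    nets = []
    for region in root.iter("Region"):
        if regions and region.get("Name") not in regions:
            continue
        for rng in region.iter("IpRange"):
            nets.append(ipaddress.ip_network(rng.get("Subnet"), strict=False))
    return nets


def collapse(nets):
    """Merge adjacent or overlapping prefixes so the firewall rule set stays small."""
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(addr, nets):
    """True if addr (e.g. what *.msappproxy.net resolved to) is inside an allowed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def firewall_rules(nets, port=443):
    """One outbound allow line per prefix, in a hypothetical generic rule syntax."""
    return [f"allow tcp from CONNECTOR_HOST to {net} port {port}" for net in nets]


if __name__ == "__main__":
    ranges = collapse(load_ranges(SAMPLE_XML, regions={"useast"}))
    for line in firewall_rules(ranges):
        print(line)
    print(is_allowed("40.71.12.1", ranges))  # True: inside 40.71.0.0/16
```

Re-run the check each time the download is refreshed, since the reply notes the range list changes constantly and a stale allow list is the usual cause of connector outbound failures.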