Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
In many environments, tier 0 systems like Azure AD Connect installations are only allowed Internet access through one or more internet proxy servers. In this post, I’ll show you how to configure the Windows Server host, Azure AD Connect and Azure AD Connect Health to work while meeting this proxy requirement. I’ll also provide steps along the way to check your connectivity.
Why use a proxy?
An Internet proxy, or forward proxy acts as an intermediary between hosts on the network and the Internet. Hosts on the network ask the proxy to act on their behalf.
Benefits of using an Internet proxy include reduced load times (when an Internet page is served from the Internet proxy’s cache) and filtering of malicious websites, but these benefits don’t really apply to Azure AD Connect due to its nature.
Instead, the fact that the connection is not a direct connection between the Windows Server running Azure AD Connect and its Azure AD service endpoints is the biggest benefit of using a proxy. This traffic can be inspected, filtered and monitored.
When all other hosts access Internet resources through the proxy, anomalies can be easily detected, reducing the detection time of advanced threats.
Why wouldn’t you?
Using Azure AD Connect behind an Internet proxy also has big drawbacks, however.
Azure AD Connect uses mutual TLS (mTLS) on its connections to its Azure AD service endpoints, so that both ends authenticate each other. This ensures that no system can intervene, modify the traffic or eavesdrop on the communications in clear text at any stage. When Azure AD Connect sits behind an Internet proxy, this protection is disabled: the Internet proxy uses plain TLS when communicating with the Azure AD service endpoints on behalf of Azure AD Connect.
Because Internet proxy servers can be configured to inspect traffic, they may introduce lag or latency. In rare situations this can cause Azure AD Connect synchronization cycles to exceed the 30-minute threshold, after which objects and attributes waiting to be synchronized may pile up.
To install Azure AD Connect behind an Internet Proxy, make sure to meet the following requirements:
Make sure all hosts in scope are installed with the latest cumulative Windows Updates. Also make sure you install the latest stable version of Azure AD Connect.
Sign in with an account with local administrative privileges.
Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the systems in scope reside, if you intend to set the items using Group Policy preferences.
For Azure Active Directory, you’ll need an account with the Global administrator or Hybrid Identity administrator role.
Configuring the host
We start with configuring the Windows Server on which we will install and run Azure AD Connect.
Disabling Internet Explorer Enhanced Security Configuration
We start by disabling the Internet Explorer Enhanced Security Configuration (IE ESC) feature on the Windows Server on which we want to use Azure AD Connect. We do this because Azure AD Connect and the Azure AD PowerShell module prompt for modern authentication using Internet Explorer, and with the default IE ESC settings we can expect script faults and unnecessary pop-up warnings during authentication.
Perform the following actions:
- Open Server Manager (servermanager.exe)
- In the left navigation menu, click on the Local Server node.
- In the Properties area, click on On next to IE Enhanced Security Configuration in the right column of properties for the server.
The Internet Explorer Enhanced Security Configuration pop-up window appears.
- Select Off for administrators.
- Click OK to save the new settings and close the pop-up window.
- Close Server Manager.
Configuring proxy settings
Now, we issue the following command on an elevated Command Prompt (cmd.exe) to configure the Windows Server Operating System, replacing ProxyServer and Port with the appropriate information:
netsh winhttp set proxy proxy-server="http=ProxyServer:Port;https=ProxyServer:Port" bypass-list="<local>"
For Windows PowerShell, specifically, we use the following three lines of Windows PowerShell in an elevated Windows PowerShell window:
[system.net.webrequest]::defaultwebproxy = New-Object system.net.webproxy('http://proxy:port')
[system.net.webrequest]::defaultwebproxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[system.net.webrequest]::defaultwebproxy.BypassProxyOnLocal = $true
Restart the Windows Server installation afterwards.
Testing proxy settings
We test these settings by connecting, in a Windows PowerShell window, to one of the URIs that we need to reach through the proxy:
(Invoke-WebRequest -Uri https://login.microsoftonline.com -UseBasicParsing).StatusDescription
When this returns OK, run the following lines of Windows PowerShell in an elevated Windows PowerShell window to install the Azure AD Module for Windows PowerShell and connect to Azure AD:
Sign in with an account that has either Global Administrator or Hybrid Identity Administrator privileges. When this is successful, the Operating System has been properly configured with the proxy settings, and the proxy server allows the exchange of the required traffic.
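As an added check that is not part of the original post, the following Windows PowerShell function shows which proxy the WinHTTP layer (netsh) and the .NET default proxy resolve for an endpoint, and times the request so that proxy-induced lag (the concern behind the 30-minute synchronization threshold) becomes visible. The URI list and the 2000 ms warning threshold are assumed values.

```powershell
# Added example (not from the original post): report the proxy path an endpoint takes
# on this host and how long the request takes through it.
function Test-ProxyPath {
    param(
        [string[]]$Uris = @('https://login.microsoftonline.com'),  # constructed list
        [int]$WarnAboveMs = 2000                                    # assumed threshold
    )

    # Layer 1: the WinHTTP proxy as configured with "netsh winhttp set proxy"
    $winHttp = (netsh winhttp show proxy) -join ' '
    Write-Host "WinHTTP: $winHttp"

    # Layer 2: the .NET default proxy (machine.config, or a session override as set above)
    $proxy = [System.Net.WebRequest]::DefaultWebProxy

    foreach ($u in $Uris) {
        $uri = [Uri]$u
        $resolved = if ($proxy.IsBypassed($uri)) { 'DIRECT (bypassed)' }
                    elseif ($proxy.GetProxy($uri) -eq $uri) { 'DIRECT (no proxy configured)' }
                    else { $proxy.GetProxy($uri).AbsoluteUri }

        # Time the full request; slow answers point at inspection or an overloaded proxy
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp   = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 30
            $status = "$($resp.StatusCode) $($resp.StatusDescription)"
        } catch {
            $status = "FAILED: $($_.Exception.Message)"
        }
        $sw.Stop()

        [pscustomobject]@{
            Uri       = $uri.AbsoluteUri
            Proxy     = $resolved
            Status    = $status
            ElapsedMs = $sw.ElapsedMilliseconds
            Slow      = ($sw.ElapsedMilliseconds -gt $WarnAboveMs)
        }
    }
}

Test-ProxyPath | Format-Table -AutoSize
```

Run it once in a plain window and once after the three-line session override above to confirm the .NET layer actually picks up the proxy.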
Configuring Azure AD Connect
To instruct Azure AD Connect to use the proxy server, we need to edit the .NET machine.config file with the following steps:
The machine.config file located in the v4.0.30319 folder applies to all applications and services that use .NET Framework v4.x, regardless of the specific v4.x version of .NET Framework installed (4.7, 4.8, etc.).
Alternatively, after installing Azure AD Connect on the Windows Server, we might make the changes we need to Azure AD Connect’s specific miiserver.exe.config file. This file is specific to Azure AD Connect only and does not affect other .NET Framework-based applications and services. However, this file seems to get overwritten during every Azure AD Connect upgrade…
- Open Notepad (notepad.exe) with administrative privileges.
- Open the following file: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
- Scroll down to the end of the file.
- Insert the following lines of text after the line that reads </system.web>, but before </configuration>, replacing ProxyServer and Port with the appropriate information:
<system.net><defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="true" proxyaddress="http://ProxyServer:Port" bypassonlocal="true" /></defaultProxy></system.net>
- Save the file.
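The same machine.config change as an added Windows PowerShell example (not from the original post): it backs up the file, does nothing if a defaultProxy element already exists, and writes the system.net/defaultProxy element through the XML API instead of editing by hand. The proxy host proxy.corp.example and port 8080 in the last line are placeholders.

```powershell
# Added example (not from the original post): add the defaultProxy element to the
# 64-bit .NET Framework v4.x machine.config idempotently, with a timestamped backup.
# Run from an elevated Windows PowerShell window.
function Set-MachineConfigProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyServer,
        [Parameter(Mandatory)][int]$Port,
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    )

    [xml]$cfg = Get-Content -Path $ConfigPath -Raw

    # Idempotency: leave an existing defaultProxy alone and report it instead
    $existing = $cfg.SelectSingleNode('/configuration/system.net/defaultProxy')
    if ($existing) {
        Write-Warning "defaultProxy already present: $($existing.OuterXml)"
        return $false
    }

    # Keep a copy so the change can be rolled back
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    # Create <system.net> under <configuration> if the file does not have one yet
    $systemNet = $cfg.SelectSingleNode('/configuration/system.net')
    if (-not $systemNet) {
        $systemNet = $cfg.CreateElement('system.net')
        [void]$cfg.DocumentElement.AppendChild($systemNet)
    }

    $defaultProxy = $cfg.CreateElement('defaultProxy')
    $defaultProxy.SetAttribute('enabled', 'true')
    $defaultProxy.SetAttribute('useDefaultCredentials', 'true')

    $proxy = $cfg.CreateElement('proxy')
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', "http://${ProxyServer}:${Port}")
    $proxy.SetAttribute('bypassonlocal', 'true')

    [void]$defaultProxy.AppendChild($proxy)
    [void]$systemNet.AppendChild($defaultProxy)
    $cfg.Save($ConfigPath)

    Write-Host "Written to $ConfigPath (backup: $backup)"
    return $true
}

Set-MachineConfigProxy -ProxyServer 'proxy.corp.example' -Port 8080   # placeholders
```

Because miiserver.exe.config is overwritten on upgrade, keeping the setting in machine.config and re-running this function after each Azure AD Connect upgrade gives a quick way to confirm it is still in place.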
Now, we can install Azure AD Connect on the Windows Server without problems. During installation, you will get an error regarding Azure AD Connect Health. We address that issue in the next section.
Configuring Azure AD Connect Health
All Azure AD Connect installations, by default, send information for Azure AD Connect Health to Microsoft, but only organizations with Azure AD Premium licenses have access to the Azure AD Connect Health dashboard. For organizations with Azure AD Premium licenses, Azure AD Connect Health offers a dashboard to troubleshoot Azure AD Connect synchronization errors and get notified of any problems.
Although it might seem to make sense not to route Azure AD Connect Health’s traffic through the proxy server when your organization does not have Azure AD Premium licenses, I advise configuring it anyway.
Azure AD Connect Health requires additional URIs to be allowed access to through the proxy server, so be sure to allow them.
Run the following lines of Windows PowerShell in an elevated Windows PowerShell window to configure proxy settings for Azure AD Connect Health, to restart the service and re-register Azure AD Connect Health, replacing ProxyServer and Port with the appropriate information:
Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "ProxyServer:Port"
Installing Azure AD Connect behind an Internet Proxy might be a requirement in your organization. Use the steps above to configure the setup to meet this requirement, but be aware that you will lose the mTLS functionality.