One concern MIM engineers have faced is exposing the MIM Portal (SSPR, PAM, etc.) to the outside. Placing it in the DMZ still does not sit comfortably with security auditors. One advantage of Azure is that it can act as a proxy to your internal websites and lets you enforce additional security controls on outside connections, such as MFA or conditional access. You can also use it for internal-only websites. It’s a very good tool that I would recommend.
So let’s start off by exposing the MIM Portal to the outside with the Azure Application Proxy.
Pre-reqs
- Get a P1 or P3 Azure license.
- Set up Azure AD Connect with password hash synchronization or ADFS. There should be some form of SSO so that users can log into the portal with their on-premises AD accounts.
- MIM Portal or SSPR fully set up. We will use the MIM Portal for this blog post. Make sure you have:
  - Windows Authentication enabled on the MIM Portal website
  - Your SPN set. For this blog post we will use “setspn -S Http/tlkazuremim1 tlkdomain\tlkmimservice”
- You have already set up at least one Application Proxy connector and connector group; if not, follow Microsoft’s documentation to install and configure them first. This step can make or break the setup, so here are some recommendations:
  - Install the connector on the MIM server(s); don’t install it on a DC. I have seen flaky behavior when it is on a DC, perhaps because of the delegation step we will discuss in item 3. That setting is so specific to your app that it can affect other domain processes. In a single-server environment, the operational ease is worth spinning up a member server for the connector.
  - Create a connector group called “MIMAZ”. This way you isolate your connector to your app.
  - After you have set up the proxy connector on the MIM server (or any other member server) and the SPN, go to the proxy connector server’s computer account in ADUC: Properties, Delegation, select “Trust this computer for delegation to specified services only”, then select the SPNs of the MIM service account. Do not select the middle option (delegation to any service); I have seen some flaky behavior with that. Make it specific, which is why I advise putting the connector on the MIM server. Reboot the connector server after this change.
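The SPN and delegation steps above are clickable in ADUC, but they are also the steps most often done slightly wrong (a duplicate SPN, or delegation scoped too broadly). The following PowerShell script is an added example, not from the original post: it registers the SPN, checks that exactly one account owns it, and scopes the connector server’s delegation to that single SPN. It assumes the SPN and service account named above, the ActiveDirectory module on the machine it runs from, and a placeholder connector server name MIMSRV01.

```powershell
# Added example (not from the original post). Assumes the names used in the post:
# service account tlkdomain\tlkmimservice and SPN Http/tlkazuremim1.
# 'MIMSRV01' is a placeholder for the member server that hosts the App Proxy connector.
Import-Module ActiveDirectory

$Domain          = 'tlkdomain'
$ServiceAccount  = 'tlkmimservice'
$Spn             = 'Http/tlkazuremim1'
$ConnectorServer = 'MIMSRV01'        # placeholder, replace with your connector server

# Step 1: register the SPN on the MIM service account (the setspn command from the post).
# -S refuses to add the SPN if it is already registered elsewhere, so it cannot create a duplicate.
setspn -S $Spn "$Domain\$ServiceAccount"

# Step 2: confirm exactly one account owns the SPN. A duplicate SPN breaks Kerberos for the
# portal silently (the KDC cannot pick a key), so fail early instead of debugging it later.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
if ($owners.Count -ne 1) {
    throw "SPN $Spn is registered on $($owners.Count) accounts; expected exactly one: $($owners.DistinguishedName -join ', ')"
}

# Step 3: constrained delegation on the connector's COMPUTER account, limited to the MIM SPN.
# This is the ADUC option "Trust this computer for delegation to specified services only";
# msDS-AllowedToDelegateTo lists the only services the connector may obtain tickets for.
$current = (Get-ADComputer -Identity $ConnectorServer -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
if ($current -notcontains $Spn) {
    Set-ADComputer -Identity $ConnectorServer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}

# The connector never sees a Kerberos ticket from the internet user; it requests one on the
# user's behalf (protocol transition). That needs the "Use any authentication protocol"
# sub-option, which is the TrustedToAuthForDelegation flag (per Microsoft's Application Proxy
# KCD guidance; the post itself does not spell out this sub-option).
Get-ADComputer -Identity $ConnectorServer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Step 4: read the result back so the change can be reviewed before the reboot.
$c = Get-ADComputer -Identity $ConnectorServer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
[pscustomobject]@{
    ConnectorServer            = $c.Name
    AllowedToDelegateTo        = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    TrustedToAuthForDelegation = $c.TrustedToAuthForDelegation
    SpnOwner                   = $owners[0].DistinguishedName
}

# Step 5: the connector caches its delegation settings, so reboot it as the post advises.
# Restart-Computer -ComputerName $ConnectorServer -Force
```

Run it as a domain admin from a management host. The point of the `$current -notcontains` guard is idempotence: adding a value that already exists in a multi-valued attribute fails, so the script can be re-run safely. Keep the delegation list to the MIM SPN only; anything broader lets the connector impersonate users to services that have nothing to do with the portal, which is exactly the “flaky behavior” and blast radius the post warns about.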
Publish the MIM Portal
Log into the Azure portal.
Click on Enterprise Applications, click Add an application, select On-premises application, and set the name to “MIM Portal”.
Enter the MIM Portal info and save. Note the external URL.
Go to Enterprise Applications, click on MIM Portal, then click Single sign-on. Enter the SPN you set up.
Click on Users and groups and assign a user to the application.
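The same publish, single sign-on and assignment steps can be scripted, which is useful when you have several MIM environments (test, prod) to keep consistent. This is an added example, not from the original post, using the AzureAD PowerShell module cmdlets for Application Proxy (that module has since been deprecated in favor of Microsoft Graph, but the cmdlets below exist in it). The internal URL is assumed from the SPN host tlkazuremim1; the external URL and the user UPN are placeholders; the connector group MIMAZ and SPN are the ones from the pre-reqs.

```powershell
# Added example (not from the original post). Requires: Install-Module AzureAD
Import-Module AzureAD
Connect-AzureAD

$AppName     = 'MIM Portal'
$InternalUrl = 'http://tlkazuremim1/'                        # assumed from the SPN host
$ExternalUrl = 'https://mimportal-tenant.msappproxy.net/'    # placeholder, Azure assigns the real one
$GroupName   = 'MIMAZ'                                       # connector group from the pre-reqs
$Spn         = 'Http/tlkazuremim1'                           # SPN from the pre-reqs
$UserUpn     = 'testuser@tlkdomain.example'                  # placeholder test user

# Pin the app to the dedicated connector group so it never rides on another app's connectors.
$group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Connector group '$GroupName' not found; create it before publishing." }

# "Add an on-premises application": publish with Azure AD pre-authentication, which is what
# puts MFA and conditional access in front of the portal instead of the DMZ.
$app = New-AzureADApplicationProxyApplication -DisplayName $AppName `
    -InternalUrl $InternalUrl -ExternalUrl $ExternalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $group.Id

# "Single sign-on": Kerberos constrained delegation using the SPN the connector may delegate to.
# The delegated login identity must be resolvable on-premises; with password hash sync the
# on-premises UPN is the usual choice.
Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosSpn $Spn `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# "Users and groups": assign one user. Without an assignment Azure AD refuses the login,
# so this is also the switch that keeps the portal closed until you are ready.
$sp   = Get-AzureADServicePrincipal -Filter "displayName eq '$AppName'"
$user = Get-AzureADUser -ObjectId $UserUpn
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty)

"Published '$AppName' at $($app.ExternalUrl); SSO via $Spn; assigned $UserUpn"
```

Two things to check after running it: the SPN given to `-KerberosSpn` must be identical to the one in the connector’s msDS-AllowedToDelegateTo list (a mismatch shows up as an authentication loop rather than a clear error), and the app should stay restricted to assigned users so that the external URL is not reachable by every account in the tenant.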
Connect to MIM Portal from outside
From the outside (internet), log into the external URL with the assigned user account. You will be asked to log into your Azure account; once logged in, you will be routed to the MIM Portal.