Triofox Server has a web server component with a published AccessPoint (or URL). In order to protect the URL from unauthorized access, the Triofox server integrates with Microsoft Azure AD Application Proxy so the access is protected by Azure AD Authentication. This article describes how to set up the integration between Azure AD Application Proxy and Triofox Server.
Notes: Skip this step if you have already set up the Triofox server and the Microsoft Azure AD application proxy on your own.
System Requirements - 3 servers
- server 1 - local on-premise Active Directory domain controller
- server 2 - local on-premise Triofox server, domain joined, with its DNS resolution pointed at server #1
- server 3 - local on-premise clean Windows 2019 machine, domain joined, with its DNS resolution pointed at server #1; this clean machine is where the Azure AD proxy connector will be installed
- Azure Portal administrator access
This article assumes that server #1 is already installed and the domain controller is ready, and that server #2 is also ready with Triofox installed and a domain administrator account is used to manage the Triofox server.
Now we are ready to install the Azure AD Proxy connector on server #3.
Notes: In this example,
- the local AD domain is: delray.triofox.tech
- the local Triofox URL is: delraytriofox.delray.triofox.tech
- the Azure Active Directory tenant is: hadroncloud.com
The following steps follow the two Microsoft articles below, with specific values taken from our test environment.
- Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory | Microsoft Docs
- Publish native client apps - Azure Active Directory | Microsoft Docs
Step 1 - Install Azure Proxy Connector
Log in to the console of server #3. It is a clean Windows 2019 machine and is ready for the application proxy connector. From the Azure Portal, go to the "Azure Active Directory" section and follow the "Application proxy" link on the left. First create a "New Connector Group", then download the connector service.
In this example, we created a Connector Group called "DelrayProxyGroup". The orange triangle means no connectors are in the group yet.
The downloaded connector service is an .exe installer. Double-click it to start the installation.
Here is a screenshot of the installation.
During the installation, the Microsoft login window will show up and you will need to log in as the Azure AD administrator to connect the connector service to Azure AD. In this example, the admin user is "email@example.com"; use your own organization's admin user instead.
Once the installation is done, it will say "Setup Successful".
Once the connector is installed, it automatically joins the "Default" connector group, so we need to reassign it to our newly created "DelrayProxyGroup". The newly installed application proxy connector is named by its hostname plus the local Active Directory domain name; in this case it is called delrayproxy.delray.triofox.tech. You can reassign it by double-clicking "DelrayProxyGroup" and then selecting the connector to join this specific group.
Now go back to the tutorial page - Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory | Microsoft Docs
There are a couple of steps to disable HTTP/2 and to enable TLS 1.2 via registry files. Both steps are required.
Save both registry files and import them into the registry.
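As an added example (not from this article or the Microsoft tutorials), the following PowerShell applies those two registry changes on the connector server and reads them back so you can verify they took. It assumes you run it elevated on server #3; the value names are the ones Microsoft documents for the Application Proxy connector prerequisites (disable HTTP/2 in http.sys on Windows Server 2019, enable TLS 1.2 for SCHANNEL and .NET).

```powershell
# Added example: apply and verify the connector-host registry settings.
# Assumption: run from an elevated PowerShell session on server #3 (the connector host).
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$tls  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$net  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

$settings = @(
    # Disable HTTP/2 in http.sys (the connector does not work with it on Server 2019)
    @{ Path = $http;         Name = 'EnableHttp2Tls';       Data = 0 },
    @{ Path = $http;         Name = 'EnableHttp2Cleartext'; Data = 0 },
    # Enable TLS 1.2 for both the SCHANNEL client and server side
    @{ Path = "$tls\Client"; Name = 'Enabled';              Data = 1 },
    @{ Path = "$tls\Client"; Name = 'DisabledByDefault';    Data = 0 },
    @{ Path = "$tls\Server"; Name = 'Enabled';              Data = 1 },
    @{ Path = "$tls\Server"; Name = 'DisabledByDefault';    Data = 0 },
    # Make .NET Framework (used by the connector service) negotiate TLS 1.2
    @{ Path = $net;          Name = 'SchUseStrongCrypto';   Data = 1 }
)

function Set-ConnectorRegistry {
    foreach ($s in $settings) {
        # Create the key if it does not exist yet, then write the DWORD value
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Data -Force | Out-Null
    }
}

function Test-ConnectorRegistry {
    # Returns one row per setting with expected versus actual value
    foreach ($s in $settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Key      = $s.Path
            Name     = $s.Name
            Expected = $s.Data
            Actual   = $actual
            Ok       = ($actual -eq $s.Data)
        }
    }
}

Set-ConnectorRegistry
Test-ConnectorRegistry | Format-Table -AutoSize
Write-Host 'Restart the server so the http.sys and SCHANNEL changes take effect.'
```

A row with Ok = False after running means the value was not written (usually a non-elevated session), so re-run elevated before continuing with the connector installation.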
Step 2 - Add an on-premise Application to represent the Triofox server
From Azure Active Directory, go into the "Enterprise Applications" section and add an "on-premise application". The two most important parameters are the "Internal URL" and the "Connector Group".
- Internal URL - The internal URL has to be in FQDN format, not IP-address format. That is why the "domain join" in the earlier step matters: with domain join, the Triofox server has an FQDN. Before filling this in, test from the proxy server that the FQDN works to access the Triofox server.
- Connector Group - It has to be the same connector group that contains the proxy connector.
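The "test from the proxy server first" step above can be scripted. The following PowerShell is an added example (not part of the article): run on server #3, it checks that the Internal URL is an FQDN rather than an IP literal, that the name resolves through the DNS server the host points at, that the port is reachable, and that the Triofox web server answers by that name. It assumes the Triofox site is served over HTTPS at the article's example FQDN; change the URL if yours differs.

```powershell
# Added example: preflight check for the App Proxy "Internal URL", run on the connector host.
# Assumption: the Triofox server listens on HTTPS at the example FQDN from this article.
param(
    [string]$InternalUrl = 'https://delraytriofox.delray.triofox.tech'
)

function Test-TriofoxInternalUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri      = [uri]$Url
    $hostName = $uri.Host
    $result   = [ordered]@{ Url = $Url }

    # App Proxy requires an FQDN; an IP literal or a bare short name will not do
    $parsed = $null
    $result.IsFqdn = (-not [System.Net.IPAddress]::TryParse($hostName, [ref]$parsed)) -and $hostName.Contains('.')

    # Which DNS server this host uses (should be server #1, the domain controller)
    $result.DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses -join ','

    # The name must resolve to an address
    $dns = Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue
    $result.ResolvesTo = ($dns | Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress) -join ','

    # TCP reachability on the URL's port (443 for https, 80 for http unless given explicitly)
    $result.TcpOpen = (Test-NetConnection -ComputerName $hostName -Port $uri.Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # Any HTTP status below 500 means the web server answered by this host name
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $result.HttpStatus = [int]$resp.StatusCode
    } catch {
        $r = $_.Exception.Response
        $result.HttpStatus = if ($r) { [int]$r.StatusCode } else { $_.Exception.Message }
    }

    $result.Ready = $result.IsFqdn -and [bool]$result.ResolvesTo -and $result.TcpOpen -and
        ($result.HttpStatus -is [int]) -and ($result.HttpStatus -lt 500)
    [pscustomobject]$result
}

Test-TriofoxInternalUrl -Url $InternalUrl | Format-List
```

If Ready is False, fix DNS (the host must point at server #1) or the Triofox site binding before creating the enterprise application; App Proxy will otherwise publish a URL the connector cannot reach.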
NOTES: For the external URL field, please select the .msappproxy.net type of URL. This is the URL format currently supported in Triofox Desktop Client.
After you create the application, you can find it faster by setting the "Is App Proxy" filter to Yes. There are a few more steps to configure in the enterprise application.
First, you will need to "add user/group" to assign users to this app.
From the permissions, you can use "Grant admin consent for hadroncloud" to grant admin consent.
After this step, you should be able to access your Triofox server via a web browser. The Azure AD login screen will show up first, before it allows you to access the Triofox server directly.
Step 3 - Allow Desktop Client Agent to Connect
Now we need to create an "App Registration" to register an application in Azure Active Directory. Follow the other article - Publish native client apps - Azure Active Directory | Microsoft Docs
- Assign the proxy application as an API permission of the new native application.
- Grant the "user_impersonation" permission.
- Click "Grant admin consent for hadroncloud".
- Write down the "Application (client) ID" and the "Directory (tenant) ID".
Now the app registration is ready. The Triofox server's public external DNS name will also need to be changed to the same msappproxy.net URL.
NOTE: currently the desktop application only supports the ".msappproxy.net" format.
Step 4 - Getting Desktop Client App Ready
Use the following text to create a registry file for the client's desktop machine. The registry file can be pushed out via Microsoft Intune. The registry key path and the first three values are not reproduced in this article; fill in the placeholders in angle brackets using the field documentation below.
Windows Registry Editor Version 5.00

[<registry key for the Triofox desktop client - path not given in this article>]
"AzureAppProxyClientId"="<Application (client) ID>"
"AzureAppProxyAuthority"="<authority URL with the GUID part replaced by the Directory (tenant) ID>"
"AzureAppProxyScope"="<scope with the URL part replaced by the Triofox .msappproxy.net URL>"
"MsiPath"="C:\\Program Files (x86)\\Gladinet Cloud Enterprise\\portal\\Pkgs\\TeamClient\\(992686312_1_triofox1-hadroncloud.msappproxy.net)_CloudWindowsClient_x64.msi"
Documentation of the fields
AzureAppProxyClientId - the "Application (client) ID" from the App Registration in the Azure Portal
AzureAppProxyAuthority - replace the GUID part of the authority URL with the "Directory (tenant) ID"
AzureAppProxyScope - replace the URL part of the scope with the Triofox .msappproxy.net URL
MsiPath - the path to the client MSI; the .msappproxy.net URL embedded in the file name is required for single sign-on to work.
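Before pushing the registry file to many desktops, it is worth checking that every field was actually filled in correctly. The following PowerShell is an added example (not Triofox's code): it parses a .reg file of the shape shown above and checks each of the four documented values. It assumes the value names from this article, the standard Azure AD authority form https://login.microsoftonline.com/<tenant-id>, and that the scope and MSI path both carry the .msappproxy.net URL; the sample .reg text and its GUIDs are constructed for the example.

```powershell
# Added example: sanity-check a Triofox client .reg file before deploying it with Intune.
function Test-TriofoxClientReg {
    param([Parameter(Mandatory)][string]$RegText)

    # Collect "Name"="Value" lines; .reg files escape backslashes as \\
    $values = @{}
    foreach ($line in $RegText -split "`r?`n") {
        if ($line -match '^"([^"]+)"="(.*)"\s*$') {
            $values[$Matches[1]] = $Matches[2] -replace '\\\\', '\'
        }
    }

    $guid = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    # Assumption: authority is https://login.microsoftonline.com/<tenant GUID>
    $authority = '^https://login\.microsoftonline\.com/[0-9a-fA-F-]{36}/?$'

    $checks = [ordered]@{
        'Header is a version 5.00 registry file'      = ($RegText -match '^Windows Registry Editor Version 5\.00')
        'AzureAppProxyClientId is a GUID'              = ($values.AzureAppProxyClientId -match $guid)
        'AzureAppProxyAuthority ends in tenant GUID'   = ($values.AzureAppProxyAuthority -match $authority)
        'AzureAppProxyScope uses the msappproxy.net URL' = ($values.AzureAppProxyScope -match '\.msappproxy\.net')
        'MsiPath embeds the msappproxy.net URL'        = ($values.MsiPath -match '\.msappproxy\.net')
        'No <placeholder> left unfilled'               = -not (($values.Values -join "`n") -match '<[^>]+>')
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value }
    }
}

# Constructed sample input (key path, GUIDs and scope are made up for this example)
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\TriofoxClient]
"AzureAppProxyClientId"="11111111-2222-3333-4444-555555555555"
"AzureAppProxyAuthority"="https://login.microsoftonline.com/66666666-7777-8888-9999-000000000000"
"AzureAppProxyScope"="https://triofox1-hadroncloud.msappproxy.net/user_impersonation"
"MsiPath"="C:\\Program Files (x86)\\Gladinet Cloud Enterprise\\portal\\Pkgs\\TeamClient\\(992686312_1_triofox1-hadroncloud.msappproxy.net)_CloudWindowsClient_x64.msi"
'@

Test-TriofoxClientReg -RegText $sample | Format-Table -AutoSize
```

Run it against your real file with `Test-TriofoxClientReg -RegText (Get-Content .\triofox-client.reg -Raw)`; any Pass = False row points at a field that still needs the value from the App Registration.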