Hybrid cloud app publishing. The business case we're concerned with here is: how can we securely expose an internal app to internet access? Now, this becomes particularly important when a business is looking at the hybrid cloud in staged migrations. In all likelihood, you're not going to cut over all of your on-premises services into Azure; you're going to take a stepwise approach. So you may have some services running in Azure and some running on-prem. That brings up important questions of connectivity between your local servers and the ones that are running in Azure. And if you're not yet there as far as establishing a site-to-site VPN or an ExpressRoute circuit, the question of an application proxy becomes particularly salient.

Now, in Windows Server we have the Application Proxy, or it's actually called the Web Application Proxy, or WAP. And this, in my experience, is associated most of the time with Active Directory Federation Services. So you see, this is a Microsoft docs diagram. As always, I give the citation in the lower-left corner of the slide. In this case, it looks like we've got an AD FS farm on-premises; that's the left side of the diagram. And on the right side of the diagram we have, say, Office 365, which of course is now called Microsoft 365, licensed in our Azure AD tenant, and we want to give our users single sign-on capability into this cloud application.

How do we do that? Well, we don't need to get too far into the plumbing for the hybrid cloud administrator role. There are other Azure certifications and job roles where you do need to know how to set up federated or synchronized identity using Azure AD Connect. But here, notice that we've got, over the internet, a federation trust between our on-premises domain and our Azure Active Directory tenant. What happens is, when the user logs in or tries to sign in to Office 365, their browser will redirect back to the Web Application Proxy, or AD FS proxy, on-prem, where the user is signed in locally.

So that's the idea with Web Application Proxy; it's called a reverse proxy. You're able to shield servers inside your network perimeter that in all likelihood have private, non-internet-routable IP addresses and are behind firewalls, and you can still connect to them securely through that Web Application Proxy.

And like I said, in Windows Server you can proxy regular web applications, but the normal use case, the one for the exam that I want you to think about, is using Web Application Proxy as part of your Active Directory Federation Services deployment in order to give you two things, really. One, you're maintaining the user's credentials entirely locally in Active Directory, as opposed to synchronizing those identities into Azure AD. And number two, you're able to use token-based authentication, and you can repurpose the Web Application Proxy in your AD FS farm with other service providers. This slide of course just shows Azure AD, but you can use AD FS for federated identity with other services elsewhere in the world and on the internet.