
First and foremost: ensure that your on-prem proxy allows the IP address of your server to reach *msappproxy.net*.
On the 2016 Server, you will need to do the following:
- You want to make sure your server is joined to Azure. If that isn’t done via domain policy, you can join it manually by doing the following. Run GPEdit and navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration
- Set “Register domain joined computers as devices” to enabled
- Open Internet Explorer and configure the proxy with whatever settings are necessary for your environment.
- Open an administrative command prompt and run the following to set up a system-wide proxy:

      netsh winhttp import proxy source=ie

- Since the Application Proxy services will run as Network Service and System, we need to set the proxy for these accounts as well. Download PsExec, copy it over to the 2016 server, and run:

      psexec -i -u "nt authority\network service" cmd.exe

- In this newly opened cmd window, we want to launch Internet Explorer, so cd to “C:\Program Files\Internet Explorer”, then type iexplore.exe to open Internet Explorer.
- Configure the proxy in this newly opened IE instance, and then close Internet Explorer.
- We now want to do the same thing again for the System account, so repeat the steps in #4 and #5, but this time use the username “nt authority\system”.
- Using the same cmd window opened in step #5, we also want to make sure the system is going to register with Azure. Run the following command:

      dsregcmd /join

- Reboot the system
- Disable IE Enhanced Security Configuration from Server Manager (Click on Local Server, and it’s in the right-hand column)
- Download the Application Proxy Connector from https://portal.azure.com
- Click on Enterprise Applications
- Click on Application proxy
- Click on Download connector
- Run the downloaded file on the server as administrator
- Log in with global admin credentials at the prompt. (The prompt won’t work right if you didn’t disable IE Enhanced Security Policy in step 8.)
- The server should now be listed in Azure in the same location you navigated to in step #9.
- Last but not least, launch the port checking page for the Azure Application Proxy from the server (https://aadap-portcheck.connectorporttest.msappproxy.net/). You should see green checkmarks across the board. If you see any red, your application proxy server may show up on the proxies page in Azure, but it may show as inactive. Notice in the image above you see one listed as active and the other as inactive. The inactive one went through the entire setup, but the proxy was blocking certain ports. If this is the case for you, you will likely need to battle it out with the person in charge of administering your proxy.
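
A read-only check of the state these steps set up, as an added PowerShell example that is not part of the original post: it reads the machine-wide WinHTTP proxy, the device registration status, and whether the port check page loads through the proxy. The function names are hypothetical, the parsing assumes English-language command output, and the web request only confirms that the page is reachable for the account running the script, not the per-port results the page shows in a browser.

```powershell
# Added example: read-only checks, nothing here changes configuration.
# Function names are hypothetical; output parsing assumes an English-language OS.

function Get-WinHttpProxyState {
    # Machine-wide WinHTTP proxy, as set by "netsh winhttp import proxy source=ie"
    $out = (& netsh winhttp show proxy) -join "`n"
    [pscustomobject]@{
        Check  = 'WinHTTP proxy set'
        Passed = ($out -notmatch 'Direct access')
        Detail = ($out -replace '\s+', ' ').Trim()
    }
}

function Get-DeviceJoinState {
    # dsregcmd /status reports "AzureAdJoined : YES" once registration has completed
    $line = & dsregcmd /status |
        Select-String -Pattern 'AzureAdJoined\s*:\s*(\w+)' |
        Select-Object -First 1
    $value = if ($line) { $line.Matches[0].Groups[1].Value } else { 'not reported' }
    [pscustomobject]@{
        Check  = 'Azure AD joined'
        Passed = ($value -eq 'YES')
        Detail = "AzureAdJoined = $value"
    }
}

function Test-PortCheckPage {
    # Goes out through the proxy configured for the account running this script
    $uri = 'https://aadap-portcheck.connectorporttest.msappproxy.net/'
    # Windows PowerShell 5.1 may not offer TLS 1.2 unless asked to
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        # -UseBasicParsing avoids the IE engine, which may be uninitialised for service accounts
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 20
        $ok = ($r.StatusCode -eq 200)
        $detail = "HTTP $($r.StatusCode)"
    } catch {
        $ok = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Check = 'Port check page reachable'; Passed = $ok; Detail = $detail }
}

@(Get-WinHttpProxyState; Get-DeviceJoinState; Test-PortCheckPage) |
    Format-Table -AutoSize -Wrap
```

Running it once in the administrative prompt and once inside each PsExec session shows whether the per-account proxy settings took effect for Network Service and System as well.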