Setting up Azure Application Proxy on Server 2016 When Behind Company Proxy

Please note: This post may not be relevant anymore as newer builds of the application proxy support internal proxies by editing the following two files:

C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config
C:\Program Files\Microsoft AAD App Proxy Connector Updater\ApplicationProxyConnectorUpdaterService.exe.config

Add or update the <defaultProxy> section under <configuration><system.net> in the two config files above:

<configuration>
     <!-- other existing sections of the file stay as they are -->
     <system.net>
          <defaultProxy>
               <proxy proxyaddress="http://address of your proxy:port" bypassonlocal="true/false" usesystemdefault="true/false" />
          </defaultProxy>
     </system.net>
</configuration>
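
The same edit scripted in PowerShell, as an added example (not from the original post or from Microsoft). The proxy URL is a placeholder, the function name Set-ConnectorDefaultProxy is hypothetical, and the script writes the .NET attribute name bypassonlocal.

```powershell
#Requires -RunAsAdministrator
# Added example: writes <system.net><defaultProxy><proxy/> into both connector config files.
param(
    [string]$ProxyAddress = 'http://proxy.example.internal:8080',   # placeholder, use your proxy
    [bool]$BypassOnLocal = $true,
    [bool]$UseSystemDefault = $false
)

$configFiles = @(
    'C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config',
    'C:\Program Files\Microsoft AAD App Proxy Connector Updater\ApplicationProxyConnectorUpdaterService.exe.config'
)

function Set-ConnectorDefaultProxy {   # hypothetical helper name
    param([string]$Path, [string]$Address, [bool]$Bypass, [bool]$SystemDefault)

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    # Walk configuration > system.net > defaultProxy > proxy, creating what is missing.
    $node = $xml.DocumentElement
    foreach ($name in 'system.net', 'defaultProxy', 'proxy') {
        $child = $node.SelectSingleNode($name)
        if ($null -eq $child) {
            $child = $xml.CreateElement($name)
            [void]$node.AppendChild($child)
        }
        $node = $child
    }

    $node.SetAttribute('proxyaddress', $Address)
    $node.SetAttribute('bypassonlocal', $Bypass.ToString().ToLower())
    $node.SetAttribute('usesystemdefault', $SystemDefault.ToString().ToLower())

    # Keep the first untouched copy so the change can be rolled back.
    if (-not (Test-Path -LiteralPath "$Path.orig")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.orig"
    }
    $xml.Save($Path)
    [pscustomobject]@{ File = $Path; Proxy = $node.OuterXml }
}

foreach ($file in $configFiles) {
    if (Test-Path -LiteralPath $file) {
        Set-ConnectorDefaultProxy -Path $file -Address $ProxyAddress -Bypass $BypassOnLocal -SystemDefault $UseSystemDefault
    } else {
        Write-Warning "Not found, skipped: $file"
    }
}
```

Restart both connector services afterwards, since .NET reads these files only when the process starts.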

The remainder of this post is likely deprecated BUT for the sake of still having the info available:

First and foremost: ensure that your on-prem proxy allows the IP address of your server to reach *msappproxy.net*

On the 2016 Server, you will need to do the following:

Make sure your server is joined to Azure. If that isn’t already done via domain policy, you can join it manually as follows. Run GPEdit and navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration.

Set “Register domain joined computers as devices” to Enabled.

Open Internet Explorer and configure the proxy with whatever settings are necessary for your environment.

Open an administrative command prompt and run the following to set up a system-wide proxy:

netsh winhttp import proxy source=ie

Since the application proxy services will run as Network Service and System, we need to set the proxy for these accounts as well. Download PsExec, copy it over to the 2016 server, and run:

psexec -i -u "nt authority\network service" cmd.exe

In this newly opened cmd window, we want to launch Internet Explorer. CD to “C:\Program Files\Internet Explorer”, then type iexplore.exe to open Internet Explorer.

Configure the proxy in this newly opened IE instance, and then close Internet Explorer.

We now want to do the same thing we just did, only with the System account, so repeat the same steps in #4 and #5, but this time use the username “nt authority\system”.

Using the same cmd window opened in step #5, we also want to make sure the system is going to register with Azure. Run the following command:

dsregcmd /join

Download the Application Proxy Connector from https://portal.azure.com

Click on Enterprise Applications

Click on Application proxy

Click on Download connector 

Run the downloaded file on the server as administrator

Log in with global admin credentials at the prompt. (The prompt won’t work right if you didn’t disable IE Enhanced Security Policy in step 8.)

The server should now be listed in Azure in the same location you navigated to in step #9.

Last but not least, launch the port checking page for the Azure Application Proxy from the server: https://aadap-portcheck.connectorporttest.msappproxy.net/

You should see green checkmarks across the board. If you see any red, your application proxy server may show up on the proxies page in Azure, but it may show as inactive. Notice in the image above you see one listed as active and the other as inactive. The inactive one went through the entire setup, but the proxy was blocking certain ports. If this is the case for you, you will likely need to battle it out with the person in charge of administering your proxy.
