
When publishing IFS IEE on the internet, we couldn’t find any settings to configure IEE to work with preauthentication through Azure Application Proxy. Does anyone know if this is possible?

Please see recommendation from Microsoft here: Security considerations for Azure Active Directory Application Proxy | Microsoft Docs

We were able to get this to work through Application Proxy in Azure, specifically exposing IFS IEE on Internet - but then we had to bypass the preauthentication in Azure and leave all security handling to IFS IEE.  

We are still unsure if this could be considered secure and have disabled this until we know more. Does anyone have experience with this or could we have a comment from IFS R&D?

We are on IFS10 UPD15


Hello,


Bypassing the preauth from Azure isn’t a good idea. The security level is decreased, of course.
You expose the on-prem environment directly to the web, which is not recommended.


As far as I know, the Azure application proxy must be set with SSO for a remote application preauth.

Did you set the SSO for this remote application?
Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory - Microsoft Entra | Microsoft Learn

 

Best regards,


Hi @Geoff Romyns,

Thanks for your reply!

 

We are using Azure AD for authentication of users. After we got it to work, we disabled it until we know if this is secure. Do you know why the built-in IFS method is not secure? I assume it could be a risk on-prem as well, if it cannot be trusted?

 

Let me share what we did to get this to work in Azure.

We added a CNAME in our DNS to msappproxy

We imported a wildcard certificate to application proxy

We published the application proxy:

Note that here pre-Authentication is set to Passthrough. IEE does not support pre auth. This means that authentication is carried out by the IFS application, not by the Application proxy.

Our question is if we can trust the authentication carried out by IFS? Aurena is already exposed on the Internet, but this supports pre-auth by Azure.

We have set up the IEE Application registration according to IFS docs:

 


Hello @SORBJAHAU ,

 

Sorry for the confusion. I didn’t mean to say the IFS IEE security is not secure.
It’s simply better to have every layer of possible security.

Concerning your setting, can I ask which type of application did you set for the IEE? Web, or Mobile and desktop?

 

Best regards,


Hi @Geoff Romyns No worries 🙂 We are very eager to allow IEE to be accessed openly, it will ease our work and save money on terminal servers such as AVD and Citrix. But it must be confirmed safe first.

 

Not sure I understand your questions? IEE is only used (and supported?) for desktop as far as I know.


Hi @SORBJAHAU ,

On the Azure SSO setting, when you set the remote app you can choose the type. But by the way, my question is not relevant if you want to run it openly.

As I’m not IFS SOC, my knowledge is not deep enough to be technically clear.
I advise Elisabeth to follow up through the LCS case you opened. It will be better to get security confirmation.

I wish you an excellent day,

Best regards,


Hi @Geoff Romyns, very good and thank you very much for your follow up! 🙂 Much appreciated! 

I totally agree with you, someone that knows the technical architecture of IFS Security must confirm this. A safety “token” or handshake between IFS and a user is established, it must be explored if this is done in a safe way since IFS IEE does not support Pre-authentication from Azure. 


An update regarding this case.

We had a meeting with a technical resource at IFS and found out that Microsoft’s ClickOnce technology, which IFS IEE is built on, does not work with Azure preauth. It’s not safe to skip the preauth in Application Proxy, because some URLs do not support OAuth2.

That would be the ones with basic authentication on this page:

https://docs.ifs.com/techdocs/foundation1/010_overview/210_security/090_exposing_to_internet/default.htm

 

To get this to work we need to set up IEE without ClickOnce and publish it to Application Proxy. Then we can handle the addresses that are not safe to expose on the internet.
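Both the earlier post describing the Application Proxy publication (pre-authentication set to Passthrough) and this conclusion (passthrough is unsafe because some IFS URLs only support basic authentication) come down to one configuration field. The following added example, which is not from the thread or from IFS or Microsoft, shows how an administrator can audit a tenant for Application Proxy apps published with passthrough pre-authentication and build the body that would switch such an app to Azure AD pre-authentication. It assumes the Microsoft Graph shape of an `applications` listing selected with `onPremisesPublishing`, where `externalAuthenticationType` is `passthru` or `aadPreAuthentication`; the sample response below is constructed for the example, and the hostnames in it are placeholders.

```python
import json

# Constructed sample in the shape of a Microsoft Graph
# GET /applications?$select=displayName,onPremisesPublishing response.
# Names and URLs are invented placeholders; only the field names follow Graph.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {
            "displayName": "IFS Aurena",
            "onPremisesPublishing": {
                "externalUrl": "https://aurena-contoso.msappproxy.net/",
                "internalUrl": "https://aurena.corp.example/",
                "externalAuthenticationType": "aadPreAuthentication",
            },
        },
        {
            "displayName": "IFS IEE (ClickOnce)",
            "onPremisesPublishing": {
                "externalUrl": "https://iee-contoso.msappproxy.net/",
                "internalUrl": "https://iee.corp.example/",
                "externalAuthenticationType": "passthru",
            },
        },
        {
            # An app registration that is not published through Application Proxy.
            "displayName": "Internal API",
            "onPremisesPublishing": None,
        },
    ]
})


def audit_app_proxy_preauth(graph_json: str) -> list[dict]:
    """Return one finding per Application Proxy app whose pre-authentication
    is 'passthru' (shown as 'Passthrough' in the portal).

    With passthrough, Azure AD never challenges the caller: every internal path
    behind the external URL, including any that only supports basic
    authentication, is reachable from the internet and protected solely by the
    backend's own login. That is the situation the thread concludes is unsafe.
    """
    findings = []
    for app in json.loads(graph_json).get("value", []):
        publishing = app.get("onPremisesPublishing")
        if not publishing:
            continue  # not published via Application Proxy, nothing to check
        mode = (publishing.get("externalAuthenticationType") or "").lower()
        if mode == "passthru":
            findings.append({
                "displayName": app.get("displayName"),
                "externalUrl": publishing.get("externalUrl"),
                "internalUrl": publishing.get("internalUrl"),
                "recommendation": (
                    "enable Azure AD pre-authentication, or stop publishing "
                    "any path that only supports basic authentication"
                ),
            })
    return findings


def hardened_preauth_patch_body() -> dict:
    """Body for PATCH /applications/{id} that turns on Azure AD
    pre-authentication for an Application Proxy app (assumed Graph shape)."""
    return {
        "onPremisesPublishing": {
            "externalAuthenticationType": "aadPreAuthentication",
        }
    }


if __name__ == "__main__":
    for finding in audit_app_proxy_preauth(SAMPLE_GRAPH_RESPONSE):
        print(json.dumps(finding, indent=2))
    print(json.dumps(hardened_preauth_patch_body(), indent=2))
```

Run against a real tenant, the listing would be paged from Graph with the `$select` shown in the comment and fed to `audit_app_proxy_preauth`; anything it flags deserves the same review the thread describes, since, as the final post notes for IEE, switching the field alone is not an option when the application itself cannot work behind Azure AD pre-authentication.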