There are a few ways to grant external access to an internal application without doing any port forwarding. The way to do this in Microsoft’s world is through an Entra Application Proxy.
The name is a bit of a mess, as Microsoft renamed the Microsoft Entra application proxy program to Microsoft Entra private network connector. The Microsoft Entra private network connector is part of Microsoft Entra Private Access, which is part of Microsoft Global Secure Access.
Basically, Microsoft Entra Enterprise Applications can be configured with an Application Proxy, which will use the Microsoft Entra private network connector to proxy the connection.
In this post, I will show you step-by-step how to set up a Microsoft Entra private network connector, configure an internal web application to use an Entra Enterprise application proxy, and add authentication before access is granted to the web application.
Prerequisites
- Microsoft Entra ID P1 or higher license.
- External domain added to Microsoft 365.
- Windows Server for the Private Network Connector.
- Internal DNS name for the application.
- Access to the external DNS records.
- SSL certificate in PFX format with a password.
The Process
The process will be broken up into the following sections.
Private Network Connector
We need to set up the Entra private network connector first, because the Entra application proxy routes its connections through it.
- Log in to the Microsoft Entra Admin Center
- Click on Global Secure Access
If needed, click on Activate to enable Global Secure Access for your tenant.
- Under Global Secure Access, click on Connect > Connectors.