Microsoft Web Application Proxy

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Microsoft Web Application Proxy

scooper
Microsoft have recently replaced UAG with the Web Application Proxy, which supports multi factor authentication (MFA) via either certificates or Azure AD Application Proxy. I read a Microsoft blog (below) that suggests it also supports third-party MFA solutions.

Does WiKID plug into this? Or is this in the pipeline?

I'm trying to get multi factor authentication working for a Sharepoint extranet solution.

http://blogs.technet.com/b/in_the_cloud/archive/2013/07/10/what-s-new-in-2012-r2-making-device-users-productive-and-protecting-corporate-information.aspx


Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

Nick Owen
Administrator
It looks like Web Application Proxy requires AD FS which can use
Radius as the authentication protocol:
http://msdn.microsoft.com/en-us/library/azure/dn394287.aspx.

Here's an older post that seems to do the same with UAG, so hopefully
it will still work with Web Application Proxy:
http://blog.auth360.net/2011/06/25/federated-sso-logon-with-ad-fs-2-0-in-an-extranet-with-uag.

The question for Microsoft is: Can you use Radius to proxy the
authentication requests to the auth server of your choice and if so,
how?  We typically recommend using a standard authentication protocol
over a custom plugin.  Not that we wouldn't love to tie you in to
WiKID. ;-)

On Thu, Aug 21, 2014 at 3:30 AM, scooper [via WiKID Strong
Authentication Forums] <[hidden email]>
wrote:

> Microsoft have recently replaced UAG with the Web Application Proxy, which
> supports multi factor authentication (MFA) via either certificates or Azure
> AD Application Proxy. I read a Microsoft blog (below) that suggests it also
> supports third-party MFA solutions.
>
> Does WiKID plug into this? Or is this in the pipeline?
>
> I'm trying to get multi factor authentication working for a Sharepoint
> extranet solution.
>
> http://blogs.technet.com/b/in_the_cloud/archive/2013/07/10/what-s-new-in-2012-r2-making-device-users-productive-and-protecting-corporate-information.aspx
>
>
>
>
> ________________________________
> If you reply to this email, your message will be added to the discussion
> below:
> http://wikid-strong-authentication-forums.1491522.n2.nabble.com/Microsoft-Web-Application-Proxy-tp7575097.html
> To start a new topic under Support, email
> [hidden email]
> To unsubscribe from WiKID Strong Authentication Forums, click here.
> NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

scooper
Thanks Nick. The Microsoft article you provided suggests the use of Azure Multi-Factor Authentication Server installed on the Web App Proxy (now that UAG is no longer available). So I read up on how to install MFA - first step is you need an Azure subscription.
http://technet.microsoft.com/en-us/library/dn394280.aspx
I'm keen to use WiKID, but I can't see how I can provide 2FA for IIS sites exposed to the internet unless I either force all users to use a VPN to access them, or purchase an Azure subscription. Can you think of any other options?
Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

Nick Owen
Administrator
Hmm - if it is just IIS sites, then using MS Forefront in front of
them to handle authentication should work.  It supports radius:
http://technet.microsoft.com/en-us/library/cc995109.aspx.

On Thu, Aug 28, 2014 at 3:21 AM, scooper [via WiKID Strong
Authentication Forums] <[hidden email]>
wrote:

> Thanks Nick. The Microsoft article you provided suggests the use of Azure
> Multi-Factor Authentication Server installed on the Web App Proxy (now that
> UAG is no longer available). So I read up on how to install MFA - first step
> is you need an Azure subscription.
> http://technet.microsoft.com/en-us/library/dn394280.aspx
> I'm keen to use WiKID, but I can't see how I can provide 2FA for IIS sites
> exposed to the internet unless I either force all users to use a VPN to
> access them, or purchase an Azure subscription. Can you think of any other
> options?
>
>
> ________________________________
> If you reply to this email, your message will be added to the discussion
> below:
> http://wikid-strong-authentication-forums.1491522.n2.nabble.com/Microsoft-Web-Application-Proxy-tp7575097p7575099.html
> To start a new topic under Support, email
> [hidden email]
> To unsubscribe from WiKID Strong Authentication Forums, click here.
> NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

scooper
Thanks Nick. I agree, Forefront UAG would do the job, but it can no longer be purchased as of July 1.
http://blogs.technet.com/b/server-cloud/archive/2013/12/17/important-changes-to-the-forefront-product-line.aspx
Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

Nick Owen
Administrator

Has it been replaced by something that supports radius?

On Aug 28, 2014 7:42 PM, "scooper [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:
Thanks Nick. I agree, Forefront UAG would do the job, but it can no longer be purchased as of July 1.
http://blogs.technet.com/b/server-cloud/archive/2013/12/17/important-changes-to-the-forefront-product-line.aspx


If you reply to this email, your message will be added to the discussion below:
http://wikid-strong-authentication-forums.1491522.n2.nabble.com/Microsoft-Web-Application-Proxy-tp7575097p7575101.html
To start a new topic under Support, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML
Reply | Threaded
Open this post in threaded view
|

Re: Microsoft Web Application Proxy

scooper
Hi Nick,

My understanding is that UAG has been replaced by the Web Application Proxy, and I cannot see any support for RADIUS authentication in this product.
http://technet.microsoft.com/en-au/library/dn584113.aspx

However, Web Application Proxy supports the use of multi factor authentication (certs or phone) via ADFS. Microsoft have purchased PhoneFactor in order to deliver this:
http://www.microsoft.com/en-us/news/press/2012/oct12/10-04mfapr.aspx

ADFS also supports "custom MFA providers: for organizations that leverage third-party MFA methods, AD FS offers the ability to incorporate and use these authentication methods seamlessly."
http://technet.microsoft.com/en-au/library/dn280949.aspx

I was hoping WiKID would offer one of these third-party MFA methods.

An example of how to develop an MFA plug in for ADFS is here:
http://blogs.technet.com/b/cloudpfe/archive/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-3-0-part-1.aspx