machv · September 4, 2024 07:41 · ivanversluis · Nov 17, 2020
diff --git a/README.md b/README.md
diff --git a/aad_connect.txt b/aad_connect.txt
 # https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers#proxy-outbound-rules
 .msappproxy.net
 .servicebus.windows.net
 mscrl.microsoft.com
 crl.microsoft.com
 ocsp.msocsp.com
 www.microsoft.com
 login.windows.net
 .microsoftonline.com
 .microsoftonline-p.com
 .msauth.net
 .msauthimages.net
 .msecnd.net
 .msftauth.net
 .msftauthimages.net
 .phonefactor.net
 enterpriseregistration.windows.net
 management.azure.com
 policykeyservice.dc.ad.msft.net
 ctdl.windowsupdate.com
diff --git a/aad_health.txt b/aad_health.txt
 # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#outbound-connectivity-to-the-azure-service-endpoints
 .blob.core.windows.net
 .aadconnecthealth.azure.com
 .servicebus.windows.net
 .adhybridhealth.azure.com
 management.azure.com
 policykeyservice.dc.ad.msft.net
 login.windows.net
 login.microsoftonline.com
 secure.aadcdn.microsoftonline-p.com
 www.office.com
diff --git a/prepare.ps1 b/prepare.ps1
 # AAD Connect installation with Health on proxy enabled machine

 # Disable IES
 $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}”
 $UserKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}”
 Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
 Set-ItemProperty -Path $UserKey -Name “IsInstalled” -Value 0


 # Authenticated
 $userProxyServer = "squid02.corp.contoso.com"
 $userProxyPort = 3128

 # no auth
 $systemProxyServer = "squid01.corp.contoso.com"
 $systemProxyPort = 3128

 # Set user proxy 
 Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyServer -Value "$($userProxyServer):$($userProxyPort)"
 Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyEnable -Value 1

 # Update .NET machine.config file to use proxy
 $machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
 [System.Xml.XmlDocument]$machineConfig = New-Object System.Xml.XmlDocument
 $machineConfig.Load($machineConfigFile)

 [xml]$machineConfig = Get-Content $machineConfigFile
 $node = $machineConfig.SelectSingleNode("/configuration/system.net") 
 if(-not $node) {
    $configurationNode = $machineConfig.SelectSingleNode("/configuration")
    $node = $machineConfig.CreateElement("system.net")
    $configurationNode.AppendChild($node) | Out-Null
 }

 # Remove existing proxy configurations
 $proxyConfigs = $node.SelectNodes("defaultProxy")
 foreach($proxy in $proxyConfigs) {
    $node.RemoveChild($proxy)
 }

 # set our
 [xml]$proxyXml = @"
    <defaultProxy>
        <proxy
        usesystemdefault="true"
        proxyaddress="http://$($systemProxyServer):$($systemProxyPort)"
        bypassonlocal="true"
        />
    </defaultProxy>
 "@
 $node.AppendChild($machineConfig.ImportNode($proxyXml.defaultProxy, $true)) | Out-Null

 # Save changes
 $machineConfig.Save($machineConfigFile)

 # after restart is important to check if computer sees network connectivity
 # install aad connect
 # registration failed for aad health is expected if proxy auth is used

 Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "$($systemProxyServer):$($systemProxyPort)"
 Restart-Service AzureADConnectHealth*

 # and finally complete aad health agent registration
 # to be sure in new powershell admin window run this command
 Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
diff --git a/squid.conf b/squid.conf
 # aad server
 acl aadservers src 10.0.0.11/32

 # whitelists
 acl aadconnect dstdomain "/etc/squid/aad_connect.txt"
 acl aadconnect dstdomain "/etc/squid/aad_health.txt"

 ### acl for proxy auth and ldap authorizations
 acl auth proxy_auth REQUIRED

 http_access deny !auth
 http_access allow aadconnect aadservers
	# https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers#proxy-outbound-rules
	.msappproxy.net
	.servicebus.windows.net
	mscrl.microsoft.com
	crl.microsoft.com
	ocsp.msocsp.com
	www.microsoft.com
	login.windows.net
	.microsoftonline.com
	.microsoftonline-p.com
	.msauth.net
	.msauthimages.net
	.msecnd.net
	.msftauth.net
	.msftauthimages.net
	.phonefactor.net
	enterpriseregistration.windows.net
	management.azure.com
	policykeyservice.dc.ad.msft.net
	ctdl.windowsupdate.com
	# https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#outbound-connectivity-to-the-azure-service-endpoints
	.blob.core.windows.net
	.aadconnecthealth.azure.com
	.servicebus.windows.net
	.adhybridhealth.azure.com
	management.azure.com
	policykeyservice.dc.ad.msft.net
	login.windows.net
	login.microsoftonline.com
	secure.aadcdn.microsoftonline-p.com
	www.office.com
	# AAD Connect installation with Health on proxy enabled machine

	# Disable IES
	$AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}”
	$UserKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}”
	Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
	Set-ItemProperty -Path $UserKey -Name “IsInstalled” -Value 0


	# Authenticated
	$userProxyServer = "squid02.corp.contoso.com"
	$userProxyPort = 3128

	# no auth
	$systemProxyServer = "squid01.corp.contoso.com"
	$systemProxyPort = 3128

	# Set user proxy
	Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyServer -Value "$($userProxyServer):$($userProxyPort)"
	Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyEnable -Value 1

	# Update .NET machine.config file to use proxy
	$machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
	[System.Xml.XmlDocument]$machineConfig = New-Object System.Xml.XmlDocument
	$machineConfig.Load($machineConfigFile)

	[xml]$machineConfig = Get-Content $machineConfigFile
	$node = $machineConfig.SelectSingleNode("/configuration/system.net")
	if(-not $node) {
	$configurationNode = $machineConfig.SelectSingleNode("/configuration")
	$node = $machineConfig.CreateElement("system.net")
	$configurationNode.AppendChild($node) \| Out-Null
	}

	# Remove existing proxy configurations
	$proxyConfigs = $node.SelectNodes("defaultProxy")
	foreach($proxy in $proxyConfigs) {
	$node.RemoveChild($proxy)
	}

	# set our
	[xml]$proxyXml = @"
	<defaultProxy>
	<proxy
	usesystemdefault="true"
	proxyaddress="http://$($systemProxyServer):$($systemProxyPort)"
	bypassonlocal="true"
	/>
	</defaultProxy>
	"@
	$node.AppendChild($machineConfig.ImportNode($proxyXml.defaultProxy, $true)) \| Out-Null

	# Save changes
	$machineConfig.Save($machineConfigFile)

	# after restart is important to check if computer sees network connectivity
	# install aad connect
	# registration failed for aad health is expected if proxy auth is used

	Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "$($systemProxyServer):$($systemProxyPort)"
	Restart-Service AzureADConnectHealth*

	# and finally complete aad health agent registration
	# to be sure in new powershell admin window run this command
	Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
	# aad server
	acl aadservers src 10.0.0.11/32

	# whitelists
	acl aadconnect dstdomain "/etc/squid/aad_connect.txt"
	acl aadconnect dstdomain "/etc/squid/aad_health.txt"

	### acl for proxy auth and ldap authorizations
	acl auth proxy_auth REQUIRED

	http_access deny !auth
	http_access allow aadconnect aadservers