Skip to content

Instantly share code, notes, and snippets.

@machv
Last active September 4, 2024 07:41
Show Gist options
  • Save machv/b4478a57bef795029a08aed4a25f8713 to your computer and use it in GitHub Desktop.
Save machv/b4478a57bef795029a08aed4a25f8713 to your computer and use it in GitHub Desktop.
Azure AD Connect behind proxy server

How to run Azure AD Connect behind proxy server

In this scenario I am using two proxy servers:

  • User proxy - with authentication required for users
  • System proxy - for machine context without any authentication

Sample squid configuration is below together with PowerShell script to configure prerequisities (https://docs.microsoft.com/cs-cz/azure/active-directory/hybrid/how-to-connect-install-prerequisites#connectivity).

Do not make any changes to miiserver.exe.config. This file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. For that reason, the recommendation is to update machine.config instead.

Whitelists:

# https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers#proxy-outbound-rules
.msappproxy.net
.servicebus.windows.net
mscrl.microsoft.com
crl.microsoft.com
ocsp.msocsp.com
www.microsoft.com
login.windows.net
.microsoftonline.com
.microsoftonline-p.com
.msauth.net
.msauthimages.net
.msecnd.net
.msftauth.net
.msftauthimages.net
.phonefactor.net
enterpriseregistration.windows.net
management.azure.com
policykeyservice.dc.ad.msft.net
ctdl.windowsupdate.com
# https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#outbound-connectivity-to-the-azure-service-endpoints
.blob.core.windows.net
.aadconnecthealth.azure.com
.servicebus.windows.net
.adhybridhealth.azure.com
management.azure.com
policykeyservice.dc.ad.msft.net
login.windows.net
login.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
www.office.com
# AAD Connect installation with Health on proxy enabled machine
# Disable IES
$AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}”
$UserKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}”
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Set-ItemProperty -Path $UserKey -Name “IsInstalled” -Value 0
# Authenticated
$userProxyServer = "squid02.corp.contoso.com"
$userProxyPort = 3128
# no auth
$systemProxyServer = "squid01.corp.contoso.com"
$systemProxyPort = 3128
# Set user proxy
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyServer -Value "$($userProxyServer):$($userProxyPort)"
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyEnable -Value 1
# Update .NET machine.config file to use proxy
$machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
[System.Xml.XmlDocument]$machineConfig = New-Object System.Xml.XmlDocument
$machineConfig.Load($machineConfigFile)
[xml]$machineConfig = Get-Content $machineConfigFile
$node = $machineConfig.SelectSingleNode("/configuration/system.net")
if(-not $node) {
$configurationNode = $machineConfig.SelectSingleNode("/configuration")
$node = $machineConfig.CreateElement("system.net")
$configurationNode.AppendChild($node) | Out-Null
}
# Remove existing proxy configurations
$proxyConfigs = $node.SelectNodes("defaultProxy")
foreach($proxy in $proxyConfigs) {
$node.RemoveChild($proxy)
}
# set our
[xml]$proxyXml = @"
<defaultProxy>
<proxy
usesystemdefault="true"
proxyaddress="http://$($systemProxyServer):$($systemProxyPort)"
bypassonlocal="true"
/>
</defaultProxy>
"@
$node.AppendChild($machineConfig.ImportNode($proxyXml.defaultProxy, $true)) | Out-Null
# Save changes
$machineConfig.Save($machineConfigFile)
# after restart is important to check if computer sees network connectivity
# install aad connect
# registration failed for aad health is expected if proxy auth is used
Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "$($systemProxyServer):$($systemProxyPort)"
Restart-Service AzureADConnectHealth*
# and finally complete aad health agent registration
# to be sure in new powershell admin window run this command
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
# aad server
acl aadservers src 10.0.0.11/32
# whitelists
acl aadconnect dstdomain "/etc/squid/aad_connect.txt"
acl aadconnect dstdomain "/etc/squid/aad_health.txt"
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow aadconnect aadservers
@ivanversluis
Copy link

Thank you Vladimír! I needed to revert from NAT to a proxy server due to a fiber cut to our location. Will need to speed up the AD Connect migration to a Azure VM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment