# Application Proxy

31 Oct 2023

Microsoft Entra ID (formerly Azure AD) provides an Application Proxy service that enables users to securely access on-premises applications from outside the organisations' internal network without the need for a VPN.

This document aims to help your organisation set up this Application Proxy for Pozi QGIS Server.

Required permissions:

  • Administrator permissions on the on-premises server where QGIS resides
  • An Entra ID service account with Application Administrator permissions

Visit the Microsoft Entra ID portal using https://entra.microsoft.com/

# 1. Install connector on on-premises server

The connector is a required piece of software that manages the outbound connection from the on-premises application servers to Application Proxy in Microsoft Entra ID. It runs as a service.

Tutorial: Install and register a connector

  • Click on 'Download connector service', 'Accept terms & Download'
  • Transfer downloaded file (e.g. 'AADApplicationProxyConnectorInstaller.exe') to the on-premises server
  • Run the installer and follow the instructions

# 2. Add Pozi Server to Entra ID

This section describes how to add Pozi Server (on-premises app) to Entra ID platform as an Enterprise application.

Tutorial: Add an on-premises app to Microsoft Entra ID

In the Add your own on-premises application section, provide the following information about your application:

# Basic

  • Name : Pozi Server (recommended). The administrator is free to choose an other name if that better suits the organisation's policies.

  • Internal URL : http://<internal-server-name>/pozi/. Replace <internal-server-name> with the actual name of the on-premises server on the internal network. This can be localhost but the actual server name is preferred.

    Example: http://gis-server.local/pozi/

    To test internal URL on the internal network, opening the following URL in the browser should show a QGIS Server landing page:http://<internal-server-name>/pozi/qgisserver/wfs3.html

    Example: http://gis-server.local/pozi/qgisserver/wfs3.html

  • External URL: https:// poziserver -<entra-application-client-name>.msappproxy.net.

    The -<entra-application-client-name>.msappproxy.net part is a name that has been given to the organisation MS Entra ID. The dropdown may reveal other domains like .<entra-application-client-name>.onmicrosoft.com. Please select the domain that your organisation prefers.

    The interface will show a fully qualified URL to access Pozi Server in grey text below the form fields.

    Example: https://poziserver-councilnamevicgovau.msappproxy.net/pozi/

  • Pre Authentication: Microsoft Entra ID. This will get Entra ID to handle the authentication process.

    Do not choose Passthrough as that will allow any user (logged in or not) to access private resources from the server.

# Advanced

  • Translate Urls in application body : checked. This allows Entra ID to translate internal URLs to their external counterparts.

# 3. Assign users

Tutorial: Test the application

It is recommended to assign an individual user first for testing before assigning additional users and/or groups.

When configured correctly, a request from a logged-in user to Pozi Server through the Application Proxy URL should return the same result as within the local network.

Visiting following the Entra ID Application Proxy URL:

https://poziserver-<entra-application-client-name>.msappproxy.net/pozi/qgisserver/wfs3.html

...should return the same response as a local request to...

http://<internal-server-name>/pozi/qgisserver/wfs3.html

All going well, the QGIS landing page should now be visible when visiting the above Application Proxy URL.

# Troubleshooting

Error message Solution
Sorry, but we’re having trouble with signing you in.

AADSTS50105: Your administrator has configured the application Pozi Server ('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx') to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'xxxxxxxx' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.		 Grant access to the user(s) by following Step 3. Assign Users
BadGateway: This corporate app can't be accessed.

Connection to the server failed. For more details, check the Application Proxy Connector Event Log for reported errors.		 This could happen if the application proxy internal URL is accidentally configured with https instead of http
GatewayTimeout: The corporate app cannot be accessed / the service is unable to reach the connector / NoActiveConnector
  • Make sure that the Application Proxy connector is properly installed and registered with your Entra ID tenant
  • Check the Application Proxy connector Event Log for reported errors
  • Check the network settings to make sure any inactive connectors can reach the service and become active again
    		•
    GatewayTimeout: The corporate app cannot be accessed

    Next Steps

    This application is associated with a connector group that contains no connectors. Make sure to add connectors to this group for the application to be available.    		 This gets reported in Pozi as an EmptyConnectorGroup error. Solution: install the connector by following the instructions in section 1. above. For more information, see the relevant section on the Microft Entra Id site
    This page can’t be found. No web page was found for the web address: https://poziserver-<entra-application-client-name>.msappproxy.net HTTP ERROR 404 If the top level URL to the Application Proxy gives this error, it could be that the Private Network connectors are disabled in Entra ID. Visit https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AppProxyOverviewBlade and check if the Private Network is currently disabled for your tenant. Re-enable if needed and try again.