Reverse Proxy and Office 365 integration

Jerry Seinfield
Hello Experts,

My customer runs a hybrid organization, Exchange 2010 and O365, using a federated identity model. The ADFS infrastructure is built between Azure and on-prem resources. An ExpressRoute has been deployed between Azure and AD on-prem to allow proper integration.

Now, there is a request made by the Security department to evaluate and build a POC for a Reverse Proxy to add an extra layer of security between O365 and the internal network.

Can you please provide me the PROS and CONS of using a Reverse Proxy with Office 365?

Any gotchas?

What are the best practices to integrate a Reverse Proxy and O365?

Can you please summarize the Do's and Don'ts when deploying a Reverse Proxy in an O365 hybrid environment?

Exec Consultant
Distinguished Expert 2018
The reverse proxy here mainly alludes to the Web Application Proxy, WAP.

Pro - Using WAP, you can configure additional features provided by AD FS, including: Workplace Join, multifactor authentication (MFA), and multifactor access control. Also, WAP can be part of a DirectAccess infrastructure deployment, or be used when securely publishing Exchange or SharePoint services.

Another is scaling out the number of public IP addresses to provide for your number of concurrent users. For example, if you are using one proxy server with one single NATed address to the Internet to provide for 10 000 concurrent users, add one or two more IP addresses to your web proxy configuration (configure a NAT pool, add a NIC or add additional IP addresses, whichever works for your web proxy). Add more IP addresses for more concurrent users.

Con - Using WAP, there will not be any content inspection per se. All network traffic for AD FS to and from client devices always occurs over HTTPS, so firewalls must allow TCP/443 from the external network/Internet into the WAP server (or the Virtual IP if using Load Balancing across a server farm). If the WAP servers are placed in a DMZ, a firewall placed between the DMZ and the internal network must furthermore allow TCP/443 from each of the WAP servers' internal IPs to the AD FS server (or the Virtual IP if using Load Balancing across a server farm). Of course, it is another device to manage, and you must make sure it does not become a single point of failure.

Note that the web proxy will function just as a proxy/relay for the Internet traffic, but will not cache its content, inspect its traffic or require authentication if the user has not already authenticated.
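As an added illustration of the points in the answer above (this is example code written for this page, not configuration from the thread's author or from Microsoft documentation), the PowerShell below shows the WAP setup the answer describes: TCP/443 opened inbound to the WAP server, the internal AD FS server restricted to accept TCP/443 only from the WAP servers' internal addresses, the WAP server joined to the AD FS farm, and one application published with AD FS pre-authentication next to one published pass-through, which is the mode where WAP only relays and does not itself require authentication. Every hostname, thumbprint, IP address and relying-party name is a placeholder assumption and must be replaced with the customer's own values; the AD FS relying party named in the pre-authenticated publish must already exist on the AD FS farm.

```powershell
# Added example for this thread; not the original poster's or the answerer's configuration.
# All names, addresses and thumbprints below are placeholders (assumptions).

# --- 1. Firewall (run on the WAP server in the DMZ) ---
# Only TCP/443 needs to reach WAP from the Internet, per the answer above.
New-NetFirewallRule -DisplayName "WAP inbound HTTPS" `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# --- 1b. Firewall (run on the internal AD FS server) ---
# Accept TCP/443 only from the WAP servers' internal IPs (placeholder addresses),
# so the DMZ-to-internal rule is as narrow as the answer implies.
New-NetFirewallRule -DisplayName "ADFS inbound HTTPS from WAP only" `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow `
    -RemoteAddress 10.0.1.10, 10.0.1.11

# --- 2. Join the WAP server to the AD FS farm ---
# The credential is a local administrator on the AD FS server; the thumbprint is
# the certificate for the federation service name (placeholders).
$trustCred = Get-Credential -Message "AD FS local admin credential for the WAP trust"
Install-WebApplicationProxy `
    -FederationServiceName "sts.example.com" `
    -CertificateThumbprint "<THUMBPRINT-OF-sts.example.com-CERT>" `
    -FederationServiceTrustCredential $trustCred

# --- 3a. Publish an application with AD FS pre-authentication ---
# Users are sent to AD FS first, so MFA and access-control policies apply before
# any request reaches the back end. "Intranet App" must already be a relying
# party on the AD FS farm (placeholder name).
Add-WebApplicationProxyApplication `
    -Name "Intranet App (ADFS preauth)" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://app.example.com/" `
    -BackendServerUrl "https://app.internal.example.com/" `
    -ADFSRelyingPartyName "Intranet App" `
    -ExternalCertificateThumbprint "<THUMBPRINT-OF-app.example.com-CERT>"

# --- 3b. Publish a service pass-through ---
# Here WAP only relays TLS traffic to the back end: no pre-authentication and no
# content inspection, which is exactly the limitation the answer calls out.
Add-WebApplicationProxyApplication `
    -Name "Legacy Service (passthrough)" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://legacy.example.com/" `
    -BackendServerUrl "https://legacy.internal.example.com/" `
    -ExternalCertificateThumbprint "<THUMBPRINT-OF-legacy.example.com-CERT>"

# --- 4. Review what is published and in which mode ---
# Anything listed as PassThrough is relying entirely on the back end to authenticate.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The review step at the end is the practical check for a POC: an application that should be protected by AD FS policies but shows up as PassThrough is relayed without any pre-authentication, so the listing doubles as an inventory of where the proxy adds a control and where it does not.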
