Reverse Proxy and Office 365 integration

Hello Experts,

My customer runs a hybrid organization (Exchange 2010 and O365) using a federated identity model. The ADFS infrastructure is built between Azure and on-prem resources. An ExpressRoute has been deployed between Azure and AD on-prem to allow proper integration.

Now, there is a request made by the Security department to evaluate and build a POC for a reverse proxy to add an extra layer of security between O365 and the internal network.

Can you please provide me the pros and cons of using a reverse proxy with Office 365?

Any gotchas?

What are the best practices to integrate a reverse proxy and O365?

Can you please summarize the dos and don'ts when deploying a reverse proxy in an O365 hybrid environment?
Jerry Seinfield Asked:

btan (Exec Consultant) Commented:
The reverse proxy here mainly refers to Web Application Proxy (WAP).

Pro - Using WAP, you can configure additional features provided by AD FS, including Workplace Join, multifactor authentication (MFA), and multifactor access control. Also, WAP can be part of a DirectAccess infrastructure deployment, or used when securely publishing Exchange or SharePoint services.

Another is scaling out the number of public IP addresses to provide for your number of concurrent users. For example, if you are using one proxy server with one single NATed address to the Internet to provide for 10 000 concurrent users, add one or two more IP addresses to your web proxy configuration (configure a NAT pool, add a NIC or add additional IP addresses, whichever works for your web proxy). Add more IP addresses for more concurrent users.

Con - Using WAP, there will not be any content inspection per se. All network traffic for AD FS to and from client devices always occurs over HTTPS, so firewalls must allow TCP/443 from the external network/Internet into the WAP server (or the Virtual IP if using Load Balancing across a server farm). If the WAP servers are placed in a DMZ, a firewall placed between the DMZ and the internal network must furthermore allow TCP/443 from each of the WAP servers' internal IP to the AD FS server (or the Virtual IP if using Load Balancing across a server farm). Of course, it is another device to manage, and you must make sure it does not become a single point of failure.

Note that the web proxy will function just as a proxy/relay for the Internet traffic, but will not cache its content, inspect its traffic or require authentication if the user has not already authenticated.

http://www.mistercloudtech.com/2015/11/25/how-to-install-and-configure-web-application-proxy-for-adfs/
https://jesperstahle.azurewebsites.net/?p=972
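
The firewall flows described in the answer above, as an added example that is not part of the original post: a Python check that takes a firewall rule list and reports which of the required TCP/443 paths are missing and which rules let the DMZ reach the internal network beyond the WAP-to-AD FS path. All addresses, network ranges, the rule format and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumed values, not taken from the post).
WAP_SERVERS = ["10.10.0.11", "10.10.0.12"]   # WAP internal IPs in the DMZ
ADFS_VIP = "10.20.0.50"                      # AD FS server or load-balancer VIP
WAP_VIP = "203.0.113.10"                     # external VIP in front of WAP
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNET_CLIENT = "198.51.100.7"             # arbitrary external test source

@dataclass(frozen=True)
class Rule:
    src: str   # CIDR or "any"
    dst: str   # CIDR or "any"
    port: int  # TCP destination port, 0 means any port

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def allows(rule, src_ip, dst_ip, port):
    """True if this allow-rule permits the given TCP flow."""
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.port in (0, port))

def audit(rules):
    """Return (missing required flows, rules broader than WAP -> AD FS:443)."""
    required = [("internet", INTERNET_CLIENT, WAP_VIP)]
    required += [(f"wap {ip}", ip, ADFS_VIP) for ip in WAP_SERVERS]
    missing = [name for name, src, dst in required
               if not any(allows(r, src, dst, 443) for r in rules)]
    broad = []
    for r in rules:
        src, dst = _net(r.src), _net(r.dst)
        dmz_to_internal = src.overlaps(DMZ_NET) and dst.overlaps(INTERNAL_NET)
        exact = (r.port == 443 and dst == _net(ADFS_VIP)
                 and any(src == _net(ip) for ip in WAP_SERVERS))
        if dmz_to_internal and not exact:
            broad.append(r)
    return missing, broad

# Constructed sample rule set: second WAP server forgotten, plus a wide rule.
SAMPLE_RULES = [
    Rule("any", "203.0.113.10/32", 443),
    Rule("10.10.0.11/32", "10.20.0.50/32", 443),
    Rule("10.10.0.0/24", "10.20.0.0/16", 80),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```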