Working from Home: Securing Access to On-Prem Applications
Many companies will have enabled their employees to work from home over the past few weeks. For some, this will have been just an extension to existing practices, but for the majority, it meant learning a whole new set of technologies, and overcoming a lot of technology hurdles. Most now though will be up to speed with the basics – email, access to documents etc. Collaboration apps such as Zoom and Microsoft Teams have also seen their usage rocket as an antidote to isolation.
As we enter a third week of lockdown in the UK, it’s time to look beyond the basics. Many businesses will have “legacy” applications running on servers that are only accessible from the office. Some may be accessible via a VPN, but these can be awkward to deploy, especially to employees’ own devices, and may come with licensing or concurrent-usage limits. VPN adds a network overhead too, which the office router may not cope with when the whole company is connected.
There are alternatives to VPN which allow the same secure connection to the office network, without the complications.
1: Azure AD Application Proxy
This is an ideal solution for web-based applications hosted on an internal server, e.g. an on-prem Dynamics instance, ERP applications, or in-house developed applications. It can work with any web host (not restricted to IIS/Windows) and although it can integrate with Active Directory for single sign-on, it doesn’t have to – once signed into Azure AD with their work credentials, employees can then proceed to the application’s own login screen. There are only three requirements:
- Azure AD Premium licence for each user needing to log in (which is part of Microsoft 365 suites, or available as an add-on for Office 365)
- An Azure AD login, which they’ll already have if they have any Microsoft cloud application
- An agent host machine running Windows within the same network as the application, with access to the internet – this does not require any ports to be open/forwarded, or even a static IP address, as it’s an outbound connection.
Once set up, users sign in to their Office portal as usual, where they’ll see an additional app alongside the usual icons, e.g. Word, Excel, Company ERP. Clicking on that will take them directly to the app, as if they were in the office. You can also provide a direct URL, using a custom domain name, to distribute the app via email for example.
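The security-relevant detail in the proxy setup is that Azure AD pre-authentication is enforced before any request reaches the on-prem application. As an added example (not code from the original post or from Microsoft), the script below audits Application Proxy publications for that setting and for the proxy’s cookie flags; it assumes the field names of the Microsoft Graph `onPremisesPublishing` object and runs over a constructed sample response rather than a live tenant.

```python
"""Audit Azure AD Application Proxy publications for weak settings."""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of a Graph `applications` response whose
# entries carry an `onPremisesPublishing` object (assumed field names).
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"displayName": "Company ERP",
     "onPremisesPublishing": {
         "externalUrl": "https://erp.example.com/",           # custom domain
         "internalUrl": "http://erp-srv01.corp.local/",
         "externalAuthenticationType": "aadPreAuthentication",
         "isSecureCookieEnabled": True,
         "isHttpOnlyCookieEnabled": True}},
    {"displayName": "Legacy Timesheets",
     "onPremisesPublishing": {
         "externalUrl": "https://timesheets-contoso.msappproxy.net/",
         "internalUrl": "http://ts01.corp.local:8080/",
         "externalAuthenticationType": "passthru",           # weak setting
         "isSecureCookieEnabled": False,
         "isHttpOnlyCookieEnabled": True}},
    {"displayName": "Not a proxy app", "onPremisesPublishing": None},
]})


def audit_app(app):
    """Return findings for one application; an empty list means clean."""
    pub = app.get("onPremisesPublishing")
    if not pub:
        return []  # not published through Application Proxy
    findings = []
    # Passthru lets anonymous internet users reach the app's own login page;
    # pre-authentication forces an Azure AD sign-in (and Conditional Access) first.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("no Azure AD pre-authentication (passthru)")
    if urlparse(pub.get("externalUrl", "")).scheme != "https":
        findings.append("external URL is not HTTPS")
    if not pub.get("isSecureCookieEnabled", False):
        findings.append("proxy cookie lacks the Secure flag")
    if not pub.get("isHttpOnlyCookieEnabled", False):
        findings.append("proxy cookie lacks the HttpOnly flag")
    return findings


def audit_response(raw_json):
    """Map each published app's display name to its findings."""
    apps = json.loads(raw_json).get("value", [])
    return {a["displayName"]: audit_app(a)
            for a in apps if a.get("onPremisesPublishing")}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_GRAPH_RESPONSE).items():
        print(name, "->", findings or "OK")
```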
2: Windows Virtual Desktop with Site-to-Site Virtual Network
This is a slightly more complex solution, but it meets a number of challenges that the simpler proxy solution can’t:
- Ensures data never leaves the company network (the proxy can be set up so it only allows trusted devices, but this limits its use to enrolled devices)
- Allows any application to be used, not just web based ones (e.g. Windows based client-server apps, database apps that need access to SQL/Oracle)
- Can even be used for Windows 7-only applications.
There are four aspects to this solution:
- A Windows Virtual Desktop environment attached to the company Active Directory, either on-prem or in Azure
- An Azure site-to-site VPN, that extends the company network into Azure, allowing connections from the virtual desktops to the on-prem applications/data/services, including AD where needed. Pretty much any business-class firewall/router can be configured to support an Azure site-to-site VPN.
- A custom image for the virtual desktops (that can be Windows 7, 10 or Server) that includes the necessary applications (e.g. Sage, Access, Custom Apps)
- Licensing for WVD: included with Microsoft 365, or available as an add-on.
It can be further extended to include off-site backup for the on-prem systems (into Azure). Users can also be given access to different applications/desktops depending on their role. Best of all, the user can use their own device – from an old Windows 7 laptop to an iPad – to access the WVD environment, without compromising the security of the company network.