You may already know Azure Application Proxy (also called Azure App Proxy or AAP), which publishes internal web applications to the outside world without opening any inbound ports on the firewall (the connector only makes outbound connections) and which can leverage Azure AD for authentication and SSO.

Azure App Proxy now supports wildcards, so you can publish multiple web applications at once.

This means you no longer need to publish each on-premises web application one by one, as long as they share the same AAP configuration: the same authentication scheme, the same set of assigned users/groups and the same published virtual directory (if you don't publish the root one).

Prerequisites

To publish web applications using wildcards, you need the following:

  • A custom domain for the external URL
  • A certificate that covers every published hostname: either a wildcard certificate for the custom domain, or a SAN certificate listing the public URL of each application published through the wildcard. Keep in mind that a wildcard certificate only covers one label, so *.custompublicdomain covers app1.custompublicdomain but neither custompublicdomain itself nor a.b.custompublicdomain.

DNS Record

Usually, when you publish a web application with AAP, you get an application-specific target for the CNAME record you publish in your Internet domain.

That does not work with wildcard publication. In this case the target for the CNAME record must be yourAzureTenantID.tenant.runtime.msappproxy.net, so you typically create a wildcard CNAME (*.custompublicdomain) pointing at that target.

Don't worry, the AAP publication wizard tells you which target to use.


Wildcard publication

When you publish your applications using the wildcard option, the settings must look like this:

  • Internal URL: http(s)://*.internaldomain
  • External URL: https://*.custompublicdomain


NOTE: if the published applications use Integrated Windows Authentication (IWA), the SSO configuration also needs the wildcard when the SPN is not the same for each application, which is usually the case (https://app1.publishedapplicationdomain.local, https://app2.publishedapplicationdomain.local, and so on); the internal application SPN then takes the wildcard form as well, for example HTTP/*.publishedapplicationdomain.local.


Exclusions

If one of the published applications needs a different setting, you can keep the wildcard publication and additionally publish that application on its own with the specific setting. The configuration of the most specific application always takes precedence over the wildcard configuration.

In this case, the CNAME record for that application must point to its specific target and not to the generic wildcard one. Again, the wizard gives you the proper target value.
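The two rules above (a certificate that covers every published hostname, and the most specific publication winning over the wildcard) are easy to get wrong on paper, so here is a small pre-flight script that checks a planned publication before you touch the portal. It is an added example written for this page, not code from the post or from Microsoft; all application names, domains and the certificate SAN list are constructed, and the mapping of the external hostname's leftmost label onto the internal wildcard URL (app1.custompublicdomain -> app1.internaldomain) is an assumption of the model, not something this page states.

```python
"""Pre-flight check for an Azure App Proxy wildcard publication (added example).

Models two rules from the text: (1) the most specific published application wins
over the wildcard, (2) the certificate must cover every external hostname.
All names and URLs below are constructed for the example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Publication:
    name: str
    internal_url: str   # e.g. https://*.internaldomain
    external_url: str   # e.g. https://*.custompublicdomain


def host_of(url: str) -> str:
    return urlsplit(url).hostname.lower()


def label_match(pattern: str, host: str) -> bool:
    """Match a hostname against a pattern whose only wildcard may be the whole
    leftmost label, standing for exactly one label (RFC 6125 rules, which is
    also how the wildcard URLs on this page are used)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def most_specific(pubs, external_host):
    """Pick the publication that applies to external_host: an exact external
    URL beats a wildcard one (precedence rule from the Exclusions section)."""
    matches = [p for p in pubs if label_match(host_of(p.external_url), external_host)]
    if not matches:
        return None
    return min(matches, key=lambda p: host_of(p.external_url).count("*"))


def internal_target(pub, external_host):
    """Assumed mapping: for a wildcard publication the leftmost label of the
    external host is reused on the internal URL (app1.public -> app1.internal)."""
    scheme = urlsplit(pub.internal_url).scheme
    int_host = host_of(pub.internal_url)
    if int_host.startswith("*."):
        int_host = external_host.split(".")[0] + int_host[1:]
    return f"{scheme}://{int_host}"


def cert_covers(sans, hostnames):
    """Return the hostnames NOT covered by any SAN entry. A wildcard SAN
    covers one label only, so *.custompublicdomain covers neither the apex
    nor a.b.custompublicdomain."""
    return [h for h in hostnames if not any(label_match(s, h) for s in sans)]


def plan(pubs, sans, external_hosts):
    """Resolve each external host to (publication name, internal URL, cert ok)."""
    uncovered = set(cert_covers(sans, external_hosts))
    out = {}
    for host in external_hosts:
        pub = most_specific(pubs, host)
        out[host] = (
            pub.name if pub else None,
            internal_target(pub, host) if pub else None,
            host not in uncovered,
        )
    return out


# Constructed sample: one wildcard publication plus one app that needs a
# different setting (here: plain HTTP inside) and is therefore published alone.
PUBS = [
    Publication("wildcard", "https://*.internaldomain", "https://*.custompublicdomain"),
    Publication("app2-exclusion", "http://app2.internaldomain", "https://app2.custompublicdomain"),
]
SANS = ["*.custompublicdomain"]           # a wildcard certificate
HOSTS = ["app1.custompublicdomain", "app2.custompublicdomain",
         "custompublicdomain", "a.b.custompublicdomain"]

if __name__ == "__main__":
    for host, (name, internal, cert_ok) in plan(PUBS, SANS, HOSTS).items():
        print(f"{host:28} -> {str(name):16} {str(internal):32} cert_ok={cert_ok}")
```

Run it as-is and the two rows for custompublicdomain and a.b.custompublicdomain come back with no matching publication and cert_ok=False: the first is the apex, the second has an extra label, and neither a wildcard publication nor a wildcard certificate covers them, so each would need its own publication and its own SAN entry. Swap PUBS, SANS and HOSTS for your real inventory to get the same report for your environment.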