Publishing WEBCON BPS Standalone with Azure AD Application Proxy

Dear Community,
we have installed WEBCON BPS Standalone and published it through Azure AD Application Proxy. We are synchronising users in BPS with on-premises Active Directory.
Currently we experience timeout issues after some time of inactivity on the WEBCON BPS site. Sometimes it's a few minutes, sometimes about 1 hour. See example in attachments. Please note that WEBCON BPS and SQL Server (VMs) are placed in Azure.

Does anyone experience the same issues?

Any feedback is more than welcome :)

In reply to: Daniel Krüger (Cosmo Consult)

Hi Adam,

we also had a timeout issue, also we are using AAD authentication. The timeout was caused by the application proxy authentication. I think the correct one is pass through, but I probably won't be able to look it up before tomorrow afternoon.

Best regards,
Daniel

Hi Daniel,
Thanks for your reply. Do you mean to switch and set up Azure AD authentication in BPS (for users) and then configure pass-through for Pre-Authentication in Azure AD Application Proxy, right?
Sounds like a plan :)

MVP
In reply to: Adam Hatak

Hi Adam,

I'm not sure whether you actually need to switch from AD to AAD authentication. We are using it, but we never tried AD authentication in the first place. :)
Our Dev and Prod environments have been set up with different authentication behaviors in the Application Proxy, and on one environment we received the timeouts. This was fixed after switching to pass through, so that the authentication is handled by WEBCON BPS itself. Maybe this works for AD authentication too and it should be easy to check. Also it's never easy to wait for such a timeout. :)

Kind regards,
Daniel

WEBCON

Hi Adam
If your VMs are placed in Azure, consider the use of Azure Web Application Firewall to publish WEBCON BPS (instead of Azure AD Application Proxy). We use Azure AD Application Proxy to publish on-prem applications/VM rather than Azure applications/VM.

Azure AD Application Proxy with Pass-through will work, but you lose one of the more important functionalities of AAD Application Proxy - preauthentication.

Dear Daniel, Paweł,
thanks for your feedback. It seems that the passthrough setting in Azure AD Application Proxy is resolving this issue. But I don't feel comfortable with basic AD authentication for an internet-accessible WEBCON BPS service. Based on that, my current approach is to set up passthrough and AAD authentication in WEBCON BPS Portal. BPS Portal is published with Azure AD Application Proxy because in Azure we have disabled public IP interfaces and connect to servers via IPSec tunnel from our on-premises DC. Unfortunately, I have issues configuring AAD. Details attached. I have reviewed the how-to prepared by WEBCON to configure AAD, but in my scenario it doesn't work. I have an issue with the reply URL.

BTW, Azure WAF seems to look interesting, but is more complicated than Azure AD Application Proxy.

Kind regards,
Adam

MVP
In reply to: Adam Hatak

Hi Adam,

based on the error message I would say that there is no or a misspelled redirect URL in the authentication "tab" of the created application. I've attached an example.

Best regards,
Daniel

In reply to: Daniel Krüger (Cosmo Consult)

Hello

I know this is a little late to the party on this one; however, we have the same issue you describe with the timeout. I stumbled across your post as I am trying to see if there are any options to use the Webcon mobile app from behind the application proxy.

Did you ever resolve your issue?

We have a workaround in place at the moment so that the user is unlikely ever to witness the timeout.

Regards

Dan

In reply to: Daniel Hamilton

Dear Dan,
what I have done some time ago and it worked:
- switch from AD authentication for users (portal) to Azure AD authentication
- changed configuration in Azure AD Application Proxy to pass-through

With these settings Azure AD Application Proxy is passing request to WEBCON directly (as pass-through works), and there is Azure AD authentication from WEBCON.

You have Azure AD security and no timeouts in WEBCON portal :)

I'm not sure if this will work with mobile app (assume that it will). If you have WEBCON Portal version (standalone) then the website is rendered nicely on mobile browser (skipping mobile app here).

Best,
Adam.

In reply to: Adam Hatak

We have Webcon only set to sync users from Azure and set to Pre Auth in Azure, and we do have a timeout, but the user is not likely to be inactive long enough for it to ever trigger.

I have found articles from Microsoft, and when I get the chance I will be having a call with them, as according to Microsoft the reason we are having the issue is due to CORS and the top recommendation to fix that is a custom domain, which we use already but still have the issue.

Also, strangely, the Webcon Mobile app appears to be working through the proxy, although it 100% didn't when we first upgraded to the Standalone Webcon.

Do I need any extra software on my Windows app Webcon server for Azure AD Application Proxy? When I use URL https://mywebconaddress.com/signin-aad I receive the error.
I use the manual from https://kb.webcon.pl/integracja-webcon-bps-z-azure-active-directory/

In reply to: piotrusx

At least you need a connector app for Entra ID Application Proxy (formerly Azure AD Application Proxy):
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-connectors

If your WEBCON BPS is not accessible from the Internet.

In reply to: Adam Hatak

I have it. When I try to connect from the Internet I have the login page, but when I click "Azure Active Directory (AAD)" the system redirects me to an internal address and I get the error.

In reply to: piotrusx

What URI have you entered here?
Here I have public internet URL of WEBCON BPS.

In reply to: piotrusx

Yes. I have a public address. When I click the button, my WEBCON app redirects me to an internal address.

What WEBCON BPS version is it? Standalone (Portal) or Integrated (SharePoint)?
Here's how it looks in Advanced settings of Application Proxy.

DNS are fine?

In reply to: Adam Hatak

I had "Translate Urls in headers" checked. I removed it. Now I have a 404 error. No login page. DNS is OK, website works correctly inside.

In reply to: piotrusx

What value is set inside WEBCON setup / configuration for portal URL?
Here I also set external / internet URL.

This can be changed using installation media (setup.exe) -> Tools for application management -> Portal address configuration.

In reply to: Adam Hatak

Thank you. It was an IIS configuration problem.
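
A check for the two symptoms discussed in this thread (a reply URL mismatch and an AAD sign-in that redirects to an internal address), added here as an example; it is not part of any post and not WEBCON or Microsoft code. It inspects the authorize URL the browser is sent to after clicking the AAD button. The host names, tenant ID and client ID are constructed placeholders, and exact string matching of reply URLs is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

CALLBACK_PATH = "/signin-aad"  # callback path as quoted in the thread

def diagnose_redirect(authorize_url, external_url, registered_reply_urls):
    """Return findings for the sign-in redirect issued by the portal."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        return ["authorize request carries no redirect_uri parameter"]
    redirect_uri = values[0]          # parse_qs already percent-decodes it
    sent, external = urlsplit(redirect_uri), urlsplit(external_url)
    findings = []
    if sent.scheme != "https":
        findings.append(f"callback scheme is {sent.scheme!r}, expected 'https'")
    if (sent.hostname or "") != (external.hostname or ""):
        findings.append(f"callback host {sent.hostname!r} differs from the "
                        f"published host {external.hostname!r}")
    if not sent.path.endswith(CALLBACK_PATH):
        findings.append(f"callback path {sent.path!r} does not end in "
                        f"{CALLBACK_PATH!r}")
    # Assumption: the identity provider compares reply URLs as exact strings,
    # so a trailing slash or a different host counts as a mismatch.
    if redirect_uri not in registered_reply_urls:
        findings.append("callback is not among the registered reply URLs")
    return findings

# Constructed sample data: hosts, tenant and client IDs are placeholders.
EXTERNAL_URL = "https://bps.example.com"
REGISTERED = ["https://bps.example.com/signin-aad"]
AUTHORIZE = ("https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize"
             "?client_id=CLIENT-ID&response_type=code&redirect_uri=")
BAD_REQUEST = AUTHORIZE + "http%3A%2F%2Fbps01.corp.example%2Fsignin-aad"
GOOD_REQUEST = AUTHORIZE + "https%3A%2F%2Fbps.example.com%2Fsignin-aad"

if __name__ == "__main__":
    for label, url in (("internal callback", BAD_REQUEST),
                       ("external callback", GOOD_REQUEST)):
        print(label, "->", diagnose_redirect(url, EXTERNAL_URL, REGISTERED) or "ok")
```

A callback host that differs from the published host points at the portal address or proxy header settings discussed above; a callback that is only missing from the registered list points at the app registration.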