@machv
Last active March 4, 2022 04:26
Azure AD Connect behind proxy server

How to run Azure AD Connect behind a proxy server

In this scenario I am using two proxy servers:

  • User proxy - authentication required, used in the user context
  • System proxy - no authentication, used in the machine context

Sample squid configuration is below, together with a PowerShell script that configures the prerequisites (https://docs.microsoft.com/cs-cz/azure/active-directory/hybrid/how-to-connect-install-prerequisites#connectivity).

Do not make any changes to miiserver.exe.config. That file is overwritten on every upgrade, so even if it works during the initial install, the system stops working on the first upgrade. For that reason, the recommendation is to update machine.config instead.

Whitelists:

```
# https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers#proxy-outbound-rules
.msappproxy.net
.servicebus.windows.net
mscrl.microsoft.com
crl.microsoft.com
ocsp.msocsp.com
www.microsoft.com
login.windows.net
.microsoftonline.com
.microsoftonline-p.com
.msauth.net
.msauthimages.net
.msecnd.net
.msftauth.net
.msftauthimages.net
.phonefactor.net
enterpriseregistration.windows.net
management.azure.com
policykeyservice.dc.ad.msft.net
ctdl.windowsupdate.com
# https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#outbound-connectivity-to-the-azure-service-endpoints
.blob.core.windows.net
.aadconnecthealth.azure.com
.servicebus.windows.net
.adhybridhealth.azure.com
management.azure.com
policykeyservice.dc.ad.msft.net
login.windows.net
login.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
www.office.com
```
```powershell
# AAD Connect installation with Health on a proxy-enabled machine

# Disable IE Enhanced Security Configuration (IESC) for administrators and users
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0

# Authenticated proxy (user context)
$userProxyServer = "squid02.corp.contoso.com"
$userProxyPort = 3128
# Proxy without authentication (machine context)
$systemProxyServer = "squid01.corp.contoso.com"
$systemProxyPort = 3128

# Set user proxy (WinINET settings of the current user)
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer -Value "$($userProxyServer):$($userProxyPort)"
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyEnable -Value 1

# Update the .NET machine.config file to use the system proxy
$machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
[System.Xml.XmlDocument]$machineConfig = New-Object System.Xml.XmlDocument
$machineConfig.Load($machineConfigFile)

# Make sure a <system.net> element exists under <configuration>
$node = $machineConfig.SelectSingleNode("/configuration/system.net")
if (-not $node) {
    $configurationNode = $machineConfig.SelectSingleNode("/configuration")
    $node = $machineConfig.CreateElement("system.net")
    $configurationNode.AppendChild($node) | Out-Null
}

# Remove existing proxy configurations (snapshot the live node list before removing from it)
$proxyConfigs = @($node.SelectNodes("defaultProxy"))
foreach ($proxy in $proxyConfigs) {
    $node.RemoveChild($proxy) | Out-Null
}

# Set our proxy
[xml]$proxyXml = @"
<defaultProxy>
    <proxy
        usesystemdefault="true"
        proxyaddress="http://$($systemProxyServer):$($systemProxyPort)"
        bypassonlocal="true"
    />
</defaultProxy>
"@
$node.AppendChild($machineConfig.ImportNode($proxyXml.defaultProxy, $true)) | Out-Null

# Save changes
$machineConfig.Save($machineConfigFile)

# After a restart it is important to check that the computer sees network connectivity
# Install AAD Connect
# A registration failure for AAD Health is expected if proxy auth is used
Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "$($systemProxyServer):$($systemProxyPort)"
Restart-Service AzureADConnectHealth*

# And finally complete the AAD Health agent registration
# To be sure, run this command in a new elevated PowerShell window
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
```
```
# aad server
acl aadservers src 10.0.0.11/32
# whitelists
acl aadconnect dstdomain "/etc/squid/aad_connect.txt"
acl aadconnect dstdomain "/etc/squid/aad_health.txt"
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# http_access is evaluated top-down: the allow for the AAD Connect server must come
# before the authentication deny, otherwise the proxy_auth acl challenges the
# unauthenticated machine context and the whitelist is never reached
http_access allow aadconnect aadservers
http_access deny !auth
```
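Verification script for the steps above, added here and not part of the original gist: it checks that machine.config carries exactly one defaultProxy entry pointing at the system proxy, that miiserver.exe.config does not override it (the file the text says not to touch), which proxy .NET actually resolves for an Azure AD endpoint, and that a whitelisted and a non-whitelisted destination behave as expected through the unauthenticated proxy. Assumed values: the gist's $systemProxyServer/$systemProxyPort, the default sync engine path C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe.config, and example.com as a host that is not on the whitelist.

```powershell
# Added verification script; not part of the original gist. Run in a fresh, elevated,
# 64-bit PowerShell window so that Framework64\machine.config is what this process reads.
$systemProxyServer = "squid01.corp.contoso.com"   # same constructed value as the gist
$systemProxyPort   = 3128
$proxyUri          = "http://$($systemProxyServer):$($systemProxyPort)"
$machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
# Assumed default path of the sync engine config (adjust if installed elsewhere)
$miiserverConfig   = "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe.config"

# 1. machine.config should carry exactly one defaultProxy/proxy element pointing at the system proxy
[xml]$machineConfig = Get-Content $machineConfigFile
$proxies = @($machineConfig.SelectNodes("/configuration/system.net/defaultProxy/proxy"))
if ($proxies.Count -ne 1) {
    Write-Warning "Expected one defaultProxy/proxy element in machine.config, found $($proxies.Count)"
} elseif ($proxies[0].proxyaddress -ne $proxyUri) {
    Write-Warning "machine.config proxyaddress is '$($proxies[0].proxyaddress)', expected '$proxyUri'"
}

# 2. miiserver.exe.config must not carry its own defaultProxy: it is overwritten on every upgrade
if (Test-Path $miiserverConfig) {
    [xml]$mii = Get-Content $miiserverConfig
    if ($mii.SelectSingleNode("/configuration/system.net/defaultProxy")) {
        Write-Warning "miiserver.exe.config overrides defaultProxy; move that setting to machine.config"
    }
}

# 3. Ask .NET which proxy it resolves for an Azure AD endpoint (the sync engine uses the same logic)
$probe  = [Uri]"https://login.microsoftonline.com/"
$chosen = [System.Net.WebRequest]::DefaultWebProxy.GetProxy($probe)
if ($chosen -eq $probe) { Write-Warning ".NET would connect directly; the machine.config proxy is not in effect" }
else { "Proxy resolved by .NET for $probe : $chosen" }

# 4. TCP reachability of the proxy, then one whitelisted and one non-whitelisted request through it
Test-NetConnection -ComputerName $systemProxyServer -Port $systemProxyPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
foreach ($target in @("https://login.microsoftonline.com/", "https://example.com/")) {
    try {
        $r = Invoke-WebRequest -Uri $target -Proxy $proxyUri -UseBasicParsing -Method Head
        "HEAD $target via proxy -> HTTP $($r.StatusCode)"
    } catch {
        # squid rejects a destination outside the dstdomain whitelist; expected for example.com
        "HEAD $target via proxy -> $($_.Exception.Message)"
    }
}
```

A rejection for example.com together with a success for login.microsoftonline.com confirms that the `http_access allow aadconnect aadservers` rule is matching before the authentication deny.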
@ivanversluis

Thank you Vladimír! I needed to revert from NAT to a proxy server due to a fiber cut to our location. Will need to speed up the AD Connect migration to an Azure VM.