Last active March 4, 2022 04:26
Azure AD Connect behind proxy server

How to run Azure AD Connect behind proxy server

In this scenario I am using two proxy servers:

  • User proxy - with authentication required for users
  • System proxy - for machine context without any authentication

A sample squid configuration is below, together with a PowerShell script to configure the prerequisites.

Do not make any changes to miiserver.exe.config. This file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. For that reason, the recommendation is to update machine.config instead.


```powershell
# AAD Connect installation with Health on proxy enabled machine

# Disable IE Enhanced Security Configuration (IE ESC)
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0

# Authenticated
$userProxyServer = ""
$userProxyPort = 3128
# no auth
$systemProxyServer = ""
$systemProxyPort = 3128

# Set user proxy
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer -Value "$($userProxyServer):$($userProxyPort)"
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyEnable -Value 1

# Update .NET machine.config file to use proxy
$machineConfigFile = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
[System.Xml.XmlDocument]$machineConfig = New-Object System.Xml.XmlDocument
[xml]$machineConfig = Get-Content $machineConfigFile
# defaultProxy lives under /configuration/system.net; create the parent if it is missing
$node = $machineConfig.SelectSingleNode("/configuration/system.net")
if (-not $node) {
    $configurationNode = $machineConfig.SelectSingleNode("/configuration")
    $node = $machineConfig.CreateElement("system.net")
    $configurationNode.AppendChild($node) | Out-Null
}

# Remove existing proxy configurations (copy to an array first so removal does not disturb the loop)
$proxyConfigs = @($node.SelectNodes("defaultProxy"))
foreach ($proxy in $proxyConfigs) {
    $node.RemoveChild($proxy) | Out-Null
}

# set our proxy
# (element body assumed: the standard machine.config proxy entry, pointing at the unauthenticated system proxy)
[xml]$proxyXml = @"
<defaultProxy>
  <proxy usesystemdefault="true" proxyaddress="http://$($systemProxyServer):$($systemProxyPort)" bypassonlocal="true" />
</defaultProxy>
"@
$node.AppendChild($machineConfig.ImportNode($proxyXml.defaultProxy, $true)) | Out-Null

# Save changes
$machineConfig.Save($machineConfigFile)

# after restart it is important to check if the computer sees network connectivity
# install aad connect
# registration failed for aad health is expected if proxy auth is used
Set-AzureADConnectHealthProxySettings -HttpsProxyAddress "$($systemProxyServer):$($systemProxyPort)"
Restart-Service AzureADConnectHealth*

# and finally complete aad health agent registration
# to be sure, run this command in a new powershell admin window
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
```

```
# aad server
acl aadservers src

# whitelists
acl aadconnect dstdomain "/etc/squid/aad_connect.txt"
acl aadconnect dstdomain "/etc/squid/aad_health.txt"

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow aadconnect aadservers
```
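
A check for the result of the script above, added here as an example (it is not part of the gist): it audits the `defaultProxy` entry in machine.config so the setting can be re-verified after an upgrade or a manual edit. The function name, the sample XML and the `example.internal` host names are assumptions made for the illustration.

```powershell
# Added example (not from the gist): audit the machine-wide .NET proxy entry.
function Test-MachineConfigProxy {
    param(
        [Parameter(Mandatory)][xml]$Config,           # parsed machine.config
        [Parameter(Mandatory)][string]$ExpectedProxy  # e.g. "http://proxy.example.internal:3128"
    )
    $findings = @()
    $proxies = @($Config.SelectNodes("/configuration/system.net/defaultProxy/proxy"))
    if ($proxies.Count -eq 0) {
        $findings += "No system.net/defaultProxy/proxy element is present."
    }
    if ($proxies.Count -gt 1) {
        $findings += "Found $($proxies.Count) proxy entries; leave only one."
    }
    foreach ($p in $proxies) {
        $addr = $p.GetAttribute("proxyaddress")   # empty string when the attribute is absent
        if ($addr -ne $ExpectedProxy) {
            $findings += "proxyaddress is '$addr', expected '$ExpectedProxy'."
        }
        # Credentials in the URL are exposed to anyone who can read machine.config.
        if ($addr -match '^[a-z]+://[^/@]+@') {
            $findings += "proxyaddress embeds credentials; the system proxy in this setup takes no authentication."
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample input: a machine.config fragment with a stale second entry.
[xml]$sample = @'
<configuration>
  <system.net>
    <defaultProxy><proxy usesystemdefault="true" proxyaddress="http://proxy.example.internal:3128" bypassonlocal="true" /></defaultProxy>
    <defaultProxy><proxy proxyaddress="http://svc:Passw0rd@old-proxy.example.internal:8080" /></defaultProxy>
  </system.net>
</configuration>
'@
$result = Test-MachineConfigProxy -Config $sample -ExpectedProxy "http://proxy.example.internal:3128"
$result.Findings

# On the server itself (path taken from the script above; fill in the system proxy host):
# [xml]$live = Get-Content "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
# Test-MachineConfigProxy -Config $live -ExpectedProxy "http://<system proxy>:3128"
```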

Thank you Vladimír! I needed to revert from NAT to a proxy server due to a fiber cut to our location. Will need to speed up the AD Connect migration to an Azure VM.
