Understanding Azure AD Application Proxy Support for Remote Desktop Services

Application Proxy lets users access Remote Desktop apps hosted behind a Remote Desktop Gateway. Now it works with the RDS web client too.

Last month, Microsoft revealed the public preview of Azure Active Directory (AD) Application Proxy support for the Remote Desktop Services (RDS) web client. Application Proxy lets users access corporate web applications, and apps hosted behind a Remote Desktop Gateway, using a remote client. The primary advantage of Application Proxy is that it allows users to access intranet apps without first connecting to the corporate network using a virtual private network (VPN).

Azure AD Application Proxy uses an on-premises connector to manage communication between the cloud service and on-premises applications. Because the connector only uses outbound connections, organizations don’t need to open inbound ports or place servers in a demilitarized zone (DMZ). Application Proxy, along with Azure AD, is part of Microsoft’s identity-centric zero trust model.

Figure 1: Azure AD Application Proxy Support for Remote Desktop Services Web Client Now in Preview (Image Credit: Microsoft)


Application Proxy provides secure access to apps hosted on RDS. Application Proxy reduces the risks associated with connecting to RDS by enforcing pre-authentication and Conditional Access policies. For example, an organization could require use of multifactor authentication or use of a compliant device.

For more information on zero-trust networks, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.

Starting with this preview, users can connect to RDS-hosted apps via Application Proxy using the RDS web client from any HTML5-compatible browser. Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, and Mozilla Firefox are all compatible with the RDS web client. Organizations can use the RDS web client to publish full desktops or remote apps that look like they are running on the local device.

Figure 2: Azure AD Application Proxy Support for Remote Desktop Services Web Client Now in Preview (Image Credit: Microsoft)


For more information on the RDS web client, check out my article on Petri here.

Using the RDS web client preview with Application Proxy

Before you can use the RDS web client with Application Proxy, your connectors must be updated to the latest version (1.5.1975.0). For instructions about how to get RDS to work with Application Proxy, check out Microsoft’s website here. You’ll also need to set up the RDS web client for users by following the instructions here.

Once everything is configured and working, users can access the web client from a browser or launch it from the My Apps Portal.

RDS web client single sign-on

Azure AD Application Proxy uses two types of authentication: pre-authentication and pass-through. Pre-authentication requires users to log in to Azure AD to get access to the RDS web client feed. Pass-through authentication relies on the published application to authenticate users. Windows Server AD must be synchronized with Azure AD to use pre-authentication.

If you choose to use pre-authentication, regardless of whether users are authenticated against Azure AD or via Active Directory Federation Services (ADFS), users will be required to log in a second time if the Remote Desktop Web Connection ActiveX Control is deployed in Internet Explorer. The ActiveX Control has been deprecated in Windows 10 in favor of browsers with HTML5 support.

When authenticating from a modern browser on devices that are joined to Azure AD, you will need to provide credentials on the RDS web login page. Microsoft is hoping to make the sign-in process easier for users in the future.
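
The connector version requirement and the choice between pre-authentication and pass-through described above can be checked across an environment. The following Python audit is an added example, not code from the article or from Microsoft. The JSON layout, host names and app names are constructed, and treating 1.5.1975.0 as a minimum version is an assumption.

```python
import json

# Connector build the article names for the RDS web client preview; using it
# as a minimum is an assumption of this example.
MIN_CONNECTOR = (1, 5, 1975, 0)

# Constructed inventory in a hypothetical export layout (not a real tenant).
SAMPLE = json.loads("""
{
  "connectors": [
    {"machineName": "conn01.corp.example", "version": "1.5.1975.0"},
    {"machineName": "conn02.corp.example", "version": "1.5.612.0"}
  ],
  "apps": [
    {"displayName": "RDS web client (prod)", "externalAuthenticationType": "aadPreAuthentication"},
    {"displayName": "RDS web client (test)", "externalAuthenticationType": "passthru"}
  ]
}
""")

def parse_version(text):
    """Turn '1.5.1975.0' into (1, 5, 1975, 0); raise ValueError if malformed."""
    parts = str(text).strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory):
    """Return (name, finding) pairs for outdated connectors and apps without pre-auth."""
    findings = []
    for conn in inventory.get("connectors", []):
        name = conn.get("machineName", "?")
        try:
            # Compare numerically: as strings, "1.5.612.0" sorts above "1.5.1975.0".
            if parse_version(conn["version"]) < MIN_CONNECTOR:
                findings.append((name, "connector-outdated"))
        except (KeyError, ValueError):
            findings.append((name, "connector-version-unreadable"))
    for app in inventory.get("apps", []):
        mode = str(app.get("externalAuthenticationType", "")).lower()
        # Pass-through leaves authentication to the published app, so Azure AD
        # pre-authentication and Conditional Access are not enforced at the proxy.
        if mode != "aadpreauthentication":
            findings.append((app.get("displayName", "?"), "no-preauth"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{finding}: {name}")
```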