2,589 questions
Entra App Proxy - Internal IIS Web Server, users reporting slowness
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 89%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
PhP59300
76
Reputation points
We have an on-prem Windows IIS server running an internal website. Historically, the server was on the same LAN as our on-prem workstations, however, to improve security we have moved it onto an isolated vlan. Both remote and on-prem users now access the website via an Entra App Proxy. Users are reporting slow performance since moving over to Entra App Proxy. We tried increasing the Entra App Proxy 'Backend Application Timeout' value to 'Long' and have also installed additional agents/connectors on other on-prem servers (these are registered to same connector group and have line of sight to the webserver) to load-balance connection, however, this hasn't improved performance. As a test, we have connected a handful of on-prem workstations to the same vlan as the webserver, so that they can browse directly to the IIS site without goina via the App Proxy. These users instantly reported performance was much faster/responsive. We're 99% sure the lag is down to the Entra App Proxy.
Any suggestions on what we can do to improve performance for users going through the Entra App Proxy?
Microsoft Security Microsoft Entra Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 87%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Mallikarjuna Vardham 445 Reputation points Microsoft External Staff Moderator2025-06-13T11:27:47.15+00:00 Hello PhP59300,
Check that the connector service is running on each server
Go to Microsoft Entra Admin Center → Application Proxy and make sure your connectors are listed as “Active”.
If a connector shows as inactive, it's not handling any traffic meaning users might be hitting just one overloaded connector, which could explain the slowness.
-
PhP59300 76 Reputation points
2025-06-13T14:51:40.9666667+00:00 Thanks for the suggestion but all connectors are online.
-
Mallikarjuna Vardham 445 Reputation points Microsoft External Staff Moderator
2025-06-16T13:22:03.59+00:00 Hello PhP59300,
Check on the App Proxy Connector Server
Log into the server where the App Proxy Connector is installed.
Open Command Prompt or PowerShell.
Run the following command (replace with your IIS server's hostname or IP)
ping <IIS-SERVER-IP-OR-HOSTNAME>
Then, look at the output — check the time= value and note the latency in milliseconds (ms).
And Monitor Connector Resource Usage
On each connector server, check CPU and RAM usage high usage may cause slow performance.
-
PhP59300 76 Reputation points
2025-06-17T14:10:42.02+00:00 Hi Mallikarjuna
Thanks for the advice. There are no signs of latency to the IIS website. Memory utilisation is a little on the high side but this is due to SQL which will consume whatever memory it has access to. That said, the servers memory usage never goes above 90%. Also, as mentioned, we have connected several on-prem computers to the same LAN as the server and these computers do not suffer from latency. Only the computers which are coming in through the Azure App Proxy are seeing performance issues.
-
Mallikarjuna Vardham 445 Reputation points Microsoft External Staff Moderator
2025-06-17T16:56:23.1433333+00:00 Hello PhP59300,
Could Verify Where the Connector is talking to the IIS Server
and check the App Proxy connector is either on the same VLAN or subnet as your IIS server or at least close enough that it has a fast and reliable connection. If it's on a different network segment, network hops could be causing the slowness.
Also check if the connector can quickly resolve the IIS server’s hostname. If the IIS site is accessed using a DNS name internally (like intranet.local), delays in DNS resolution can slow things down too.
You can use below powerShell command on the connector server to test
Resolve-DnsName <IIS-SERVER-NAME>
Test-NetConnection <IIS-SERVER-IP> -Port 80
-
PhP59300 76 Reputation points
2025-06-18T08:04:47.8766667+00:00 The connector is installed on the IIS webserver and also on three other servers. These servers are located on the same vlan/network segment and the connectors have been put into the same connector group as the webserver. I've ran the mentioned test on the webserver and the servers where we've installed the connector, but cannot see any issues here.
-
PhP59300 76 Reputation points
2025-06-18T08:37:41.6166667+00:00 The connector is installed directly on the iis webserver, however, we have since installed additional connectors on 3 other servers. These servers are on the same vlan/network segment. DNS is working correctly on all servers.
-
Mallikarjuna Vardham 445 Reputation points Microsoft External Staff Moderator
2025-06-18T16:46:10.7433333+00:00 Hello PhP59300,
To enable verbose diagnostic logging for App Proxy Connector and troubleshoot slowness
Enable App Proxy Connector Diagnostic Logging (Verbose)
Logging to each Proxy connector server:
Open Registry Editor:
Press Win + R, type regedit.
Navigate to the Logging Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AAD App Proxy Connector\Logging
Enable Verbose Logging:
If the following DWORD values don’t exist, create them:
LogLevel: Set value to 4 (DWORD, Decimal) → This enables verbose logging.
LogRotationSizeMB: Set to 100 or appropriate size (optional, for log management).
Restart the Connector Service:
Open Services (services.msc)
Restart the service:
Microsoft AAD Application Proxy Connector
After that, Reproduce the Issue:
Let affected users access the IIS site via App Proxy.
Monitor Logs at:
C:\ProgramData\Microsoft AAD App Proxy Connector\Logs
Then Analyze Logs:
Open the latest .log file.
Look for gaps or delays between:
Request received → Forwarded to backend
Backend response → Response sent to client
Check and Configure IIS Keep-Alive and Compression:
Launch IIS Manager
Run inetmgr on the IIS server.
Expand to your target site.
Sign in to comment
Sign in to answer