This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 94%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello Team,
following this Microsoft Learn guide
to configure an Azure AD Application Proxy (to support an internal NDES and Intune Certificate Connector) will leave you with an IIS default page which is accessible from the internet. The certsrv/mscep/mscep.dll shows 403-Forbidden Message. Both is expected.
But what can I do to harden IIS? Are there any best practices? My first thought was just to publish the url with certsrv/mscep/mscep.dll and not just https://server.domain.tld
You can only use "Passthrough" in Azure AD App Proxy as it is the only way SCEP will work.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
II couldn't find any official guidelines on hardening, though I did find some third party guides. I'm looking into this internally though.
Hello,
thank you. I wanted to ask if you were able to get some information?
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 57.99999999999999%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Hi all,
I'm preparing a Poc for CA implementation and want to know the best practice of installing "Azure AD Application Proxy Agent". It should be on a separate server/VM (1) or could be installed on NDES server (2)? pro/cons ?
Thanks in Advance
WalBenK
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 48%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
This is a separate question, not an answer for the question by SDS "But what can I do to harden IIS?"
Please unmark this as answer
For more information about your question see: https://learn.microsoft.com/en-us/entra/identity/app-proxy/app-proxy-protect-ndes
