Azure App Proxy Wildcard SSL for Custom Domain Name
We are currently implementing Azure App Proxy for an internal application. We have published the application on MSApproxy.net for testing. When moving to a custom domain, a wildcard SSL cert was purchased. Now, when changing the configuration to the custom domain and using the wildcard cert *.domain.com, the app proxy configuration is not loading when going to the URL for the published app: we get a 404 error.
Any recommendations please.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
-
Sam Cogan 10,822 Reputation points Microsoft Employee Volunteer Moderator 2022-02-08T09:14:00.427+00:00
You need to make sure you follow the steps in this article for using wildcards with app proxy.
-
Clément BETACORNE 2,496 Reputation points 2022-02-08T09:18:13.94+00:00
Hello,
Did you change the record in your internal DNS to a CNAME and configure it to point to the URLs you have at the end of the page of your Azure AD Proxy?
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-custom-domain
Regards,
-
Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator 2022-02-08T12:24:07.793+00:00
Hello @Dom A,
Thanks for reaching out.
Are you getting the HTTP 404 error even with the default endpoint (MSApproxy.net) or just with the custom domain name? If the issue occurs with the default endpoint, try accessing the web app's internal URL on the "connector" server to make sure there's no 404 error there.
If the issue is specific to the custom domain name, can you confirm whether you are getting the 404 error with a specific external URL within the app or for the entire external URL? For example, if you have published the app with the external URL https://test.contoso.com/help/, then accessing https://test.contoso.com/help2/ would fail with HTTP 404 as this is out of the URL scope.
Additionally, please check the following troubleshooting approaches and let us know the outcome.
- If you have already created the CNAME record, check name resolution using nslookup from cmd. Example: external URL: https://app.contoso.com/, AppDnsRecordName: app-contoso.msappproxy.net. The output should look like the one below, and the highlighted hostname must match the AppDnsRecordName. Please note that the IP address or other host names might be different!
- Make sure Link Translation is enabled in the headers of the Azure AD Application Proxy app (it's enabled by default).
- HTTP 404 can also be generated when there is no listener for the hostname in Azure. If a custom domain is used, it's important that the customer registers exactly the same hostname as a CNAME record as was configured in the external URL, and the SSL certificate must be uploaded. Otherwise this error can happen.
- You can use wildcard certificates as long as the wildcard matches the external URL. If you want to use the certificate to also access subdomains, you must add the subdomain wildcards as subject alternative names in the same certificate. For example, a certificate for *.adventure-works.com won't work for *.apps.adventure-works.com unless you add *.apps.adventure-works.com as a subject alternative name.
- Also, ensure a valid AAD Premium license is assigned to the tenant. A new AAD Premium license must be configured and the Azure AD Application Proxy feature must be enabled using the button under Application Proxy in the Azure Portal.
- It's worth collecting an HTTP trace (for example with Fiddler) to compare the working and non-working scenarios. If you see the HTTP 404 for the same request in both the working and the non-working trace, the issue must be troubleshooted with the involvement of the web app's developers.
Also, ensure you have configured custom domains as detailed here. Hope this helps.
-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
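The three causes of a 404 listed in the answer above (a request outside the published external URL's path, a CNAME that does not reach the portal's AppDnsRecordName, and a certificate whose wildcard does not cover the external hostname) can be checked before the app is published. The script below is an added example written for this page, not code from the thread or from Microsoft; it models the single-label wildcard rule (a certificate for *.adventure-works.com covers app.adventure-works.com but not portal.apps.adventure-works.com) and follows a CNAME chain. The DNS answers are constructed and injected through a resolver function so the example runs offline; the path-scope check is a simplified model of the scope rule the answer describes, and `FAKE_CNAMES`, `fake_resolve` and `preflight` are names chosen here.

```python
"""Pre-flight checks for an Azure AD Application Proxy custom domain.

Added example (not from the original thread). It encodes three checks
from the answer above:
  1. the requested URL must lie under the published external URL's path,
  2. the external hostname must be a CNAME to the *.msappproxy.net record
     shown in the portal (AppDnsRecordName), and
  3. the uploaded certificate must cover that hostname; a wildcard matches
     exactly one DNS label, so *.adventure-works.com does not cover
     portal.apps.adventure-works.com.
DNS answers are injected so the script runs offline; the records in
FAKE_CNAMES are constructed sample data.
"""
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL, without a trailing dot."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def request_in_scope(external_url: str, requested_url: str) -> bool:
    """Simplified scope rule: host must match and path must be under the published path."""
    if hostname_of(external_url) != hostname_of(requested_url):
        return False
    ext_path = urlsplit(external_url).path or "/"
    base = ext_path if ext_path.endswith("/") else ext_path + "/"
    req_path = urlsplit(requested_url).path
    return req_path == base.rstrip("/") or req_path.startswith(base)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*.' covers one whole label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".adventure-works.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]    # what the '*' has to stand for
    return bool(first_label) and "." not in first_label


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry (plain or wildcard) covers the hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def cname_points_to(hostname: str, app_dns_record_name: str,
                    resolve_cname: Callable[[str], Optional[str]]) -> bool:
    """Follow up to 8 CNAME hops and report whether the chain reaches the record."""
    target = app_dns_record_name.lower().rstrip(".")
    current = hostname.lower().rstrip(".")
    for _ in range(8):
        nxt = resolve_cname(current)
        if nxt is None:                       # no CNAME: the chain ends here
            return False
        current = nxt.lower().rstrip(".")
        if current == target:
            return True
    return False


def preflight(external_url: str, app_dns_record_name: str,
              cert_names: Iterable[str],
              resolve_cname: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Run the DNS and certificate checks for one published external URL."""
    host = hostname_of(external_url)
    return {
        "hostname": host,
        "cname_ok": cname_points_to(host, app_dns_record_name, resolve_cname),
        "cert_ok": cert_covers(cert_names, host),
    }


# Constructed zone data standing in for real nslookup answers.
FAKE_CNAMES: Dict[str, str] = {
    "app.contoso.com": "app-contoso.msappproxy.net.",
    "portal.apps.adventure-works.com": "portal-adventure-works.msappproxy.net.",
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a CNAME lookup against the constructed zone."""
    return FAKE_CNAMES.get(name.lower().rstrip("."))


if __name__ == "__main__":
    print(preflight("https://app.contoso.com/help/", "app-contoso.msappproxy.net",
                    ["*.contoso.com"], fake_resolve))
    # Wildcard one level too high: DNS is fine, certificate does not cover the host.
    print(preflight("https://portal.apps.adventure-works.com/",
                    "portal-adventure-works.msappproxy.net",
                    ["*.adventure-works.com"], fake_resolve))
    print(request_in_scope("https://test.contoso.com/help/", "https://test.contoso.com/help2/"))
```

To use it against real DNS, replace `fake_resolve` with a function that returns the CNAME target from `nslookup -type=CNAME <host>` (or a DNS library), and feed `cert_names` with the CN and subjectAltName entries of the certificate you intend to upload.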