Configure Microsoft Entra private network connectors to use outbound proxy servers. The article assumes the network environment already has a proxy server.
We start by looking at these main deployment scenarios:
Configure connectors to bypass your on-premises outbound proxies.
Configure connectors to use an outbound proxy to access Microsoft Entra application proxy.
Configure using a proxy between the connector and backend application.
Connectors have underlying OS components that make outbound requests. These components automatically attempt to locate a proxy server on the network using Web Proxy Auto-Discovery (WPAD).
The OS components attempt to locate a proxy server by carrying out a Domain Name System (DNS) lookup for wpad.domainsuffix. If the lookup resolves in DNS, an HTTP request is then made to the Internet Protocol (IP) address for wpad.dat. This request becomes the proxy configuration script in your environment. The connector uses this script to select an outbound proxy server. However, connector traffic might continue to fail because more configuration settings are needed on the proxy.
You can configure the connector to bypass your on-premises proxy to ensure that it uses direct connectivity to the Microsoft Entra application proxy service. Direct connections are recommended because they require less configuration. However, some network policies require traffic going through a local proxy server.
To disable outbound proxy usage for the connector, edit the C:\Program Files\Microsoft Entra private network connector\MicrosoftEntraPrivateNetworkConnectorService.exe.config file and add the system.net section shown in the code sample:
To ensure that the Connector Updater service also bypasses the proxy, make a similar change to the MicrosoftEntraPrivateNetworkConnectorUpdaterService.exe.config file. This file is located at C:\Program Files\Microsoft Entra private network connector Updater.
Be sure to make copies of the original files, in case you need to revert to the default .config files.
Use the outbound proxy server
Some environments require all outbound traffic to go through an outbound proxy, without exception. As a result, bypassing the proxy isn't an option.
You can configure the connector traffic to go through the outbound proxy, as shown in the following diagram:
As a result of having only outbound traffic, there's no need to configure inbound access through your firewalls.
Nota
Application proxy does not support authentication to other proxies. The connector/updater network service accounts should be able to connect to the proxy without being challenged for authentication.
Step 1: Configure the connector and related services to go through the outbound proxy
If WPAD is enabled in the environment and configured appropriately, the connector automatically discovers the outbound proxy server and attempt to use it. However, you can explicitly configure the connector to go through an outbound proxy.
To do so, edit the C:\Program Files\Microsoft Entra private network connector\MicrosoftEntraPrivateNetworkConnectorService.exe.config file, and add the system.net section shown in code sample. Change proxyserver:8080 to reflect your local proxy server name or IP address and port. The value must have the prefix http:// even if you're using an IP address.
Next, configure the Connector Updater service to use the proxy by making a similar change to the C:\Program Files\Microsoft Entra private network connector Updater\MicrosoftEntraPrivateNetworkConnectorUpdaterService.exe.config file.
Nota
The Connector service evaluates the defaultProxy configuration for usage in %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, if the defaultProxy isn't configured (by default) in MicrosoftEntraPrivateNetworkConnectorService.exe.config. The same applies to the Connector Updater service (MicrosoftEntraPrivateNetworkConnectorUpdaterService.exe.config) too.
Step 2: Configure the proxy to allow traffic from the connector and related services to flow through
There are four aspects to consider at the outbound proxy:
Proxy outbound rules
Proxy authentication
Proxy ports
Transport Layer Security (TLS) inspection
Proxy outbound rules
Allow access to the following URLs:
URL
Port
Use
*.msappproxy.net *.servicebus.windows.net
443/HTTPS
Communication between the connector and the application proxy cloud service
The connector uses these URLs during the registration process.
ctldl.windowsupdate.com www.microsoft.com/pkiops
80/HTTP
The connector uses these URLs during the registration process.
If your firewall or proxy allows you to configure DNS allowlists, you can allow connections to *.msappproxy.net and *.servicebus.windows.net.
If you can't allow connectivity by Fully Qualified Domain Name (FQDN) and need to specify IP ranges instead, use these options:
Allow the connector outbound access to all destinations.
Allow the connector outbound access to all of the Azure datacenter IP ranges. The challenge with using the list of Azure datacenter IP ranges is that they're updated weekly. You need to put a process in place to ensure that your access rules are updated accordingly. Only using a subset of the IP addresses causes your configuration to break. The latest Azure Data Center IP ranges are downloaded at https://download.microsoft.com. Use the search term, Azure IP Ranges and Service Tags. Be sure to select the relevant cloud. For example, the public cloud IP ranges can be found by searching for Azure IP Ranges and Service Tags – Public Cloud. The US Government cloud can be found by searching for Azure IP Ranges and Service Tags – US Government Cloud.
Proxy authentication
Proxy authentication isn't currently supported. Our current recommendation is to allow the connector anonymous access to the Internet destinations.
Proxy ports
The connector makes outbound TLS-based connections by using the CONNECT method. This method essentially sets up a tunnel through the outbound proxy. Configure the proxy server to allow tunneling to ports 443 and 80.
Nota
When Service Bus runs over HTTPS, it uses port 443. However, by default, Service Bus attempts direct Transmission Control Protocol (TCP) connections and falls back to HTTPS only if direct connectivity fails.
TLS inspection
Don't use TLS inspection for the connector traffic, because it causes problems for the connector traffic. The connector uses a certificate to authenticate to the application proxy service, and that certificate can be lost during TLS inspection.
Configure using a proxy between the connector and backend application
Using a forward proxy for the communication towards the backend application is a special requirement in some environments.
To enable a forward proxy, follow these steps:
Step 1: Add the required registry value to the server
To enable use of the default proxy, add the registry value (DWORD)UseDefaultProxyForBackendRequests = 1 to the connector configuration registry key located in HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Entra private network connector.
Step 2: Configure the proxy server manually using netsh command
Enable the group policy Make proxy settings per-machine. The group policy is found in: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer. The group policy needs to be set rather than having the policy set per user.
Run gpupdate /force on the server. Alternatively, to ensure the group policy is updated, reboot the server.
Launch an elevated command prompt with admin rights and enter control inetcpl.cpl.
Configure the required proxy settings.
The settings make the connector use the same forward proxy for the communication to Azure and to the backend application. Modify the file MicrosoftEntraPrivateNetworkConnectorService.exe.config to change the forward proxy. Forward proxy configuration is described in the sections Bypass outbound proxies and Use the outbound proxy server.
Nota
There are various ways to configure the internet proxy in the operating system. Proxy settings configured via NETSH WINHTTP (run NETSH WINHTTP SHOW PROXY to verify) override the proxy settings you configured in Step 2.
The connector updater service uses the machine proxy. The setting is found in the MicrosoftEntraPrivateNetworkConnectorUpdaterService.exe.config file.
Troubleshoot connector proxy problems and service connectivity issues
Now you should see all traffic flowing through the proxy. If you have problems, the following troubleshooting information should help.
The best way to identify and troubleshoot connector connectivity issues is to take a network capture while starting the connector service. Here are some quick tips on capturing and filtering network traces.
You can use the monitoring tool of your choice. For the purposes of this article, we used Microsoft Message Analyzer.
Nota
Microsoft Message Analyzer (MMA) was retired and its download packages removed from microsoft.com sites on November 25 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, please consider using a 3rd party network protocol analyzer tool such as Wireshark.
The following examples are specific to Message Analyzer, but the principles can be applied to any analysis tool.
Take a capture of connector traffic
For initial troubleshooting, perform the following steps:
From services.msc, stop the Microsoft Entra private network connector service.
Run Message Analyzer as an administrator.
Select Start local trace.
Start the Microsoft Entra private network connector service.
Stop the network capture.
Check if the connector traffic bypasses outbound proxies
If you expect the connector to make direct connections to application proxy services, SynRetransmit responses on port 443 are an indication that you have a network or firewall problem.
Use the Message Analyzer filter to identify failed Transmission Control Protocol (TCP) connection attempts. Enter property.TCPSynRetransmit in the filter box and select Apply.
A synchronization (SYN) packet is the first packet sent to establish a TCP connection. If this packet doesn’t return a response, the SYN is reattempted. You can use the filter to see any retransmitted SYN packets. Then, you can check whether these SYN packets correspond to any connector-related traffic.
Check if the connector traffic uses outbound proxies
If you configured your private network connector traffic to go through the proxy servers, look for failed https connections to your proxy.
Use the Message Analyzer filter to identify failed HTTPS connection attempts to your proxy. Enter (https.Request or https.Response) and tcp.port==8080 in the Message Analyzer filter, replacing 8080 with your proxy service port. Select Apply to see the filter results.
The preceding filter shows just the HTTPs requests and responses to/from the proxy port. You're looking for the CONNECT requests that show communication with the proxy server. Upon success, you get an HTTP OK (200) response.
If you see other response codes, such as 407 or 502, that means that the proxy is requiring authentication or not allowing the traffic for some other reason. At this point, you engage your proxy server support team.
Learn how to provide secure access to internal applications for remote workers by deploying and configuring Microsoft Entra application proxy in a Microsoft Entra Domain Services managed domain
Microsoft Entra ID has an application proxy service that enables users to access on-premises applications by signing in with their Microsoft Entra account. This tutorial shows you how to prepare your environment for use with application proxy. Then, it uses the Microsoft Entra admin center to add an on-premises application to your Microsoft Entra tenant.
Learn answers to frequently asked questions (FAQ) about using Microsoft Entra application proxy to publish internal, on-premises applications to remote users.