I found this article: https://core.vmware.com/resource/vCenterAzureADFederation#QA
They give some instructions with a video but want you to expose vCenter, which is not going to pass the security team. They go on to mention this, but provide zero guidance on what or how this was set up.
"In our example, we used an Azure Application proxy configuration. We installed the Application proxy connector in a Windows Server on the internal network, with access to vCenter. We pointed Azure AD SCIM application to the external interface of this Application proxy, and let the same tool handle the FQDN overwrite"
Does anyone know what this proxy is and where / how to configure it?
Neither do we. If your organization has been working with Azure AD for a long time, you probably have this requirement already figured out, via some form of secure interconnection between your corporate network and Azure.
Regardless of the option chosen, there are a couple of points that should be considered:
This certainly can be a challenge for some organizations, as it goes beyond the vCenter Server configuration. A potential workaround is having a Load Balancer, reverse proxy or App gateway responding to the URL set in the Tenant and overwriting it with the internal FQDN of vCenter Server before forwarding the traffic to it.
In our example, we used an Azure Application proxy configuration. We installed the Application proxy connector in a Windows Server on the internal network, with access to vCenter. We pointed Azure AD SCIM application to the external interface of this Application proxy, and let the same tool handle the FQDN overwrite.
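The "FQDN overwrite" the article describes, shown as a plain reverse-proxy configuration (an added example, not from the VMware article, the forum posters, or Azure Application Proxy itself). It assumes placeholder hostnames (vcenter-scim.example.com for the URL set in the tenant, vcenter.corp.example for the internal vCenter FQDN), placeholder certificate paths, and a placeholder SCIM path that you must replace with the path vCenter actually publishes:

```nginx
# Reverse proxy answering on the external URL configured in the Azure AD
# tenant and rewriting the Host header to vCenter's internal FQDN before
# forwarding. Hostnames, cert paths and the SCIM path are placeholders.

server {
    listen 443 ssl;
    server_name vcenter-scim.example.com;   # placeholder: URL set in the tenant

    ssl_certificate     /etc/nginx/certs/vcenter-scim.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/vcenter-scim.example.com.key;

    # Publish only the SCIM provisioning path, not the whole vCenter UI/API.
    location /PLACEHOLDER_SCIM_PATH/ {
        proxy_pass https://vcenter.corp.example;   # placeholder: internal FQDN

        # The FQDN overwrite: vCenter sees its own name, not the external one.
        proxy_set_header Host vcenter.corp.example;
        proxy_ssl_server_name on;
        proxy_ssl_name vcenter.corp.example;

        # Verify the vCenter certificate on the internal leg instead of
        # trusting it blindly.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/vcenter-ca.pem;
    }

    # Everything outside the SCIM path is refused.
    location / {
        return 404;
    }
}
```

Whichever component sits in front (Azure Application Proxy, a load balancer, or a reverse proxy like this), the two checks that matter are the same: the internal FQDN reaches vCenter in the Host header, and nothing beyond the provisioning endpoint is reachable from outside.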
I have gotten mine partially set up, having some difficulty with the User Provisioning, but here is the guide that I used to set up the Azure Application Proxy.
Allow External Access to vCenter Using Azure Application Proxy – TheSleepyAdmins
It's a start, hope it helps.