[Japan Tech Summit 2017] SEC 005
TRANSCRIPT
Page 1
Microsoft Tech Summit 2017: The contents of this information (including attachments and linked pages) are current as of the Microsoft Tech Summit 2017 dates (November 8-9, 2017) and are subject to change without notice.
Page 3
I want our sales staff to be able to use the internal systems while they're out of the office.
And make it work on iPads and the like, OK?
Page 8
?
Page 11
Azure Active Directory
http://sales/ (internal URL)
https://sales-teppeiy.msappproxy.net/ (external URL)
Page 13
All Office 365 and Microsoft Azure customers use Azure Active Directory
950 million users
90% of the Fortune 500 use it
122 billion authentications per month (August 2017)
56,000 paid subscriptions
12 million tenants
Page 14
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-get-started
Page 16
https://www.microsoft.com/ja-jp/cloud-platform/azure-active-directory-features
Page 17
1.1 Enable App Proxy in the Azure portal (portal.azure.com)
1.2 Install the connector on an on-premises server
2.1 Add the app in the Azure portal (portal.azure.com)
2.2 Assign users to the added app (grant access)
If you don't have an Azure AD (Office 365) tenant, get one here:
https://azure.microsoft.com/ja-jp/trial/get-started-active-directory/
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-enable
Page 18
Step 1.1: Enable App Proxy at portal.azure.com
Page 19
Step 1.2: Install the connector (download)
Page 20
Step 1.2: Install the connector
Page 21
Step 1.2: Install the connector (verify)
Page 22
Step 1.2: Install the connector (verify)
Page 23

| Outbound port | Description |
|---|---|
| 80 | Used for outbound HTTP traffic for security validation. |
| 443 | Used for user authentication to Azure AD (required only during the connector registration process). |

https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-enable#open-your-ports
Destination URLs to allow:
*.msappproxy.net
*.servicebus.windows.net
login.windows.net (connector registration only)
login.microsoftonline.net (connector registration only)
Or the Azure DataCenter IP ranges, which are updated weekly
Page 24
C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-working-with-proxy-servers
Page 25
Step 1.2: Install the connector (verify)
Page 26
1. Infrastructure setup
1.1 Enable App Proxy in the Azure portal (portal.azure.com)
1.2 Install the connector on an on-premises server
If you don't have an Azure AD (Office 365) tenant, get one here:
https://azure.microsoft.com/ja-jp/trial/get-started-active-directory/
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-enable
Page 27
Step 2.1: Add the app
Page 28
Step 2.1: Add the app
Page 29
Step 2.1: Add the app
http://sales/
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-custom-domains
Page 30
Step 2.2: Assign users
Page 35
Only content under the internal URL is published
→ Publish the root
http://sales/
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-troubleshoot#the-page-is-not-rendered-correctly
Page 36
Before: http://sales/top/ ← the intended page
After: http://sales/ ← but the user lands here instead
→ Set the home page URL
Page 37
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-office365-app-launcher
Page 38
→ Internal URL = external URL
→ Link translation: converts the internal URLs of other published apps into their external URLs
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-link-translation
<a href=http://support/>サポートオペレーション情報</a>
<a href=https://support-teppeiy.msappproxy.net/>サポートオペレーション情報</a>
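The link translation described above (and the earlier point that only content under the published internal URL is reachable) can be modelled in a few lines. This is an added example, not code from the session or from the Application Proxy service: it rewrites hrefs in a constructed HTML snippet using the sales/support URL pairs shown on the slides; the names PUBLISHED, translate_url and translate_links are chosen here.

```python
# Added example: a minimal model of Application Proxy link translation.
# Links whose scheme and host match a published app's internal URL are
# rewritten to that app's external URL, keeping path, query and fragment.
# Links to hosts that are not published are left as they are, which is
# exactly why they fail from outside the corporate network.
import re
from urllib.parse import urlsplit, urlunsplit

# Published apps: internal URL -> external URL (pairs taken from the slides).
PUBLISHED = {
    "http://sales/": "https://sales-teppeiy.msappproxy.net/",
    "http://support/": "https://support-teppeiy.msappproxy.net/",
}


def translate_url(url: str, published=PUBLISHED) -> str:
    """Return the external form of an internal URL, or the URL unchanged."""
    parts = urlsplit(url)
    for internal, external in published.items():
        i = urlsplit(internal)
        # Only the host published under the internal URL is covered;
        # the path underneath it is carried over to the external host.
        if parts.scheme == i.scheme and parts.netloc.lower() == i.netloc.lower():
            e = urlsplit(external)
            return urlunsplit(
                (e.scheme, e.netloc, parts.path or "/", parts.query, parts.fragment)
            )
    return url


# Matches href=VALUE, href="VALUE" and href='VALUE'.
HREF_RE = re.compile(r'(href=)(["\']?)([^\s"\'>]+)(\2)', re.IGNORECASE)


def translate_links(html: str, published=PUBLISHED) -> str:
    """Rewrite every href attribute in an HTML body through translate_url()."""
    def repl(m: re.Match) -> str:
        return f"{m.group(1)}{m.group(2)}{translate_url(m.group(3), published)}{m.group(4)}"
    return HREF_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed sample: a page on the sales app linking to support and HR.
    sample = ('<a href=http://support/>support</a> '
              '<a href="http://sales/top/?q=1">top</a> '
              '<a href=http://hr/>hr (not published)</a>')
    print(translate_links(sample))
```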
Page 41
Azure Active Directory
http://sales/
https://sales-teppeiy.msappproxy.net/
Page 42
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-sso-azure-portal
Page 43
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-sso-using-kcd
http://sales/
https://sales-teppeiy.msappproxy.net/
Azure Active Directory
Using Kerberos Constrained Delegation (KCD)
1. The connector authenticates to the DC on behalf of the user
2. It receives a Kerberos ticket
3. The connector passes the ticket to the app
Page 44
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-sso-overview
Page 45
https://docs.Microsoft.com/ja-jp/azure/active-directory/application-proxy-publish-remote-desktop
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-enable-remote-access-sharepoint
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-teams
Page 47
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-understand-connectors#capacity-planning

| Cores | RAM (GB) | Expected latency (ms), P99 | Max TPS |
|---|---|---|---|
| 2 | 8 | 325 | 586 |
| 4 | 16 | 320 | 1150 |
| 8 | 32 | 270 | 1190 |
| 16 | 64 | 245 | 1200* |
Page 49
Toyosu data center
AWS Tokyo region
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-connectors-azure-portal
Page 52
Ring1
Ring2
Page 53
https://docs.microsoft.com/ja-jp/azure/active-directory/application-proxy-network-topology-considerations
Page 57
https://docs.microsoft.com/ja-jp/intune/app-configuration-managed-browser#how-to-configure-application-proxy-settings-for-the-managed-browser
Page 58
http://*.contoso.local
Sales: Sales.contoso.local
Support: Support.contoso.local
HR: HR.contoso.local
Page 62
SSO as an extension of Office 365
No more "I have to connect to the VPN first..."
Reduce the exposed attack surface to zero and leave the countermeasures to Microsoft
Consolidate access control in Azure AD
No need to maintain and operate complex infrastructure
No DMZ needed either
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-application-proxy-get-started
Page 63
I want our sales staff to be able to use the internal systems while they're out of the office.
And make it work on iPads and the like, OK?
Page 65

| Session ID | Title |
|---|---|
| SEC004 | Configuration patterns for Active Directory / Azure Active Directory and choosing the right authentication method |
| SEC006 | A message to everyone involved with Office 365: "We're ready to move off AD FS". SSO and access control with Azure AD |
| SEC010 | Fundamentals of using EMS to realize a Secure Modern Workstyle |