How to troubleshoot Azure AD Application Proxy connectivity problems


Azure AD Application Proxy requires a number of ports to be open to function correctly. These ports are needed for registering a new connector, for maintaining existing connectors, and for the application traffic itself. All traffic on these ports is outbound from the organization to Azure datacenters; no inbound connections are created. You can find the networking prerequisites for enabling Application Proxy services listed here: https://msdn.microsoft.com/en-us/library/azure/dn768214.aspx.

Several errors can occur if your organization's firewall blocks any of these ports for external access. They show up mainly during registration and when the connector needs to pull traffic from the cloud service.

An easy way to verify your port connectivity is to open http://testport.cloudapp.net/ from a browser on the machine that runs the connector. If all ports have a green “V” next to them, you are good to go. Be aware that the browser's connectivity may differ from the service's connection because of proxy configuration settings or authentication requirements, so account for this in your testing.

If some of these ports are blocked, ask your network admin to open them for outbound traffic through the firewall or forward proxy. In our experience, most forward proxies handle this traffic correctly once the ports are enabled.
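The following PowerShell script is an added example, not part of the original post or of the Application Proxy product; it runs the same kind of outbound check from the connector host itself, once directly (TCP) and once through the forward proxy the connector service uses, so that the browser-versus-service difference mentioned above becomes visible. The host/port list, the `$ServiceProxy` value and the `Test-AppProxyOutbound` function name are assumptions; take the authoritative ports from the prerequisites page linked above.

```powershell
# Added example, not from the original post. Run on the connector host in an elevated
# PowerShell session (Test-NetConnection needs Windows 8 / Server 2012 or later).
# ASSUMPTION: replace this list with the hosts and ports from the networking prerequisites page.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com';                        Port = 443 },
    @{ Host = 'aadap-portcheck.connectorporttest.msappproxy.net'; Port = 443 },
    @{ Host = 'aadap-portcheck.connectorporttest.msappproxy.net'; Port = 80  }
)

# ASSUMPTION: the forward proxy the connector service is configured to use, e.g. 'http://proxy.corp.example:8080'.
# Leave empty to test direct outbound connectivity only.
$ServiceProxy = ''

function Test-AppProxyOutbound {
    param([array]$Targets, [string]$Proxy)

    foreach ($t in $Targets) {
        # Direct TCP check. This ignores any web proxy, so it shows whether the firewall
        # lets the connector host reach the port directly. A dead DNS record fails here too.
        $direct = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet -WarningAction SilentlyContinue

        # HTTP(S) check through the proxy the service uses. A browser on the same machine can
        # succeed while this fails (or the reverse) when the two have different proxy settings.
        $viaProxy = 'n/a'
        if ($Proxy) {
            $scheme = if ($t.Port -eq 443) { 'https' } else { 'http' }
            try {
                $null = Invoke-WebRequest -Uri "${scheme}://$($t.Host):$($t.Port)/" -Proxy $Proxy `
                    -ProxyUseDefaultCredentials -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
                $viaProxy = 'OK'
            } catch {
                # Any HTTP status proves the path through the proxy works; only transport failures count as blocked.
                $viaProxy = if ($_.Exception.Response) { 'OK (HTTP ' + [int]$_.Exception.Response.StatusCode + ')' }
                            else { 'BLOCKED: ' + $_.Exception.Message }
            }
        }

        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            DirectTcp = if ($direct) { 'OK' } else { 'BLOCKED' }
            ViaProxy  = $viaProxy
        }
    }
}

# Windows services generally use the WinHTTP proxy, not the interactive user's browser proxy; show it for comparison.
netsh winhttp show proxy
Test-AppProxyOutbound -Targets $Endpoints -Proxy $ServiceProxy | Format-Table -AutoSize
```

A row that reads `DirectTcp = BLOCKED` but `ViaProxy = OK` means the firewall only permits the port via the forward proxy, which is exactly the case where a browser test can mislead you.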

If your organization needs to limit the scope of these additional ports, you have three options:

  1. Limit the traffic to that coming from the connector machines only.

  2. Limit the traffic to requests for the msappproxy.net domain name only – if your firewall supports such filtering.

  3. Allow traffic only to Azure datacenters based on the destination IP addresses. Because the service is spread across several datacenters for high availability and optimization, you must include the full set of Azure datacenter IP ranges as specified here: http://www.microsoft.com/en-us/download/details.aspx?id=41653.

For more troubleshooting tips and tools, see our troubleshooting guide: https://msdn.microsoft.com/en-us/library/azure/dn768218.aspx

Comments (3)

  1. Anonymous says:

    Pingback from NeWay Technologies – Weekly Newsletter #140 – March 27, 2015 | NeWay

  2. Steve Beaumont says:

    Hi, the http://testport.cloudapp.net/ URL doesn’t seem to be working anymore.
    Is there a new site?

  3. Robert Hardy says:

    This is out of date. testport.cloudapp.net’s DNS record is pointing to 0.0.0.0 which obviously won’t work.
    You probably want https://aadap-portcheck.connectorporttest.msappproxy.net/ instead.
