Redirect hardcoded links for apps published with Azure AD Application Proxy
Azure AD Application Proxy makes our on-premises apps available to users who are remote or on their own devices. Some apps, however, were developed with local links embedded in the HTML. These links don't work correctly when the app is used remotely. When we have several on-premises applications point to each other, our users expect the links to keep working when they're not at the office.
The best way to make sure that links work the same both inside and outside of our corporate network is to configure the external URLs of our apps to be the same as their internal URLs. Use custom domains to configure our external URLs to have our corporate domain name instead of the default application proxy domain.
If we can't use custom domains in our tenant, there are several other options for providing this functionality. All of these are also compatible with custom domains and each other, so we can configure custom domains and other solutions if needed.
Option 1: Use the Managed Browser – This solution is only applicable if we plan to recommend or require that users access the application through the Intune Managed Browser. It will handle all published URLs.
Option 2: Use the MyApps Extension – This solution requires users to install a client-side browser extension, but it will handle all published URLs and works with most popular browsers.
Option 3: Use the link translation setting – This is an admin side setting that is invisible to users. However, it will only handle URLs in HTML and CSS. Hard-coded internal URLs generated through Javascript (for example) will not work.
These three features keep our links working no matter where our users are. When we have apps that point directly to internal endpoints or ports, we can map these internal URLs to the published external Application Proxy URLs.
Note
The last option is only for tenants that, for whatever reason, can't use custom domains to have the same internal and external URLs for their apps. Before we enable this feature, see if custom domains in Azure AD Application Proxy can work for us.
Or, if the application we need to configure with link translation is SharePoint, see Configure alternate access mappings for SharePoint 2013 for another approach to mapping links.
Option 1: Intune Managed Browser Integration
We can use the Intune Managed Browser to further protect our application and content. To use this solution, we need to require/recommend users access the application through the Intune Managed Browser. All internal URLs published with Application Proxy will be recognized by the Managed Browser and redirected to the corresponding external URL. This ensures that all the hard-coded internal URLs work, and if a user goes to the browser and directly types the internal URL, it works even if the user is remote.
To learn more, including how to configure this option, please see the Managed Browser documentation.
Option 2: MyApps Browser Extension
With the MyApps Browser Extension, all internal URLs published with Application Proxy are recognized by the extension and redirected to the corresponding external URL. This ensures that all the hard-coded internal URLs work, and if a user goes to the browser's address bar and directly types the internal URL, it works even if the user is remote.
To use this feature, the user needs to download the extension and be logged in. There is no other configuration needed for admins or the users.
Option 3: Link Translation Setting
When link translation is enabled, the Application Proxy service searches through HTML and CSS for published internal links and translates them so that our users get an uninterrupted experience.
How link translation works
After authentication, when the proxy server passes the application data to the user, Application Proxy scans the application for hardcoded links and replaces them with their respective, published external URLs.
Application Proxy assumes that applications are encoded in UTF-8. If that's not the case, specify the encoding type in an HTTP response header, like Content-Type:text/html;charset=utf-8.
Which links are affected?
The link translation feature only looks for links that are in code tags in the body of an app. Application Proxy has a separate feature for translating cookies or URLs in headers.
There are two common types of internal links in on-premises applications:
- Relative internal links that point to a shared resource in a local file structure like /claims/claims.html. These links automatically work in apps that are published through Application Proxy, and continue to work with or without link translation.
- Hardcoded internal links to other on-premises apps like http://expenses or published files like http://expenses/logo.jpg. The link translation feature works on hardcoded internal links, and changes them to point to the external URLs that remote users need to go through.
How do apps link to each other?
Link translation is enabled for each application, so that we have control over the user experience at the per-app level. Turn on link translation for an app when we want the links from that app to be translated, not links to that app.
For example, suppose that we have three applications published through Application Proxy that all link to each other: Benefits, Expenses, and Travel. There's a fourth app, Feedback, that isn't published through Application Proxy.
When we enable link translation for the Benefits app, the links to Expenses and Travel are redirected to the external URLs for those apps, but the link to Feedback is not redirected because there is no external URL. Links from Expenses and Travel back to Benefits don't work, because link translation has not been enabled for those two apps.
Which links aren't translated?
To improve performance and security, some links aren't translated:
- Links not inside of code tags.
- Links not in HTML or CSS.
- Internal links opened from other programs. Links sent through email or instant message, or included in other documents, won't be translated. The users need to know to go to the external URL.
If we need to support one of these two scenarios, use the same internal and external URLs instead of link translation.
Enable link translation
Getting started with link translation is as easy as clicking a button:
Sign in to the Azure portal as an administrator.
Go to Azure Active Directory > Enterprise applications > All applications > select the app we want to manage > Application proxy.
Turn Translate URLs in application body to Yes.
Select Save to apply our changes.
Now, when our users access this application, the proxy will automatically scan for internal URLs that have been published through Application Proxy on our tenant.
Send feedback
We want your help to make this feature work for all your apps. We search over 30 tags in HTML and CSS. If you have an example of generated links that aren't being translated, send a code snippet to Application Proxy Feedback.