Hi all,
I’m interested in hearing from anyone who has successfully implemented Azure Application Proxy as a front door to a BeyondTrust PRA appliance, specifically to reduce direct exposure to the internet.
Current Environment
- BeyondTrust PRA appliances hosted on-premises
- Appliances are internal-only (no direct internet exposure)
- Internal user authentication handled via SAML with Microsoft Entra ID
Requirement
We are looking to enable access for external 3rd-party (guest) users while maintaining a zero/low direct exposure footprint.
Key goals:
- Avoid publishing the PRA appliance directly to the internet
- Leverage Azure App Proxy as the external entry point
- Use Entra ID authentication (including B2B guest users) for access control
- Maintain alignment with our existing guest onboarding and governance model (via Entra B2B)
- Avoid using the BeyondTrust vendor portal where possible
Proposed Approach
- Expose a dedicated external URL via Azure App Proxy
- Require pre-authentication with Entra ID (including Conditional Access, MFA, etc.)
- Upon successful authentication, route traffic internally to the PRA appliance
- Potentially segregate external access via a separate App Proxy endpoint / URL
Questions
- Has anyone successfully implemented Azure App Proxy in front of BeyondTrust PRA?
- Were there any technical challenges or limitations?
- Did you need to make any changes to PRA configuration (e.g., base URLs, redirect URLs, public hostname, certificate handling)?
- Are there any documented best practices, KBs, or architectural patterns available?
Any shared experiences, design recommendations, or lessons learned would be greatly appreciated.
Thanks in advance!
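As an added example (not part of the original post, and not BeyondTrust's or Microsoft's own code): the pre-authenticated front-door design described above can be expressed as an Entra Application Proxy publishing object and audited before it goes live. The field names follow the Microsoft Graph beta `onPremisesPublishing` resource as I know it (verify against current docs); the hostnames, application object id and token are placeholders, and the weak sample config is constructed to show what the audit flags.

```python
"""Audit and optionally apply an Entra Application Proxy publishing config
for an internal-only appliance fronted by App Proxy with Entra pre-auth.

Assumptions: Graph beta 'onPremisesPublishing' field names; all hostnames
and ids below are placeholders, not real values from any environment.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Desired state for the external entry point: Entra pre-authentication
# (Conditional Access / MFA apply before any packet reaches the appliance),
# TLS on both legs, hardened cookies, and host-header translation so the
# appliance builds redirects/base URLs with the external name.
DESIRED_PUBLISHING = {
    "externalUrl": "https://pra-external.example.com/",    # placeholder
    "internalUrl": "https://pra.internal.example.local/",  # placeholder
    "externalAuthenticationType": "aadPreAuthentication",
    "isTranslateHostHeaderEnabled": True,
    "isTranslateLinksInBodyEnabled": False,
    "isHttpOnlyCookieEnabled": True,
    "isSecureCookieEnabled": True,
    "isPersistentCookieEnabled": False,
    "applicationServerTimeout": "Long",  # long-lived remote sessions
}

# Constructed weak sample: passthru auth and a plain-HTTP back end.
WEAK_SAMPLE = {
    "externalUrl": "https://pra-external.example.com/",
    "internalUrl": "http://pra.internal.example.local/",
    "externalAuthenticationType": "passthru",
    "isTranslateHostHeaderEnabled": True,
    "isHttpOnlyCookieEnabled": True,
    "isSecureCookieEnabled": False,
    "isPersistentCookieEnabled": True,
}


def audit_publishing(cfg):
    """Return findings for an onPremisesPublishing object; [] means the
    published app matches the low-exposure design."""
    findings = []
    if cfg.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("pre-authentication is not Entra ID; passthru exposes "
                        "the appliance login page to unauthenticated clients")
    for key in ("externalUrl", "internalUrl"):
        url = cfg.get(key, "")
        if not url.lower().startswith("https://"):
            findings.append(f"{key} is not HTTPS: {url!r}")
    for key in ("isSecureCookieEnabled", "isHttpOnlyCookieEnabled"):
        if not cfg.get(key):
            findings.append(f"{key} is disabled")
    if cfg.get("isPersistentCookieEnabled"):
        findings.append("persistent App Proxy cookie enabled; session "
                        "survives browser close")
    if not cfg.get("isTranslateHostHeaderEnabled"):
        findings.append("host header translation off; appliance redirects "
                        "may point at the internal hostname")
    return findings


def build_patch_body(publishing=DESIRED_PUBLISHING):
    """JSON body for PATCH /applications/{id} setting onPremisesPublishing."""
    return json.dumps({"onPremisesPublishing": publishing})


def apply_publishing(app_object_id, access_token, publishing=DESIRED_PUBLISHING):
    """PATCH the application's publishing settings via Graph beta.
    Only call this with a real token; it refuses a weak config first."""
    problems = audit_publishing(publishing)
    if problems:
        raise ValueError("refusing to publish: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{GRAPH_BETA}/applications/{app_object_id}",
        data=build_patch_body(publishing).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # 204 No Content on success
        return resp.status


if __name__ == "__main__":
    print("desired:", audit_publishing(DESIRED_PUBLISHING) or "no findings")
    for f in audit_publishing(WEAK_SAMPLE):
        print("weak sample:", f)
```

Run the audit against the `onPremisesPublishing` object returned by `GET /beta/applications/{id}` for the published app; `apply_publishing` is only reached with a token you supply, and it refuses any config that fails the audit, so a passthru or plain-HTTP setting cannot be pushed by accident. The host-header translation flag is the setting that usually answers the base-URL/redirect question: with it on, the appliance sees the external hostname and its redirects stay on the App Proxy URL.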