Using Microsoft application proxy to enforce MFA on the Genetec web app

Mecken Swyter
Passionate technologist and lifelong learner

If an on-premises web application does not support modern authentication, Microsoft Entra application proxy can be a great way to add strong authentication (MFA) to it. This provides multiple benefits. First, when an Entra application proxy app is created, it is assigned a service principal in the Entra tenant and can therefore be targeted by conditional access policies to enforce strong authentication before access is granted. Second, Microsoft Entra application proxy allows access to internal web applications without the need for a VPN or opening up any ports on the firewall.

Genetec is a very robust and popular physical security software platform. Organizations use it to manage surveillance cameras and door access controls. As of the date of writing this guide, Genetec supports adding third-party identity providers for authentication where strong authentication can be applied; however, there is no supported way to turn off authentication with one of the local Genetec accounts or an account synced from Active Directory. In this article, we will attempt to mitigate this shortcoming by creating a Microsoft Entra application proxy app that will be used to access the Genetec web app and enforce strong authentication before the app proxy can be accessed.
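Because the whole approach depends on a conditional access policy actually enforcing MFA for the app proxy's service principal, the following added example (not part of the original article) audits exported policies for the common gaps: report-only state, an application exclusion, and MFA offered as one of several OR alternatives. It assumes the policies were exported as JSON in the shape of the Microsoft Graph `conditionalAccessPolicy` resource; the appId and policy names are constructed placeholders, and user scope and authentication strengths are not evaluated.

```python
import json

APP_ID = "00000000-0000-0000-0000-00000000a001"  # constructed placeholder appId

# Constructed sample policies, shaped like Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "Pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-00000000a001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Baseline", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
                                  "excludeApplications": ["00000000-0000-0000-0000-00000000a001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or device", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-00000000a001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "Genetec MFA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-00000000a001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")


def mfa_gap(policy, app_id):
    """Return None if the policy always demands MFA for app_id, else the reason it does not."""
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications") or []
    if app_id in (apps.get("excludeApplications") or []):
        return "app is excluded"
    if app_id not in included and "All" not in included:
        return "app is not targeted"
    if policy.get("state") != "enabled":
        return "policy is not enforced (state=%s)" % policy.get("state")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        return "no mfa grant control"
    if grant.get("operator") == "OR" and len(controls) > 1:
        return "mfa is only one of several OR alternatives"
    return None


def audit(policies, app_id):
    """Map each policy's displayName to its gap (None means MFA is enforced)."""
    return {p["displayName"]: mfa_gap(p, app_id) for p in policies}


if __name__ == "__main__":
    for name, gap in audit(SAMPLE, APP_ID).items():
        print(f"{name}: {gap or 'enforces MFA'}")
```

The app is protected only if at least one policy reports no gap; a report-only policy logs what it would have done but does not block a sign-in.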

Prerequisites

  • Entra ID P1 or P2
  • A Genetec subscription with at least the Professional level license.
  • A Windows member server with the Entra app proxy agent installed that has line-of-sight with the server hosting the web app.
  • Windows Server 2012 R2 or later