This blog post is all about the CNAME record and the Application Proxy. A CNAME record can be used as the internal URL in the Application Proxy. It is not necessary, but nice to have. Otherwise, you have to enter the FQDN of the NDES server.

Here are the links to the previous parts:

Alrighty then, let’s try

Create a CNAME record

The CNAME will be used as the internal URL in the Application Proxy. We will use the CNAME instead of the FQDN of the NDES server. This makes it easier if you have more than one NDES server running, or plan to add one later.

Go to your DNS server and open the DNS MMC via Server Manager.
Go to Forward Lookup Zones -> Domain.local
Right-click the domain.local node and click on New Alias (CNAME).
Give the CNAME a name, like ndes (domain.local). Browse to the NDES server. Click on the OK button.
The CNAME is created and can be used for the application proxy and certificates. You can close the DNS MMC.

Azure Application Proxy

You have already installed the Azure Application Proxy connector on a server. Now we need a proxy app in Azure Active Directory. This app will proxy the requests to the NDES server. During the creation of the app, you get an external URL. You need this URL when you create the SCEP profile in Intune.

Go to the Azure portal -> Azure Active Directory -> Application Proxy. Click on the button Configure an app.
Give the application a name. You must also enter an internal URL. If you have created a CNAME, you can use it as the internal URL. Otherwise, you have to use the FQDN of the NDES server here.

Change Pre-Authentication to Passthrough. The devices that send the SCEP requests cannot complete an Azure AD pre-authentication, so the proxy must pass the requests through and leave the validation of the enrollment challenge to NDES.

Click on the add button.

The External URL is the URL you have to use for the SCEP profile in Intune.

The app was created successfully. You can verify the configuration by testing the external URL, like https://ndesintune-tenantname.msappproxy.net/certsrv/mscep/mscep.dll. We will test this later in the blog.
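As an added example (not from the original post), the CNAME step and the URL check described above, scripted in PowerShell. The zone name, CNAME label, NDES host name and external URL are placeholders you replace with your own values; the DNS part runs on the DNS server with the DnsServer module.

```powershell
# Added example, not the author's code. All names below are placeholders.
$ZoneName    = 'domain.local'
$CnameLabel  = 'ndes'                        # becomes ndes.domain.local
$NdesHost    = 'ndes01.domain.local'         # hypothetical NDES server FQDN
$ExternalUrl = 'https://ndesintune-tenantname.msappproxy.net'   # from the App Proxy app
$ScepPath    = '/certsrv/mscep/mscep.dll'

# 1. Create the CNAME if it does not exist yet (safe to re-run).
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $CnameLabel `
                -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $CnameLabel -HostNameAlias $NdesHost
}

# 2. Verify that the alias really points at the intended NDES host.
$cname = Resolve-DnsName -Name "$CnameLabel.$ZoneName" -Type CNAME -ErrorAction Stop |
         Where-Object { $_.Type -eq 'CNAME' }
if ($cname.NameHost.TrimEnd('.') -ne $NdesHost) {
    throw "CNAME points to '$($cname.NameHost)', expected '$NdesHost'"
}

# 3. Probe an endpoint and report whether it answered and with which HTTP status.
#    A 4xx answer still means the request reached a web server; no answer at all
#    (DNS, TLS or connector failure) is reported as not reachable.
function Test-ScepEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; StatusCode = [int]$r.StatusCode; Reachable = $true }
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ Url = $Url; StatusCode = $code; Reachable = ($null -ne $code) }
    }
}

# Internal URL (via the CNAME) and external URL (via the Application Proxy).
Test-ScepEndpoint -Url "https://$CnameLabel.$ZoneName$ScepPath"
Test-ScepEndpoint -Url "$ExternalUrl$ScepPath"
```

Compare the two results: if the internal URL answers but the external one does not, the problem is in the Application Proxy app or connector rather than in NDES itself.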

Permissions on CA for Intune NDES service account

We need to give the Intune NDES service account special permissions on the CA server. These permissions are necessary to request certificates from the CA.

Go back to your CA server and go to Server Manager -> Tools -> Certification Authority.
Right-click the CA server node and click on Properties.
Go to the Security tab and click on the Add button.
Search for your Intune NDES service account and click on the OK button.
Give the service account the Allow permission for Issue and Manage Certificates and click OK.

Final

What we did in this blog is:

  • Created a CNAME and used it as the internal URL in the App Proxy.
  • Created an Application Proxy app and got an external URL for the SCEP profile.
  • Gave the Intune NDES service account special permissions on the CA.

Next part is about creating certificates and installing the NDES role.

Thanks for reading the blog. If you have any questions or comments about this, do not hesitate to contact me by email or by posting a comment here below. I am also active on social media and some community forums, like Technet forum, Yammer, and Techcommunity.

Good luck and Take care now, bye bye then…
