Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

JIRA / Confluence external access via Azure Application Proxy

Stian Bentsen Sveen
Contributor
October 15, 2018

Hi,

We recently exposed our on site JIRA to external access.

It requires Azure MFA and then runs via Azure application proxy.

Its mostly used by external consultants so they dont need a VPN connection if they are just working on project management and nothing else.

I've gotten a few tickets from some of these users regarding performance in JIRA. I've brushed it off as something local to their connection since none of our 200+ JIRA software users or 1700+ service desk users have complained about performance issues.

This weekend I worked from home and decided testing out JIRA via external access (without VPN) and I sometimes experienced similar issues to what some of the consultants were complaining about. My issue was being unable to click in the comment box and type text. It just displayed a "blocking" sign on my mouse and I wasnt able to click in the comment field.

Some of the consultants reported the same and others said they were unable to click a button (to f.ex do a transition). They could click it, but nothing happened.

Doing a force cache refresh in the browser 1 or more times fixed the issue for me.

We're only using Azure application proxy for JIRA and Confluence so far so were not that familiar with it, but couldnt see anything wrong there.

Anyone else have experience with accessing JIRA externally via Azure application proxy?

Br,

Stian

2 answers

2 accepted

0 votes
Answer accepted
Scott Neumann
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 16, 2019

Stian Bentsen Sveen,

I'm trying to roll out the same solution as you described above. (There doesn't seem to be a lot in the Jira support forums of folks doing this.)  I'm hoping maybe you can shed some light!  I'm getting this error on the login screen.  ***JIRA is reporting that it is using the URL scheme 'http', which does not match the scheme used to run these diagnostics, 'https'. This is known to cause JIRA to construct URLs using an incorrect hostname, which will result in errors in the dashboard, among other issues.***

It feels like I'm just missing the correct setting... Can you share what settings you configured for theAzure App Proxy and anything that you needs to be set on the Jira side? 

It seems to half work... I can log in, but some things do not seem to load correctly.

 

Thanks,

-Scott

Stian Bentsen Sveen
Contributor
April 16, 2019

Hi Scott,

There might not be a big usage around this as I think many people who want JIRA accessible via internet uses JIRA cloud, wheras hosted server is for "internal use". I couldnt find anything on the subject, so thats why I posted here.

 

It almost sounds like your JIRA is setup to run via HTTP but your external URL for in application proxy for JIRA is setup to run via HTTPS?

Are some of the things that doesnt seem to be loading correctly gadgets for the dashboard (you can load most of them but their names seem weird, like gadget.issue.filters instead of Issue Filter)?

In the application proxy configuration is your internal and external link the same?

Br,

Stian

Toto Tamberine
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
May 6, 2019

I have been trying to get this working as well with confluence and noticed a bunch of XSRF check failures, 403 Forbidden.

Would following this guide possible solve this? 

https://confluence.atlassian.com/kb/cross-site-request-forgery-csrf-protection-changes-in-atlassian-rest-779294918.html

Stian Bentsen Sveen
Contributor
May 7, 2019

Hi Toto,

Which version of Confluence are you running? Im running an old 6.4.0 version (upgrading soon) and I havent noticed any issues with Confluence via application proxy, only JIRA. When are you getting the errors?

Toto Tamberine
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
May 7, 2019

Running 6.4.3, I get those errors as soon as I go to edit a page. The page actually never fully loads

Darin Hafer
Contributor
July 14, 2019

@Stian Bentsen Sveen may I ask how you achieved running self-hosted Jira Server to integrate with Azure Application Proxy? Do you use a plugin to help with this? I'm trying to learn how to configure Jira Server 8.2.3 with the Azure App Proxy.

 

We want to use this proxy to achieve SSO with our Corporate system which will determine who can and can't log in (authn).

 

We also want to sync users and groups so we can define and apply groups and permissions. We did this in our old system using LDAP sync in User Directories. But with our new system (8.2.3), we want to somehow do this while leveraging Azure App Proxy.

My Azure engineer sent me a 'abc.msappproxy.net' URL and I can't see any default Jira config that natively supports the use of this.

 

I was looking at a plugin to help with this - https://www.miniorange.com/atlassian-jira-oauth-client-(sso) but am looking for some guidance from you or anyone on this topic. Thank You.

Stian Bentsen Sveen
Contributor
July 15, 2019

Hi @Darin Hafer ,

Our Azure App Proxy setup is only to allow access to our self-hosted JIRA for users outside of our company network with MFA. It does not give us SSO or any user sync.

The user sync is still configured with LDAP for syncing users and group.

The app proxy (as is) required no config on the JIRA side as its only for access to the website, so we've just setup an enterprise application in Azure, created a group associated with access to the application (which is basically everyone in the organization) and then configure application proxy, single sign on (password-based and Sign on URL your JIRA link with /login.jsp at the end) with conditional access enabled for MFA.

We also had to add our JIRA link to our public DNS.

 

I am currently looking into using SAML Single Sign On (SSO) Jira, SAML/SSO by resolution for SSO and user sync from Azure. The add-on so far seems really good, with good documentation and I was able to setup SSO and user sync for both my JIRA and Confluence test environment in about an hour.

I am hopefully getting some help from them soon to assist with how to do a user migration from our LDAP user directories to their user sync from Azure (all comments, reporter, assignee etc).

I havent tested the MFA part yet, but I think the setup will be the same as it is today, and then there's a separate setup for the actual SSO part which is described in detail by resolution for their add-on.

You will most likely have to use some add-on to achieve what you want, as I dont think JIRA natively supports this.

Darin Hafer
Contributor
July 15, 2019

Thank you @Stian Bentsen Sveen as it turns out, over the weekend, and since I posted this, our AD guru and I were able to use that same plugin by resolution :-) So far it does exactly what we need. 

Asa Gage
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
July 26, 2019

Have you been able to successfully use any external connectors?  I am having trouble trying to get any external application links to work through the azure app proxy with conditional access enabled.  It seems like we would need to configure some bypass to the conditional access rule for the remote apps that are connecting with the application link.

Darin Hafer
Contributor
July 26, 2019

This plugin is what we used for our issue.

Dawn Fama
Contributor
August 1, 2019

Have you tried the free Microsoft SSO add on for Azure proxy with Jira?

https://azuremarketplace.microsoft.com/en-in/marketplace/apps/aad.msjira?tab=Overview

0 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 16, 2018

It sounds like the proxy could be blocking certain rest calls periodically.  But this is difficult to confirm until you look closer at the client's browser console logs when this happens.   You can also try to recreate this problem and then generate a HAR file to see this too.

Basically, I would look for any HTTP error codes that you might see in the console logs when this happens.  Those specific error codes will tell us more about why this happening. 

Stian Bentsen Sveen
Contributor
October 17, 2018

Hi Andrew,

Thanks! I'll start debugging with the console logs. It doesnt happen that often, so i'll just try to provoke it. Thanks for a pointer in the right direction!

Br,

Stian

Suggest an answer

Log in or Sign up to answer
TAGS
atlassian, loom, AI, meeting recording, community

[NEW] Record your meetings with Loom

Welcome to great meetings, with less work. Automatically record, summarize, and share instant recaps of your meetings with Loom AI.

Learn more
AUG Leaders

Atlassian Community Events