Jira with Azure AD Application Proxy

Jorden Van Bogaert
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 16, 2021

Hi

We're having some issues with a specific setup where we use Azure AD Application Proxy to allow all users to access the Jira site without VPN by first logging into Azure AD.

  1. Users browse to jira.mysite.com
  2. User is prompted to login to Azure AD
  3. User is forwarded to Jira
  4. User can login to Jira or access company "public" data without logging in to Jira itself (they would not be able to access Jira without logging into the proxy, so we have confirmed they are employees).

This all works fine except for some specific cases.

  • Gadgets on dashboards have their titles/configuration to say _MSG_Gadget_... because Jira accesses itself to fill these in
  • REST API calls to Jira (from within Jira via groovy scripts) fail as they use the Base URL which points to jira.mysite.com as they are prompted to login (I think this is the problem)
  • Possibly other issues regarding the system making calls to itself

The Azure Proxy is set up as follows: jira.mysite.com (external URL) directs to the proxy which directs to jira.mysite.internal (Internal URL) which points to the IP of the server. All users should access the Jira via the jira.mysite.com and not use the internal URL.

Is there a way to tell Jira not to go to jira.mysite.com but directly to itself as in the IP address to load gadgets, and all the other cool stuff?

I tried changing the /etc/hosts file on Linux to point jira.mysite.com to the IP address of itself, but that doesn't seem to do anything for the gadgets.

Anyone have experience with this or an idea of how to approach this?

Thanks in advance

3 answers

1 accepted

1 vote
Answer accepted
Jorden Van Bogaert
July 12, 2021

For those interested, we've managed to resolve this problem by using the following setup:

  • We are using a split DNS setup, meaning that the URL is both registered publicly, but from within the local company network, we use a different DNS pointing the URL directly to the server, instead of to the Azure Proxy.
  • E.g.: https://jira.mysite.com on a public network will access public DNS and direct to the Azure proxy. However internally the local DNS will handle the request and point to the server for the same URL.
  • On the Jira server we have an apache proxy handling the incoming requests (of both the azure traffic and the internal network traffic)
  • As Jira is hosted on a server within the local network, it will use the local DNS and be directed directly to its own server --> gadgets work

Generally we still advise our users to use the company VPN for optimal experience. If they don't, they need to take the following into account:

  • Communication breakdown errors can happen when the azure authentication token expires as Jira does not refresh these in the background. If you have pages open for extended periods of time and try to do actions, it will throw an error. A simple refresh is the solution
  • Traffic is slightly slower
  • Confluence specifically --> Atlassian Companion app does not work via the proxy
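
A way to confirm from the Jira server that the split DNS described in this answer is in effect, as an added example that is not part of the original post: it classifies where the base URL host resolves and whether an anonymous self-call was redirected to the Azure AD sign-in. The 10.0.0.0/8 range, the sample addresses and responses, and the assumption that proxy pre-authentication redirects to login.microsoftonline.com are not from the thread.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: the company LAN range; replace with the real internal network(s).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: unauthenticated requests that reach the Application Proxy are
# redirected to this Azure AD sign-in host.
AAD_LOGIN_HOSTS = {"login.microsoftonline.com"}

def resolve(host):
    """Live lookup, to be run on the Jira server itself (not called on import)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})

def resolution_path(addresses, internal_nets=INTERNAL_NETS):
    """Classify the DNS answers the Jira server gets for its own base URL host."""
    if not addresses:
        return "unresolved"
    inside = [any(ipaddress.ip_address(a) in n for n in internal_nets)
              for a in addresses]
    if all(inside):
        return "direct"      # split DNS in effect: self-calls stay on the LAN
    if not any(inside):
        return "via-proxy"   # public answer: self-calls go out to the Azure proxy
    return "mixed"           # both DNS views reach this resolver

def self_call_result(status, location=None):
    """Classify the response to an anonymous request Jira makes to its base URL."""
    if status in (301, 302, 303, 307, 308) and location:
        if urlparse(location).hostname in AAD_LOGIN_HOSTS:
            return "blocked-by-preauth"   # gadget/REST self-call got a login page
        return "redirect"
    return "ok" if 200 <= status < 300 else "error"

def diagnose(addresses, status, location=None):
    path = resolution_path(addresses)
    result = self_call_result(status, location)
    return {"path": path, "self_call": result,
            "healthy": path == "direct" and result == "ok"}

if __name__ == "__main__":
    # Constructed samples, not captured from a real system.
    print(diagnose(["10.20.30.40"], 200))
    print(diagnose(["203.0.113.10"], 302,
                   "https://login.microsoftonline.com/common/oauth2/authorize"))
```

On the Jira server, pass `resolve("jira.mysite.com")` together with the status and `Location` header of an unauthenticated request to the base URL. Because the direct path skips the proxy's sign-in, the same check run from an outside network should report `via-proxy`.
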
afernandes March 6, 2022

Hi Jorden,

Thanks for your answer! I am facing the same problem. 

Can you please provide more details regarding the Apache proxy config?

Thanks in advance, 

Ariana

Jorden Van Bogaert
March 17, 2022

Hi @afernandes 

We used the documentation from Atlassian: https://confluence.atlassian.com/kb/securing-your-atlassian-applications-with-apache-using-ssl-838284349.html

On the Application Proxy you need to provide a PFX file which holds the details of the certificates that apache proxy is working with. This will make sure that both the application proxy and any other direct traffic are all running securely over SSL.

Kind regards
Jorden

0 votes
Chris Kasper February 8, 2023

I'm in the same situation as the others here, I'm actively trying to get this setup but nothing I try or any guide I find from MS or Atlassian seem to work. Hopefully this bumps up and we get some support.

0 votes
David Clarke July 7, 2021

Hey mate - this is literally a nightmare. We have been through it. Contact me on LinkedIn https://au.linkedin.com/in/davidclarke08 and I'll help you.

Jorden Van Bogaert
July 12, 2021

Hi David,

Thanks for the reply. I've sent you an invite on LinkedIn, but in regards to the problem, we've already been able to fix it. (But yes, it was indeed a nightmare :D )

Thanks though! I'll post a comment with our approach below.

Kind regards
Jorden

Shashank Agrawal January 27, 2023

Hi Jorden,

We are planning to set up MSProxy for Jira. Could you please help us with the steps to set it up?
