Pritunl VPN behind Azure App Proxy

Hey guys, i have a running pritunl vpn server in my company in our internal network currently configured with a nat. The Webserver part of pritunl is only accessible from within the network for security reasons. Though once conencted to it and after settting up their vpn profile, they can normally connect to the vpn.

Now we are migrating all of our internal services to “Azure App Proxy” which is basically a proxy provided by microsoft azure to give external access to internal resources. The catch is, that one can configure things like pre-authentication through entra id (formerly azure ad) and we would like to use that for pritunl aswell.

So my question here is, is this possible for pritunl? I have found this in the documentation but i am unsure if this is what would do the trick Security ?
How would i need to configure this then?

Azure App Proxy is quite simple to configure, i just need to provide an external url and an internal url and the proxy is basically doing the rest. You can configure separate subdomains and even subfolders with different settings if this helps. So for the webui i could configure .com or .com/web with pre-authentication and leave .com or .com/vpn without pre-auth through the azure app proxy.

Hopefully someone can help me figure out, how i can get this. I guess also a problem is the internal nat that is being done?

The design of the client won’t work with that system. If you don’t plan on using any of the features that require the client to communicate with the Pritunl web server access to the web server isn’t required. Features that require the client to access the web server include single sign-on connection authentication (this does not include single sign-on without connection authentication), dynamic firewall, configuration sync, WireGuard and importing profiles with the URI. Profiles can still be imported by clicking show more on the profile page and downloading the profile archive to import into Pritunl.

There is little benefit from adding additional authentication to the web server. The web server is already well hardened. When running on a RHEL distribution the web process has included SELinux profiles to restrict the process. The command sudo pritunl set app.web_systemd true will also run the web server in a separate systemd service with the systemd isolation options. The high security environment documentation has more information.

The OpenVPN process is a significantly higher risk than the web server and this risk can be almost fully removed by keeping the web server open and using the dynamic firewall to keep the OpenVPN port closed. This will keep the port to the OpenVPN process closed until the client validates their IP address with an authentication request to the web server.