We have a similar situation as well.
We do not have a DMZ presence. Our application is internal.
However, with all the mobile accessibility options today, we wanted our users to be able to respond to tickets outside business hours and off network, to update approvals as well as transition issues, without having to log onto the company network via VPN or citgo.
We decided to use Azure as a proxy and configure an Enterprise application.
This works somewhat: users can access the Azure proxy off network and log in with their domain account, then Azure passes them inside to the application, which again prompts for a login, but then we get the gadget errors and marketplace access issues because the Azure proxy URL does not match the base URL.
We don't want a one-way-only option (changing the base URL so everyone has to go through Azure). It doesn't make sense for on-network users to log in outside to get back inside.
We want in-office users to be able to access via the base URL and external users to access via Azure.
I have tried adding the proxy to the server.xml file and even to the Java registry parameters, but this has no impact.
Microsoft recommends a split-brain DNS approach. Then we can configure two IdPs (enterprise apps on Azure).
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-custom-domain
However, we do not want to have to manage external and internal certificates, and we don't want a public DNS.
We need this functionality for both Bitbucket and Confluence.
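For reference, this is what a reverse-proxy-aware Tomcat connector looks like for Confluence. It is an added example, not the poster's server.xml and not copied from Atlassian or Microsoft documentation; the hostname, port numbers and thread settings are assumed placeholders. The point it illustrates is that `proxyName`/`proxyPort`/`scheme` only change the host, port and scheme Tomcat reports for an incoming request (and therefore the redirects it generates). The Confluence base URL is a separate application setting, so a connector entry cannot make two different external hostnames both match one base URL; it only helps once internal and external users arrive under the same hostname, which is what the split-brain DNS approach gives you.

```xml
<!-- Added example (not from the original post): Confluence HTTP connector behind
     an HTTPS-terminating reverse proxy. confluence.example.com is an assumed
     placeholder and should be the same hostname as the Confluence base URL. -->
<Connector port="8090"
           connectionTimeout="20000"
           maxThreads="48"
           minSpareThreads="10"
           enableLookups="false"
           acceptCount="10"
           URIEncoding="UTF-8"
           redirectPort="8443"
           scheme="https"
           secure="true"
           proxyName="confluence.example.com"
           proxyPort="443"/>
```

With split-brain DNS, `confluence.example.com` resolves to the internal server for on-network clients and to the Azure proxy endpoint for external clients, so the base URL, the connector's `proxyName`, and the URL in the user's browser agree in both cases. Check it after any change by comparing the base URL shown in Confluence General Configuration with the host in the browser address bar from both an internal and an external client; a mismatch between the two is exactly the condition that produces the gadget errors described above.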