Microsoft Web Application Proxy [WAP] is a new service added in Windows Server 2012 R2 that allows you to access web applications from outside your network. WAP functions as a reverse proxy and an Active Directory Federation Services [AD FS] proxy to pre-authenticate user access.
vBoring Blog Series:
- How to setup Microsoft Active Directory Federation Services [AD FS]
- How to setup Microsoft Web Application Proxy
Requirements:
- The only hard requirement of WAP is having an AD FS server. Refer to step 1 for setting that up.
- WAP cannot be installed on a server that AD FS is installed on. They must be separate servers.
Installing the Web Application Proxy Server Role:
Open Server Manager and click Manage -> Add Roles and Features:
Click Next:
Role-based or feature-based installation should be selected then click Next:
Select the server you want to install this role on to and then click Next:
Note: Web Application Proxy role and AD FS cannot be installed on the same computer.
Select Remote Access then click Next:
No additional Features are needed. Click Next:
Click Next:
Select Web Application Proxy:
On the pop up click Add Features:
The Web Application Proxy role does not required a reboot. Click Install:
Once complete click Close:
Web Application Proxy is now installed but you need the AD FS certificate to continue.
Export & Import the AD FS Certificate:
You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:
Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:
When you click OK you will get the following pop up. Select Computer account then click Next:
On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.
On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:
This will bring up the Certificate Import Wizard. Click Next:
Browse to the certificate that you exported from your AD FS server and select it. Click Next:
Enter the password for the private key and check the box to make the key exportable. Click Next:
Leave the default certificate store as Personal. Click Next:
Click Finish:
You should now see the certificate from your AD FS servers on your Web Application Proxy server.
Now we are ready to perform the Post Configuration.
Post-Deployment Configuration:
Back on your Web Application Server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:
Click Next:
Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:
On the drop down menu select the certificate you imported from your AD FS server. Click Next:
Click Configure:
Once finished click Close:
Remote Access Management Console should open when you clicked Close. On Operations Status you should see all the objects as green.
Publish Web Applications:
Now we are finally ready for the magic. In the Remote Access Management Console click Web Application Proxy then Publish:
Click Next:
Pass-through will let WAP act like a reverse proxy. I will have documentation on setting up AD FS link soon!
Select Pass-through and click Next:
Name: Enter a display name
External URL: Enter the URL that will be coming in your the WAP server externally
External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the same certificate that you used while setting up your application. In my case I used my wildcard certificate.
Backend server URL: Enter the web URL of the server you want the external URL forwarded
Click Next:
Copy the PowerShell command down and with some minor edits you can easily add additional PassThrough applications with ease.
Click Publish:
Click Close to finish:
You will now see the published web application and ready for testing.
You are ready to test the application!
Configure Firewall for 443 Port Forwarding:
Before you can test you need to ensure you have port 443 (HTTPS) being sent to your WAP server. This step does not involve configuration of your WAP environment but on your firewall. Since this can vary greatly I will give you two examples of this step:
For pfSense you would create a NAT: Port Forward Rule:
For DD-WRT you would go to NAT / QOS then Port Forwarding:
Once added you are ready to test!
From outside your network (like on your phone or a PC elsewhere) try to access your web link. You should get your internal web page through your WAP externally! Success!
Coming Soon!! Setting up Microsoft RDS to use AD FS authentication through WAP!
Great tutorial
Great article! Is WAP a replacement for IIS ARR? Can I host multiple SSL websites using WAP if I have a single public IP?
Hi Bob! WAP is a replacement for Microsoft Forefront Unified Access Gateway [UAG]. You can have multiple websites going through WAP! You just need to import the SSL cert that will be used for the website then publish the URL. It works perfectly if you have a single public IP address! Thanks for reading!!
Thanks Daniel! Your website is awesome! I’ve already setup a few items in my lab using your guides 😉
Thank you for the kind words!!! 😀
Thanks Daniel awesome stuff
I have a couple of question,
1. can you use WAP for publishing exchange and lync ?
2. Can pre-authentication method used used is ADFS pre-auth rather than passthrough ?
it would be appreciated if you have step by step for the above questions.
thank you and keep up the good work.
Hello,
Is reverse proxy supported at all? Struggling to publish my SharePoint portal over WAP using reverse proxy, something that worked great on UAG.
Hi Lambros, Yes WAP serves as reverse proxy.I haven’t setup a SharePoint portal behind it but WAP should work just about anything, especially other MS products. I have used it for VMware Horizon View and Citrix XenDesktop with no issues at all.
Great article, thanks. Have you finished the AD FS article yet? if so, can you provide a pointer to it. that’s the scenario I’m covering.
Helped a lot.
Thanks
I am using iis url rewriting as a reverse proxy for lync and others. Is this a complete replacement?!
Awesome. I’m blessed to have to have found your website! Keep up the good work.
Hi Daniel,
Can we configure WAP for anonymous sites i.e public sites without any authentication ?
Do we need to configure ADFS in this case
You can configure ADFS for Passthrough, then it just functions as a reverse proxy
Hi Daniel,
First of all, thank you for your blog. It really helped us in our deployment.
Can you please confirm that in the firewall we only have to open https pointing to WAP in DMZ? Whatever applications are published in WAP has no bearing to how the firewall is configured. Correct?
We opened 443 from the internet, and 80 to the internal server. Also ports for sccm management, DNS, etc…I suppose you could publish services on nonstandard ports too, which would be super helpful if you limited public IP space.
Thank you. I suppose 443 should be opened from WAP to ADFS, and WAP to the backend Web Server.
(Note: We used a public SSL certificate.)
Totally. It all depends on what you’re going to reverse proxy.
Has anyone successfully publish Citric XenDesktop behind WAP? Please provide the procedures to do so.
Hi Daniel,
I came across your comment on working with WAP for XD and Horizon. For XD are you using WAP to point to AG or to SF directly ( Assuming its AG I am getting the famous 1110 unknown client error ) All ports open internally and AG address externally pointing to WAP.
Any Ideas on how it worked out for you with XenDesktop.
Thanks.
Hi Dan,
I have no ADFS running and planning to replace ISA2004 with WAP. can i configure WAP without ADFS?
Thanks
Great article!! Very straight forward, thank you!
Does the WAP server have to be domain joined? If so, does this mean that if it sits in the DMZ it also will need ports opened for Active Directory?
Hello, yes, WAP server needs to be domain joined, if you plan pre-authentication other than pass-through.
Very Helpful article,
I have few questions. We recently setup ADFS and is directly opened with public IP to internet with some firewall rules and I think is not a good idea.
Scenerio:
Server Name: ADFSServer
SSL Cert : abc.abc.com
Public Ip : 222.222.222.222
internal IP: 10.10.10.10
So abc.abc.com is resolving our ADFS
WAP server
IP: 172.12.12.12
SSL cert from ADFS is imported in WAP
WAP is all setup using above mentioned steps in this article.
Que 1: Should we need to change FW rule to point the public IP (222.222.222.222) to WAP (172.12.12.12) rather ADFS (10.10.10.10)?
Que 2: Our WAP is on external network and able to setup with ADFS with NAT rules. Do we need to join the WAP server to internal domain?
Please advise and thanks in advance.
Should i create any entry on GoDaddy for WAP and ADFS to work properly from outside? For now everything is working internally. Appreciate your help.
You can ignore above Q. I was able to get necessary entry on GoDaddy. All working fine.
Are there any extra CAL’s required for users who want to access resources via WAP/ADFS?
Good post.
I have a question.
Corect me if i’m wrong. ADFS server is joind to a Domain. WAP doeant connect to domain environment.?
What about not routable domain? I put UPN to domain and trusts and thats it?
Can I configure WAP to use Client Certificate authentication (authenticates the client based on the certificate) and back end server to use Windows Authentication?
Import certificate ADFS with Private Key is wrong, It is PKI infrastructure and needs Public Key on WAP.
Great write up, we used it with Server 2019 to setup our ADFS and WAP system. I would like to note that where it ask for an account, that needs to be an account that has admin rights to the ADFS server. If you had ADFS create the Group Managed Service Account (which was used in the ADFS setup), then you need to use a different account to authenticate to the ADFS server. The creds are not saved, just used to authenticate and create the cert. Once created ADFS and WAP will talk using the cert. Here is a forum post that talks about it:
https://social.technet.microsoft.com/Forums/en-US/73fdc035-b6c3-41e4-a6b0-0963b38b9b0a/connecting-wap-to-adfs-cant-use-group-managed-service-account?forum=ADFS