How to setup Microsoft Web Application Proxy

Microsoft Web Application Proxy [WAP] is a new service added in Windows Server 2012 R2 that lets you publish web applications on your internal network to users outside it. WAP functions as a reverse proxy and as an Active Directory Federation Services [AD FS] proxy, so it can pre-authenticate users against AD FS before a request ever reaches the backend server.

Web Application Proxy Overview

vBoring Blog Series:

  1. How to setup Microsoft Active Directory Federation Services [AD FS]
  2. How to setup Microsoft Web Application Proxy

Requirements:

  • The only hard requirement of WAP is an existing AD FS server. Refer to step 1 for setting that up.
  • WAP cannot be installed on the server that AD FS is installed on. They must be separate servers; the usual placement is WAP in a DMZ with only TCP 443 opened to it from the internet.
  • The WAP server does not have to be domain joined unless you publish applications that use Kerberos constrained delegation (Integrated Windows authentication on the backend). It does need to resolve the federation service name (for example adfs.yourdomain.com) to the internal AD FS server and reach it on 443; in a DMZ without internal DNS a hosts-file entry on the WAP server is the usual fix.

Installing the Web Application Proxy Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

Microsoft Web Application Proxy 1 - Add Roles and Features

Click Next:

Microsoft Web Application Proxy 2 - Before you Begin

Role-based or feature-based installation should be selected then click Next:

Microsoft Web Application Proxy 3 - Installation Type

Select the server you want to install this role on to and then click Next:

Note: Web Application Proxy role and AD FS cannot be installed on the same computer.

Microsoft Web Application Proxy 4 - Server Selection

Select Remote Access then click Next:

Microsoft Web Application Proxy 5 - Server Roles

No additional Features are needed. Click Next:

Microsoft Web Application Proxy 6 - Features

Click Next:

Microsoft Web Application Proxy 7 - Remote Access

Select Web Application Proxy:

Microsoft Web Application Proxy 8-1 - Role Services

On the pop up click Add Features:

Microsoft Web Application Proxy 8-2 - Role Services Additional Services

The Web Application Proxy role does not require a reboot. Click Install:

Microsoft Web Application Proxy 9 - Confirmation

Once complete click Close:

Microsoft Web Application Proxy 10 - Results

Web Application Proxy is now installed but you need the AD FS certificate to continue.

Export & Import the AD FS Certificate:

You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:

WAP Import Certificate 1 - Open MMC

Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:

WAP Import Certificate 2 - Add Certificate Snapin

When you click OK you will get the following pop up. Select Computer account then click Next:

WAP Import Certificate 3 - Use Computer Account

On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS (the service communications certificate). Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the private key and certificate as a .PFX file, including the certificates in the chain, and protect it with a strong password: the file contains the private key for your federation service, so keep it off shared drives and delete it once the import is done.

WAP Import Certificate 6-1 - Export Certificate

On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:

WAP Import Certificate 4 - Import Certificate

This will bring up the Certificate Import Wizard. Click Next:

WAP Import Certificate 5 - Welcome to Certificate Import Wizard

Browse to the certificate that you exported from your AD FS server and select it. Click Next:

WAP Import Certificate 6 - File to Import

Enter the password for the private key. The wizard also offers a box to mark the key as exportable; WAP does not need this to serve the certificate, and leaving it unchecked means the private key cannot later be exported again from the DMZ host. Click Next:

WAP Import Certificate 7 - Private Key Protection

Leave the default certificate store as Personal. Click Next:

WAP Import Certificate 8 - Certificate Store

Click Finish:

WAP Import Certificate 9 - Complete

You should now see the certificate from your AD FS servers on your Web Application Proxy server.

WAP Import Certificate 10 - Certificate Imported
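The same export and import done from PowerShell, as an added example that is not part of the original post. It assumes the certificate AD FS serves on 443 is the one WAP needs, that \\fileserver\transfer is a share only the two hosts can reach, and that the PFX password is typed interactively rather than stored in the script. The first part runs on the AD FS server, the second on the WAP server.

```powershell
# Added example (not from the original post). Assumed: share \\fileserver\transfer,
# federation service name adfs.example.com, PFX password entered interactively.

# ---- Part 1: on the AD FS server ----
Import-Module ADFS
# Ask AD FS which certificate it is actually using for TLS (Service Communications)
$thumb = (Get-AdfsCertificate -CertificateType Service-Communications |
    Select-Object -First 1).Thumbprint
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) { throw "Private key for $thumb is not in the machine store" }

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# BuildChain includes the intermediate CA certificates so WAP can serve a complete chain
Export-PfxCertificate -Cert $cert -FilePath '\\fileserver\transfer\adfs-svc.pfx' `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# ---- Part 2: on the Web Application Proxy server ----
$pfxPath = 'C:\Temp\adfs-svc.pfx'          # copied down from the share
$fsName  = 'adfs.example.com'              # assumed federation service name
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# No -Exportable switch: WAP does not need to re-export the key, so it stays
# non-exportable on the DMZ host.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Validate chain and host name the way a TLS client would; fails if an
# intermediate CA is missing from the PFX or the name does not match.
if (-not (Test-Certificate -Cert $imported -Policy SSL -DNSName $fsName)) {
    throw "Certificate chain or host name check for $fsName failed on the WAP host"
}
"Imported $($imported.Thumbprint); private key present: $($imported.HasPrivateKey)"

# Do not leave a file containing the federation service's private key on the DMZ host
Remove-Item $pfxPath -Force
```

Test-Certificate with -Policy SSL is the quickest way to catch the usual problem (a missing intermediate), which otherwise only shows up as chain errors on external clients.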

Now we are ready to perform the Post Configuration.

Post-Deployment Configuration:

Back on your Web Application Proxy server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:

WAP Configuration 11 - Post-Deployment Configuration

Click Next:

WAP Configuration 12 - Welcome

Enter the FQDN of your federation service (the AD FS name you chose during AD FS setup) and the credentials of an account that is a local administrator on the AD FS server. These credentials are used once to establish the proxy trust and are not stored on the WAP server; the AD FS service account itself (especially a group Managed Service Account, which has no password you can type) is not what is being asked for here. Click Next:

WAP Configuration 13 - Federation Server

On the drop down menu select the certificate you imported from your AD FS server. Click Next:

WAP Configuration 14 - AD FS Proxy Certificate

Click Configure:

WAP Configuration 15 - Confirmation

Once finished click Close:

WAP Configuration 16 - Results

The Remote Access Management Console should open when you click Close. On Operations Status you should see all the objects as green.

WAP Configuration 17 - Operations Status
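The post-deployment wizard as PowerShell, added here as an example that is not part of the original post. It assumes the federation service name adfs.example.com, that the certificate imported in the previous section is in the machine Personal store, and that the account prompted for is a local administrator on the AD FS server. It also checks the one thing the wizard does not tell you clearly when it fails: whether the federation service name resolves from the WAP host at all.

```powershell
# Added example (not from the original post). Assumed: federation service name,
# certificate already in Cert:\LocalMachine\My, credentials typed interactively.
Import-Module WebApplicationProxy

$fsName = 'adfs.example.com'

# A WAP box in a DMZ often has no internal DNS. The federation service name must
# resolve here to the internal AD FS server (hosts-file entry if needed), not to WAP.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fsName) |
        ForEach-Object { $_.IPAddressToString }
} catch {
    throw "$fsName does not resolve from this host; add a hosts entry or DNS record first"
}
"$fsName resolves to $($resolved -join ', ')"

# Pick the imported certificate: has a private key and covers the federation name
# (by CN or subject alternative name, wildcard entries included).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        (@($_.Subject -replace '^CN=([^,]+).*$', '$1') + @($_.DnsNameList.Unicode) |
            Where-Object { $fsName -like $_ })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }

# Local administrator on the AD FS server; used once to create the proxy trust
$cred = Get-Credential -Message "Local administrator on the AD FS server ($fsName)"

Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $cert.Thumbprint

# Same data the Operations Status pane shows: every component should report OK
Get-WebApplicationProxyHealth
Get-WebApplicationProxyConfiguration
```

If Install-WebApplicationProxy fails with a trust error, check the time skew between the two hosts and that 443 from the WAP server to the AD FS server is open before suspecting the credentials.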

Publish Web Applications:

Now we are finally ready for the magic. In the Remote Access Management Console click Web Application Proxy then Publish:

WAP Publish 1 - Publish

Click Next:

WAP Publish 2 - Welcome

Pass-through will let WAP act like a plain reverse proxy: WAP terminates TLS and forwards the request to the backend without authenticating the user, so whatever you publish this way must enforce its own authentication, because it is now reachable from the internet. I will have documentation on setting up AD FS pre-authentication soon!

Select Pass-through and click Next:

WAP Publish 3 - Preauthentication

Name: Enter a display name

External URL: Enter the URL that external users will use; this is what arrives at your WAP server from outside

External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the certificate that matches the external URL's host name. In my case I used my wildcard certificate.

Backend server URL: Enter the internal URL of the server you want the external URL forwarded to

Click Next:

WAP Publish 4 - Publishing Settings

Copy the PowerShell command shown on the confirmation page; with minor edits to the name and URLs you can publish additional pass-through applications from PowerShell without going through the wizard each time.

Click Publish:

WAP Publish 5 - Confirmation

Click Close to finish:

WAP Publish 6 - Results

You will now see the published web application, ready for testing.

WAP Publish 7 - Web Address Published

You are ready to test the application!
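Publishing several pass-through applications from PowerShell, as an added example rather than the saved wizard command from the post. The application names and URLs are constructed for illustration; the wildcard certificate is the one the post mentions, matched here by its subject. The loop skips anything already published, so it can be re-run safely.

```powershell
# Added example (not from the original post). Assumed: wildcard cert *.example.com
# with private key in LocalMachine\My; app names and URLs are constructed.
Import-Module WebApplicationProxy

$wildcard = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like 'CN=*.example.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $wildcard) { throw 'Wildcard certificate with private key not found in LocalMachine\My' }

# Constructed list. Using the same host name inside and outside avoids WAP having
# to rewrite the Host header and keeps absolute links from the backend working.
$apps = @(
    @{ Name = 'Wiki';    ExternalUrl = 'https://wiki.example.com/';    BackendServerUrl = 'https://wiki.example.com/' }
    @{ Name = 'Tickets'; ExternalUrl = 'https://tickets.example.com/'; BackendServerUrl = 'https://tickets.corp.local/' }
)

foreach ($app in $apps) {
    if (Get-WebApplicationProxyApplication | Where-Object Name -eq $app.Name) {
        "Skipping $($app.Name): already published"
        continue
    }
    # PassThrough means WAP performs no authentication. Only TLS terminates on WAP;
    # the backend must enforce its own login, so never publish something that
    # assumed it was reachable only from the LAN.
    Add-WebApplicationProxyApplication -Name $app.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $app.ExternalUrl `
        -BackendServerUrl $app.BackendServerUrl `
        -ExternalCertificateThumbprint $wildcard.Thumbprint
    "Published $($app.Name) -> $($app.BackendServerUrl)"
}

# What WAP now exposes; review this list the way you would review firewall rules
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

Remove-WebApplicationProxyApplication -Name takes an entry back out; the external certificate thumbprint is per application, so a renewed wildcard certificate has to be pushed to every published entry with Set-WebApplicationProxyApplication.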

Configure Firewall for 443 Port Forwarding:

Before you can test you need to ensure that inbound port 443 (HTTPS) from the internet is forwarded to your WAP server. Nothing else needs to be opened inbound, regardless of how many applications you publish; from the WAP server outbound you need 443 to the AD FS server and whatever port each backend listens on. This step is not WAP configuration but firewall configuration, and since firewalls vary greatly I will give you two examples of this step:

For pfSense you would create a NAT: Port Forward Rule:

WAP - pfSense NAT Example

For DD-WRT you would go to NAT / QOS then Port Forwarding:

WAP - DDWRT Port Forwarding Example

Once added you are ready to test!

From outside your network (like on your phone or a PC elsewhere) try to access your web link. You should get your internal web page through your WAP externally! Success!

WAP - Confirmation
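An outside-in check that goes a step further than loading the page in a browser, added here as an example that is not part of the original post. Run it from a machine that is not on the internal network. It assumes the published host wiki.example.com and the thumbprint of the certificate you selected as External Certificate; it confirms the port-forward works, that WAP (not some default or self-signed certificate) answered for that name, and that a client would trust the chain.

```powershell
# Added example (not from the original post). Assumed host name and thumbprint.
function Test-PublishedApp {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    # 1. Is 443 actually forwarded? Plain TCP, before any TLS.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, 443) }
    catch { throw "TCP 443 to $HostName failed: check the port-forward/NAT rule" }

    # 2. Complete a TLS handshake with SNI = $HostName (WAP uses SNI to pick the
    #    certificate) and capture what was presented. The callback accepts
    #    everything so we can inspect the certificate ourselves below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)
    $protocol = $ssl.SslProtocol
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    # 3. Chain validation against this client's trust store, as a browser would do it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($served)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 4. Name match, wildcard SANs included ('wiki.example.com' -like '*.example.com')
    $names = @($served.DnsNameList.Unicode)
    $nameOk = [bool]($names | Where-Object { $HostName -like $_ })

    [pscustomobject]@{
        Host         = $HostName
        Protocol     = $protocol
        Subject      = $served.Subject
        NotAfter     = $served.NotAfter
        ThumbprintOK = ($served.Thumbprint -eq $expected)  # the cert you published, not a default one
        NameOK       = $nameOk
        ChainOK      = $chainOk
        ChainStatus  = if ($chainOk) { 'OK' } else { $chainStatus }
    }
}

Test-PublishedApp -HostName 'wiki.example.com' -ExpectedThumbprint 'PASTE-THUMBPRINT-FROM-WAP'
```

ThumbprintOK false with ChainOK true usually means the request hit a different listener (another device on the same public IP, or the wrong External Certificate chosen in the publish wizard); ChainOK false with a good thumbprint almost always means an intermediate CA certificate was not in the PFX you imported.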

Coming Soon!! Setting up Microsoft RDS to use AD FS authentication through WAP!

 

33 thoughts on “How to setup Microsoft Web Application Proxy”

    • Hi Bob! WAP is a replacement for Microsoft Forefront Unified Access Gateway [UAG]. You can have multiple websites going through WAP! You just need to import the SSL cert that will be used for the website then publish the URL. It works perfectly if you have a single public IP address! Thanks for reading!!

  1. Thanks Daniel, awesome stuff
    I have a couple of questions,
    1. Can you use WAP for publishing Exchange and Lync?
    2. Can the pre-authentication method used be ADFS pre-auth rather than passthrough?

    it would be appreciated if you have step by step for the above questions.

    thank you and keep up the good work.

    • Hi Lambros, yes, WAP serves as a reverse proxy. I haven’t set up a SharePoint portal behind it but WAP should work with just about anything, especially other MS products. I have used it for VMware Horizon View and Citrix XenDesktop with no issues at all.

  2. Hi Daniel,
    Can we configure WAP for anonymous sites, i.e. public sites without any authentication?
    Do we need to configure ADFS in this case?

  3. Hi Daniel,

    First of all, thank you for your blog. It really helped us in our deployment.

    Can you please confirm that in the firewall we only have to open https pointing to WAP in DMZ? Whatever applications are published in WAP has no bearing to how the firewall is configured. Correct?

  4. Hi Daniel,

    I came across your comment on working with WAP for XD and Horizon. For XD are you using WAP to point to AG or to SF directly? (Assuming it's AG, I am getting the famous 1110 unknown client error.) All ports open internally and AG address externally pointing to WAP.

    Any Ideas on how it worked out for you with XenDesktop.

    Thanks.

  5. Does the WAP server have to be domain joined? If so, does this mean that if it sits in the DMZ it also will need ports opened for Active Directory?

  6. Very Helpful article,

    I have a few questions. We recently set up ADFS and it is directly opened with a public IP to the internet with some firewall rules, and I think this is not a good idea.

    Scenario:
    Server Name: ADFSServer
    SSL Cert : abc.abc.com
    Public Ip : 222.222.222.222
    internal IP: 10.10.10.10
    So abc.abc.com is resolving our ADFS

    WAP server
    IP: 172.12.12.12
    SSL cert from ADFS is imported in WAP
    WAP is all setup using above mentioned steps in this article.

    Q1: Should we change the FW rule to point the public IP (222.222.222.222) to WAP (172.12.12.12) rather than ADFS (10.10.10.10)?
    Q2: Our WAP is on the external network and was able to be set up with ADFS using NAT rules. Do we need to join the WAP server to the internal domain?

    Please advise and thanks in advance.

  7. Good post.
    I have a question.
    Correct me if I’m wrong. The ADFS server is joined to a domain. WAP doesn’t connect to the domain environment?
    What about a non-routable domain? I put the UPN on the domain and trusts and that's it?

  8. Can I configure WAP to use Client Certificate authentication (authenticates the client based on the certificate) and back end server to use Windows Authentication?

  9. Great write up, we used it with Server 2019 to set up our ADFS and WAP system. I would like to note that where it asks for an account, that needs to be an account that has admin rights on the ADFS server. If you had ADFS create the Group Managed Service Account (which was used in the ADFS setup), then you need to use a different account to authenticate to the ADFS server. The creds are not saved, just used to authenticate and create the cert. Once created, ADFS and WAP will talk using the cert. Here is a forum post that talks about it:

    https://social.technet.microsoft.com/Forums/en-US/73fdc035-b6c3-41e4-a6b0-0963b38b9b0a/connecting-wap-to-adfs-cant-use-group-managed-service-account?forum=ADFS

