Microsoft Web Application Proxy [WAP] is a new service added in Windows Server 2012 R2 that allows you to access web applications from outside your network. WAP functions as a reverse proxy and an Active Directory Federation Services [AD FS] proxy to pre-authenticate user access.
vBoring Blog Series:
- How to setup Microsoft Active Directory Federation Services [AD FS]
- How to setup Microsoft Web Application Proxy
- The only hard requirement of WAP is having an AD FS server. Refer to step 1 for setting that up.
- WAP cannot be installed on a server that AD FS is installed on. They must be separate servers.
Installing the Web Application Proxy Server Role:
Open Server Manager and click Manage -> Add Roles and Features:
Role-based or feature-based installation should be selected then click Next:
Select the server you want to install this role on to and then click Next:
Note: Web Application Proxy role and AD FS cannot be installed on the same computer.
Select Remote Access then click Next:
No additional Features are needed. Click Next:
Select Web Application Proxy:
On the pop up click Add Features:
The Web Application Proxy role does not required a reboot. Click Install:
Once complete click Close:
Web Application Proxy is now installed but you need the AD FS certificate to continue.
Export & Import the AD FS Certificate:
You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:
Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:
When you click OK you will get the following pop up. Select Computer account then click Next:
On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.
On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:
This will bring up the Certificate Import Wizard. Click Next:
Browse to the certificate that you exported from your AD FS server and select it. Click Next:
Enter the password for the private key and check the box to make the key exportable. Click Next:
Leave the default certificate store as Personal. Click Next:
You should now see the certificate from your AD FS servers on your Web Application Proxy server.
Now we are ready to perform the Post Configuration.
Back on your Web Application Server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:
Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:
On the drop down menu select the certificate you imported from your AD FS server. Click Next:
Once finished click Close:
Remote Access Management Console should open when you clicked Close. On Operations Status you should see all the objects as green.
Publish Web Applications:
Now we are finally ready for the magic. In the Remote Access Management Console click Web Application Proxy then Publish:
Pass-through will let WAP act like a reverse proxy. I will have documentation on setting up AD FS link soon!
Select Pass-through and click Next:
Name: Enter a display name
External URL: Enter the URL that will be coming in your the WAP server externally
External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the same certificate that you used while setting up your application. In my case I used my wildcard certificate.
Backend server URL: Enter the web URL of the server you want the external URL forwarded
Copy the PowerShell command down and with some minor edits you can easily add additional PassThrough applications with ease.
Click Close to finish:
You will now see the published web application and ready for testing.
You are ready to test the application!
Configure Firewall for 443 Port Forwarding:
Before you can test you need to ensure you have port 443 (HTTPS) being sent to your WAP server. This step does not involve configuration of your WAP environment but on your firewall. Since this can vary greatly I will give you two examples of this step:
For pfSense you would create a NAT: Port Forward Rule:
For DD-WRT you would go to NAT / QOS then Port Forwarding:
Once added you are ready to test!
From outside your network (like on your phone or a PC elsewhere) try to access your web link. You should get your internal web page through your WAP externally! Success!
Coming Soon!! Setting up Microsoft RDS to use AD FS authentication through WAP!