
Microsoft Web Application Proxy was introduced in Windows Server 2012 R2. It allows you to access web applications from outside your network and it acts as a reverse proxy and an Active Directory Federation Services proxy to pre-authenticate user access.
This guide walks you through the steps to install and configure the Web Application Proxy role on Windows Server 2016.
Web Application Proxy New Features
- Preauthentication for HTTP Basic application publishing
  - HTTP Basic is the authorization protocol used by many protocols, including ActiveSync, to connect rich clients, including smartphones, with your Exchange mailbox. Web Application Proxy traditionally interacts with AD FS using redirections which is not supported on ActiveSync clients. This new version of Web Application Proxy provides support to publish an app using HTTP basic by enabling the HTTP app to receive a non-claims relying party trust for the application to the Federation Service.
- Wildcard domain publishing of applications
  - To support scenarios such as SharePoint 2013, the external URL for the application can now include a wildcard to enable you to publish multiple applications from within a specific domain, for example, https://*.sp-apps.contoso.com. This will simplify publishing of SharePoint apps.
- HTTP to HTTPS redirection
  - In order to make sure your users can access your app, even if they neglect to type HTTPS in the URL, Web Application Proxy now supports HTTP to HTTPS redirection.
- HTTP Publishing
  - It is now possible to publish HTTP applications using pass-through preauthentication.
- Publishing of Remote Desktop Gateway apps
- New debug log for better troubleshooting and improved service log for complete audit trail and improved error handling
- Administrator Console UI improvements
- Propagation of client IP address to backend applications
The following diagram explains the architectural layout of Web Application Proxy.

Prerequisites
Web Application Proxy and Active Directory Federation Services cannot be deployed on the same server. You need an additional server to set up Web Application Proxy. We assume that the following services are already installed and configured accordingly.
Installing the Web Application Proxy Server Role
To begin, open Server Manager, click Manage, then click Add Roles and Features

Click Next:

Select Role-based or feature-based installation, click Next:

Select the server you want to install this role on to and then click Next:

Select Remote Access then click Next:

No additional Features are needed. Click Next:

Click Next:

Select Web Application Proxy:

On the pop up click Add Features

The Web Application Proxy role does not require a reboot. Click Install

Once complete click Close

Web Application Proxy is now installed, but you need the certificate from your AD FS server added to your Web Application Proxy server before you can continue. Log in to your AD FS server and open MMC.exe:

Go to File > Add/Remove Snap-ins > select Certificates then click Add:

When you click OK you will get the following pop up. Select Computer account then click Next:

On AD FS Server: Scroll down to Personal > Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks > Export. Save to a location that your Web Application Proxy can access. Make sure you export the private key together with the certificate as a .pfx file. Because the .pfx contains the private key, protect it with a strong password and delete it from that location once it has been imported.

On Web Application Proxy: Right click on Personal > Certificates then go to All Tasks > Import:

This will bring up the Certificate Import Wizard. Click Next

Browse to the certificate that you exported from your AD FS server and select it. Click Next

Enter the password for the private key and check the box to make the key exportable. Click Next

Leave the default certificate store as Personal. Click Next

Click Finish

You should now see the certificate from your AD FS servers on your Web Application Proxy server

Now you are ready to start the Post Configuration settings.
Back on your Web Application Proxy server, open Server Manager, click Notifications, then click the message Open the Web Application Proxy Wizard:

Click Next:

Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:

On the drop down menu select the certificate you imported from your AD FS server. Click Next

Click Configure

Once finished click Close

The Remote Access Management Console should open when you click Close. Under Operations Status you should see all the objects shown as green
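The role installation, certificate import and post-configuration steps above can also be scripted. The following is an added example, not a script from the original article; the .pfx path and federation service name are hypothetical placeholders. Unlike the wizard step above, it imports the private key as non-exportable, which is sufficient for Web Application Proxy to use the certificate.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Assumed values (not from the article): replace with your own.
$pfxPath        = '\\fileserver\share\adfs-ssl.pfx'   # hypothetical export location
$federationName = 'adfs.example.com'                  # hypothetical AD FS service FQDN

# 1. Install the Web Application Proxy role service (no reboot required).
$result = Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
if (-not $result.Success) { throw 'Web Application Proxy role installation failed.' }

# 2. Import the AD FS SSL certificate into the computer's Personal store.
#    -Exportable is deliberately omitted so the key cannot be exported again
#    from this edge server.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPassword |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

# Fail early on the two most common causes of a broken proxy trust.
if (-not $cert) { throw 'No certificate with a private key was found in the PFX.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Post-deployment configuration: establish the trust with AD FS.
#    Enter the same account you would give the wizard.
$trustCredential = Get-Credential -Message 'Account used to establish the AD FS proxy trust'
Install-WebApplicationProxy -FederationServiceName $federationName `
    -FederationServiceTrustCredential $trustCredential `
    -CertificateThumbprint $cert.Thumbprint

# 4. Verify the result (the scripted counterpart of the green Operations Status).
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyHealth
```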

Finally, it's time to publish apps. In the Remote Access Management Console click Web Application Proxy then Publish

Click Next:

Here you have two options, AD FS and Pass-through. If you have already set up AD FS in your environment, go with the first option; otherwise the second is my choice, since at the moment I don't have AD FS.
Pass-through lets WAP act as a plain reverse proxy: it does not preauthenticate users, so every request is forwarded to the backend server, which has to handle authentication itself.
Select Pass-through and click Next

Name: Enter a display name
External URL: Enter the URL that external clients will use to reach the WAP server
External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the same certificate that you used while setting up your application. In my case I used my wildcard certificate.
Backend server URL: Enter the web URL of the server you want the external URL forwarded to
Click Next:

Copy the PowerShell command shown on this page; with some minor edits you can use it to add additional pass-through applications.
Click Publish:

Click Close to finish:

Here you can see the published web application is ready for testing.
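Publishing several pass-through applications from PowerShell, as the confirmation page suggests, might look like the following. This is an added example rather than the command generated by the wizard; the application names, URLs and the certificate thumbprint are constructed placeholders.

```powershell
# Added example: publish several pass-through applications in one run.
# All values below are constructed placeholders, not taken from the article.
$thumbprint = '<THUMBPRINT-OF-EXTERNAL-CERTIFICATE>'
$apps = @(
    @{ Name = 'RDS';    ExternalUrl = 'https://rds.example.com/';    BackendServerUrl = 'https://rds.example.com/' },
    @{ Name = 'Intranet'; ExternalUrl = 'https://intranet.example.com/'; BackendServerUrl = 'https://intranet.example.com/' }
)

# Check the external certificate before publishing anything: it must be in
# the computer's Personal store, have a private key, and still be valid.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'External certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "External certificate expired on $($cert.NotAfter)." }

$published = @(Get-WebApplicationProxyApplication)

foreach ($app in $apps) {
    # Skip anything already published under the same external URL.
    if ($published | Where-Object { $_.ExternalUrl -eq $app.ExternalUrl }) {
        Write-Warning "$($app.ExternalUrl) is already published, skipping."
        continue
    }

    # PassThrough means WAP performs no preauthentication; the backend
    # application is responsible for authenticating every request.
    Add-WebApplicationProxyApplication -Name $app.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $app.ExternalUrl `
        -ExternalCertificateThumbprint $thumbprint `
        -BackendServerUrl $app.BackendServerUrl
}

# Review what is exposed externally and how each app is preauthenticated.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

The final table is worth keeping as a periodic check: every row marked PassThrough is an application reachable from the internet with no authentication at the proxy.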

Before you test your published app, ask your network administrator to forward port 443 on the firewall to the WAP server so that web applications can be reached from the external network.
Once that is done, from an external network (for example, on your smartphone or a PC at home), try to access your web link, such as https://rds.techsupportpk.com, and the following page will show up.

You have successfully deployed Web Application Proxy in your environment.
Loving your article...it was very useful
Lovely article, so much details. Thank you.
Anyone know where these "New debug log for better troubleshooting and improved service log for complete audit trail and improved error handling" are located?
Very Nice Article. Enjoyed reading It, really explains everything in detail, the article is very interesting and effective. Your post is very useful. The sites you have referred was good. Thanks for sharing.