
Overview: Connect to Applications and Services from Anywhere with Web Application Proxy

Published: June 24, 2013

Updated: August 28, 2013

Applies To: Windows Server 2012 R2



This scenario describes how you can use Web Application Proxy – a new Remote Access role service in Windows Server® 2012 R2 – to provide access to a sample web application that uses claims-based authentication and a sample website that uses Integrated Windows authentication; both websites use Active Directory Federation Services (AD FS) preauthentication. This scenario also uses the following AD FS features:

  • Workplace Join—Joining devices to the workplace connects these devices with Active Directory in your workplace. When you join personal devices to your workplace they become known devices and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.

    This scenario configures the device registration service (DRS) to enable you to join the client device to the workplace.

  • Multifactor authentication—This enables you to require users to provide more than one form of authentication when connecting to published applications and services, for example, a one-time password or a smart card. You can configure Web Application Proxy and AD FS to use multifactor authentication for all authentication requests, or per application. In addition, configuring AD FS to allow access only from registered devices creates seamless two-factor authentication, because the user must provide credentials and the device must be registered.

    This scenario uses certificate authentication to provide the additional factor when authenticating.

  • Multifactor access control—Access control in AD FS is implemented with authorization claim rules that issue permit or deny claims; these claims determine whether a user or a group of users is allowed to access AD FS-secured resources. In AD FS in Windows Server 2012 R2, access control is enhanced with multiple factors, including user, device, location, and authentication data. This is made possible by a greater variety of claim types available for the authorization claim rules.
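The three AD FS features listed above (device registration, an additional authentication factor, and authorization claim rules) are configured from PowerShell on the AD FS server. The following is an added example and not code from the original article: it enables the device registration service, registers certificate authentication as the additional factor, and attaches a device-aware authorization rule and a per-application multifactor rule to one relying party trust. The service account name and the relying party name "ClaimsApp" are assumed values; the claim types and cmdlets are the built-in ones shipped with AD FS in Windows Server 2012 R2.

```powershell
# Added example, not part of the original article. Run on an AD FS server in the farm.
Import-Module ADFS

# --- 1. Workplace Join: enable the device registration service (DRS) ---------------
# Initialize-ADDeviceRegistration is run once per forest and needs Enterprise Admin rights.
# The AD FS service account below is an assumed value.
Initialize-ADDeviceRegistration -ServiceAccountName "CONTOSO\adfssvc"
Enable-AdfsDeviceRegistration

# Let AD FS evaluate the device certificate that Workplace Join installs on the client,
# so that the device context claims used below are populated.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# --- 2. Multifactor authentication: certificate as the additional factor -----------
# CertificateAuthentication is the built-in additional authentication provider.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication

# --- 3. Rules on the relying party trust for the sample claims-based application ---
$rpName = "ClaimsApp"   # assumed: name of the relying party trust for the sample app

# Multifactor access control: a permit claim is issued only when the request carries the
# device context claim that marks the user as signed in from a registered device.
# A request with no matching rule receives no permit claim and is therefore denied.
$authorizationRules = @'
@RuleName = "Permit only users on workplace-joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Per-application multifactor authentication: requests that did not arrive from inside the
# corporate network (that is, requests that came through Web Application Proxy) must also
# satisfy the additional authentication provider configured above.
$additionalAuthRules = @'
@RuleName = "Require the additional factor for extranet requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authorizationRules `
    -AdditionalAuthenticationRules $additionalAuthRules

# --- Verification: read back what AD FS will actually enforce ----------------------
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
"Authorization rules for $($rp.Name):"
$rp.IssuanceAuthorizationRules
"Additional authentication rules for $($rp.Name):"
$rp.AdditionalAuthenticationRules
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

The authorization rule deliberately issues a permit only on a positive match: AD FS denies access to a relying party when no permit claim is issued, so an unregistered device never reaches the application even if the user's password is correct. The per-application rule keys on the insidecorporatenetwork claim, which AD FS sets to false for requests that arrive via Web Application Proxy, so internal users are not prompted for the second factor while external users are.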

Web Application Proxy also provides built-in AD FS proxy capabilities. The following diagram shows the topology used in this scenario for Web Application Proxy to publish Microsoft applications and other line-of-business (LOB) applications.

Web Application Proxy Topology

This scenario demonstrates how to plan and deploy Web Application Proxy in your organization to provide end users located outside the organization with access to applications and services running on servers inside the organization. Web Application Proxy publishing enables end users to access their organization’s applications from their own devices, so that users are not limited to corporate laptops to do their work; they can use their home computer, their tablet, or their smartphone. Web Application Proxy can be used with a standard browser, an Office client, or a rich client that uses OAuth (for example, Windows Store apps). Web Application Proxy serves as a reverse proxy for any application that is published through it, so the end user experience is the same as if the end user’s device connected directly to the application.

This scenario describes the additions and changes that you must make to your AD FS servers to provide the following functionality:

This scenario does not describe using Web Application Proxy as a proxy for AD FS. However, this functionality is enabled by default when you install the Web Application Proxy role service. Any AD FS endpoint that is enabled for proxy publishing is automatically published by Web Application Proxy after completing the Web Application Proxy Configuration Wizard.
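Publishing the two sample sites described in this scenario, and checking which AD FS endpoints the proxy exposes, looks like the following on the Web Application Proxy and AD FS servers. This is an added example, not code from the original article: the hostnames, relying party names, backend SPN, and the certificate thumbprint placeholder are assumed values; the cmdlets and parameters are the ones shipped with the Remote Access and AD FS modules in Windows Server 2012 R2.

```powershell
# Added example, not part of the original article.

# --- On the Web Application Proxy server -------------------------------------------
# The claims-based sample application: AD FS preauthentication at the edge, then the
# claims token is passed to the backend. The relying party name must match the trust
# that carries the application's authorization and additional-authentication rules.
Add-WebApplicationProxyApplication `
    -Name "ClaimsApp" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://claimsapp.contoso.com/" `
    -BackendServerUrl "https://claimsapp.contoso.com/" `
    -ADFSRelyingPartyName "ClaimsApp" `
    -ExternalCertificateThumbprint "<THUMBPRINT-OF-EXTERNAL-CERT>"   # placeholder value

# The Integrated Windows authentication sample site: AD FS still preauthenticates the user,
# and the proxy then obtains a Kerberos ticket for the backend SPN on the user's behalf.
# This requires Kerberos constrained delegation from the proxy's computer account to that
# SPN to have been configured in AD DS beforehand.
Add-WebApplicationProxyApplication `
    -Name "IWAApp" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://iwaapp.contoso.com/" `
    -BackendServerUrl "https://iwaapp.contoso.com/" `
    -ADFSRelyingPartyName "IWAApp" `
    -BackendServerSPN "HTTP/iwaapp.contoso.com" `
    -ExternalCertificateThumbprint "<THUMBPRINT-OF-EXTERNAL-CERT>"   # placeholder value

# Review the published set. Any application whose ExternalPreauthentication is not ADFS
# bypasses the AD FS access control rules entirely, which is worth catching on a proxy
# that is meant to enforce multifactor access control.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName |
    Format-Table -AutoSize

# --- On the AD FS server -------------------------------------------------------------
# Endpoints flagged Proxy = True are the ones Web Application Proxy publishes automatically
# once the Web Application Proxy Configuration Wizard has completed.
Get-AdfsEndpoint | Where-Object { $_.Proxy -eq $true -and $_.Enabled -eq $true } |
    Select-Object AddressPath, Protocol, SecurityMode |
    Format-Table -AutoSize
```

The second listing is the one to review after any endpoint change on the federation service: an endpoint enabled for proxy publishing is reachable from the Internet through Web Application Proxy without any further configuration on the proxy itself, so the set of proxy-enabled endpoints should be kept to what the published applications actually need.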

The following table lists the roles and features that are part of this scenario and describes how they support it.

Role/feature: How it supports this scenario

  • Active Directory Federation Services Overview: AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.

  • Remote Access (DirectAccess, Routing and Remote Access) Overview: Remote Access is the role that contains the Web Application Proxy role service.

  • Active Directory Domain Services Overview: Active Directory® Domain Services is required as a prerequisite before you can deploy AD FS.

  • Web Server (IIS) Overview: The Web Server (IIS) role is used in this scenario to host a sample application that can be published by Web Application Proxy.

© 2014 Microsoft. All rights reserved.