
Configure Web Application Proxy for a hybrid environment

SharePoint 2013
Applies to: SharePoint Server 2013

Topic Last Modified: 2014-05-01

Summary: Learn how to configure Windows Server 2012 R2 with Web Application Proxy (WA-P) as a reverse proxy device in a SharePoint 2013 hybrid environment.

Stage two of a SharePoint hybrid deployment

This article provides guidance for Phase 2 of the SharePoint hybrid environment deployment process, which integrates SharePoint Server 2013 and SharePoint Online.

Phase 2: Configure a reverse proxy device

(Figure: the steps to be completed in this phase.)

This is the second phase in the process to configure a SharePoint hybrid solution. The procedures in these articles must be completed in the order shown:

  1. Configure a hybrid topology for SharePoint Server 2013

  2. Configure a reverse proxy device for SharePoint Server 2013 hybrid (this phase)

  3. Configure identity management for a hybrid topology in SharePoint Server 2013

  4. Configure a hybrid solution for SharePoint Server 2013

For an overview of the whole process, see Plan SharePoint Server 2013 hybrid.

This article describes Web Application Proxy and helps you set it up to use as a reverse proxy for a hybrid SharePoint Server 2013 environment.

When you have completed the procedures in this article, you can continue to Phase 3 of the hybrid deployment process, Configure identity management for a hybrid topology in SharePoint Server 2013.

Accessibility note: SharePoint Server 2013 supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see Accessibility for SharePoint 2013.

Web Application Proxy is a Remote Access service in Windows Server 2012 R2 that publishes web applications that users can interact with from many devices. It also includes proxy functionality for Active Directory Federation Services (AD FS). This helps system administrators provide secure access to an AD FS server. By using Web Application Proxy, system administrators choose how users authenticate themselves to a web application and can determine who is authorized to use one.

In hybrid SharePoint Server 2013 environments in which SharePoint Online requests data from SharePoint Server 2013, you can use Windows Server 2012 R2 with Web Application Proxy as a reverse proxy device to securely relay requests from the Internet to your on-premises SharePoint Server 2013 farm.

Important:
To use Web Application Proxy as a reverse proxy device in a hybrid SharePoint Server 2013 environment, you must also deploy AD FS in Windows Server 2012 R2.

Note:
To install and configure the Web Application Proxy feature, you must be a local administrator on the computer where Windows Server 2012 R2 is installed. The Windows Server 2012 R2 server running the Web Application Proxy feature can be a member of a domain or a workgroup.

For information about installing AD FS in Windows Server 2012 R2, see Active Directory Federation Services Overview.

For information about installing the Web Application Proxy feature in Windows Server 2012 R2, see Install Server Roles and Features on a Server Core Server.

This section describes how to configure the Web Application Proxy feature after it is installed:

  1. Import and install the Secure Channel SSL certificate in the local computer’s Personal certificate store on the Web Application Proxy server. Web Application Proxy matches the thumbprint you supply when publishing the application against this certificate.

  2. Configure Web Application Proxy with a published application that can accept inbound requests from your SharePoint Online tenant.

You must import the Secure Channel SSL certificate into the Personal store of the local computer account and then set permissions on the certificate’s private key to allow the service account of the Web Application Proxy Service (appproxysvc) Full Control.

Note:
The default service account of the Web Application Proxy Service is the local computer Network Service.


The location of the Secure Channel SSL certificate is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.

If the certificate contains a private key, you will need to provide the certificate password, which is recorded in Row 4 (Secure Channel SSL Certificate password) of Table 4b: Secure Channel SSL Certificate.

For information about how to import an SSL certificate, see Import a Certificate.

Note:
The steps in this section can be performed only by using Windows PowerShell.

To configure a published application to accept and relay requests from your SharePoint Online tenant, type the following Windows PowerShell command.

Add-WebApplicationProxyApplication -ExternalPreauthentication ClientCertificate `
    -ExternalUrl <external URL> -BackendServerUrl <bridging URL> `
    -Name <friendly name of the published application> `
    -ExternalCertificateThumbprint <certificate thumbprint> `
    -ClientCertificatePreauthenticationThumbprint <certificate thumbprint> `
    -DisableTranslateUrlInRequestHeaders:$False -DisableTranslateUrlInResponseHeaders:$False

Where:

  • <external URL> is the external URL for the web application. This is the public URL to which SharePoint Online will send inbound requests for SharePoint Server 2013 content and resources.


    The external URL is recorded in Row 3 (External URL) of Table 3: Public Domain Info in the SharePoint Hybrid worksheet.

  • <bridging URL> is the internal URL you configured for the primary web application in your on-premises SharePoint Server 2013 farm. This is the URL to which Web Application Proxy will relay inbound requests from SharePoint Online.


    The bridging URL is recorded in one of the following locations in the SharePoint Hybrid worksheet:

    • If your primary web application is configured with a host-named site collection, use the value in Row 1 (Primary web application URL) of Table 5a: Primary web application (host-named site collection).

    • If your primary web application is configured with a path-based site collection, use the value in Row 1 (Primary web application URL) of Table 5b: Primary web application (path-based site collection without AAM).

    • If your primary web application is configured with a path-based site collection with AAM, use the value in Row 5 (Primary web application URL) of Table 5c: Primary web application (path-based site collection with AAM).

  • <friendly name of the published application> is a name you choose to identify the published application in Web Application Proxy.

  • <certificate thumbprint> is the certificate thumbprint, as a string with no spaces, of the certificate to use for the address specified by the ExternalUrl parameter. This value should be entered twice, once for the ExternalCertificateThumbprint parameter and again for the ClientCertificatePreauthenticationThumbprint parameter.


    This is the thumbprint of the Secure Channel SSL certificate. The location of this certificate file is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.

For additional information about the Add-WebApplicationProxyApplication cmdlet, see Add-WebApplicationProxyApplication.

To validate the published application, use the Get-WebApplicationProxyApplication cmdlet. Type the following Windows PowerShell command.

Get-WebApplicationProxyApplication |fl

The output should resemble the content in the following table.

ADFSRelyingPartyID                           : <populated at run time>
ADFSRelyingPartyName                         : <relying party name>
BackendServerAuthenticationMode              : ADFS
BackendServerAuthenticationSPN               : None
BackendServerCertificateValidation           : None
BackendServerUrl                             : https://<bridging URL>/
ClientCertificateAuthenticationBindingMode   : None
ClientCertificatePreauthenticationThumbprint : <certificate thumbprint>
DisableTranslateUrlInRequestHeaders          : False
DisableTranslateUrlInResponseHeaders         : False
ExternalCertificateThumbprint                : <certificate thumbprint>
ExternalPreauthentication                    : PassThrough
ExternalUrl                                  : https://<external URL>/
ID                                           : 91CFE805-44FB-A8A6-41E9-6197448BEA72
InactiveTransactionsTimeoutSec               : 300
Name                                         : <friendly name of the published application>
UseOAuthAuthentication                       : False
PSComputerName                               :
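The certificate import, private-key permission, publishing and validation steps above, gathered into one added PowerShell script that is not part of the original article. The PFX path, URLs and application name are placeholders for the worksheet values, and the private-key path assumes an RSA (CSP) key, as noted in the comments.

```powershell
# Added example (not from the original article). Run as a local administrator
# on the Web Application Proxy server. Placeholder values are marked below.
$PfxPath           = 'C:\certs\secure-channel.pfx'          # placeholder: Table 4b, Row 1
$PfxPassword       = Read-Host 'PFX password' -AsSecureString # Table 4b, Row 4; not stored in the script
$ExternalUrl       = 'https://sharepoint.contoso.com/'        # placeholder: Table 3, Row 3
$BridgingUrl       = 'https://sharepoint.corp.contoso.com/'   # placeholder: Table 5a/5b/5c
$AppName           = 'SharePoint Hybrid'                      # friendly name of the published application
$WapServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'           # default appproxysvc account (see note above)

# 1. Import the Secure Channel SSL certificate into the local computer's Personal store.
$cert  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
             -Password $PfxPassword
$thumb = $cert.Thumbprint   # hex string with no spaces, as the cmdlet requires
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; export it again with the key." }

# 2. Grant the Web Application Proxy service account Full Control on the private key file.
#    Assumption: the key is an RSA (CSP) key stored under MachineKeys; CNG keys live under
#    ...\Microsoft\Crypto\Keys and need a different path.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($WapServiceAccount, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Publish the application with client-certificate preauthentication, using the same
#    thumbprint for the external binding and for preauthentication, as the article describes.
Add-WebApplicationProxyApplication -ExternalPreauthentication ClientCertificate `
    -ExternalUrl $ExternalUrl -BackendServerUrl $BridgingUrl -Name $AppName `
    -ExternalCertificateThumbprint $thumb -ClientCertificatePreauthenticationThumbprint $thumb `
    -DisableTranslateUrlInRequestHeaders:$false -DisableTranslateUrlInResponseHeaders:$false

# 4. Validate: read the published application back and compare the fields that matter
#    against the values supplied, instead of eyeballing the Format-List output.
$app = Get-WebApplicationProxyApplication -Name $AppName
$checks = @(
    @{ Field = 'ExternalUrl';                                 Expected = $ExternalUrl },
    @{ Field = 'BackendServerUrl';                            Expected = $BridgingUrl },
    @{ Field = 'ExternalCertificateThumbprint';               Expected = $thumb },
    @{ Field = 'ClientCertificatePreauthenticationThumbprint'; Expected = $thumb }
)
foreach ($check in $checks) {
    $actual = $app.($check.Field)
    if ($actual -ne $check.Expected) {
        Write-Warning "$($check.Field) is '$actual', expected '$($check.Expected)'"
    } else {
        Write-Host "OK  $($check.Field) = $actual"
    }
}
```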

Web Application Proxy logs events and errors to the Application and Remote Access Windows Server event logs. Logging plays an important role in troubleshooting issues with connectivity and authentication between SharePoint Server 2013 and SharePoint Online. Identifying the component that is causing a connection failure can be challenging, and reverse proxy logs are the first place you should look for clues. Troubleshooting can involve comparing log events from Web Application Proxy event logs, SharePoint Server 2013 ULS logs, Windows Server event logs, and Internet Information Services (IIS) logs on multiple servers.

For more information on troubleshooting techniques and tools for SharePoint Server 2013 hybrid environments, see Troubleshooting hybrid environments.

© 2014 Microsoft