Export (0) Print
Expand All

Installing and Configuring Web Application Proxy for Publishing Internal Applications

Published: August 26, 2013

Updated: August 26, 2013

Applies To: Windows Server 2012 R2

This scenario describes how you can use Web Application Proxy – a new Remote Access role service in Windows Server® 2012 R2 - to provide reverse proxy functionality for corporate web applications and services. When you use Web Application Proxy with Active Directory Federation Services (AD FS), you can manage the risk of exposing your applications to the Internet by configuring features provided by AD FS, including: Workplace Join, multifactor authentication (MFA), and multifactor access control.

Web Application Proxy also functions as an AD FS proxy.

The following diagram shows the topology used in this scenario for Web Application Proxy to publish Microsoft applications and other line-of-business (LOB) applications.

Web Application Proxy Topology

This scenario demonstrates how to plan and deploy Web Application Proxy in your organization to provide selective access to applications running on servers inside the organization to end users located outside of the organization. The process to make the application available externally is known as publishing. Web Application Proxy publishing enables end users to access their organization’s applications from their own devices, so that users are not limited to corporate laptops to do their work, they can use their home computer, their tablet, or their smartphone. Web Application Proxy serves as a reverse proxy for any application that is published through it and as such, the end user experience is the same as if the end user’s device connects directly to the application.

The following table lists the roles and features that are part of this scenario and describes how they support it.


Role/feature How it supports this scenario

Active Directory Domain Services Overview

Active Directory® Domain Services is required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.

Active Directory Federation Services Overview

AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.

Remote Access (DirectAccess, Routing and Remote Access) Overview

Remote Access is the role containing the Web Application Proxy role service.

Hardware requirements for this scenario include the following:

  • A computer that meets the hardware requirements for Windows Server 2012 R2 running one of the following server editions: Essentials, Standard, or Datacenter.

  • The server must have at least one network adapter installed, enabled, and connected to the internal network either directly, or through a firewall or NAT device. When two adapters are used, there should be one adapter connected to the internal corporate network, and one connected to the external network (Internet, or private network).

Software requirements for this scenario include the following:

  • If the Web Application Proxy server is located behind an edge firewall or NAT device, the device must be configured to allow traffic to and from the Web Application Proxy server.

  • The person deploying Web Application Proxy on the server requires local administrator permissions on the server. In addition, when you connect the Web Application Proxy server to the AD FS server, you require the credentials of the local administrator on the AD FS servers.

  • You must deploy AD FS on a server running Windows Server 2012 R2 in your organization before you can deploy Web Application Proxy.

  • If you want to remotely manage Web Application Proxy servers, you must enable remote PowerShell management on the Web Application Proxy servers. See Running Remote Commands.

The following are known issues when configuring Web Application Proxy:

  • When the token-signing certificate is updated in the Federation Service, the public key of the certificate is not automatically updated on the Web Application Proxy servers. To resolve this issue, you must manually import the new token-signing certificate to the Web Application Proxy servers.

  • When you configure the Device Registration Service on your Federation Service, you can also enable device authentication for all relying parties with the following PowerShell command:

    Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationEnabled $true
    When you publish applications with Web Application Proxy, you can publish more than one application using the same host name. You can also configure each application to authenticate the certificate presented by client devices. To validate client certificates for an application, use the following PowerShell command:

    Set-WebApplicationProxyApplication -id <Published Application ID> -ClientCertificateAuthenticationBindingMode ValidateCertificate
    Because Web Application Proxy uses the HTTP protocol stack (http.sys), this configuration setting must be identical for all applications that use the same host name.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft