Configure the Web Application Proxy Infrastructure
Updated: August 26, 2013
Applies To: Windows Server 2012 R2
This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.
This topic describes how to configure the infrastructure required for an Web Application Proxy deployment. Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan the Web Application Proxy Infrastructure [WAP].
Configure the server network settings on the Web Application Proxy server.
Configure additional firewalls, if required.
Configure DNS settings for the Web Application Proxy deployment.
Join the Web Application Proxy server to the Active Directory domain, if required.
Configure Active Directory Federation Services (AD FS) servers for authentication and authorization.
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.
Network interface settings on the Web Application Proxy server are configured by using Change adapter settings in the Windows Networking and Sharing Center. Specific IP address requirements depend on the topology and any other organizational requirements.
When the Web Application Proxy is separated from client devices or from the internal network by a firewall, you must configure the firewalls to allow traffic for the protocol and port number used by the published web applications. You must also configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server.
Configure the backend firewall to enable connectivity to backend servers, including:
A rule to allow connectivity to the AD FS on port 443
Open the port on which you are running your apps
Connectivity to Active Directory
For more information on backend server configuration, see Active Directory and Active Directory Domain Services Port Requirements.
Configure DNS servers internally and externally as required by your published web applications.
Web Application Proxy requires internal name resolution to resolve the names of backend servers, and infrastructure servers such as the AD FS servers.
When publishing web applications via Web Application Proxy, every web application you publish requires an external URL. For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.
If your deployment uses Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain. For information about domain and forest trusts when deploying Web Application Proxy, see 1.4. Plan Active Directory.
To join the Web Application Proxy server to a domain
In Server Manager, click Local Server. In the details pane, click the link next to Computer name.
On the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.
In Computer Name, type the name of the computer if you are also changing the computer name when joining the server to the domain. Under Member of, click Domain, and then type the name of the domain to which you want to join the server; for example, corp.contoso.com, and then click OK.
When you are prompted for a user name and password, enter the user name and password of a user with rights to join computers to the domain, and then click OK.
When you see a dialog box welcoming you to the domain, click OK.
When you are prompted that you must restart the computer, click OK.
On the System Properties dialog box, click Close.
When you are prompted to restart the computer, click Restart Now.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Note that you must supply domain credentials after entering the Add-Computer command below.
Add-Computer -DomainName <domain_name> Restart-Computer
To allow users to access applications that use Integrated Windows authentication, the Web Application Proxy server must be able to provide delegation for users to the published application.
This procedure assumes that the Web Application Proxy server is named EDGE1 and the domain is contoso.com.
To configure Kerberos constrained delegation
On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop.
Click Tools, and then click ADSI Edit.
On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.
In the left pane, expand Default naming context, expand DC=contoso,DC=com, expand CN=Computers, right-click CN=EDGE1, and then click Properties.
On the CN=EDGE1 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.
On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/EDGE1.contoso.com and click Add. Then enter HTTP/EDGE1 and click Add.
The Values list now contains two new entries; for example, HTTP/EDGE1.contoso.com and HTTP/EDGE1.
On the Multi-valued String Editor dialog box, click OK.
On the CN=EDGE1 Properties dialog box, click OK.
In Server Manager, click Tools, and then click Active Directory Users and Computers.
In the navigation pane, under contoso.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.
On the EDGE1 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.
Click Add, and on the Add Services dialog box, click Users or Computers.
On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.
On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.
On the EDGE1 Properties dialog box, click OK.
Configuring AD FS is described in detail in the Windows Server 2012 AD FS Deployment Guide.
For all web applications that you intend to publish using AD FS preauthentication, you must configure a relying party trust for each application on the AD FS server. See Create a Relying Party Trust Using Federation Metadata.
For all AD FS endpoints that you require to be published by Web Application Proxy, in the AD FS Management console, you must set the endpoint to be Proxy Enabled.