Using Application Proxy to Provide Access to SharePoint Server and Exchange Server

 

This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.

This topic describes the tasks necessary to publish SharePoint Server or Exchange Server through Web Application Proxy.

You can publish a SharePoint site through Web Application Proxy when the SharePoint site is configured for claims-based authentication or Integrated Windows authentication. If you want to use Active Directory Federation Services (AD FS) for preauthentication, you must configure a relying party using one of the wizards.

  • If the SharePoint site uses claims-based authentication, you must use the Add Relying Party Trust Wizard to configure the relying party trust for the application.

  • If the SharePoint site uses Integrated Windows authentication, you must use the Add Non-Claims-Based Relying Party Trust Wizard to configure the relying party trust for the application. You can use IWA with a claims-based web application provided that you configure Kerberos constrained delegation (KCD).

    To allow users to authenticate using Integrated Windows authentication, the Web Application Proxy server must be joined to a domain. See 1.3. Plan Active Directory.

    You must configure the application to support Kerberos constrained delegation. You can do this on the domain controller for any application. You can also configure the application directly on the backend server if it is running on Windows Server 2012 R2 or Windows Server 2012. For more information, see What's New in Kerberos Authentication. You must also make sure that the Web Application Proxy servers are configured for delegation to the service principal names of the backend servers. For a walkthrough of how to configure Web Application Proxy to publish an application using Integrated Windows authentication, see Configure a site to use Integrated Windows authentication.

If your SharePoint site is configured using either alternate access mappings (AAM) or host-named site collections, you can use different external and backend server URLs to publish your application. However, if you do not configure your SharePoint site using AAM or host-named site collections, you must use the same external and backend server URLs.

The following table describes the Exchange services that you can publish through Web Application Proxy and the supported preauthentication for these services:

Outlook Web App
  Preauthentication:
    • AD FS using non-claims-based authentication
    • Pass-through
    • AD FS using claims-based authentication for on-premises Exchange 2013 Service Pack 1 (SP1)
  Notes: For more information see: Using AD FS claims-based authentication with Outlook Web App and EAC

Exchange Control Panel
  Preauthentication: Pass-through

Outlook Anywhere
  Preauthentication: Pass-through
  Notes: You must publish three URLs for Outlook Anywhere to work correctly:
    • The autodiscover URL.
    • The external host name of the Exchange Server; that is, the URL that is configured for clients to connect to.
    • The internal FQDN of the Exchange Server.

Exchange ActiveSync
  Preauthentication: Pass-through

To publish Outlook Web App using Integrated Windows authentication, you must use the Add Non-Claims-Based Relying Party Trust Wizard to configure the relying party trust for the application.

To allow users to authenticate using Integrated Windows authentication, the Web Application Proxy server must be joined to a domain. See 1.3. Plan Active Directory.

You must configure the application to support Kerberos constrained delegation. You can do this on the domain controller for any application. You can also configure the application directly on the backend server if it is running on Windows Server 2012 R2 or Windows Server 2012. For more information, see What's New in Kerberos Authentication. You must also make sure that the Web Application Proxy servers are configured for delegation to the service principal names of the backend servers. For a walkthrough of how to configure Web Application Proxy to publish an application using Integrated Windows authentication, see Configure a site to use Integrated Windows authentication.
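The following PowerShell is added here as a worked example; it is not part of the original topic and not Microsoft's own sample code. It ties together the steps described above for both the SharePoint and the Outlook Web App case: creating the non-claims-based relying party trust in AD FS, configuring Kerberos constrained delegation for the Web Application Proxy computer account on the domain controller, and publishing the application with a backend SPN. The host names (sp.contoso.com, WAP01), the relying party name and the SPN are assumptions for illustration; external and backend URLs are identical because the site is assumed not to use AAM or host-named site collections.

```powershell
# Added example (not from the original topic): publish an IWA-protected backend
# through Web Application Proxy with AD FS preauthentication and Kerberos
# constrained delegation. Host names, relying party name and SPN are assumptions.
#
# Section 1 runs on the AD FS server, section 2 on a domain controller (or any
# host with the ActiveDirectory module), section 3 on the Web Application Proxy
# server. The proxy server must already be domain-joined.

$ExternalUrl = 'https://sp.contoso.com/'   # same as backend: no AAM / host-named site collection
$BackendUrl  = 'https://sp.contoso.com/'
$BackendSpn  = 'HTTP/sp.contoso.com'       # SPN the backend web application answers for
$RpName      = 'SharePoint (IWA)'
$WapComputer = 'WAP01'                     # computer account of the proxy server
# For Outlook Web App the same steps apply with, for example,
# https://mail.contoso.com/owa/ and HTTP/mail.contoso.com.

# --- 1. AD FS server: non-claims-aware relying party trust ---------------------
# An IWA backend cannot consume a SAML token, so the trust is created with the
# non-claims-aware cmdlet (what the Add Non-Claims-Based Relying Party Trust
# Wizard does). The rule below permits every authenticated user; restrict it to
# a group for production.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName `
    -Identifier $ExternalUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- 2. Domain controller: Kerberos constrained delegation ----------------------
# The SPN must exist exactly once, on the account the backend application pool
# runs as (a computer account or a domain service account). setspn -Q prints the
# owning object, or "No such SPN found" if it is missing.
setspn -Q $BackendSpn

# Allow the proxy's computer account to delegate ONLY to the backend SPN
# ("Trust this computer for delegation to specified services only").
Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }

# The proxy authenticates the user through AD FS, not Kerberos, so it needs
# protocol transition ("Use any authentication protocol", S4U2Self) to obtain a
# service ticket on the user's behalf. This lets the proxy account impersonate
# any user to the SPNs listed above, so keep that list minimal and never grant
# unconstrained delegation (TrustedForDelegation) to the proxy.
Get-ADComputer -Identity $WapComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify what was written.
Get-ADComputer -Identity $WapComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Format-List Name, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

# --- 3. Web Application Proxy server: publish the application -----------------
# The external certificate must already be in the machine store and match the
# external URL's host name; pick the longest-lived matching certificate.
$hostName = ([Uri]$ExternalUrl).Host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }

Add-WebApplicationProxyApplication -Name $RpName `
    -ExternalUrl $ExternalUrl `
    -BackendServerUrl $BackendUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName $RpName `
    -BackendServerAuthenticationSPN $BackendSpn

Get-WebApplicationProxyApplication -Name $RpName |
    Format-List ExternalUrl, BackendServerUrl, ExternalPreAuthentication, BackendServerAuthenticationSPN
```

Run each section on the host indicated in its comment. If the backend application pool runs as a domain service account rather than the machine account, the SPN in setspn -Q must resolve to that service account, and that is the SPN the delegation entry and -BackendServerAuthenticationSPN must name; a mismatch is the most common reason IWA publishing fails with an authentication error at the backend.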
