Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Configure a reverse proxy device for SharePoint Server 2013 hybrid

Duet Online

Applies to: SharePoint Online, SharePoint Server 2013

Topic Last Modified: 2015-05-15

Summary: Learn about supported reverse proxy devices for SharePoint Server 2013 hybrid deployments.

This article is part of a roadmap of procedures for configuring SharePoint hybrid solutions. Be sure you're following a roadmap when you do the procedures in this article.

This topic provides an overview of the role of reverse proxy devices in a SharePoint Server 2013 hybrid deployment and links to device-specific configuration guidance.

In this article:

SharePoint Server 2013 and SharePoint Online can be configured in a hybrid configuration to securely combine search results and external data from Microsoft Business Connectivity Services (BCS) and Duet Enterprise. Reverse proxy devices play a role in the secure configuration of a hybrid SharePoint Server 2013 deployment when inbound traffic from SharePoint Online needs to be relayed to your on-premises SharePoint Server 2013 farm. For example, if a federated user uses a SharePoint Online search portal that is configured to return hybrid search results, a reverse proxy device intercepts and pre-authenticates the request for on-premises SharePoint Server 2013 content and then relays it to SharePoint Server 2013. The reverse proxy device in a hybrid topology provides a secure endpoint for inbound traffic using SSL encryption and client certificate authentication.

The following diagrams show how a reverse proxy device is used for inbound connectivity.

With an inbound search solution, only the SharePoint Online site has search results from both locations.

Inbound connectivity

A graphic of an inbound proxy.

In the example below, a federated user on the Internet uses the SharePoint Online search portal to search for content in both SharePoint Online and her company’s on-premises SharePoint Server 2013 server.

A federated user on the Internet searches for content that’s located on her company’s on-premises server.

This graphic explains how extranet users access files through TMG.

The following list describes the steps shown in the preceding picture.

  1. From the Internet, a federated user browses to her SharePoint Online site.

  2. SharePoint Online (SPO) queries the search index in SPO and also sends the search query to the external URL of the on-premises SharePoint farm which resolves to the external endpoint of the reverse proxy device.

  3. The reverse proxy device pre-authenticates the request using the Secure Channel SSL certificate and relays the request to the URL of the primary web application.

  4. The SharePoint farm service account queries the on-premises search index and security trims the search results in the context of the user who sent the search request.

  5. Security trimmed search results are returned to SPO and displayed on the search results page. This result set includes search results from the SPO search index and search results from the search index of the SharePoint Server 2013 farm.

Inbound connectivity enables access to content and resources in your on-premises SharePoint Server 2013 farm from the internet only if the user has an active, secure connection to the intranet network over VPN or DirectAccess or if the SharePoint Server 2013 farm is configured in an extranet topology.

For a more detailed description of this process, that shows how certificates are used and authentication and authorization work in this topology, see Poster: SharePoint 2013 Hybrid Topology: Certificate, Authentication, and Authorization flow.

In a hybrid SharePoint Server 2013 scenario, the reverse proxy must be able to:

  • Support client certificate authentication with a wildcard or SAN SSL certificate.

  • Support pass-through authentication for OAuth 2.0, including unlimited OAuth bearer token transactions.

  • Accept unsolicited inbound traffic on TCP port 443 (HTTPS).

    No ports other than TCP 443 need to be opened on the external reverse proxy endpoint to support hybrid connectivity.
  • Bind a wildcard or SAN SSL certificate to a published endpoint.

  • Relay traffic to an on-premises SharePoint Server 2013 farm or load balancer without rewriting any packet headers.

The table below lists the currently supported reverse proxy devices for SharePoint Server 2013 hybrid deployments. This list will be updated as new devices are tested for supportability. Follow the steps in the configuration article for the reverse proxy device that you want to use. When you've completed configuring the reverse proxy device, return to your roadmap.


Supported reverse proxy devices Configuration article Additional information

Windows Server 2012 R2 with Web Application Proxy (WA-P)

Configure Web Application Proxy for a hybrid environment

Web Application Proxy (WA-P) is a Remote Access service in Windows Server 2012 R2 that publishes web applications that users can interact with from many devices.

To use Web Application Proxy as a reverse proxy device in a hybrid SharePoint Server 2013 environment, you must also deploy AD FS in Windows Server 2012 R2.

Forefront Threat Management Gateway (TMG) 2010

Configure Forefront TMG for a hybrid environment

Forefront TMG 2010 is a comprehensive, secure, web gateway solution that provides secure reverse proxy functionality.

Forefront TMG 2010 is no longer sold by Microsoft but will be supported through 4/14/2020. For more information, see Microsoft Support Lifecycle information for TMG 2010.


Enabling SharePoint 2013 Hybrid Search with the BIG-IP

External content managed by F5 Networks.

Citrix NetScaler

Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide

External content managed by Citrix.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft