Configure a reverse proxy device for SharePoint Server 2013 hybrid

SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Online

Topic Last Modified: 2014-10-16

Summary: Learn about supported reverse proxy devices for SharePoint Server 2013 hybrid deployments.

Stage two of a SharePoint hybrid deployment

This topic provides an overview of the role of reverse proxy devices in a SharePoint Server 2013 hybrid deployment and links to device-specific configuration guidance.

The table below lists the currently supported reverse proxy devices for SharePoint Server 2013 hybrid deployments. This list will be updated as new devices are tested for supportability.


Supported reverse proxy devices

Device: Windows Server 2012 R2 with Web Application Proxy (WA-P)
Configuration article: Configure Web Application Proxy for a hybrid environment
Additional information: Web Application Proxy (WA-P) is a Remote Access service in Windows Server 2012 R2 that publishes web applications that users can interact with from many devices. To use Web Application Proxy as a reverse proxy device in a hybrid SharePoint Server 2013 environment, you must also deploy AD FS in Windows Server 2012 R2.

Device: Forefront Threat Management Gateway (TMG) 2010
Configuration article: Configure Forefront TMG for a hybrid environment
Additional information: Forefront TMG 2010 is a comprehensive, secure web gateway solution that provides secure reverse proxy functionality. Forefront TMG 2010 is no longer sold by Microsoft but will be supported through 4/14/2020. For more information, see Microsoft Support Lifecycle information for TMG 2010.

Device: BIG-IP (F5 Networks)
Configuration article: Enabling SharePoint 2013 Hybrid Search with the BIG-IP
Additional information: External content managed by F5 Networks.

Device: Citrix NetScaler
Configuration article: Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide
Additional information: External content managed by Citrix.

SharePoint Server 2013 and SharePoint Online can be configured in a hybrid configuration to securely combine search results and external data from Microsoft Business Connectivity Services (BCS) and Duet Enterprise. Reverse proxy devices play a role in the secure configuration of a hybrid SharePoint Server 2013 deployment when inbound traffic from SharePoint Online needs to be relayed to your on-premises SharePoint Server 2013 farm. For example, if a federated user uses a SharePoint Online search portal that is configured to return hybrid search results, a reverse proxy device intercepts and pre-authenticates the request for on-premises SharePoint Server 2013 content and then relays it to SharePoint Server 2013. The reverse proxy device in a hybrid topology provides a secure endpoint for inbound traffic using SSL encryption and client certificate authentication.

The following diagrams show how reverse proxy devices are used in each of the supported SharePoint hybrid topologies. The search solution is used to describe how each topology can be used.

One-way outbound hybrid topology

In a one-way outbound hybrid topology, only the Intranet site has search results from both locations.

Figure: One-way outbound hybrid topology (graphic of how an outbound proxy works).

One-way inbound hybrid topology

In a one-way inbound hybrid topology, only the SharePoint Online site has search results from both locations.

Figure: One-way inbound hybrid topology (graphic of an inbound proxy).

Two-way hybrid topology

In a two-way hybrid topology, both the Intranet and SharePoint Online sites have search results from both locations.

Figure: Two-way hybrid topology (graphic of how two-way traffic works in a hybrid SharePoint environment).

In this example, a federated user on the Internet uses the SharePoint Online search portal to search for content in both SharePoint Online and her company’s on-premises SharePoint Server 2013 server.

Figure: A federated user on the Internet searches for content that’s located on her company’s on-premises server (graphic of how extranet users access files through TMG).

The following list describes the steps shown in the preceding picture.

  1. From the Internet, a federated user browses to her SharePoint Online site.

  2. SharePoint Online (SPO) queries the search index in SPO and also sends the search query to the external URL of the on-premises SharePoint farm which resolves to the external endpoint of the reverse proxy device.

  3. The reverse proxy device pre-authenticates the request using the Secure Channel SSL certificate and relays the request to the URL of the primary web application.

  4. The SharePoint farm service account queries the on-premises search index and security trims the search results in the context of the user who sent the search request.

  5. Security trimmed search results are returned to SPO and displayed on the search results page. This result set includes search results from the SPO search index and search results from the search index of the SharePoint Server 2013 farm.

A one-way inbound or two-way hybrid SharePoint Server 2013 topology supports access from the Internet to content and resources in your on-premises SharePoint Server 2013 farm only if the user has an active, secure connection to the intranet network over VPN or DirectAccess, or if the SharePoint Server 2013 farm is configured in an extranet topology.

For a more detailed description of this process that shows how certificates are used and how authentication and authorization work in this topology, see Poster: SharePoint 2013 Hybrid Topology: Certificate, Authentication, and Authorization flow.

In a hybrid SharePoint Server 2013 scenario, the reverse proxy must be able to:

  • Support client certificate authentication with a wildcard or SAN SSL certificate.

  • Support pass-through authentication for OAuth 2.0, including unlimited OAuth bearer token transactions.

  • Accept unsolicited inbound traffic on TCP port 443 (HTTPS).

    No ports other than TCP 443 need to be opened on the external reverse proxy endpoint to support hybrid connectivity.

  • Bind a wildcard or SAN SSL certificate to a published endpoint.

  • Relay traffic to an on-premises SharePoint Server 2013 farm or load balancer without rewriting any packet headers.
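As an added example (not code from this article or from any of the listed devices), the following Python script checks a published endpoint against three of the requirements above: HTTPS on TCP 443 only, and a wildcard or SAN certificate bound to the endpoint that actually covers the farm's external host name. The host names and certificate names in it are constructed values.

```python
"""Pre-flight check of a hybrid reverse proxy endpoint (added example).
Checks the article's requirements: HTTPS on TCP 443 only, and a wildcard
or SAN certificate bound to the endpoint that covers the external URL."""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host name.
    A wildcard counts only as the whole leftmost label, so '*.contoso.com'
    covers 'sharepoint.contoso.com' but not 'contoso.com' or
    'a.b.contoso.com' (the RFC 6125 rule that browsers apply)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, host: str) -> bool:
    """True if any name on the certificate covers the external host name."""
    return any(hostname_matches(name, host) for name in cert_names)


def check_published_endpoint(external_url: str, cert_names, open_ports) -> list:
    """Return findings for the endpoint; an empty list means it passes."""
    findings = []
    parts = urlsplit(external_url)
    if parts.scheme != "https":
        findings.append("external URL must use https")
    if (parts.port or 443) != 443:
        findings.append("external URL must be served on TCP 443")
    if 443 not in open_ports:
        findings.append("TCP 443 is not open on the external endpoint")
    extra = sorted(set(open_ports) - {443})
    if extra:
        findings.append(f"only TCP 443 should be open; also open: {extra}")
    if parts.hostname and not cert_covers(cert_names, parts.hostname):
        findings.append(f"certificate does not cover {parts.hostname}")
    return findings


# Constructed sample values (not from the article): a SAN certificate that
# covers the farm's external host name, and an endpoint exposing only 443.
SAMPLE_CERT_NAMES = ["*.contoso.com", "sharepoint.contoso.com"]

if __name__ == "__main__":
    result = check_published_endpoint("https://sharepoint.contoso.com/",
                                      SAMPLE_CERT_NAMES, {443})
    print("\n".join(result) if result else "endpoint passes all checks")
```

Feed it the external URL of your farm, the names from the certificate bound on the proxy, and the ports your edge firewall exposes; any finding is a requirement the endpoint still misses.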

There are three principal categories of proxy devices: open, forward, and reverse proxies.

  • Open proxy (gateway proxy) devices relay requests and responses passively from one network to another, without making any modifications.

  • Forward proxy devices relay requests from an intranet network to the Internet. This type of proxy typically impersonates the client, replacing the client computer name in the request header of outbound packets with the name of the proxy server, and may also perform DNS name resolution of requested resources on behalf of the client.

  • Reverse proxy devices accept connection requests from the Internet and then relay those requests to intranet servers and applications. In other words, when a computer on the Internet requests a resource located on a server in a different network, a reverse proxy can be configured to accept requests for the internal computer, pre-authenticate the request, resolve the internal hostname of the destination server, and relay the request. Reverse proxies are commonly used on a network edge, such as a network perimeter, to authenticate and relay requests that originate on the Internet and also provide encryption and decryption for the external connection.

    Cloud services such as SharePoint Online communicate with your reverse proxy as if it were the destination of all traffic to your intranet network, and they do not connect directly to servers on your corporate network.

An open proxy device passively relays requests from the Intranet to the Internet and vice versa.

Figure: Open proxy example (how information is passed through a proxy).

The primary direction of traffic in a forward proxy scenario is out to the Internet, from the Intranet.

Figure: Forward proxy example (how a forward proxy works).

The primary direction of traffic in a reverse proxy scenario is in from the Internet and into your Intranet.

Figure: Reverse proxy example (graphic of how reverse proxies work).

Properly configured and maintained proxy servers provide network isolation and gateway management and assume some of the risk of interacting with computers in other domains, forests, or the Internet. A proxy server can typically be configured to:

  • Keep the original computer that made a request anonymous.

  • Cache resources that computers using the proxy request frequently, preventing repeated downloads.

  • Allow users and computers safer access to resources outside of their domains or businesses.

  • Block certain ports and deny certain website URLs.

  • Pre-authenticate user requests or data sent into your network.

Reverse proxy servers may also include firewall services that help protect your internal network from malware and other web-based attacks from the Internet with advanced features such as malware detection and port flooding mitigation.

© 2015 Microsoft