Connect to Applications and Services from Anywhere with Web Application Proxy
Updated: August 28, 2013
Applies To: Windows Server 2012 R2
This scenario describes how you can use Web Application Proxy, a new Remote Access role service in Windows Server® 2012 R2, to publish a sample web application that uses claims-based authentication and a sample website that uses Integrated Windows authentication. Both websites are protected by Active Directory Federation Services (AD FS) preauthentication. This scenario also uses the following AD FS features:
Workplace Join—Joining devices to the workplace connects these devices with Active Directory in your workplace. When you join personal devices to your workplace they become known devices and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.
This scenario configures the device registration service (DRS) to enable you to join the client device to the workplace.
Multifactor authentication—This enables you to require users to provide more than one form of authentication when connecting to published applications and services, for example a one-time password or a smart card. You can configure Web Application Proxy and AD FS to require multifactor authentication for all authentication requests, or per application. In addition, configuring AD FS to allow access only from registered devices gives you seamless two-factor authentication: the user must provide credentials, and the device must be registered.
This scenario uses certificate authentication to provide the additional factor when authenticating.
Multifactor access control—Access control in AD FS is implemented with authorization claim rules that issue permit or deny claims, which determine whether a user or a group of users is allowed to access AD FS-secured resources. In AD FS in Windows Server 2012 R2, access control is enhanced with multiple factors, including user, device, location, and authentication data. This is made possible by a greater variety of claim types available to the authorization claim rules.
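The following PowerShell is an added example, not part of the original page, showing how the three AD FS features above fit together on the AD FS server: enabling the Device Registration Service for Workplace Join, adding certificate authentication as the additional factor, requiring that factor for requests that arrive through the proxy, and an authorization rule that permits only registered devices. The domain name contoso.com, the gMSA contoso\fsgmsa$ and the relying party name "ClaimsApp" are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Run on the AD FS server in an elevated session.
# Assumptions for illustration only: domain contoso.com, AD FS service account contoso\fsgmsa$,
# and a relying party trust named "ClaimsApp" that already exists.
Import-Module ADFS

# 1. Workplace Join: prepare Active Directory for the Device Registration Service (DRS), then
#    enable DRS on the federation service so clients can register and receive a device certificate.
Initialize-ADDeviceRegistration -ServiceAccountName 'contoso\fsgmsa$'
Enable-AdfsDeviceRegistration

# 2. Global authentication policy: accept the device certificate as a factor and offer
#    certificate authentication as the additional (second) factor.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true `
                                   -AdditionalAuthenticationProvider 'CertificateAuthentication'

# 3. Multifactor authentication: require the second factor for every request that did not come
#    from the corporate network. AD FS sets insidecorporatenetwork to "false" for requests that
#    carry the x-ms-proxy header added by Web Application Proxy.
$mfaForExtranet = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaForExtranet

# 4. Multifactor access control: an issuance authorization rule on the relying party that permits
#    only users on registered (workplace-joined) devices. A request without the device claim
#    receives no permit claim and is therefore denied.
$permitRegisteredDevicesOnly = @'
@RuleName = "Permit only registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName 'ClaimsApp' -IssuanceAuthorizationRules $permitRegisteredDevicesOnly

# Verify what is now in force.
Get-AdfsGlobalAuthenticationPolicy | Format-List DeviceAuthenticationEnabled, AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name 'ClaimsApp').IssuanceAuthorizationRules
```

Two points a practitioner should keep in mind. The insidecorporatenetwork claim is derived from the presence of the proxy's x-ms-proxy header, so the distinction between intranet and extranet only holds if external clients cannot reach the federation service directly; only the Web Application Proxy should be reachable from the internet on port 443. If you want the second factor for one application rather than globally, put the same rule text in the relying party's own additional authentication rules with Set-AdfsRelyingPartyTrust -TargetName 'ClaimsApp' -AdditionalAuthenticationRules instead of Set-AdfsAdditionalAuthenticationRule.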
Web Application Proxy also provides built-in AD FS proxy capabilities. The following diagram shows the topology used in this scenario for Web Application Proxy to publish Microsoft applications and other line-of-business (LOB) applications.
This scenario demonstrates how to plan and deploy Web Application Proxy in your organization to give end users located outside the organization access to applications and services running on servers inside it. Web Application Proxy publishing enables end users to access their organization's applications from their own devices, so they are not limited to corporate laptops to do their work; they can use a home computer, a tablet, or a smartphone. Web Application Proxy can be used from a standard browser, from an Office client, or from a rich client that uses OAuth (for example, Windows Store apps). Web Application Proxy serves as a reverse proxy for every application published through it, so the end-user experience is the same as if the user's device connected directly to the application.
This scenario describes the additions and changes that you must make to your AD FS servers to provide the following functionality:
Application publishing—For all applications and services that you want to publish through Web Application Proxy, you must configure a relying party on the AD FS server.
Authentication—No specific configuration is required to provide authentication for published applications. However, to use workplace join, MFA, or multifactor access control in your deployment, you must perform additional configuration as described in the following guides:
This scenario does not describe using Web Application Proxy as a proxy for AD FS. However, this functionality is enabled by default when you install the Web Application Proxy role service. Any AD FS endpoint that is enabled for proxy publishing is automatically published by Web Application Proxy after completing the Web Application Proxy Configuration Wizard.
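The following PowerShell is an added example, not part of the original page, covering the application publishing step above (a relying party for each published application) and the AD FS proxy behaviour just described (listing the AD FS endpoints that the proxy will expose and switching off one that is not needed). The hostnames claimapp.contoso.com and iwaapp.contoso.com, the proxy server name WAP01, the application pool account contoso\iwaAppPool, the certificate subject and the endpoint chosen for disabling are all assumptions for illustration.

```powershell
# Added example (not from the original page). Hostnames, account names, server names, the
# certificate subject and the disabled endpoint are assumptions for illustration only.

# --- On the AD FS server ---
Import-Module ADFS
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Claims-aware sample application: AD FS issues it a WS-Federation token carrying the user's UPN.
Add-AdfsRelyingPartyTrust -Name 'ClaimsApp' `
    -Identifier 'https://claimapp.contoso.com/' `
    -WSFedEndpoint 'https://claimapp.contoso.com/' `
    -IssuanceAuthorizationRules $permitAll `
    -IssuanceTransformRules '@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through UPN" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);'

# Integrated Windows authentication sample site: a non-claims-aware relying party. AD FS only
# preauthenticates; the proxy then obtains a Kerberos ticket for the user by constrained delegation.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'IwaApp' `
    -Identifier 'https://iwaapp.contoso.com/' `
    -IssuanceAuthorizationRules $permitAll

# Endpoints enabled for proxy publishing are exposed automatically once the proxy is configured.
# Review them and turn off proxy publishing for any the deployment does not need; the proxy picks
# up the change on its next configuration poll.
Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy } |
    Format-Table AddressPath, Protocol, SecurityMode -AutoSize
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/windowstransport' -Proxy $false
Restart-Service adfssrv

# --- On a domain controller (or any host with the Active Directory module) ---
# Register the SPN for the IWA site on its application pool account, then allow the proxy's
# computer account to request tickets to that account on behalf of authenticated users
# (resource-based Kerberos constrained delegation).
Import-Module ActiveDirectory
setspn -S HTTP/iwaapp.contoso.com contoso\iwaAppPool
$proxy = Get-ADComputer -Identity 'WAP01'
Set-ADUser -Identity 'iwaAppPool' -PrincipalsAllowedToDelegateToAccount $proxy
Set-ADAccountControl -Identity $proxy -TrustedToAuthForDelegation $true

# --- On the Web Application Proxy server ---
Import-Module WebApplicationProxy
# Relying parties the proxy can see; both names above should appear here before publishing.
Get-WebApplicationProxyAvailableADFSRelyingParty | Select-Object Name
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=*.contoso.com').Thumbprint

Add-WebApplicationProxyApplication -Name 'ClaimsApp' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'ClaimsApp' `
    -ExternalUrl 'https://claimapp.contoso.com/' `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'https://claimapp.contoso.com/'

Add-WebApplicationProxyApplication -Name 'IwaApp' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'IwaApp' `
    -ExternalUrl 'https://iwaapp.contoso.com/' `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'https://iwaapp.contoso.com/' `
    -BackendServerAuthenticationSPN 'HTTP/iwaapp.contoso.com'

Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl, BackendServerAuthenticationSPN -AutoSize
```

The external and backend URLs are kept identical here because Web Application Proxy in Windows Server 2012 R2 does not rewrite paths; the host name may differ, but the path must be the same on both sides. The interval at which the proxy re-reads the endpoint list from AD FS is the ConfigurationChangesPollingIntervalSec value shown by Get-WebApplicationProxyConfiguration.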
The following table lists the roles and features that are part of this scenario and describes how they support it.

Role/feature | How it supports this scenario
Active Directory Federation Services (AD FS) | AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.
Web Application Proxy | Web Application Proxy is the technology used to publish applications and services running on servers inside the organization so that they can be accessed by end users located outside the organization.
Active Directory® Domain Services (AD DS) | AD DS is required as a prerequisite before you can deploy AD FS.
Web Server (IIS) | The Web Server (IIS) role is used in this scenario to host a sample application that can be published by Web Application Proxy.
This scenario contains the following steps:
Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy—This walkthrough contains the following steps: