One of the new additions with Windows Server 2012 R2 was the Web Application Proxy (WAP) feature. If you have deployed AD FS on Windows Server 2008 R2, the WAP replaces the AD FS proxy. WAP is not a direct replacement for AD FS – it is much more.

Once you have installed AD FS, you can install the first WAP server to publish AD FS. You’ll need to have a number of prerequisites in order prior to beginning the installation process:

  • Server or virtual machine – ensure that the host meets the minimum requirements for Windows Server 2012 R2
  • Firewall – the WAP will need SSL (TCP443) access to the AD FS federation server. If you are domain joining WAP, it must also have access to domain controllers.
  • SSL Certificate – install a certificate that matches the AD FS host name (e.g. fs.cohovines.com) or a wildcard certificate in the machine certificate store. You should plan to use a commercially issued certificate from a public certification authority such as DigiCert.
If you will be using the Device Registration Service for Workplace Join, you will need to add subject alternate names (SANs) to your SSL certificate. For each User Principal Name (UPN) suffix that will be supported, you must add a SAN in the format of enterpriseregistration.<UPN Suffix>. For example, in my environment, users have a UPN suffix of cohovines.com. To support Workplace Join, my service communications certificate will need a SAN of enterpriseregistration.cohovines.com.

Once you have all the prerequisite items in place, you can begin installing the first WAP server.

  1. Open Server Manager and click ‘Add roles and features’.
  2. During the Server Selection step of the Add Roles and Features Wizard, shown below, you can elect to install WAP on multiple servers if you have added them to a pool in Server Manager. If you will be installing a server farm, this is a handy time saving feature.

SNAG-0002

  1. On the next screen, Server Roles, select Remote Access as shown below.

SNAG-0003

  1. On the Remote Access Role Services screen, select Web Application proxy as shown below.

SNAG-0004

  1. Complete the wizard to install the WAP service of the Remote Access role.

Once WAP is installed, you can use the Remote Access Management Console to configure WAP to publish AD FS.

  1. Launch the Remote Access Management Console. This Console is accessible from the Tools menu in Server Manager.
  2. Select Web Application Proxy on the left side of the window and then click Run the Web Application Proxy Configuration Wizard.

SNAG-0017

  1. Enter the FQDN of your AD FS farm as well as a local administrator account on the AD FS servers. This account is only used to setup trust during the configuration process.
If the FQDN of your AD FS farm does not resolve to the correct IP address, you must add the AD FS farm FQDN to the HOSTS file on your WAP server. The HOSTS file is located in c:\windows\system32\drivers\etc.

SNAG-0016

  1. Select a certificate from the machine’s store for WAP to listen with when proxying to AD FS.

SNAG-0014

Once the wizard completes, you can publish the WAP server through your firewall on TCP port 443. This completes the tasks necessary to publish AD FS externally with WAP.