How to install and configure Web Application Proxy for ADFS

The Web Application Proxy (WAP) is a role service of the Remote Access server role in Windows Server 2012 R2. One of the major roles of the WAP is to pre-authenticate access to web applications using Active Directory Federation Services (AD FS), and in this capacity the WAP functions as an AD FS proxy.

In general, WAP provides reverse proxy functionality for web applications in the corporate network, which allows users on most devices to access internal web applications from external networks.

Using WAP, you can configure additional features provided by AD FS, including Workplace Join, multifactor authentication (MFA), and multifactor access control. WAP can also be part of a DirectAccess infrastructure deployment, or be used when securely publishing Exchange or SharePoint services. See also: Best Practices for securing AD FS and Web Application Proxy.


Prerequisites:

  • Server running Windows Server 2012 R2 Essentials, Standard, or Datacenter.
  • At least 1 network adapter installed in the server, connected to the internal network either directly, or through a firewall or NAT device.
    If 2 adapters are used, the first adapter must be connected to the internal network, and the second adapter must be connected to the external network; Internet or public DMZ network.
  • It is recommended to place the WAP server(s) in a DMZ network, which is separated from the internal, corporate network by an internal firewall. The WAP servers can either be joined to the DMZ Active Directory for management purposes, or left as standalone computers in a WORKGROUP.
  • The user account used in this procedure must have local Administrator permissions on the WAP server(s), and have access to an account that has local Administrator permissions on the AD FS servers.
  • All network traffic for AD FS to and from client devices always occurs over HTTPS, so firewalls must allow TCP/443 from the external network/Internet to the WAP server (or the Virtual IP when using Load Balancing across a server farm). If the WAP servers are placed in a DMZ, a firewall placed between the DMZ and the internal network must also allow TCP/443 from each WAP server's internal IP to the AD FS servers (or the Virtual IP if using Load Balancing across a server farm).
  • A public or internally signed certificate with the Server Authentication purpose. The certificate Subject must match the address of the published service, and the certificate must be trusted by each client.
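Before starting the wizard, the prerequisites above can be checked from an elevated PowerShell prompt on the WAP server. The script below is an added example and not part of the original guide; it assumes the federation service name fs.adatum.dk used throughout this guide and that the AD FS certificate has already been imported into the local machine's Personal store. The name-resolution check is a caveat the guide does not spell out: on the WAP itself, the federation service name must resolve to the internal AD FS server or farm VIP (via internal DNS or a hosts entry), not to the WAP's own public address, otherwise the proxy trust cannot be created.

```powershell
# Added pre-flight check (not part of the original guide). Run elevated on the WAP server.
# Assumptions: fs.adatum.dk is the federation service name (from the guide) and the
# AD FS certificate is already in Cert:\LocalMachine\My.
$fsName = 'fs.adatum.dk'
$ok = $true

# 1. Name resolution: from the WAP, the federation service name must resolve to the
#    internal AD FS server or farm VIP, NOT to one of this server's own addresses.
#    GetHostAddresses honours both DNS and the local hosts file.
$addr = [System.Net.Dns]::GetHostAddresses($fsName) | ForEach-Object { $_.IPAddressToString }
$own  = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
if ($addr | Where-Object { $own -contains $_ }) {
    Write-Warning "$fsName resolves to this WAP server itself ($addr); it must point to the internal AD FS"
    $ok = $false
}

# 2. Firewall: TCP/443 from the WAP's internal interface to the AD FS server/VIP
$tcp = Test-NetConnection -ComputerName $fsName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP/443 from this server to $fsName ($addr) is blocked"
    $ok = $false
}

# 3. Certificate: subject or SAN must match the federation service name (a wildcard such
#    as *.adatum.dk also matches), with a private key, the Server Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.1) and a chain to a trusted root.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode | Where-Object { $fsName -like $_ }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with a private key for $fsName in Cert:\LocalMachine\My"
    $ok = $false
}
elseif (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fsName -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue)) {
    Write-Warning "Certificate $($cert.Thumbprint) fails SSL/Server Authentication validation for $fsName"
    $ok = $false
}

# 4. Time: AD FS tokens and the proxy trust are time-bounded, so WAP and AD FS clocks must agree
w32tm /query /status

if ($ok) { "Pre-flight OK - use certificate thumbprint $($cert.Thumbprint) in the wizard" }
else     { "Fix the warnings above before running the Web Application Proxy wizard" }
```

Run it once per WAP server; the printed thumbprint is the certificate to pick on the AD FS Proxy Certificate page of the wizard.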

This guide will focus on publishing AD FS, and does not cover Integrated Windows authentication and Kerberos constrained delegation, other than mentioning that they are supported in the Web Application Proxy. The main requirements in that scenario are that the WAP servers must be domain-joined to an Active Directory with Windows Server 2012 domain controllers, and there must be trusts between the user forest, the WAP forest and the resource forest. For additional information, see Kerberos Constrained Delegation across Domains. It is also assumed that the WAP server has only one network adapter.

It is recommended to enable proper Network Time Protocol (NTP) or another time synchronization method on all Web Application Proxy and AD FS hosts.

First, install the Remote Access role and then configure the Web Application Proxy to connect to an AD FS server. This procedure must be repeated on all servers where Web Application Proxy must be deployed.

Start Add Roles and Features on the WAP Proxy server

Select Role-based or feature-based installation, and click Next

Click Next

Select Remote Access, and click Next

Click Next

Click Next

Select Web Application Proxy

Click Add Features

Click Next

Click Export configuration settings

Save DeploymentConfigTemplate.xml (see example in appendix)

Click Install

Wait while the installation is done …

Click the Open the Web Application Proxy Wizard link

Click Next


On the Federation Server page, provide the requested information:

  • In Federation service name:
    Enter the address of the Federation service name, like fs.adatum.dk
  • In User name/Password:
    Enter the internal/corporate domain credentials for an account that is a member of the local Administrators group on the internal ADFS servers (does not have to be the ADFS service account)
    or
    Enter the internal/corporate domain ADFS service account credentials, as used during the ADFS configuration.

NOTE:
The credentials will only be used once, in order to create the proxy trust, and they are not stored on the WAP.

Click Next

On the AD FS Proxy Certificate page, select a certificate, from the list of certificates installed on the WAP server, to be used for AD FS proxy operations. The certificate chosen here should be the one whose subject matches the Federation Service name, for example, fs.adatum.dk or *.adatum.dk.

Click Next

Click Configure

Wait until the WAP has completed the configuration (this may take from a few seconds to a few minutes …)

When the WAP has successfully connected to the AD FS service, verified the certificate and the account, and completed the configuration, click Close

After closing the Web Application Proxy Configuration Wizard, the Remote Access Management Console will automatically open.

Before proceeding further, logon to any other WAP servers in the same server farm. Repeat the above steps to install Web Application Proxy. Then click the Open the Web Application Proxy Wizard link, add the Federation service and complete the initial WAP configuration.

Now, switch to the first/primary WAP server, and open the Remote Access Management Console

Create a new pass-through publishing by clicking Publish in the right-hand pane.

Click Next

Select the Pass-through preauthentication method, and click Next

On the Publishing Settings page, enter this information:

Name: ADFS
External URL: https://<address of the externally published federation service>
External certificate: Select the external SSL certificate that must be used for the federation service.
Backend server URL: https://<address of the internally published federation service>

Note:
The External URL and the Backend server URL must be the same!

Select the External certificate:


Click Next


Click Publish


Wait for the ADFS application to be published …

Click Close

Now the ADFS service is published in the WAP.

NOTE:
With multiple WAP servers configured in an NLB cluster, it is only required to create the publishing on the primary server. The remaining NLB cluster nodes will get the configuration automatically; simply click Refresh in the Remote Access Management Console, and the pass-through application is published there as well.

Inspect the Operations Status, and verify that the servers are working as expected.

The WAP must now be made reachable from the Internet, by adding a DNS A record in the public DNS zone, which points the federation service name (fs.adatum.dk) to the public IP of the WAP listener.

Last, verify that https://fs.adatum.dk/adfs/ls/IdpInitiatedSignon.aspx is available and working from the public Internet (modify the URL to your domain!).
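The whole procedure above, from installing the role service to the final check, can also be done from an elevated PowerShell prompt instead of the wizards. The script below is an added example rather than the guide's own steps. It assumes fs.adatum.dk as the federation service name, that the matching certificate is already in Cert:\LocalMachine\My, that the account prompted for is a local Administrator on the AD FS servers, and that the federation service is published under the /adfs/ path (the guide only states that the External and Backend server URL must be identical).

```powershell
# Added example (not part of the original guide): PowerShell equivalent of the wizard steps.
# Steps 1-3 are run on every WAP server in the farm; step 4 only on the primary server.
# Assumptions: federation service name fs.adatum.dk (from the guide), certificate already
# in LocalMachine\My, and the /adfs/ publishing path.
$fsName = 'fs.adatum.dk'

# 1. Install the Web Application Proxy role service (part of the Remote Access role)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Pick the certificate whose subject or SAN matches the federation service name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode | Where-Object { $fsName -like $_ }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName in Cert:\LocalMachine\My" }

# 3. Create the proxy trust. The credential is sent once to AD FS and is not stored on the WAP.
$cred = Get-Credential -Message "Account with local Administrator rights on the AD FS servers"
Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $cert.Thumbprint

# 4. Pass-through publishing of the federation service (primary WAP only; the other
#    farm members receive it from the shared configuration after a Refresh).
$url = "https://$fsName/adfs/"   # assumed path; External and Backend URL must be identical
Add-WebApplicationProxyApplication -Name 'ADFS' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $url `
    -BackendServerUrl $url `
    -ExternalCertificateThumbprint $cert.Thumbprint

# 5. Local verification: the application is listed and the proxy reports healthy
Get-WebApplicationProxyApplication -Name 'ADFS' |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
Get-WebApplicationProxyHealth

# 6. End-to-end check. Run this part from a client on the public Internet, after the public
#    A record for fs.adatum.dk exists, so the request really goes through the WAP listener.
$r = Invoke-WebRequest -Uri "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
if ($r.StatusCode -eq 200) { "AD FS sign-on page is reachable through the WAP" }
else { Write-Warning "Unexpected HTTP status $($r.StatusCode) from the WAP" }
```

Step 6 deliberately does not run on the WAP itself: there the federation service name resolves to the internal AD FS server, so a success from the WAP says nothing about the public listener, the firewall rule for TCP/443 or the public DNS record.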
