Deploy Microsoft Web Application Proxy

Microsoft Web Application Proxy [WAP] is a new service added in Windows Server 2012 R2 that allows you to access web applications from outside your network. WAP functions as a reverse proxy and an Active Directory Federation Services [AD FS] proxy to pre-authenticate user access.

Web Application Proxy Overview


  • The only hard requirement of WAP is having an AD FS server. Refer to step 1 for setting that up.
  • WAP cannot be installed on a server that AD FS is installed on. They must be separate servers.

Installing the Web Application Proxy Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

Microsoft Web Application Proxy 1 - Add Roles and Features

Click Next:

Microsoft Web Application Proxy 2 - Before you Begin

Role-based or feature-based installation should be selected then click Next:

Microsoft Web Application Proxy 3 - Installation Type

Select the server you want to install this role on to and then click Next:

Note: Web Application Proxy role and AD FS cannot be installed on the same computer.

Microsoft Web Application Proxy 4 - Server Selection

Select Remote Access then click Next:

Microsoft Web Application Proxy 5 - Server Roles

No additional Features are needed. Click Next:

Microsoft Web Application Proxy 6 - Features

Click Next:

Microsoft Web Application Proxy 7 - Remote Access

Select Web Application Proxy:

Microsoft Web Application Proxy 8-1 - Role Services

On the pop up click Add Features:

Microsoft Web Application Proxy 8-2 - Role Services Additional Services

The Web Application Proxy role does not required a reboot. Click Install:

Microsoft Web Application Proxy 9 - Confirmation

Once complete click Close:

Microsoft Web Application Proxy 10 - Results

Web Application Proxy is now installed but you need the AD FS certificate to continue.

Export & Import the AD FS Certificate:

You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:

WAP Import Certificate 1 - Open MMC

Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:

WAP Import Certificate 2 - Add Certificate Snapin

When you click OK you will get the following pop up. Select Computer account then click Next:

WAP Import Certificate 3 - Use Computer Account

On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.

WAP Import Certificate 6-1 - Export Certificate

On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:

WAP Import Certificate 4 - Import Certificate

This will bring up the Certificate Import Wizard. Click Next:

WAP Import Certificate 5 - Welcome to Certificate Import Wizard

Browse to the certificate that you exported from your AD FS server and select it. Click Next:

WAP Import Certificate 6 - File to Import

Enter the password for the private key and check the box to make the key exportable. Click Next:

WAP Import Certificate 7 - Private Key Protection

Leave the default certificate store as Personal. Click Next:

WAP Import Certificate 8 - Certificate Store

Click Finish:

WAP Import Certificate 9 - Complete

You should now see the certificate from your AD FS servers on your Web Application Proxy server.

WAP Import Certificate 10 - Certificate Imported

Now we are ready to perform the Post Configuration.

Post-Deployment Configuration:

Back on your Web Application Server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:

WAP Configuration 11 - Post-Deployment Configuration

Click Next:

WAP Configuration 12 - Welcome

Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:

WAP Configuration 13 - Federation Server

On the drop down menu select the certificate you imported from your AD FS server. Click Next:

WAP Configuration 14 - AD FS Proxy Certificate

Click Configure:

WAP Configuration 15 - Confirmation

Once finished click Close:

WAP Configuration 16 - Results

Remote Access Management Console should open when you clicked Close. On Operations Status you should see all the objects as green.

WAP Configuration 17 - Operations Status

Publish Web Applications:

Now we are finally ready for the magic. In the Remote Access Management Console click Web Application Proxy thenPublish:

WAP Publish 1 - Publish

Click Next:

WAP Publish 2 - Welcome

Pass-through will let WAP act like a reverse proxy. I will have documentation on setting up AD FS link soon!

Select Pass-through and click Next:

WAP Publish 3 - Preauthentication

Name: Enter a display name

External URL: Enter the URL that will be coming in your the WAP server externally

External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the same certificate that you used while setting up your application. In my case I used my wildcard certificate.

Backend server URL: Enter the web URL of the server you want the external URL forwarded

Click Next:

WAP Publish 4 - Publishing Settings

Copy the PowerShell command down and with some minor edits you can easily add additional PassThrough applications with ease.

Click Publish:

WAP Publish 5 - Confirmation

Click Close to finish:

WAP Publish 6 - Results

You will now see the published web application and ready for testing.

WAP Publish 7 - Web Address Published

You are ready to test the application!





Leave a Reply

Your email address will not be published. Required fields are marked *