What is Web Application Proxy (WAP)?
WAP is a new role service introduced with Windows Server 2012 R2. Before it, the reverse-proxy option on Windows Server 2012 was ARR (Application Request Routing), an IIS extension.
As you know, Threat Management Gateway (TMG) and Unified Access Gateway (UAG) have a definitive end of life. ARR is a web farm extension meant for publishing web sites; however, ARR does not do pre-authentication, it has no PowerShell cmdlets and no high availability, and there is no ongoing investment in it. The replacement is a role service in Windows Server 2012 R2: the Web Application Proxy, or WAP.
WAP is a reverse proxy solution that relies on ADFS to publish both claims-aware and non-claims-aware web applications. WAP is built for current and future web protocols: it understands ADFS, claims and OAuth, and it can also do protocol transition and Kerberos constrained delegation (KCD). Specifically (and applicable to this post), protocol transition and KCD are what make smart card only authentication (authN) into extranet-published, Kerberos-enabled web applications possible: the user never presents a password to WAP, so WAP has to obtain a Kerberos ticket on the user's behalf (protocol transition) and forward it to the backend (constrained delegation). This is one of the functionality sets that TMG and UAG provided, and it means that WAP can publish claims-aware AND non-claims-aware web applications using smart card only authN.
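The following PowerShell is an added example and is not from the original post; it shows the pieces that have to line up for the smart card / KCD scenario described above. It assumes a WAP host named WAP01, a Kerberos-enabled backend host APP01 whose application pool runs as the machine account, the external name app.windowstechpro.com, the internal name app01.windowstechpro.local, and an existing non-claims-aware relying party trust in ADFS named "App RP". All of those names are assumptions; the cmdlets are the documented ActiveDirectory, ADFS and WebApplicationProxy cmdlets.

```powershell
# Added example, not from the original post. Names below are assumptions (see lead-in).
# Step 1 and 2 run on a domain-joined admin host with the AD module; step 3 on the ADFS server;
# step 4 on the WAP server after Install-WebApplicationProxy has been completed.
Import-Module ActiveDirectory

$wap     = Get-ADComputer -Identity 'WAP01'
$backend = Get-ADComputer -Identity 'APP01'

# 1. The backend's HTTP SPN must exist on the account that runs the web application
#    (assumed here to be the APP01 machine account).
Set-ADComputer -Identity $backend -ServicePrincipalNames @{Add = 'HTTP/app01.windowstechpro.local'}

# 2. Resource-based constrained delegation (Windows Server 2012+): the BACKEND account
#    lists who may delegate to it. Protocol transition (S4U2Self) is what lets WAP get a
#    Kerberos ticket for a user who authenticated to ADFS with a smart card, not a password.
Set-ADComputer -Identity $backend -PrincipalsAllowedToDelegateToAccount $wap

# Verify the SPN and the delegation list before publishing.
Get-ADComputer -Identity $backend -Properties ServicePrincipalNames, PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, ServicePrincipalNames, PrincipalsAllowedToDelegateToAccount

# 3. (ADFS server) Require certificate (smart card) authentication for extranet users
#    coming in through the proxy; intranet users keep Windows authentication.
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider CertificateAuthentication `
                                   -PrimaryIntranetAuthenticationProvider WindowsAuthentication

# 4. (WAP server) Publish the non-claims-aware application with ADFS pre-authentication and KCD.
#    -BackendServerAuthenticationSPN must match the SPN registered in step 1.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like '*windowstechpro.com*' } |
          Select-Object -First 1).Thumbprint

Add-WebApplicationProxyApplication `
    -Name 'Kerberos App' `
    -ExternalUrl 'https://app.windowstechpro.com/' `
    -BackendServerUrl 'https://app01.windowstechpro.local/' `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'App RP' `
    -BackendServerAuthenticationSPN 'HTTP/app01.windowstechpro.local'

Get-WebApplicationProxyApplication -Name 'Kerberos App' |
    Format-List ExternalUrl, BackendServerUrl, ExternalPreauthentication, BackendServerAuthenticationSPN
```

The check worth keeping from this is step 2: if the backend does not list the WAP machine account under PrincipalsAllowedToDelegateToAccount, pre-authentication at ADFS will succeed but the backend will answer 401, because WAP cannot obtain a service ticket for the user.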
Web Application Proxy gives organizations the ability to provide selective access to applications running on servers inside the organization to end users located outside of the organization. The process of making an application available externally is known as publishing. Web Application Proxy must always be deployed with ADFS, which lets you leverage ADFS features such as single sign-on (SSO).
It also provides better security for your internal applications:
- When HTTPS traffic arrives that is directed to an address published by Web Application Proxy, it terminates the traffic and initiates new requests to the published applications. It therefore acts as a session-level buffer between external devices and published applications. That is, when users access published applications, they do not directly access the application, instead, they access the application through Web Application Proxy.
- Any other traffic that arrives at Web Application Proxy is dropped and not forwarded to the published applications. This includes malformed HTTP or HTTPS requests that might be used as part of denial of service attacks, zero-day attacks, SSL attacks, and so on.
- Any authenticated request that arrives at Web Application Proxy containing an authentication token from ADFS is inspected to make sure that the token was intended for the client sending it. This is done by checking that the device (through the Workplace Join certificate) corresponds to the claim within the token that identified the device when it authenticated to ADFS. Refer to the TechNet article for more information about WAP.
Now we will see how to install a WAP server on Server 2012 R2. I am so excited!!
Well, I have explained how to install ADFS in a few of my earlier articles:
1. How to install active directory federation services on server 2012
2. ADFS 3.0 Installation and Configuration with SQL Mirroring
After you have successfully configured the ADFS server, export the ADFS service communication certificate (ideally a wildcard certificate) together with its private key, import it into the WAP server's computer certificate store first, and then follow the steps below to configure WAP. WAP must present the same federation service name to clients that ADFS does, so the same certificate is required.
Normally a WAP server is deployed in the DMZ with two NICs: one for backbone (internal) access and one for Internet access. Configure them as shown in the diagram below.
In my test lab I kept it the same way and continued with the process.
The WAP feature is a role service of the Remote Access role, so select Remote Access.
Select Web Application Proxy.
Enter the ADFS URL (federation service name) and the ADFS service account credentials to complete the configuration.
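The same build-out, as an added PowerShell example that is not part of the original post. It assumes the ADFS communication certificate was exported from the ADFS server to C:\Certs\sts.pfx, that the federation service name is sts.windowstechpro.com (the STS.Windowstechpro.com used later in this post), that the ADFS service account is WINDOWSTECHPRO\svc_adfs, and a claims-aware relying party named "Claims App RP"; those names are assumptions. It runs on the WAP server as a local administrator.

```powershell
# Added example, not from the original post. Paths, names and accounts are assumptions.

# 1. Import the ADFS service communication certificate (with private key) into the
#    local machine store; WAP will present it for the federation service name.
$pfxPwd = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\Certs\sts.pfx' `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd

# 2. Install the role service (part of the Remote Access role) with its management tools.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 3. The WAP server must resolve the federation service name to the INTERNAL ADFS server,
#    not to itself. Check this before configuring (hosts file in a lab, split DNS in production).
Resolve-DnsName -Name 'sts.windowstechpro.com' -ErrorAction SilentlyContinue
Test-NetConnection -ComputerName 'sts.windowstechpro.com' -Port 443

# 4. Establish the trust with ADFS. The credential is the ADFS service account (or an
#    account that is a local administrator on the ADFS server).
$adfsCred = Get-Credential -UserName 'WINDOWSTECHPRO\svc_adfs' -Message 'ADFS trust credential'
Install-WebApplicationProxy `
    -FederationServiceName 'sts.windowstechpro.com' `
    -FederationServiceTrustCredential $adfsCred `
    -CertificateThumbprint $cert.Thumbprint

# 5. Post-install checks: proxy configuration pulled from ADFS, and both services running.
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ConnectedServersName
Get-Service appproxysvc, adfssrv | Select-Object Name, Status

# 6. Publish a claims-aware application with ADFS pre-authentication, reusing the
#    wildcard certificate for the external listener.
Add-WebApplicationProxyApplication `
    -Name 'Claims App' `
    -ExternalUrl 'https://claimsapp.windowstechpro.com/' `
    -BackendServerUrl 'https://claimsapp.windowstechpro.local/' `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Claims App RP'

Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

Step 3 is the usual stumbling block in a DMZ: if the federation service name resolves to the WAP server's own address, Install-WebApplicationProxy will fail to reach ADFS to establish the trust.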
So now the WAP installation is successfully completed. From the external network, add a hosts entry (or, in production, an external DNS record) pointing the ADFS URL STS.Windowstechpro.com to the WAP server's IP address, and try to access the IdP sign-in page.
Great. The sign-in succeeds.
You can add multiple WAP servers to the farm if you want high availability, load balancing them with a hardware load balancer (HLB) or NLB. Each additional server is configured the same way, against the same ADFS farm and with the same certificate; the published application settings are stored in ADFS, so they apply to every WAP server in the farm.