Step 8: Deploy the Web Application Proxy
Updated: June 24, 2013
Applies To: Windows Server 2012 R2
Web Application Proxy – a new Remote Access role service in Windows Server® 2012 R2 – can enable you to provide access to applications using Active Directory Federation Services (AD FS) authentication mechanisms. In order to deploy Web Application Proxy, complete the following steps:
Import an SSL certificate
Install Web Application Proxy role service
Configure Web Application Proxy
Verify Web Application Proxy
Import an SSL certificate
First you must export the SSL certificate from your primary federation server.
To export the SSL certificate from your primary federation server
On your federation server computer, open the Certificates snap-in for the Local Machine and click the Personal store.
Double-click the SSL certificate that you used for the federation service.
On the Details tab, click Copy to file, and then click Next.
Choose Yes to export the private key and click Next.
Ensure pfx is selected and Include all certificates in the certification path if possible is checked.
Click to Export all extended properties and then click Next.
Select password, enter a password, and then click Next.
Select a file location and name and click Next.
Click Finish.
Next you must import this SSL certificate from the .pfx file to the local computer Personal store on your Web Application Proxy computer.
To Import the SSL certificate from the .pfx file to the Web Application Proxy computer
On the Web Application Proxy computer, browse to any share where you want to place the .pfx file and copy the .pfx file locally.
Open the Certificates MMC snap-in for the local machine account on your Web Application Proxy computer.
Right-click the local computer Personal Store and click All tasks -> Import.
Complete the import wizard, selecting the local copy of the .pfx file and entering the proper password for the certificate when prompted.
Look in the local computer Personal store on your Web Application Proxy computer. Verify that the SSL certificate is now displayed.
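The same export and import can be scripted with the PKI module cmdlets instead of the Certificates snap-in. This is an added example, not part of the original page; the subject name CN=fs.contoso.com and the staging path C:\temp\fs-contoso-com.pfx are assumptions.

```powershell
# Added example (not from the original page). Assumed: the AD FS SSL certificate has
# subject CN=fs.contoso.com and the .pfx is staged at C:\temp\fs-contoso-com.pfx.
$subject = 'CN=fs.contoso.com'
$pfxPath = 'C:\temp\fs-contoso-com.pfx'

# --- On the primary federation server: export the certificate with its private key ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
# BuildChain corresponds to "Include all certificates in the certification path if possible".
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $pfxPath"

# --- On the Web Application Proxy server, after copying the .pfx locally ---
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password of the .pfx'
# The private key stays non-exportable on the proxy; add -Exportable only if you must move it again.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword |
    Where-Object { $_.HasPrivateKey }

# Verify the import: the certificate is in the Personal store, has its private key and is still valid.
$check = Get-ChildItem "Cert:\LocalMachine\My\$($imported.Thumbprint)"
if (-not $check.HasPrivateKey) { throw 'Certificate imported without its private key' }
if ($check.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($check.NotAfter)" }
"Imported $($check.Thumbprint) ($($check.Subject)), valid until $($check.NotAfter)"

# Remove the staged .pfx once imported; it contains the private key.
Remove-Item $pfxPath
```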
Install Web Application Proxy role service
Important
To publish applications that use Integrated Windows authentication, you must join Web Application Proxy to the same forest as the published applications and the users who will access the application. If you do not plan to publish applications that use Integrated Windows authentication, the Web Application Proxy can be non-domain joined.
To install the Web Application Proxy role service via the user interface
On the edge server, open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop.
In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.
On the Select server roles dialog, select Remote Access, and then click Next.
Click Next twice.
On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.
On the Confirm installation selections dialog, click Install.
On the Installation progress dialog, verify that the installation was successful, and then click Close.
To install the Web Application Proxy role service via Windows PowerShell
On the computer that you want to configure as the Web Application Proxy, open the Windows PowerShell command window and run the following command:
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Configure Web Application Proxy
Important
Make sure to set the Windows Firewall rules on the federation Server.
On your primary federation server computer, ensure inbound Windows Firewall rules allowing TCP port 80 and TCP port 443 have been created.
To configure Web Application Proxy via the user interface
On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, type Remote Access Management, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the Remote Access Management console, in the navigation pane, click Web Application Proxy.
In the middle pane, click Run the Web Application Proxy Configuration Wizard.
In the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.
On the Federation Server dialog, do the following, and then click Next:
In the Federation service name box, enter the fully qualified domain name (FQDN) of the federation service in the format of federation_service_farm_name.domain_name.com, such as fs.contoso.com.
To locate this value, open the AD FS Management console, click Service, in the Actions pane, click Edit Federation Service Properties, and then find the value in the Federation Service name text box.
In the User name and Password boxes, enter the credentials of a domain user account that is a local administrator on the AD FS servers.
On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select the certificate you imported above, which Web Application Proxy will use for AD FS proxy functionality, and then click Next.
On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.
On the Results dialog, verify that the configuration was successful, and then click Close.
To configure Web Application Proxy via Windows PowerShell
On the computer that you want to configure as the Web Application Proxy, open the Windows PowerShell command window and run the following command:
$fscred = Get-Credential
Enter the credentials for a domain user account (not the federation service account) that is a local administrator on the federation server. Enter the account name in the format of DOMAIN\username.
Run the following command:
dir Cert:\LocalMachine\My
This will display the certificate you imported earlier, with its thumbprint.
Run the following command:
Install-WebApplicationProxy -FederationServiceCredential $fscred -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_farm_name.domain_name.com>
Replace <certificate_thumbprint> with the value of the certificate thumbprint you obtained in the step above. <federation_service_farm_name.domain_name.com> can be fs.contoso.com, for example.
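A scripted form of the PowerShell configuration steps above, added here as an example (not code from the original page). It assumes the federation service name fs.contoso.com, selects the imported certificate by name instead of a pasted thumbprint, and checks that the federation server's firewall actually admits the proxy before calling Install-WebApplicationProxy.

```powershell
# Added example (not from the original page): scripted version of the PowerShell
# configuration steps above. Assumed federation service name: fs.contoso.com.
$fsName = 'fs.contoso.com'

# Select the imported certificate by name rather than pasting a thumbprint by hand,
# and require a private key and a validity period that covers today.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -eq "CN=$fsName" -or $_.DnsNameList.Unicode -contains $fsName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fsName in Cert:\LocalMachine\My" }
"Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# The federation server must accept TCP 80 and 443 from the proxy (the firewall rules above).
foreach ($port in 80, 443) {
    if (-not (Test-NetConnection -ComputerName $fsName -Port $port -InformationLevel Quiet)) {
        throw "Cannot reach $fsName on TCP $port; check the federation server's inbound firewall rules"
    }
}

# Domain account that is a local administrator on the AD FS servers, entered as DOMAIN\username.
# This is not the federation service account.
$fscred = Get-Credential -Message 'AD FS local administrator (DOMAIN\username)'
if ($fscred.UserName -notmatch '^[^\\]+\\[^\\]+$') { throw 'Enter the account as DOMAIN\username' }

Install-WebApplicationProxy -FederationServiceCredential $fscred `
    -CertificateThumbprint $cert.Thumbprint -FederationServiceName $fsName

# Confirm the resulting configuration (federation service URL, polling interval, and so on).
Get-WebApplicationProxyConfiguration | Format-List *
```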
Verify Web Application Proxy
The best way to verify the proxy is from another computer. On this other computer, try to browse to the federation metadata site, for example, if your federation service name is fs.contoso.com, try to browse to https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
Note
You may get a certificate error if you have not imported the root CA to this computer’s trusted root certificates store, but if you click through Continue to this web site (not recommended), you should see the metadata.
Next, try to browse to the IdP-initiated sign-in page, for example, https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htm.
The sign-in page should be displayed.
Note
You may get a certificate error if you have not imported the root CA to this computer’s trusted root certificates store, but if you click through Continue to this web site (not recommended), you should be able to sign in with domain\administrator credentials with no errors.
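The same two checks, run from another computer in PowerShell rather than a browser. This is an added example, not part of the original page; it assumes the federation service name fs.contoso.com. Instead of clicking through a certificate warning, it retrieves the certificate the proxy presents and reports why the chain is not trusted, then fetches the metadata and the sign-in page.

```powershell
# Added example (not from the original page): the two browser checks above, run from
# another computer in PowerShell. Assumed federation service name: fs.contoso.com.
$fsName = 'fs.contoso.com'
$metadataUrl = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"
$signInUrl   = "https://$fsName/adfs/ls/idpinitiatedsignon.htm"

function Get-ServerCertificate {
    # Retrieve the certificate the proxy presents on TCP 443. The handshake callback accepts
    # anything so the certificate can be inspected; trust is evaluated separately below.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# 1. Inspect the certificate and its chain instead of clicking through a browser warning.
$serverCert = Get-ServerCertificate -HostName $fsName
"Server certificate: $($serverCert.Subject), thumbprint $($serverCert.Thumbprint)"
if ($serverCert.DnsNameList.Unicode -notcontains $fsName) { Write-Warning "Certificate does not name $fsName" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($serverCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain not trusted on this computer ($status); import the root CA into Trusted Root Certification Authorities"
}

# 2. Federation metadata: well-formed XML whose entityID names this federation service.
try {
    [xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    $entityId = $md.EntityDescriptor.entityID
    if ($entityId -notlike "*$fsName*") { Write-Warning "Unexpected entityID in metadata: $entityId" }
    "Metadata OK: entityID $entityId"
} catch { Write-Warning "Metadata request failed: $($_.Exception.Message)" }

# 3. IdP-initiated sign-in page: expect HTTP 200 and an HTML form.
try {
    $resp = Invoke-WebRequest -Uri $signInUrl -UseBasicParsing
    if ($resp.StatusCode -eq 200 -and $resp.Content -match '<form') { "Sign-in page OK" }
    else { Write-Warning "Sign-in page returned HTTP $($resp.StatusCode) without a form" }
} catch { Write-Warning "Sign-in page request failed: $($_.Exception.Message)" }
```

If the chain check warns, fix trust by importing the root CA on the test computer; the metadata and sign-in requests will then succeed without any bypass.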