One of the new additions in Windows Server 2012 R2 is the Web Application Proxy (WAP) role service. If you deployed AD FS on Windows Server 2008 R2 with a federation server proxy, WAP takes over that job in 2012 R2. It is not a like-for-like replacement for the old AD FS proxy, though: WAP is a general reverse proxy that can also publish other internal web applications, with optional AD FS pre-authentication, so the same DMZ host can front more than AD FS.
Once AD FS is installed and working internally, you can install the first WAP server to publish it. The following prerequisites need to be in place before you begin:
- Server or virtual machine – ensure that the host meets the minimum requirements for Windows Server 2012 R2
- Firewall – the WAP server needs HTTPS (TCP 443) access to the AD FS federation server (or the farm's load-balanced address). If you choose to domain join the WAP server, it also needs access to domain controllers. A WAP server does not have to be domain joined, and keeping a DMZ host out of the forest limits what an attacker gains by compromising it.
- Name resolution – from the WAP host, the federation service name (e.g. fs.cohovines.com) must resolve to the internal AD FS server, not to the public address that will point at the WAP itself. Use a hosts file entry or split DNS.
- SSL certificate – install a certificate, with its private key, in the machine certificate store whose subject or SAN matches the federation service name (e.g. fs.cohovines.com), or a wildcard certificate for that domain. Typically this is the same service communications certificate the AD FS farm presents. Plan on a commercially issued certificate from a public certification authority such as DigiCert so that external clients and devices trust it without extra configuration.
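The prerequisites above can be checked from the prospective WAP host before anything is installed. The following is an added example, not code from the original article; fs.cohovines.com and 10.0.0.21 are assumed values for the federation service name and the internal AD FS server's address.

```powershell
# Added example, not code from the original article: pre-flight checks run on the
# prospective WAP host before installing the role. Assumed values: fs.cohovines.com
# is the federation service name and 10.0.0.21 is the internal AD FS server.
param(
    [string]$FederationServiceName = 'fs.cohovines.com',
    [string]$InternalAdfsAddress   = '10.0.0.21'
)

$checks = @()

# 1. Name resolution. From the WAP host the federation service name must resolve to the
#    internal AD FS server, not to the public address that will later point at the WAP
#    itself (hosts file entry or split DNS). GetHostAddresses honours the hosts file.
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($FederationServiceName) |
        ForEach-Object { $_.IPAddressToString })
} catch { $resolved = @() }
$checks += [pscustomobject]@{
    Check  = "$FederationServiceName resolves to internal AD FS"
    Passed = ($resolved -contains $InternalAdfsAddress)
    Detail = 'Resolved to: ' + ($resolved -join ', ')
}

# 2. Firewall path. WAP only needs HTTPS (TCP 443) to the federation server.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 `
    -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check  = 'TCP 443 reachable to AD FS'
    Passed = [bool]$tcp.TcpTestSucceeded
    Detail = "Remote address: $($tcp.RemoteAddress)"
}

# 3. Certificate. Need a cert with a private key in LocalMachine\My whose subject or
#    SAN matches the federation service name (a wildcard such as *.cohovines.com also
#    matches), and whose chain builds to a trusted root or external clients will refuse it.
$matching = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    @($_.DnsNameList | ForEach-Object { $_.Unicode } |
        Where-Object { $FederationServiceName -like $_ }).Count -gt 0
})
$trusted = @($matching | Where-Object { $_.Verify() })
$checks += [pscustomobject]@{
    Check  = 'Certificate for federation service name with private key'
    Passed = ($matching.Count -gt 0)
    Detail = 'Thumbprints: ' + (($matching | ForEach-Object { $_.Thumbprint }) -join ', ')
}
$checks += [pscustomobject]@{
    Check  = 'Matching certificate chains to a trusted root'
    Passed = ($trusted.Count -gt 0)
    Detail = 'Trusted: ' + (($trusted | ForEach-Object { $_.Subject }) -join ', ')
}

# 4. Informational only: a DMZ WAP does not have to be domain joined.
$cs = Get-CimInstance Win32_ComputerSystem
$checks += [pscustomobject]@{
    Check  = 'Domain joined (informational)'
    Passed = $true
    Detail = if ($cs.PartOfDomain) { "Member of $($cs.Domain)" } else { 'Workgroup host' }
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'Fix the failed checks before running the WAP configuration wizard.'
}
```

Run it from an elevated PowerShell session on the WAP host. The name resolution check is the one most often missed: if fs.cohovines.com already resolves to the WAP's own public address, the configuration wizard will try to establish trust with itself.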
Once you have all the prerequisite items in place, you can begin installing the first WAP server.
- Open Server Manager and click ‘Add roles and features’.
- During the Server Selection step of the Add Roles and Features Wizard, shown below, you can elect to install WAP on multiple servers if you have added them to a pool in Server Manager. If you will be installing a server farm, this is a handy time saving feature.
- On the next screen, Server Roles, select Remote Access as shown below.
- On the Remote Access Role Services screen, select Web Application Proxy as shown below.
- Complete the wizard to install the WAP service of the Remote Access role.
Once WAP is installed, you can use the Remote Access Management Console to configure WAP to publish AD FS.
- Launch the Remote Access Management Console. It is accessible from the Tools menu in Server Manager.
- Select Web Application Proxy on the left side of the window and then click Run the Web Application Proxy Configuration Wizard.
- Enter the FQDN of your AD FS federation service (e.g. fs.cohovines.com) and the credentials of a local administrator on the AD FS servers. This account is used once to establish the proxy trust with AD FS during configuration; it is not stored on the WAP server.
- Select the certificate from the machine store that WAP will present to external clients on TCP 443. Its subject or SAN must match the federation service name you entered.
Once the wizard completes, publish the WAP server through your firewall on TCP port 443 only; no other inbound port is needed to proxy AD FS. From a machine outside the network, confirm that https://fs.cohovines.com/FederationMetadata/2007-06/FederationMetadata.xml is served with the expected certificate. This completes the tasks necessary to publish AD FS externally with WAP.
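The role installation and configuration steps above can also be scripted, which is how you would build the second and later servers of a WAP farm consistently. The following is an added example, not code from the original article: it does the same work the wizards do from an elevated PowerShell session on the WAP host and then performs basic verification. It assumes fs.cohovines.com is the federation service name and that the prompted credential is a local administrator on the AD FS server.

```powershell
# Added example, not code from the original article: installs the WAP role service and
# configures it to publish AD FS, then verifies. Assumptions: fs.cohovines.com is the
# federation service name; the prompted credential is a local administrator on the
# AD FS server; the listener certificate is already in LocalMachine\My.
$FederationServiceName = 'fs.cohovines.com'

# Add Roles and Features > Remote Access > Web Application Proxy
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# Choose the listener certificate by name rather than a hard-coded thumbprint: a cert
# with a private key whose subject/SAN matches the federation service name (or a
# wildcard covering it), preferring the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        @($_.DnsNameList | ForEach-Object { $_.Unicode } |
            Where-Object { $FederationServiceName -like $_ }).Count -gt 0
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $FederationServiceName in LocalMachine\My"
}

# Used once to establish the proxy trust with AD FS; not stored on the WAP server.
$trustCred = Get-Credential -Message "Local administrator on the AD FS server for $FederationServiceName"

# Equivalent of the Web Application Proxy Configuration Wizard
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $trustCred

# Verification: both services running, configuration points at the federation
# service, and the proxy is listening on 443 before the firewall is opened.
Get-Service appproxysvc, adfssrv | Format-Table Name, Status -AutoSize
Get-WebApplicationProxyConfiguration | Format-List
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Selecting the certificate by DNS name rather than pasting a thumbprint keeps the script reusable across servers and across certificate renewals. Only after the three verification commands look right should TCP 443 be published through the firewall.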