How to Configure Web Application Proxy on Windows Server 2019
Web Application Proxy (WAP) is a reverse proxy role service in Remote Access on Windows Server 2019 that provides secure external access to applications hosted on internal servers. It acts as a pre-authentication gateway, validating user credentials via AD FS before forwarding requests to backend applications. WAP supports pass-through authentication for applications that handle their own authentication, and pre-authentication using AD FS for web applications and the AD FS endpoint itself. It replaces Microsoft Forefront Unified Access Gateway (UAG) in modern Windows deployments.
Prerequisites
WAP requires a functioning AD FS farm (or access to one). The WAP server should be placed in a DMZ (perimeter network) or semi-trusted network segment, separate from the internal AD FS servers, and it does not need to be domain-joined unless you plan to use Kerberos Constrained Delegation (see below). The WAP server needs an SSL certificate with a private key for its external name (e.g., remote.corp.example.com) and must be able to reach the AD FS federation service FQDN (e.g., fs.corp.example.com) on port 443. Because the WAP also answers for the federation service name externally, the same certificate must cover fs.corp.example.com, and DNS must resolve that name to the WAP's public address from the Internet and to the AD FS servers from the WAP (split DNS or a hosts-file entry on the WAP).
# On the WAP server - install the Remote Access role
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
# Verify
Get-WindowsFeature -Name Web-Application-Proxy
Configuring WAP to Connect to AD FS
Install-WebApplicationProxy establishes a proxy trust between the WAP server and the AD FS farm: it generates a self-signed proxy trust certificate on the WAP and registers it with AD FS using the credential you supply. The credential is used once for that registration and is not stored on the WAP. The trust certificate is renewed automatically; if the WAP loses the trust (for example after being offline for an extended period), re-run Install-WebApplicationProxy to re-establish it. Configure the trust as follows:
Import-Module WebApplicationProxy
# Get the SSL certificate for the WAP server's external name (newest one that has a private key)
$cert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -like "*remote.corp.example.com*" -and $_.HasPrivateKey } |
Sort-Object NotAfter -Descending | Select-Object -First 1
# Configure WAP to connect to AD FS
# The -FederationServiceTrustCredential is used once to register the proxy trust and must be
# a local administrator on the AD FS server (a domain account that holds that right is fine)
Install-WebApplicationProxy `
-FederationServiceName "fs.corp.example.com" `
-FederationServiceTrustCredential (Get-Credential "CORP\Administrator") `
-CertificateThumbprint $cert.Thumbprint
# Verify WAP configuration
Get-WebApplicationProxyConfiguration
Publishing Applications via WAP
Publish internal web applications to make them accessible externally. WAP supports two modes: Pass-Through (no pre-authentication) and AD FS Pre-Authentication (requires authentication via AD FS before accessing the app):
# Publish an application with AD FS pre-authentication (recommended for sensitive apps)
Add-WebApplicationProxyApplication `
-Name "Internal SharePoint" `
-ExternalUrl "https://sharepoint.remote.corp.example.com/" `
-BackendServerUrl "http://sharepoint.corp.example.com/" `
-ExternalCertificateThumbprint $cert.Thumbprint `
-ADFSRelyingPartyName "SharePoint" `
-ExternalPreAuthentication ADFS
# Publish an application with pass-through authentication
Add-WebApplicationProxyApplication `
-Name "Internal Web App" `
-ExternalUrl "https://webapp.remote.corp.example.com/" `
-BackendServerUrl "https://webapp.corp.example.com/" `
-ExternalCertificateThumbprint $cert.Thumbprint `
-ExternalPreAuthentication PassThrough
# The AD FS endpoints themselves (https://fs.corp.example.com/adfs/...) are proxied
# automatically once Install-WebApplicationProxy has established the proxy trust.
# Do not publish them with Add-WebApplicationProxyApplication: they are not listed by
# Get-WebApplicationProxyApplication, and external clients reach AD FS simply because
# fs.corp.example.com resolves to the WAP's public address.
# List all published applications
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreAuthentication
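The following audit script is an added example, not part of the original article or the WebApplicationProxy module. It runs on the WAP server and flags the publishing settings a reviewer would question: pass-through applications (the backend receives unauthenticated Internet traffic), backends reached over plain HTTP from the DMZ, external/backend path mismatches that force URL translation, and external certificates that are missing, lack a private key, or expire soon. The 30-day expiry threshold is an assumed default.

```powershell
# Added example: audit published applications on this WAP for weak settings.
# Run on the WAP server; the WebApplicationProxy module ships with the role.
Import-Module WebApplicationProxy

function Get-WapPublishingFindings {
    [CmdletBinding()]
    param(
        # Days before external-certificate expiry at which to warn (assumed threshold)
        [int]$CertWarnDays = 30
    )
    $now = Get-Date
    foreach ($app in Get-WebApplicationProxyApplication) {
        $findings = @()

        # 1. No pre-authentication: the backend must defend itself against anonymous traffic
        if ($app.ExternalPreauthentication -eq 'PassThrough') {
            $findings += 'PassThrough: backend must enforce its own authentication'
        }

        # 2. Plain-HTTP backend: DMZ-to-internal traffic (including cookies) is unencrypted
        if (([Uri]$app.BackendServerUrl).Scheme -ne 'https') {
            $findings += 'Backend is plain HTTP'
        }

        # 3. External and backend paths differ: WAP must rewrite URLs in headers, and
        #    absolute links emitted by the application may leak the internal path/host
        $ext = [Uri]$app.ExternalUrl
        $bk  = [Uri]$app.BackendServerUrl
        if ($ext.AbsolutePath -ne $bk.AbsolutePath) {
            $findings += "Path translation required ($($ext.AbsolutePath) -> $($bk.AbsolutePath))"
        }

        # 4. External certificate missing from the store, without a key, or expiring soon
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object Thumbprint -eq $app.ExternalCertificateThumbprint
        if (-not $cert) {
            $findings += 'External certificate not found in LocalMachine\My'
        } elseif (-not $cert.HasPrivateKey) {
            $findings += 'External certificate has no private key'
        } elseif ($cert.NotAfter -lt $now.AddDays($CertWarnDays)) {
            $findings += "External certificate expires $($cert.NotAfter.ToString('u'))"
        }

        [pscustomobject]@{
            Name     = $app.Name
            PreAuth  = $app.ExternalPreauthentication
            Backend  = $app.BackendServerUrl
            Findings = $findings
        }
    }
}

# Usage: show only applications with at least one finding
Get-WapPublishingFindings | Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Name, PreAuth, Backend, Findings
```

Run it after every publishing change; applied to the two applications published above it reports the SharePoint app's plain-HTTP backend and the web app's pass-through mode.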
Configuring Kerberos Constrained Delegation for WAP
For applications using Windows Integrated Authentication, configure Kerberos Constrained Delegation (KCD) so WAP can obtain Kerberos service tickets on behalf of authenticated users. This requires the WAP server to be domain-joined, and the list of SPNs it may delegate to is a blast-radius control: a compromised WAP can impersonate any user to every SPN on that list, so add only the published backends:
# On the domain controller, configure KCD for the WAP server's computer account
$wapComputer = Get-ADComputer -Identity "WAP01"
# Allow WAP to delegate to the SharePoint HTTP SPN
Set-ADObject $wapComputer -Add @{
"msDS-AllowedToDelegateTo" = @(
"http/sharepoint.corp.example.com",
"http/sharepoint"
)
}
# Enable protocol transition (S4U2Self) for WAP. It is required because users authenticated
# by AD FS never present Kerberos credentials to WAP; it lets the WAP computer account obtain
# a ticket for ANY user to the SPNs listed above, which is why that list must stay minimal.
Set-ADAccountControl -Identity "WAP01$" -TrustedToAuthForDelegation $true
# Back on the WAP server: configure the published application to use Windows Integrated
# Authentication with KCD (Set-WebApplicationProxyApplication identifies the application by ID)
$app = Get-WebApplicationProxyApplication -Name "Internal SharePoint"
Set-WebApplicationProxyApplication `
-ID $app.ID `
-BackendServerAuthenticationMode IntegratedWindowsAuthentication `
-BackendServerAuthenticationSPN "http/sharepoint.corp.example.com"
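The verification function below is an added example, not from the original article. Run from a domain-joined admin host with the ActiveDirectory RSAT module, it confirms the KCD state the steps above are meant to produce: protocol transition enabled, unconstrained delegation not enabled, each required SPN present in msDS-AllowedToDelegateTo and registered exactly once in the domain, and no delegation targets beyond the ones the published applications need. The computer name WAP01 and the SPNs are assumed from the earlier steps.

```powershell
# Added example: verify KCD configuration for the WAP computer account.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-WapKcd {
    param(
        [Parameter(Mandatory)][string]$WapComputerName,   # e.g. WAP01
        [Parameter(Mandatory)][string[]]$RequiredSpn      # e.g. http/sharepoint.corp.example.com
    )
    $wap = Get-ADComputer -Identity $WapComputerName `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation

    $results = @()

    # Protocol transition (S4U2Self) must be on: WAP never sees the user's Kerberos credentials
    $results += [pscustomobject]@{
        Check  = 'TrustedToAuthForDelegation (protocol transition)'
        Pass   = [bool]$wap.TrustedToAuthForDelegation
        Detail = $wap.TrustedToAuthForDelegation
    }

    # Unconstrained delegation on a DMZ host would let it impersonate users to any service
    $results += [pscustomobject]@{
        Check  = 'Unconstrained delegation disabled'
        Pass   = -not $wap.TrustedForDelegation
        Detail = $wap.TrustedForDelegation
    }

    $allowed = @($wap.'msDS-AllowedToDelegateTo')
    foreach ($spn in $RequiredSpn) {
        # The backend SPN must be an allowed delegation target
        $results += [pscustomobject]@{
            Check  = "Delegation allowed to $spn"
            Pass   = $allowed -contains $spn
            Detail = ($allowed -join ', ')
        }
        # Exactly one account may hold the SPN; duplicates break Kerberos ticket issuance
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        $results += [pscustomobject]@{
            Check  = "SPN $spn registered exactly once"
            Pass   = $holders.Count -eq 1
            Detail = ($holders.Name -join ', ')
        }
    }

    # Anything beyond the required backends widens the blast radius of a WAP compromise
    $extra = $allowed | Where-Object { $RequiredSpn -notcontains $_ }
    $results += [pscustomobject]@{
        Check  = 'No delegation targets beyond required'
        Pass   = -not $extra
        Detail = ($extra -join ', ')
    }

    $results
}

Test-WapKcd -WapComputerName 'WAP01' -RequiredSpn 'http/sharepoint.corp.example.com', 'http/sharepoint' |
    Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False is a configuration fault; the two most common in practice are the SPN being missing from the SharePoint application pool account and protocol transition not being enabled.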
Configuring WAP SSL Certificate
WAP uses the SSL certificate to terminate external HTTPS connections. Use a wildcard certificate or a certificate with multiple SANs so that a single certificate covers every published application's external URL and the federation service name (fs.corp.example.com), which the WAP also answers for. Note that WAP keeps two kinds of binding: one for the proxied AD FS endpoints, managed with the *-WebApplicationProxySslCertificate cmdlets, and one per published application, stored in that application's ExternalCertificateThumbprint:
# View the certificate bindings WAP uses for the proxied AD FS endpoints
Get-WebApplicationProxySslCertificate
# Update the federation-service binding (after importing the new certificate into LocalMachine\My)
$newCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -like "*remote.corp.example.com*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
Sort-Object NotAfter -Descending | Select-Object -First 1
Set-WebApplicationProxySslCertificate -Thumbprint $newCert.Thumbprint
# Each published application carries its own certificate binding; update them individually
$app = Get-WebApplicationProxyApplication -Name "Internal SharePoint"
Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $newCert.Thumbprint
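The rotation script below is an added example, not part of the original article or the WebApplicationProxy module. It updates the federation-service binding and every published application in one pass, but only after checking that the new certificate is in LocalMachine\My with a private key, is not itself about to expire, and actually covers each external hostname (exact SAN match or a single-label wildcard). It supports -WhatIf so the binding changes can be previewed first. The name-coverage check relies on the DnsNameList property PowerShell adds to X509Certificate2 objects; the thumbprint in the usage line is a placeholder.

```powershell
# Added example: rotate the WAP external certificate across all bindings, with checks.
# Run on the WAP server after importing the new certificate into Cert:\LocalMachine\My.
Import-Module WebApplicationProxy

function Test-CertCoversName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DnsName
    )
    # PowerShell exposes the SAN DNS names (and CN) as the DnsNameList extended property
    foreach ($n in @($Cert.DnsNameList.Unicode)) {
        if ($n -eq $DnsName) { return $true }
        # A wildcard covers exactly one label: *.example.com matches a.example.com, not a.b.example.com
        if ($n.StartsWith('*.') -and $DnsName -like $n -and
            $DnsName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Update-WapExternalCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NewThumbprint)

    $new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
    if (-not $new)               { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
    if (-not $new.HasPrivateKey) { throw 'New certificate has no private key' }
    if ($new.NotAfter -lt (Get-Date).AddDays(7)) { throw 'New certificate expires within 7 days' }

    # 1. Federation-service binding: the WAP answers for the AD FS hostname externally
    $fsHost = ([Uri](Get-WebApplicationProxyConfiguration).ADFSUrl).Host
    if (-not (Test-CertCoversName $new $fsHost)) { throw "Certificate does not cover $fsHost" }
    if ($PSCmdlet.ShouldProcess($fsHost, 'Set-WebApplicationProxySslCertificate')) {
        Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
    }

    # 2. Every published application; skip (and report) any the new certificate cannot serve
    foreach ($app in Get-WebApplicationProxyApplication) {
        if ($app.ExternalCertificateThumbprint -eq $NewThumbprint) { continue }
        $extHost = ([Uri]$app.ExternalUrl).Host
        if (-not (Test-CertCoversName $new $extHost)) {
            Write-Warning "Skipping '$($app.Name)': certificate does not cover $extHost"
            continue
        }
        if ($PSCmdlet.ShouldProcess($app.Name, 'Set-WebApplicationProxyApplication -ExternalCertificateThumbprint')) {
            Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $NewThumbprint
        }
    }
}

# Preview, then apply (thumbprint is a placeholder)
Update-WapExternalCertificate -NewThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -WhatIf
Update-WapExternalCertificate -NewThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Run it on every WAP node; the application bindings are stored in the AD FS configuration and replicate, but the certificate and its private key must be present in each node's local store before the binding can be served.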
Monitoring WAP Activity and Health
# Check WAP service status
Get-Service appproxysvc | Select-Object Name, Status, StartType
# View WAP configuration
Get-WebApplicationProxyConfiguration | Format-List
# View all published applications
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, ExternalPreAuthentication, BackendServerUrl -AutoSize
# View WAP activity log (admin events)
Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Admin" -MaxEvents 30 |
Select-Object TimeCreated, LevelDisplayName, Message
# View operational log (per-connection events)
Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Operational" -MaxEvents 50 |
Where-Object {$_.LevelDisplayName -ne "Information"} |
Select-Object TimeCreated, LevelDisplayName, Message
# Test connectivity from WAP to backend server (use the port of the BackendServerUrl;
# the SharePoint application above is published against http://, i.e. port 80)
Test-NetConnection -ComputerName "sharepoint.corp.example.com" -Port 80
# Test connectivity from WAP to AD FS
Test-NetConnection -ComputerName "fs.corp.example.com" -Port 443
# The /adfs/probe health endpoint is served over plain HTTP on port 80 (on AD FS and on WAP)
Invoke-WebRequest -Uri "http://fs.corp.example.com/adfs/probe" -UseBasicParsing
Configuring WAP High Availability
Deploy multiple WAP servers behind an external hardware or software load balancer for high availability. All WAP servers connect to the same AD FS farm and maintain the same published application configuration:
# Configure the second WAP server identically to the first
# Install the role and connect to the same AD FS farm
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
# $cert is local to each server: import the same certificate here and look it up again
$cert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -like "*remote.corp.example.com*" -and $_.HasPrivateKey } |
Sort-Object NotAfter -Descending | Select-Object -First 1
Install-WebApplicationProxy `
-FederationServiceName "fs.corp.example.com" `
-FederationServiceTrustCredential (Get-Credential "CORP\Administrator") `
-CertificateThumbprint $cert.Thumbprint
# Published applications are stored in the AD FS configuration database, so every WAP
# connected to the farm sees the same set (each node still needs the certificates locally)
# Verify on the second WAP server:
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl
# Health probe endpoint for load balancer (plain HTTP, port 80):
# GET http://wap02.dmz.example.com/adfs/probe
# Returns HTTP 200 if WAP is healthy
# Configure load balancer VIP to point to both WAP servers
# Set persistence based on client IP for session consistency
# Prefer a layer-4 configuration without SNAT: WAP forwards the client IP it sees to AD FS
# (x-ms-forwarded-client-ip) for auditing and extranet lockout, which is lost behind SNAT
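The health check below is an added example covering both the monitoring section and the HA section; it is not from the original article. From an operations host with WinRM access to every WAP node, it queries the /adfs/probe endpoint the load balancer uses, the service state, Critical/Error/Warning events in the Admin log over the last hour, and a SHA-256 fingerprint of each node's published-application set, so configuration drift between nodes shows up as a mismatch. Node names and the one-hour window are assumptions.

```powershell
# Added example: health and drift check across all WAP nodes (requires WinRM to each node).
function Get-WapNodeHealth {
    param(
        [Parameter(Mandatory)][string[]]$Node,   # e.g. 'wap01.dmz.example.com','wap02.dmz.example.com'
        [int]$ErrorWindowMinutes = 60
    )
    $snapshots = foreach ($n in $Node) {
        # /adfs/probe is served over plain HTTP on port 80; 200 means the proxy is serving
        try {
            $probe = (Invoke-WebRequest -Uri "http://$n/adfs/probe" -UseBasicParsing -TimeoutSec 5).StatusCode
        } catch { $probe = $_.Exception.Message }

        $remote = Invoke-Command -ComputerName $n -ArgumentList $ErrorWindowMinutes -ScriptBlock {
            param($mins)
            # Canonical, sorted description of every published app, hashed for comparison
            $apps = @(Get-WebApplicationProxyApplication | Sort-Object Name | ForEach-Object {
                "$($_.Name)|$($_.ExternalUrl)|$($_.BackendServerUrl)|$($_.ExternalPreauthentication)|$($_.ExternalCertificateThumbprint)"
            })
            $sha   = [System.Security.Cryptography.SHA256]::Create()
            $bytes = [System.Text.Encoding]::UTF8.GetBytes(($apps -join "`n"))
            $fp    = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''

            # Recent Critical (1), Error (2) and Warning (3) events from the WAP Admin log
            $recent = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-WebApplicationProxy/Admin'
                Level     = 1, 2, 3
                StartTime = (Get-Date).AddMinutes(-$mins)
            } -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                Service  = (Get-Service appproxysvc).Status.ToString()
                AppCount = $apps.Count
                ConfigFp = $fp.Substring(0, 12)
                Errors   = $recent.Count
                LastErr  = if ($recent.Count -gt 0) { ($recent[0].Message -split '\r?\n')[0] } else { '' }
            }
        }

        [pscustomobject]@{
            Node         = $n
            Probe        = $probe
            Service      = $remote.Service
            Apps         = $remote.AppCount
            ConfigFp     = $remote.ConfigFp
            RecentErrors = $remote.Errors
            LastError    = $remote.LastErr
        }
    }

    # All nodes read the same AD FS configuration, so differing fingerprints mean drift
    if (@($snapshots.ConfigFp | Select-Object -Unique).Count -gt 1) {
        Write-Warning 'Published-application set differs between WAP nodes'
    }
    $snapshots
}

Get-WapNodeHealth -Node 'wap01.dmz.example.com', 'wap02.dmz.example.com' | Format-Table -AutoSize
```

A node whose probe fails while the service is still Running usually has lost its proxy trust with AD FS; the Admin log events on that node say so, and re-running Install-WebApplicationProxy restores it.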
Removing a Published Application
# Remove a published application
Remove-WebApplicationProxyApplication -Name "Old Application" -Confirm:$false
# Disable WAP temporarily (stop service for maintenance)
Stop-Service appproxysvc
# Re-enable after maintenance
Start-Service appproxysvc
Web Application Proxy provides a secure and manageable way to publish internal applications externally without a third-party reverse proxy. Always use AD FS pre-authentication for sensitive applications so that only authenticated users reach backend servers. Combine WAP with AD FS access control policies (Windows Server 2016 and later) to enforce MFA, device registration requirements, or location-based access restrictions for users connecting from outside the corporate network. Maintain WAP certificates proactively: an expired certificate on the WAP server immediately prevents all external users from accessing published applications and from signing in through AD FS.