How to Configure Windows Server 2016 Web Application Proxy

Web Application Proxy (WAP) is a Remote Access role service in Windows Server 2016 that acts as a reverse proxy, enabling external users to securely access applications hosted inside the corporate network. WAP integrates tightly with Active Directory Federation Services (AD FS) to provide pre-authentication, ensuring that only authenticated and authorized users can reach published applications. Common use cases include publishing Exchange OWA, SharePoint, Remote Desktop Gateway, and custom web applications to the internet without placing them in a DMZ directly.

Prerequisites

Web Application Proxy requires an AD FS server already deployed and operational in your environment. The WAP server must be domain-joined and able to reach the AD FS server. You need a valid SSL certificate covering both the AD FS service name and any application hostnames you plan to publish. The WAP server typically resides in a perimeter network (DMZ) with inbound access from the internet and outbound access to the internal network.

Verify connectivity to your AD FS server before installation:

Test-NetConnection -ComputerName adfs.corp.local -Port 443
Resolve-DnsName adfs.corp.local
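The two commands above check one thing each. The script below, added here as an example and not part of the original article, folds the prerequisites into a single pre-flight function: domain membership, DNS and TCP 443 reachability to AD FS, and the presence of a certificate with a private key in LocalMachine\My that covers the AD FS service name and every hostname you intend to publish (including single-label wildcard matches) and is not about to expire. The host names are placeholders.

```powershell
# Added example, not from the original article: pre-flight checks for a
# Web Application Proxy server. Host names used when calling it are placeholders.
function Test-NameCovered {
    # Returns $true when $HostName is matched by one of the certificate's DNS names,
    # including a wildcard such as *.yourdomain.com (one label only, as browsers do).
    param([string] $HostName, [string[]] $CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

function Test-WapPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. adfs.corp.local
        [string[]] $ExternalHostNames = @(),                       # hostnames you intend to publish
        [int]      $MinCertDaysRemaining = 30
    )
    $checks = @()

    # 1. WAP must be domain-joined to establish the trust with AD FS.
    $cs = Get-CimInstance Win32_ComputerSystem
    $checks += [pscustomobject]@{ Check = 'Domain joined'; Passed = [bool]$cs.PartOfDomain; Detail = $cs.Domain }

    # 2. Name resolution and TCP 443 reachability to the federation service.
    $resolved = Resolve-DnsName $FederationServiceName -ErrorAction SilentlyContinue
    $addresses = ($resolved | Where-Object IPAddress | ForEach-Object IPAddress) -join ', '
    $checks += [pscustomobject]@{ Check = 'AD FS DNS'; Passed = [bool]$resolved; Detail = $addresses }
    $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
    $checks += [pscustomobject]@{ Check = 'AD FS TCP 443'; Passed = $tcp.TcpTestSucceeded; Detail = $tcp.RemoteAddress }

    # 3. One certificate with a private key must cover the AD FS name and all planned external names.
    $required = @($FederationServiceName) + $ExternalHostNames
    $cutoff   = (Get-Date).AddDays($MinCertDaysRemaining)
    $cert = $null
    foreach ($candidate in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $cutoff }) {
        $names     = @($candidate.DnsNameList | ForEach-Object { $_.Unicode })
        $uncovered = @($required | Where-Object { -not (Test-NameCovered -HostName $_ -CertNames $names) })
        if ($uncovered.Count -eq 0) { $cert = $candidate; break }
    }
    $detail = if ($cert) { "$($cert.Thumbprint) expires $($cert.NotAfter.ToShortDateString())" }
              else       { "no certificate with private key covers: $($required -join ', ')" }
    $checks += [pscustomobject]@{ Check = 'SSL certificate'; Passed = [bool]$cert; Detail = $detail }

    return $checks
}

Test-WapPrerequisites -FederationServiceName 'adfs.corp.local' `
    -ExternalHostNames 'webapp.yourdomain.com', 'intranet.yourdomain.com' | Format-Table -AutoSize
```

A row with Passed = False in the certificate check is the most common reason the later Install-WebApplicationProxy and Add-WebApplicationProxyApplication steps fail, so resolve it before continuing.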

Step 1: Install the Web Application Proxy Role Service

Install the Web Application Proxy role service from the Remote Access role:

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

Confirm installation completed successfully:

Get-WindowsFeature Web-Application-Proxy | Select Name, InstallState

Step 2: Install the AD FS SSL Certificate on WAP

The WAP server needs the AD FS SSL certificate in its local certificate store. Import the certificate including its private key (PFX format):

$pfxPassword = ConvertTo-SecureString -String "YourPfxPassword" -Force -AsPlainText
Import-PfxCertificate -FilePath "C:\certs\adfs-cert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

Verify the certificate was imported and note its thumbprint:

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*adfs*" } | Select Subject, Thumbprint, NotAfter

Step 3: Configure Web Application Proxy

Configure WAP with the Install-WebApplicationProxy cmdlet, the PowerShell equivalent of the post-installation configuration wizard. You need the AD FS service name, the certificate thumbprint, and credentials for an AD FS administrator account:

$certThumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
$adfsCredential = Get-Credential -Message "Enter AD FS administrator credentials"

Install-WebApplicationProxy -CertificateThumbprint $certThumbprint `
    -FederationServiceName "adfs.yourdomain.com" `
    -FederationServiceTrustCredential $adfsCredential

This command establishes trust between WAP and AD FS and configures the proxy to forward authentication requests.

Step 4: Publish an Application with AD FS Pre-Authentication

Publish an internal web application through WAP with AD FS pre-authentication. This requires users to authenticate with AD FS before WAP forwards the request to the backend server:

Add-WebApplicationProxyApplication `
    -BackendServerUrl "https://webapp.corp.local/" `
    -ExternalCertificateThumbprint $certThumbprint `
    -ExternalUrl "https://webapp.yourdomain.com/" `
    -Name "Internal Web App" `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName "WebApp-RP"

Step 5: Publish an Application with Pass-Through Authentication

For applications that handle their own authentication (such as applications with Integrated Windows Authentication), use pass-through pre-authentication:

Add-WebApplicationProxyApplication `
    -BackendServerUrl "https://intranet.corp.local/" `
    -ExternalCertificateThumbprint $certThumbprint `
    -ExternalUrl "https://intranet.yourdomain.com/" `
    -Name "Intranet Portal" `
    -ExternalPreAuthentication PassThrough

Step 6: Publish Remote Desktop Gateway

Publishing an RD Gateway through WAP is a common scenario. In this example the gateway is published with pass-through pre-authentication, the backend and external URLs both point at the /RDWeb/ path, and URL translation in request and response headers is left enabled so that RD Web Access links are rewritten to the external name:

Add-WebApplicationProxyApplication `
    -BackendServerUrl "https://rdgw.corp.local/RDWeb/" `
    -ExternalCertificateThumbprint $certThumbprint `
    -ExternalUrl "https://rdweb.yourdomain.com/RDWeb/" `
    -Name "RD Web Access" `
    -ExternalPreAuthentication PassThrough `
    -DisableTranslateUrlInRequestHeaders:$false `
    -DisableTranslateUrlInResponseHeaders:$false
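Steps 4 to 6 each publish one application with a separate cmdlet call. The script below is an added example, not code from the original article: it publishes the same three applications from a declared list, skips any whose backend is not HTTPS or whose AD FS pre-authentication lacks a relying party name, and is safe to re-run because it updates existing applications in place instead of creating duplicates. The names, URLs and relying-party name are the placeholders from the steps above; $certThumbprint is the variable set in Step 3.

```powershell
# Added example, not from the original article: publish a declared list of
# applications idempotently. Names, URLs and the relying-party name are placeholders.
$wapApps = @(
    @{ Name = 'Internal Web App'; ExternalUrl = 'https://webapp.yourdomain.com/'
       BackendServerUrl = 'https://webapp.corp.local/'; PreAuth = 'ADFS'; RelyingParty = 'WebApp-RP' }
    @{ Name = 'Intranet Portal';  ExternalUrl = 'https://intranet.yourdomain.com/'
       BackendServerUrl = 'https://intranet.corp.local/'; PreAuth = 'PassThrough' }
    @{ Name = 'RD Web Access';    ExternalUrl = 'https://rdweb.yourdomain.com/RDWeb/'
       BackendServerUrl = 'https://rdgw.corp.local/RDWeb/'; PreAuth = 'PassThrough' }
)

function Publish-WapApplications {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Applications,
        [Parameter(Mandatory)] [string]      $CertificateThumbprint
    )
    $existing = @{}
    foreach ($a in Get-WebApplicationProxyApplication) { $existing[$a.Name] = $a }

    foreach ($app in $Applications) {
        # Guard rails: the DMZ-to-backend hop must be TLS, and AD FS pre-auth needs a relying party.
        if ($app.BackendServerUrl -notmatch '^https://') {
            Write-Warning "$($app.Name): backend is not HTTPS, skipping"; continue
        }
        if ($app.PreAuth -eq 'ADFS' -and -not $app.RelyingParty) {
            Write-Warning "$($app.Name): ADFS pre-auth requires RelyingParty, skipping"; continue
        }

        if ($existing.ContainsKey($app.Name)) {
            $current = $existing[$app.Name]
            if ($current.ExternalPreAuthentication -ne $app.PreAuth) {
                # The pre-auth type is reported, not changed in place; remove and re-add deliberately.
                Write-Warning "$($app.Name): pre-auth is $($current.ExternalPreAuthentication), declared $($app.PreAuth); not changed"
            }
            if ($current.ExternalUrl -ne $app.ExternalUrl -or $current.BackendServerUrl -ne $app.BackendServerUrl) {
                Set-WebApplicationProxyApplication -ID $current.ID -ExternalUrl $app.ExternalUrl -BackendServerUrl $app.BackendServerUrl
                [pscustomobject]@{ Name = $app.Name; Action = 'Updated' }
            } else {
                [pscustomobject]@{ Name = $app.Name; Action = 'Unchanged' }
            }
            continue
        }

        $params = @{
            Name                          = $app.Name
            ExternalUrl                   = $app.ExternalUrl
            BackendServerUrl              = $app.BackendServerUrl
            ExternalCertificateThumbprint = $CertificateThumbprint
            ExternalPreAuthentication     = $app.PreAuth
        }
        if ($app.PreAuth -eq 'ADFS') { $params.ADFSRelyingPartyName = $app.RelyingParty }
        Add-WebApplicationProxyApplication @params
        [pscustomobject]@{ Name = $app.Name; Action = 'Published' }
    }
}

Publish-WapApplications -Applications $wapApps -CertificateThumbprint $certThumbprint | Format-Table -AutoSize
```

Keeping the list in version control gives you a reviewable record of what the proxy exposes; the warning on a changed pre-authentication type is deliberate, since silently downgrading an application from ADFS to PassThrough would remove the pre-authentication that Step 4 relies on.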

Step 7: Configure Windows Firewall on WAP

The WAP server in the DMZ needs inbound rules for HTTPS and HTTP, and outbound rules to reach internal servers and AD FS:

New-NetFirewallRule -DisplayName "WAP HTTPS Inbound" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName "WAP HTTP Inbound" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "WAP to ADFS" -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow
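The outbound rule above allows TCP 443 to any destination. The function below, an added example rather than code from the original article, creates the same set of rules with the outbound rules scoped to the AD FS and backend addresses, opens port 80 only when asked to, and skips rules that already exist. The IP addresses are placeholders.

```powershell
# Added example, not from the original article: the same allow rules, with the
# outbound rules scoped to the AD FS and backend addresses. Addresses are placeholders.
function New-WapScopedFirewallRules {
    param(
        [Parameter(Mandatory)] [string[]] $AdfsAddresses,      # e.g. 10.0.10.5
        [Parameter(Mandatory)] [string[]] $BackendAddresses,   # e.g. 10.0.20.10 or 10.0.20.0/24
        [switch] $AllowHttpRedirect                            # port 80 only if HTTP-to-HTTPS redirect is used
    )
    $rules = New-Object System.Collections.Generic.List[hashtable]
    $rules.Add(@{ DisplayName = 'WAP HTTPS Inbound';        Direction = 'Inbound';  LocalPort  = 443 })
    $rules.Add(@{ DisplayName = 'WAP to ADFS (scoped)';     Direction = 'Outbound'; RemotePort = 443; RemoteAddress = $AdfsAddresses })
    $rules.Add(@{ DisplayName = 'WAP to backends (scoped)'; Direction = 'Outbound'; RemotePort = 443; RemoteAddress = $BackendAddresses })
    if ($AllowHttpRedirect) {
        $rules.Add(@{ DisplayName = 'WAP HTTP Inbound'; Direction = 'Inbound'; LocalPort = 80 })
    }
    foreach ($rule in $rules) {
        # Idempotent: a rule that already exists under the same display name is left alone.
        if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule @rule -Protocol TCP -Action Allow
    }
}

New-WapScopedFirewallRules -AdfsAddresses '10.0.10.5' -BackendAddresses '10.0.20.10', '10.0.20.11'
```

Outbound allow rules only restrict anything when the profile's default outbound action is Block (Set-NetFirewallProfile -DefaultOutboundAction Block); if you switch to that, the domain-joined WAP server also needs outbound rules for its domain controllers and DNS, which this example does not create.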

Step 8: Manage and Monitor Published Applications

List all currently published applications and their status:

Get-WebApplicationProxyApplication | Select Name, ExternalUrl, BackendServerUrl, ExternalPreAuthentication, IsEnabled

Update an existing published application’s settings:

Set-WebApplicationProxyApplication -ID (Get-WebApplicationProxyApplication -Name "Internal Web App").ID `
    -BackendServerUrl "https://webapp2.corp.local/"

Check the WAP service health and configuration:

Get-WebApplicationProxyHealth
Get-WebApplicationProxyConfiguration

Troubleshooting

Review WAP and AD FS proxy event logs for connection issues:

Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 20 | Select TimeCreated, LevelDisplayName, Message
Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Admin" -MaxEvents 20 | Select TimeCreated, LevelDisplayName, Message
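Steps 8 and the troubleshooting commands above are point-in-time queries. The function below, an added example and not code from the original article, turns them into a repeatable audit: it flags published applications that use pass-through (no AD FS pre-authentication), plaintext or unvalidated backends, and missing or soon-to-expire external certificates, then summarises the Critical and Error events from both channels over the last day. The BackendServerCertificateValidation property and the severity thresholds are assumptions of this example.

```powershell
# Added example, not from the original article: a periodic audit of what this WAP
# server exposes and the errors it has logged. Thresholds are arbitrary defaults.
function New-WapFinding([string] $Severity, [string] $App, [string] $Finding) {
    [pscustomobject]@{ Severity = $Severity; App = $App; Finding = $Finding }
}

function Get-WapSecurityAudit {
    param([int] $CertWarningDays = 30, [int] $EventHours = 24)
    $findings = @()
    $certs    = @(Get-ChildItem Cert:\LocalMachine\My)

    foreach ($app in Get-WebApplicationProxyApplication) {
        # Pass-through applications rely entirely on the backend for authentication.
        if ($app.ExternalPreAuthentication -eq 'PassThrough') {
            $findings += New-WapFinding 'Info' $app.Name 'Pass-through: no AD FS pre-authentication in front of this backend'
        }
        # The WAP-to-backend hop crosses the DMZ boundary; it should be TLS with certificate validation.
        if ($app.BackendServerUrl -notmatch '^https://') {
            $findings += New-WapFinding 'High' $app.Name "Backend is plaintext HTTP: $($app.BackendServerUrl)"
        } elseif ($app.BackendServerCertificateValidation -eq 'None') {   # assumed property name
            $findings += New-WapFinding 'Medium' $app.Name 'Backend certificate validation disabled'
        }
        $cert = $certs | Where-Object Thumbprint -eq $app.ExternalCertificateThumbprint
        if (-not $cert) {
            $findings += New-WapFinding 'High' $app.Name "External certificate $($app.ExternalCertificateThumbprint) not in LocalMachine\My"
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays($CertWarningDays)) {
            $findings += New-WapFinding 'Medium' $app.Name "External certificate expires $($cert.NotAfter.ToShortDateString())"
        }
    }

    # Critical (1) and Error (2) events from both channels, grouped by log and event ID.
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WebApplicationProxy/Admin', 'AD FS/Admin'
        Level     = 1, 2
        StartTime = (Get-Date).AddHours(-$EventHours)
    } -ErrorAction SilentlyContinue |
        Group-Object LogName, Id |
        ForEach-Object {
            [pscustomobject]@{
                Log     = $_.Group[0].LogName
                EventId = $_.Group[0].Id
                Count   = $_.Count
                Sample  = "$($_.Group[0].Message)".Split("`n")[0]
            }
        }

    [pscustomobject]@{ Findings = $findings; RecentErrors = $errors; Health = Get-WebApplicationProxyHealth }
}

$audit = Get-WapSecurityAudit
$audit.Findings | Sort-Object { @{ High = 0; Medium = 1; Info = 2 }[$_.Severity] } | Format-Table -AutoSize
$audit.RecentErrors | Format-Table -AutoSize
```

Running this on a schedule and diffing the Findings output against the previous run surfaces an application that was re-published without pre-authentication, or a certificate that was rolled on AD FS but not on the proxy, before users notice.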

Web Application Proxy provides a secure, scalable, and centrally managed way to publish internal applications to external users. By combining WAP with AD FS pre-authentication, organizations gain fine-grained access control and single sign-on for all published applications, reducing attack surface compared to traditional DMZ-based publishing methods.