How to Set Up Web Application Proxy on Windows Server 2012 R2
Web Application Proxy (WAP) is a reverse proxy service introduced in Windows Server 2012 R2 that enables external users to access web applications hosted on internal servers. WAP is part of the Remote Access role and provides pre-authentication using Active Directory Federation Services (AD FS) before forwarding requests to internal applications, adding an authentication layer in front of your web infrastructure. WAP supports two publishing modes: pass-through (no pre-authentication) and AD FS pre-authentication for federated identity. It is commonly used to publish Outlook Web Access, SharePoint, custom web applications, and the AD FS sign-in portal to external users.
Prerequisites
Web Application Proxy requires a separate server in the perimeter network (DMZ) with two NICs: one facing the internet (external) and one facing the internal network. For AD FS pre-authentication, you need a working AD FS deployment (see Post 41). The WAP server must have network connectivity to the AD FS federation server on port 443. An SSL certificate for each published application is required — typically a wildcard certificate or multi-SAN certificate. DNS records must be configured so external users can resolve published application names. The WAP server should NOT be domain-joined for security reasons (it sits in the DMZ).
Installing the Web Application Proxy Role
Install the WAP role on the perimeter server. Even though WAP is part of Remote Access, you only install the Web Application Proxy component:
# Install Web Application Proxy role (on the perimeter/DMZ server)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# Verify installation
Get-WindowsFeature Web-Application-Proxy
Preparing the SSL Certificate
The WAP server requires an SSL certificate. For multiple published applications, a wildcard certificate (*.contoso.com) or a multi-SAN certificate is most practical:
# Import the SSL certificate if obtained externally
# The PFX must be imported to the Local Computer Personal store
# (placeholder password shown; in practice prompt with Read-Host -AsSecureString)
$CertPassword = ConvertTo-SecureString "CertPassword123!" -AsPlainText -Force
Import-PfxCertificate -FilePath "C:\Certs\wildcard-contoso.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $CertPassword
# Get the thumbprint of the imported certificate
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {$_.Subject -like "*contoso.com*"} |
    Select-Object Subject, Thumbprint
Configuring Web Application Proxy with AD FS Integration
The WAP server must be configured with a reference to the AD FS federation server. This establishes trust between WAP and AD FS for pre-authentication:
# Configure WAP to use AD FS for pre-authentication
# -CertificateThumbprint is the certificate WAP presents for the federation
# service name (sts.contoso.com); the wildcard certificate imported above
# covers it. Replace with your own thumbprint.
$WAPCertThumbprint = "B2C3D4E5F6789012345678901234567890ABCDE1"
# Credentials used once to establish the trust with AD FS: the AD FS service
# account or a Domain Admin account (it must be a local administrator on the
# AD FS server). Passing them explicitly avoids the interactive prompt.
$ADFSTrustCred = Get-Credential -Message "AD FS trust credentials"
# Install WAP with AD FS integration
Install-WebApplicationProxy `
    -CertificateThumbprint $WAPCertThumbprint `
    -FederationServiceName "sts.contoso.com" `
    -FederationServiceTrustCredential $ADFSTrustCred
On Windows Server 2012 R2 the AD FS trust above is required even if you only intend to publish applications in pass-through mode at first. Once the installation completes, verify that WAP is configured and can enumerate published applications:
# Verify WAP is installed and configured
Get-WebApplicationProxyApplication
Publishing a Web Application with Pass-Through Authentication
Pass-through mode publishes an internal application without pre-authentication. The application handles authentication itself:
# Publish an internal intranet site with pass-through authentication
# (-ExternalPreauthentication is the parameter that selects the mode)
Add-WebApplicationProxyApplication `
    -Name "Intranet Portal" `
    -ExternalUrl "https://portal.contoso.com/" `
    -ExternalCertificateThumbprint $WAPCertThumbprint `
    -BackendServerUrl "http://intranet.contoso.local/" `
    -ExternalPreauthentication PassThrough
# Publish Outlook Web Access (Exchange) with pass-through
# Translation of internal host names in response headers (e.g. Location) to
# the external name is on by default; -DisableTranslateUrlInResponseHeaders is
# a switch, so it is negated with the ':' syntax rather than a positional $false
Add-WebApplicationProxyApplication `
    -Name "Outlook Web Access" `
    -ExternalUrl "https://mail.contoso.com/owa/" `
    -ExternalCertificateThumbprint $WAPCertThumbprint `
    -BackendServerUrl "https://exchangeserver.contoso.local/owa/" `
    -ExternalPreauthentication PassThrough `
    -DisableTranslateUrlInResponseHeaders:$false
Publishing a Web Application with AD FS Pre-Authentication
AD FS pre-authentication requires users to authenticate to the AD FS portal before being forwarded to the internal application. This is the more secure option:
# Pre-requisite: Create a Relying Party Trust in AD FS for the application
# Then publish the application in WAP with AD FS pre-authentication.
# -BackendServerAuthenticationSpn names the SPN WAP requests a Kerberos ticket
# for on the user's behalf (constrained delegation is set up in the next section)
Add-WebApplicationProxyApplication `
    -Name "SharePoint Portal" `
    -ExternalUrl "https://sharepoint.contoso.com/" `
    -ExternalCertificateThumbprint $WAPCertThumbprint `
    -BackendServerUrl "http://sharepoint.contoso.local/" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "SharePoint" `
    -BackendServerAuthenticationSpn "HTTP/sharepoint.contoso.local"
# Publishing the AD FS sign-in portal itself (so external users can access it).
# Note: after Install-WebApplicationProxy, WAP already proxies the federation
# service name (sts.contoso.com) as the AD FS proxy, so most deployments do not
# need this explicit entry.
Add-WebApplicationProxyApplication `
    -Name "AD FS Sign-In" `
    -ExternalUrl "https://sts.contoso.com/adfs/" `
    -ExternalCertificateThumbprint $WAPCertThumbprint `
    -BackendServerUrl "https://adfssrv.contoso.local/adfs/" `
    -ExternalPreauthentication PassThrough
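A check worth running before each Add-WebApplicationProxyApplication call is whether the external certificate actually covers the ExternalUrl host; a mismatch only shows up as browser certificate errors after publishing. The following is an added example, not code from the original post: it validates certificate coverage (including the one-label limit of wildcard names) and then publishes the post's applications from a single table. It assumes $WAPCertThumbprint from above and the post's host names and relying-party name; the $apps table itself is constructed here.

```powershell
# Added example: verify certificate coverage, then publish from one table
Import-Module WebApplicationProxy

function Test-CertificateCoversHost {
    param([string]$Thumbprint, [string]$HostName)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    # DnsNameList (added by the certificate provider) merges the subject CN
    # and every DNS entry of the Subject Alternative Name extension
    $target = $HostName.ToLowerInvariant()
    foreach ($entry in $cert.DnsNameList) {
        $name = $entry.Unicode.ToLowerInvariant()
        if ($name -eq $target) { return $true }
        # A wildcard matches exactly one label: *.contoso.com covers
        # mail.contoso.com but not owa.mail.contoso.com or contoso.com
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)            # ".contoso.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed table of the applications the post publishes; every key is a
# real Add-WebApplicationProxyApplication parameter so the entry can be splatted
$apps = @(
    @{ Name = 'Intranet Portal'; ExternalUrl = 'https://portal.contoso.com/'
       BackendServerUrl = 'http://intranet.contoso.local/'; ExternalPreauthentication = 'PassThrough' },
    @{ Name = 'SharePoint Portal'; ExternalUrl = 'https://sharepoint.contoso.com/'
       BackendServerUrl = 'http://sharepoint.contoso.local/'; ExternalPreauthentication = 'ADFS'
       ADFSRelyingPartyName = 'SharePoint'; BackendServerAuthenticationSpn = 'HTTP/sharepoint.contoso.local' }
)
$published = @(Get-WebApplicationProxyApplication | Select-Object -ExpandProperty Name)

foreach ($app in $apps) {
    $hostName = ([uri]$app.ExternalUrl).Host
    if (-not (Test-CertificateCoversHost -Thumbprint $WAPCertThumbprint -HostName $hostName)) {
        Write-Warning "$($app.Name): certificate $WAPCertThumbprint does not cover $hostName; skipped"
        continue
    }
    if ($published -contains $app.Name) { Write-Host "$($app.Name) is already published"; continue }
    Add-WebApplicationProxyApplication @app -ExternalCertificateThumbprint $WAPCertThumbprint
}
```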
Configuring Kerberos Constrained Delegation for Backend Authentication
When WAP pre-authenticates users via AD FS and the backend expects Integrated Windows Authentication, WAP holds an AD FS token for the user, not a Kerberos ticket, so it must obtain a service ticket on the user's behalf to present to the backend application. This requires Kerberos Constrained Delegation (KCD) with protocol transition configured in Active Directory for the WAP server's computer account, which means the WAP server must be domain-joined for this scenario:
# On a domain controller (or any machine with the AD PowerShell module),
# configure KCD for the WAP server's computer account so it can delegate to
# the SharePoint service
Import-Module ActiveDirectory
# Get the WAP computer account
$WAPComputer = Get-ADComputer -Identity "WAP-Server"
# SPN of the backend SharePoint service. It must already be registered on the
# SharePoint application pool account and must match the
# -BackendServerAuthenticationSpn used when the application was published
$BackendSPN = "HTTP/sharepoint.contoso.local"
# Configure KCD - allow WAP to delegate to the SharePoint service
Set-ADComputer -Identity $WAPComputer `
    -Add @{'msDS-AllowedToDelegateTo' = $BackendSPN}
# Enable "Use any authentication protocol" (protocol transition).
# Set-ADAccountControl flips only the TRUSTED_TO_AUTH_FOR_DELEGATION flag
# (0x1000000) instead of overwriting the whole userAccountControl value,
# which would silently clear every other flag on the account
Set-ADAccountControl -Identity $WAPComputer -TrustedToAuthForDelegation $true
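KCD failures usually surface only as generic HTTP 401/500 responses at the proxy, so it pays to read the delegation settings back and check the two conditions the KDC enforces: the target SPN must be in the allowed list with protocol transition enabled, and that SPN must be registered to exactly one account. The following is an added example, not code from the original post; it assumes the post's computer name "WAP-Server" and the SharePoint SPN, and runs anywhere the ActiveDirectory module is installed.

```powershell
# Added example: verify the KCD configuration from the previous step
Import-Module ActiveDirectory

function Test-WapDelegation {
    param([string]$WapComputerName = 'WAP-Server',
          [string]$TargetSpn = 'HTTP/sharepoint.contoso.local')
    $wap = Get-ADComputer -Identity $WapComputerName `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $findings = @()
    # 1. The target SPN must be in the allowed-to-delegate list
    #    (-notcontains compares strings case-insensitively, like the KDC)
    $allowed = @($wap.'msDS-AllowedToDelegateTo')
    if ($allowed -notcontains $TargetSpn) {
        $findings += "msDS-AllowedToDelegateTo lacks $TargetSpn (has: $($allowed -join ', '))"
    }
    # 2. Protocol transition must be on: WAP has an AD FS token, not a Kerberos ticket
    if (-not $wap.TrustedToAuthForDelegation) {
        $findings += 'TrustedToAuthForDelegation is not set; protocol transition will fail'
    }
    # 3. The SPN must be registered to exactly one account; a missing or
    #    duplicated SPN makes the KDC refuse the delegated service ticket
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
    if ($owners.Count -eq 0) { $findings += "$TargetSpn is not registered on any account" }
    elseif ($owners.Count -gt 1) { $findings += "$TargetSpn is duplicated on: $($owners.Name -join ', ')" }
    [pscustomobject]@{
        Computer  = $wap.Name
        TargetSpn = $TargetSpn
        SpnOwner  = $owners.Name
        Findings  = $findings
        Ok        = ($findings.Count -eq 0)
    }
}

Test-WapDelegation | Format-List
```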
Configuring Windows Firewall for WAP
Configure Windows Firewall on the WAP server to allow only required inbound connections:
# Allow HTTPS inbound from internet
New-NetFirewallRule -DisplayName "WAP HTTPS Inbound" -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow
# Allow HTTP inbound (for redirect to HTTPS)
New-NetFirewallRule -DisplayName "WAP HTTP Inbound" -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Action Allow
# The outbound rules below only restrict traffic if the profile's default
# outbound action has been set to Block (Set-NetFirewallProfile); the default
# is Allow, in which case they are merely documentation
# Allow outbound to AD FS on 443
New-NetFirewallRule -DisplayName "WAP to ADFS" -Direction Outbound `
    -Protocol TCP -RemotePort 443 `
    -RemoteAddress "192.168.1.100" -Action Allow # ADFS server IP
# Allow outbound to backend web servers
New-NetFirewallRule -DisplayName "WAP to Backend Servers" -Direction Outbound `
    -Protocol TCP -RemotePort @(80,443) `
    -RemoteAddress "192.168.10.0/24" -Action Allow
Managing Published Applications
Use PowerShell to manage the lifecycle of published applications:
# List all published applications with details
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
    Format-Table -AutoSize
# Update a published application's backend URL
Set-WebApplicationProxyApplication -Name "Intranet Portal" `
    -BackendServerUrl "http://newserver.contoso.local/"
# Take a published application offline. Set-WebApplicationProxyApplication has
# no enable/disable switch on 2012 R2, so removing the application is how you
# stop WAP from serving it (re-run Add-WebApplicationProxyApplication to restore)
Remove-WebApplicationProxyApplication -Name "OldApp"
Monitoring and Troubleshooting
# View WAP event logs (Level 3 and below = Warning, Error, Critical)
Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Admin" -MaxEvents 30 |
    Where-Object {$_.Level -le 3} |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
# View WAP operational events
Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List
# Check connectivity from WAP to the ADFS backend. On the WAP server the
# federation service name must resolve to the internal AD FS server (hosts
# file or split DNS), not to WAP's own external address
Test-NetConnection -ComputerName sts.contoso.com -Port 443
# Verify WAP trust with ADFS
Get-WebApplicationProxyHealth
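The checks above cover the AD FS side; the other half of most WAP incidents is a backend that WAP can no longer reach, or a recurring error that a single -MaxEvents listing hides. The following is an added example, not code from the original post: it tests TCP reachability of every published backend and summarizes the last 24 hours of Critical/Error events in the WAP Admin log by event ID. It assumes it runs on the WAP server itself and uses the log name shown above.

```powershell
# Added example: per-application backend reachability and error summary
Import-Module WebApplicationProxy

function Test-WapBackends {
    Get-WebApplicationProxyApplication | ForEach-Object {
        $backend = [uri]$_.BackendServerUrl     # .Port falls back to 80/443 for http/https
        $tcp = Test-NetConnection -ComputerName $backend.Host -Port $backend.Port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            PreAuth   = $_.ExternalPreauthentication
            Backend   = "$($backend.Host):$($backend.Port)"
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

function Get-WapErrorSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-WebApplicationProxy/Admin'
        Level     = 1, 2                       # Critical and Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = [int]$_.Name
                Count    = $_.Count
                LastSeen = $latest.TimeCreated
                Sample   = ($latest.Message -split "`r?`n")[0]   # first line of the message
            }
        }
}

Test-WapBackends | Format-Table -AutoSize
Get-WapErrorSummary | Format-Table -AutoSize
```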
Summary
Web Application Proxy on Windows Server 2012 R2 provides a secure reverse proxy capability for publishing internal applications to external users. For maximum security, deploy WAP in the perimeter network without domain membership and use AD FS pre-authentication to validate user identity before any request reaches internal servers. Pass-through mode is suitable for applications that handle their own authentication. Managing WAP through PowerShell enables automation and consistent configuration across multiple published applications. Monitor the WAP and AD FS event logs regularly to detect authentication failures and proxy errors.