In this video, learn how to prepare a server—including the certificate—to be a web application proxy on a stand-alone Windows 2016 Server.
- [Instructor] Web Application Proxy is a service of the Remote Access role in Windows Server 2016. Its purpose is to provide an authentication interface ahead of your web applications and AD FS. We've seen that AD FS is tightly integrated with Active Directory, which could be a vulnerability. A Web Application Proxy can be a workgroup server, one that's not joined to your domain, and placed in the DMZ to provide a layer of protection, not only for your web applications, but for AD FS as well.
To set this up, you're going to need to install more than just a role; you're going to need to install your AD FS certificate. And by AD FS certificate, I mean the one that was originally created when the AD FS farm was first built. When AD FS was initially configured, I mentioned that this certificate had to be created from a template that would allow the private key to be exported. This is critical as we add more servers to the AD FS farm, or in this case, as we add a Web Application Proxy server to act as proxy for AD FS on the public network.
Now I can install the AD FS certificate before or after I install the role. It just has to be done before I can configure the role service. But I'm going to take care of it first. Here I am, logged in to the federation server on the landonhotel.com domain. And I'm going to take a look at installed certificates on this machine. So I'm going to right click the Start menu, Run, and I'm going to run the Microsoft Management Console and under the File menu, I'm going to add the snap-in for the certificates, and add certificates for the computer account.
As I close this out, I'll have the local certificate configuration of this computer. If I browse to the Personal certificate store, I'm going to see the adfs.landonhotel.com certificate. You'll see from the icon that there's a picture of a key. This means that this certificate can be exported with the private key, and that's important. I'm going to double-click the certificate and on the Details tab, select Copy to File.
After I click Next to begin the process, I'm going to say yes, I want to export the private key. And then I can specify other information about how I want to export this certificate. I do want to export all extended properties, but that should take care of me for now. On the next screen, I'm going to add some security to this exported file. I'm about to take this certificate, with its private key, and make a file that could be distributed.
It's important to add some protection to that. And I could use Active Directory groups or users to provide that security, or I can create a new password specifically for this certificate. After I assign it a password, I can click Next, and I'll pick a location and a filename for this certificate. I'll go ahead and add this to the Documents directory, and I'm going to name it HotelAdfsCert.
It has the extension .pfx, which indicates that this has extended information involved in the certificate. I'll go ahead and save that, click Next, and finish the export. As I close this out, I can open up a file browser, and in the Documents directory, I see the HotelAdfs certificate. This is the certificate that I have to install on my standalone server before I install the Web Application Proxy role.
So let me go ahead and copy it from this server, and here on my proxy server, open up the Documents directory and paste that certificate here. Now installing this certificate should be pretty simple. I'm going to double-click it, and we'll start the Import Wizard. I want to import it to the Local Machine. After I click Next, we'll verify the path and filename of the certificate that I want to import. Now I'm being prompted for a password to make the private key available for importing.
I'll type in the password that we used before, and I'm going to mark the key as exportable again, allowing me to use this as a source for the certificate if I need to distribute it further. After I click Next, I can allow Windows to guess which certificate store should hold this import, or I can say place it in the following store. And I can browse and say place this in the Personal certificate store. In this case, Windows correctly identified where to put it, so it would have been okay either way.
Once I say Next, it reviews what I'm about to do and after I click Finish, it imports the certificate. Good, now we have this available for our Web Application Proxy. Like I said, it doesn't matter whether you install this certificate before or after you install the role, but it has to be done before you configure it. But now that it's complete, I can close out of these boxes, go back to the Server Manager, where I can click the Manage menu and add the role to this server.
I haven't installed any roles on this server yet, so I still get the Before You Begin page. I'm going to check the box, so that won't be here for future installs. The install type is, once again, a role or feature for this server. The server I want to install on is hotelproxy. Finally, we get to the list of available roles. Web Application Proxy is not available under AD FS. It's a role service of Remote Access, so I'm going to select the Remote Access role and move forward with that.
And you'll notice that when I do, additional steps were added to the process off to the left. There are no Windows Server features that need to be added, so let's move on to the Remote Access role services. And here in the list is Web Application Proxy. After I select it, there are some remote administration tools and other prerequisites that are going to be applied. I'm going to accept those features and go ahead and click Next one more time, and Install.
And that took about two minutes to complete, and as with many other roles, this doesn't configure or start the role service. All it does is install the role. The next thing we need to do is configure that service.
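The same export, import and role install as an added PowerShell example (not from the course): it uses the certificate name, file name and server name from the video, and the password and the AD group in the comment are placeholders.

```powershell
# Added example, not course material. Run in an elevated PowerShell session.
# Names (adfs.landonhotel.com, HotelAdfsCert.pfx, hotelproxy) come from the video;
# the password prompt and the group name in the comment are placeholders.

# --- On the federation server: locate the AD FS certificate in the Personal store ---
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.landonhotel.com*' } |
    Select-Object -First 1
if (-not $cert)               { throw 'AD FS certificate not found in Cert:\LocalMachine\My' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; nothing to export' }

# Export with the private key, protected by a password (the wizard's password option).
# Export-PfxCertificate fails if the key was issued from a template that does not
# allow export, which is the template requirement the video calls out.
$pfxPath  = Join-Path $env:USERPROFILE 'Documents\HotelAdfsCert.pfx'
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
} catch {
    throw "Export failed (is the private key marked exportable?): $($_.Exception.Message)"
}
# The wizard's other option, protecting the file to AD users or groups, is -ProtectTo.
# It only helps if the importing machine can resolve the domain, which a workgroup
# proxy in the DMZ cannot, so the password route is the one used here:
#   Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo '<DOMAIN>\<AdminGroup>'

# --- On the standalone proxy server (hotelproxy), after copying the .pfx over ---
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $password -Exportable        # -Exportable = "mark this key as exportable"

# Confirm it landed in the Personal store with its private key, as the key icon showed
$check = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $check.HasPrivateKey) { throw 'Import completed but the private key is missing' }

# Install the Web Application Proxy role service of Remote Access plus the admin tools.
# As in the video, this only installs the role service; configuring it
# (Install-WebApplicationProxy, which needs this certificate's thumbprint) is the next step.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
```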