AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Implement Web Application Proxy

Deploy and Configure Web Application Proxy

Web Application Proxy is a server role in Windows Server that acts as a reverse proxy for on-premises web applications. It integrates with Active Directory Federation Services (AD FS) to enforce preauthentication and provide secure external access. By publishing resources through this proxy, organizations can protect internal apps while still allowing users to access them from the internet. Learning to deploy and configure this role helps maintain the security and availability of critical web services.

To get started, you must install the Remote Access role service on the Windows Server that will host the proxy. This process is done through Server Manager and does not require advanced scripting skills. During the setup, you specifically select the Web Application Proxy role service. The wizard guides you step-by-step, ensuring that all required components are installed.

  • Open Server Manager and select Add Roles and Features.
  • Choose Remote Access as the server role.
  • On the Role Services page, check Web Application Proxy.
  • Complete the wizard and restart the server if prompted.

Once installed, the proxy server must join an AD FS farm to establish a trust relationship with the federation servers. This step ensures that authentication requests are correctly forwarded and validated. In the Web Application Proxy configuration wizard, you enter the AD FS server name and credentials of a domain account with federation admin rights. After a few minutes, the proxy will sync its configuration and be ready to publish applications.

Securing connections for external users relies on proper SSL certificates. You need a certificate from a trusted Certificate Authority (CA) that matches your external domain. After importing the certificate into the server’s certificate store, you bind it to the Web Application Proxy during setup or through IIS Manager. This step ensures all traffic between the user’s browser and the proxy is encrypted over HTTPS.

With the proxy connected to AD FS and secured by SSL, you can now define application publishing rules. These rules tell the proxy how to route incoming requests to your on-premises web applications. In the Remote Access Management Console, you specify both the Internal URL and the External URL that users will access. You also choose a preauthentication method, usually Microsoft Entra ID, to enforce single sign-on (SSO).

  • Open Remote Access Management Console and select Web Application Proxy.
  • Click Publish and enter the Internal URL and the External URL.
  • Pick Microsoft Entra ID for preauthentication and configure any extra settings.
  • Confirm and apply the rule.

Finally, you should verify secure external access by testing from a network outside your corporate perimeter. Use the External URL in a web browser and confirm that you receive a valid HTTPS connection. Ensure the AD FS login page appears and accepts your credentials. If there are any issues, check firewall rules and network settings, and review the event logs on both the proxy server and the AD FS server.
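The same procedure scripted in PowerShell, as an added example that is not part of the original guide. The host names, application name and relying party name are placeholder assumptions. It publishes with the cmdlet's `ADFS` preauthentication value, consistent with the AD FS login page checked in the verification step, and adds a certificate sanity check and an audit for rules that skip preauthentication.

```powershell
# Placeholder values (assumptions for this example); replace with your own.
$FederationService = 'fs.contoso.example'                 # AD FS federation service name
$ExternalUrl       = 'https://app.contoso.example/'       # URL reached from the internet
$BackendUrl        = 'https://app.corp.contoso.example/'  # internal application URL
$AppName           = 'Contoso App'                        # display name of the publishing rule
$RelyingParty      = 'Contoso App'                        # relying party trust already defined in AD FS

# Return a certificate from the machine store that has a private key, is valid
# for at least 30 more days, and lists the host name exactly. A wildcard
# certificate lists "*.domain" and needs its own comparison.
function Get-ValidCert([string]$HostName) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.NotAfter -gt (Get-Date).AddDays(30) -and
                       $_.DnsNameList.Unicode -contains $HostName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate for $HostName in LocalMachine\My" }
    $cert
}

# 1. Install the Web Application Proxy role service (part of Remote Access).
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# 2. Establish the trust with AD FS, using a certificate that covers the
#    federation service name.
$cred = Get-Credential -Message 'Domain account with federation admin rights'
Install-WebApplicationProxy -FederationServiceName $FederationService `
    -CertificateThumbprint (Get-ValidCert $FederationService).Thumbprint `
    -FederationServiceTrustCredential $cred

# 3. Publish the application with preauthentication enforced.
Add-WebApplicationProxyApplication -Name $AppName `
    -ExternalUrl $ExternalUrl -BackendServerUrl $BackendUrl `
    -ExternalCertificateThumbprint (Get-ValidCert ([uri]$ExternalUrl).Host).Thumbprint `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName $RelyingParty

# 4. Audit: list any rule that forwards requests without preauthentication,
#    then report the proxy's health state.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' } |
    Select-Object Name, ExternalUrl, ExternalPreauthentication
Get-WebApplicationProxyHealth
```

An empty result from the audit query means every published rule requires preauthentication; any rule it lists is reachable from the internet without the proxy authenticating the user first.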

Conclusion

Deploying and configuring Web Application Proxy involves installing the Remote Access role service, joining the proxy server to an AD FS farm, and securing connections with SSL certificates. You then create application publishing rules to map internal applications to public URLs with proper preauthentication. Finally, validating secure external access ensures that end users can reach on-premises applications safely. By following these steps, you maintain a robust and protected web access environment.