ADFS – Web Application Proxy 2016 Installation & Configuration

Prepare two Windows 2016 servers and apply Windows Updates. Don't join them to the domain; WAP servers are meant to sit in the perimeter network as workgroup machines.

Installing Web Application Proxy

Let's fire up the Add Roles and Features Wizard from Server Manager.

Windows Server 2016 Add Roles and Features Wizard

As noted in the previous post, there is no longer a separate AD FS proxy role in Windows 2016.  The Remote Access feature provides VPN, Direct Access and Web Application Proxy (WAP) functionality.  It is the latter that we need to install.

Select Remote Access

Windows Server 2016 Add Roles and Features Wizard - Select Remote Access Role

Unless you want to add any features, such as the Telnet client for troubleshooting purposes later, click Next.

Optional - If Additional Features Are to be Enabled

The Remote Access role selection process starts.

Add Roles and Features Wizard - Remote Access

In our case we just want to install the Web Application Proxy role service, so select that and click Next.

Chose Which Role Service To Install

Web Application Proxy Role Installed - Additional Required Features Automatically Added

Confirm the choice, and then install.

Add Roles and Features Wizard - Confirm Selection

Once the necessary WAP role services are installed, we are then able to launch the Web Application Proxy Wizard to configure WAP.

Windows Server 2016 Web Application Proxy Installation In Progress

Once the installation process completes, click Close to exit the wizard.

Windows Server 2016 Web Application Proxy Installation Completed
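The same role service installation can be scripted. The block below is an added example, not code from the original post: it installs the Web Application Proxy role service (feature name Web-Application-Proxy) and, optionally, the Telnet client mentioned above, then confirms the WebApplicationProxy PowerShell module is available. Run it in an elevated PowerShell session on each WAP server.

```powershell
# Added example (not from the original post): install the WAP role service
# with PowerShell instead of clicking through the Add Roles and Features wizard.
# Run elevated on each (non domain-joined) Web Application Proxy server.

$features = @('Web-Application-Proxy', 'Telnet-Client')

# Show the current state before changing anything
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

# Install the role service plus its management tools (the Remote Access console)
$result = Install-WindowsFeature -Name 'Web-Application-Proxy' -IncludeManagementTools
if (-not $result.Success) {
    throw "Web Application Proxy installation failed (exit code: $($result.ExitCode))"
}

# Optional troubleshooting tool, as suggested in the post
Install-WindowsFeature -Name 'Telnet-Client' | Out-Null

# Confirm the role service is installed and the WAP cmdlets are now present
Get-WindowsFeature -Name 'Web-Application-Proxy' | Format-Table Name, InstallState -AutoSize
Get-Command -Module WebApplicationProxy | Select-Object -ExpandProperty Name

if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before configuring Web Application Proxy.'
}
```

Install-WindowsFeature returns a result object whose Success and RestartNeeded properties are checked here rather than relying on console output, so the script fails loudly if the role service did not actually install.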

Configure Web Application Proxy


We need to configure the WAP proxy with the necessary information so that it knows it will be publishing our internal AD FS server and how to access AD FS.  Under administrative tools, open the Remote Access Management console.

Select the Web Application Proxy role which is listed on the left hand pane, and then the option to run the Web Application proxy configuration wizard will be displayed.

Remote Access Management Console - Start WAP Configuration Wizard

The wizard will then initiate the process to configure the Web Application Publishing service.

Starting WAP Configuration Wizard

The screen below is where most configuration issues arise with this process. A common mistake is to treat the Federation Service name as the display name of the AD FS server; it is the DNS name of the federation service that clients connect to.

WAP Configuration Wizard - Select Federation Server

Enter adfs01.domain.com.


In the same way that we require an SSL certificate on the AD FS server, the same is true on the WAP, as clients will establish SSL sessions to this machine. WAP will then use an SSL session to the internal AD FS server on TCP 443.

Since the certificate was previously installed and verified, use the same certificate that was used on the AD FS server.

WAP Configuration Wizard - Select AD FS Certificate

Verify the details, and click Configure.

WAP Configuration Wizard - Confirm Selection

The wizard starts to configure the AD FS proxy.

WAP Configuration Wizard - Starting Configuration

And shortly thereafter completes!

Quickest way with PowerShell

Install-WebApplicationProxy -CertificateThumbprint "4380E873723A02A5F7878C3C9DB0D5176764FFCA" -FederationServiceName "adfs01.domain.com"

Don't forget to create a local user on the adfs01.domain.com server; its credentials are required when you run the command.

If the command failed, I had to manually enter the IP address of the adfs01.domain.com server in the hosts file.

Apply the same configuration on the second server.

Check Event Viewer for any errors or success events.
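The steps above (name resolution fallback to the hosts file, the credential for the proxy trust, running the command on each server, and checking Event Viewer) can be combined into one pre-flight, configure and validate script. The block below is an added example, not code from the original post. It assumes the post's federation service name adfs01.domain.com and certificate thumbprint, and that the WAP server is not domain-joined; the credential prompted for is the local account on the AD FS server that the post says to create.

```powershell
# Added example (not from the original post): pre-flight checks, trust
# configuration and validation for a Web Application Proxy server.
# Assumed values are taken from the post; adjust for your environment.

$FederationServiceName = 'adfs01.domain.com'
$Thumbprint            = '4380E873723A02A5F7878C3C9DB0D5176764FFCA'

# 1. Name resolution. A workgroup WAP server may not resolve the internal name;
#    the post's fallback is a hosts file entry, which is what this check surfaces.
try {
    $addr = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
    Write-Host "$FederationServiceName resolves to $addr"
} catch {
    Write-Warning "$FederationServiceName does not resolve. Add it to $env:SystemRoot\System32\drivers\etc\hosts pointing at the internal AD FS server."
}

# 2. TCP 443 reachability, since WAP proxies to the internal AD FS server over HTTPS
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "Cannot reach $FederationServiceName on TCP 443; fix routing or firewall rules before continuing."
}

# 3. The certificate must be in the computer store with its private key, and its
#    names must cover the federation service name that external clients connect to.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server." }
$names = @($cert.Subject) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($names -match [regex]::Escape($FederationServiceName))) {
    Write-Warning "Certificate names ($($names -join ', ')) do not obviously cover $FederationServiceName."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan a renewal."
}

# 4. Establish the proxy trust. The credential is the local administrator account on
#    the AD FS server; it is used once to register the trust and is not stored by WAP.
$cred = Get-Credential -Message "Local administrator on $FederationServiceName (proxy trust)"
Install-WebApplicationProxy `
    -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $cred

# 5. Validate: confirm the stored configuration and surface recent warnings/errors
#    from the WAP admin log (the same events the post says to check in Event Viewer).
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ConnectedServersName

Get-WinEvent -LogName 'Microsoft-Windows-WebApplicationProxy/Admin' -MaxEvents 20 |
    Where-Object { $_.Level -le 3 } |   # 1 = Critical, 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Run the script on each WAP server in turn. The name resolution and certificate checks run before Install-WebApplicationProxy so that the two most common failure causes (the hosts file gap the post describes, and a certificate that does not match the federation service name) are reported up front instead of as an opaque wizard error.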

https://blogs.technet.microsoft.com/rmilne/2017/05/10/how-to-install-ad-fs-2016-for-office-365-part-2/

Network Load Balancing configuration

Apply the same configuration on both Web Application Proxy servers.

