Installing Web Application Proxy
Let’s fire up the Add Roles Wizard from Server Manager
As noted in the previous post, there is no longer a separate AD FS proxy role in Windows 2016. The Remote Access feature provides VPN, Direct Access and Web Application Proxy (WAP) functionality. It is the latter that we need to install.
Select Remote Access
Unless you want to add any features, like telnet * for troubleshooting purposes later, click next.
The Remote Access role selection process starts.
In our case we just want to install the Web Application Proxy role service, so select that and click next
Confirm the choice, and then install.
Once the necessary WAP role services are installed, we are then able to launch the Web Application Proxy Wizard to configure WAP.
The installation process will complete, click to close the wizard.
Configure Web Application Proxy
We need to configure the WAP proxy with the necessary information so that it knows it will be publishing our internal AD FS server and how to access AD FS. Under administrative tools, open the Remote Access Management console.
Select the Web Application Proxy role which is listed on the left hand pane, and then the option to run the Web Application proxy configuration wizard will be displayed.
The wizard will then initiate the process to configure the Web Application Publishing service.
The screen below is where most configuration issues arise with this process. What a lot of folks do is interpret the Federation service name as the display name of the AD FS server.
In the same way that we require a SSL certificate on the AD FS server, the same is true on the WAP as clients will establish SSL sessions to this machine. WAP will then us a SSL session to the internal AD FS server on TCP 443.
Since the certificate was previously installed and verified, use the same certificate that has been use previously on the ADFS server.
Verify the details, and click configure.
The wizard starts to configure the AD FS proxy
And shortly thereafter completes!
Quickest way with Powershell
Install-WebApplicationProxy-CertificateThumbprint “4380E873723A02A5F7878C3C9DB0D5176764FFCA”-FederationServiceName “adfs01.domain.com“
Dont forget to create a local user on the adfs01.domain.com server that will need to be used when you launch the command.
If the command failed, i had to manually enter the ip address of the adfs01.domain.com server in the hostfile.
Apply the same configuration on the second server.
Validate in the event viewer for any type of errors or success.
Network Load Balancing configuration
Apply the same configuration on both web proxy servers