With Windows Server 2012 R2, Microsoft has built in a reverse-proxy feature. The Web Application Proxy securely publishes internal resources to the Internet for access by corporate-owned devices and untrusted machines alike. Indeed, most deployments of, say, Work Folders or workplace join -- key "work anywhere" features that Microsoft put into Windows Server 2012 R2 -- demand a reverse proxy of some sort, so this requirement is likely to come up for you sooner or later.
As you may have heard, Microsoft killed its flagship reverse proxy product, Forefront Unified Access Gateway, back in December. Many organizations have used UAG to create DirectAccess tunnels as well as portals where applications could be securely accessed from all sorts of clients.
While UAG's capabilities were vast, it may have represented overkill for many applications, so Microsoft has built a capable, if less full-featured, successor into Windows Server 2012 R2. That's what this article is about.
Configuring the Web Application Proxy (WAP) role, however, involves a lot of moving parts. In this piece I will walk through how to set up the WAP role in your lab with either an application of your choosing or a freely available sample claims application that Microsoft publishes as part of one of its software development kits. Let's begin.
Installing and configuring Active Directory Federation Services
Follow these steps to get started on the ADFS server.
1. On the machine that will host the ADFS role, open Server Manager and go to Add Roles and Features, and then check the box for Active Directory Federation Services.
2. Click through the rest of the wizard -- the screens are just descriptions of the service; there is no action required other than to read the text and click Next. Then press the Finish button to get the role installed.
3. Once the wizard finishes, click the yellow exclamation icon in Server Manager. This icon reminds you that even though the role is installed, ADFS is not functional yet; you need to further configure the service. Click the link within the status screen that pops up from the yellow icon to go directly to the configuration interface.
4. For this walkthrough, we can assume this is our first ADFS server, so choose the default option and click Next.
5. On the account selection page, choose an account that has domain administrator permissions and then click Next.