Web application proxy - база полезных знаний

Plan Network Location

Web Application Proxy can be deployed in several topologies. For example, you can deploy Web Application Proxy behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, a backend firewall to separate it from the corporate network. In both topologies, Web Application Proxy provides a protection layer against malicious HTTP requests that originate from the Internet through the following features:

Preauthentication—Make sure that only authenticated traffic can get into the corporate network.
Network Isolation—Incoming web traffic cannot directly access backend servers.
Selective Publishing—Only specific applications and paths within these applications are accessible.
DDoS Protection—Incoming traffic arrives at Web Application Proxy before entering the corporate network. Because Web Application Proxy acts as a buffer, many DDoS attacks can be prevented from reaching the backend servers.

Plan Firewalls

Deploying Web Application Proxy behind a firewall adds network level protection and reduces the attack surface of the Web Application Proxy servers. If the Web Application Proxy server is located in front of a firewall that separates it from the corporate network, you must make sure that the firewall does not block traffic to URLs configured for the backend servers. This could be over HTTP or HTTPS and on any specified port. Note that if you deploy Web Application Proxy on a domain-joined server, it must have connectivity to the domain controller, see 1.3. Plan Active Directory.

All firewall servers must be configured to allow HTTPS traffic because the firewall servers must publish Web Application Proxy using port 443 so that Web Application Proxy in the perimeter network can access the federation server in the corporate network. Port 443 is also required for device registration using Workplace Join.

Note

All federation server communications to and from client devices also occur over HTTPS.

In the federated world of AD FS, client requests are typically made to a specific URL, for example, a federation server identifier URL such as https://fs.fabrikam.com. Because these client requests originate from the Internet, the Internet-facing firewall server must be configured to publish the federation server identifier URL for each Web Application Proxy server that is deployed in the perimeter network.

If you want to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Installing the Web Application Proxy Server Role

To begin, Open up Server Managerand clickManage clickAdd Roles and Features

Click Next:

Select Role-based or feature-based installation, click Next:

Select the server you want to install this role on to and then click Next:

Select Remote Access then click Next:

No additional Features are needed. Click Next:

Click Next:

Select Web Application Proxy:

On the pop up click Add Features

The Web Application Proxy role does not required a reboot. Click Install

Once complete click Close

Web Application Proxy is now installed but you need the AD FS certificate to continue.

You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:

Go to File > Add/Remove Snap-ins > select Certificates then click Add:

When you click OK you will get the following pop up. Select Computer account then click Next:

On AD FS Server: Scroll down to Personal > Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks > Export. Save to a location that your Web Application Proxy can access. Make sure you export the Private Key and certificate as a .pfx file format.

On Web Application Proxy: Right click on Personal > Certificates then go to All Tasks > Import:

This will bring up the Certificate Import Wizard. Click Next

Browse to the certificate that you exported from your AD FS server and select it. Click Next

Enter the password for the private key and check the box to make the key exportable. Click Next

Leave the default certificate store as Personal. Click Next

Click Finish

You should now see the certificate from your AD FS servers on your Web Application Proxy server

Now you are ready to start the Post Configuration settings.

Back on your Web Application Server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:

Click Next:

Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:

On the drop down menu select the certificate you imported from your AD FS server. Click Next

Click Configure

Once finished click Close

Remote Access Management Console should open when you clicked Close. On Operations Status you should see all the objects as green

Finally, its time to publish apps. In the Remote Access Management Console click Web Application Proxy then Publish

Click Next:

Pass-through will let WAP act like a reverse proxy.

Here you have two options: (AD FS and Pass-through) self-explanatory. I have already set up AD FS in your environment then go with the first option otherwise 2nd is my choice since at the moment I don’t have AD FS.

Select Pass-through and click Next

Name: Enter a display name

External URL: Enter the URL that will be coming in your the WAP server externally

External Certificate: The drop down menu will show certificates that are added on the WAP server. Select the same certificate that you used while setting up your application. In my case I used my wildcard certificate.

Backend server URL: Enter the web URL of the server you want the external URL forwarded

Click Next:

Copy the PowerShell command down and with some minor edits you can easily add additional PassThrough applications with ease.

Click Publish:

Click Close to finish:

Here you can see the published web application is ready for testing.

Before you move to test your published app, ask your network guy to set up 443 port redirection to WAP server on firewall to make it possible to access web applications from the external network.

Once done.

Then from the external network (for example on your smartphone or a PC) from home, try to access your web link like https://rds.techsupportpk.com and the following page will show up.

Подготовка служб ADFS к публикации Exchange

Первый шаг состоит в подготовке служб ADFS к публикации Exchange. Но, перед тем как начинать, в Exchange инфраструктуре должны быть корректно настроены URL адреса веб-каталогов OWA и ECP.

В самом ADFS потребуется создать два новых отношения доверия с проверяющей стороной (Relying Party Trust) для OWA и ECP. В этом поможет PowerShell скрипт, который необходимо выполнить на master ноде:

$owaURL=»https://mail.ithelpspb.blogspot.com/owa» # URL веб-каталога OWA

$ecpURL=»https://mail.ithelpspb.blogspot.com/ecp» # URL веб-каталога ECP

$IssuanceAuthorizationRules=@’

@RuleTemplate = «AllowAllAuthzRule»

=> issue(Type = «http://schemas.microsoft.com/authorization/claims/permit»,

Value = «true»);

‘@

$IssuanceTransformRules=@’

@RuleName = «ActiveDirectoryUserSID»

c:[Type == «http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname», Issuer == «AD AUTHORITY»]

=> issue(store = «Active Directory», types = («http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid»), query = «;objectSID;{0}», param = c.Value);

@RuleName = «ActiveDirectoryGroupSID»

c:[Type == «http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname», Issuer == «AD AUTHORITY»]

=> issue(store = «Active Directory», types = («http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid»), query = «;tokenGroups(SID);{0}», param = c.Value);

@RuleName = «ActiveDirectoryUPN»

c:[Type == «http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname», Issuer == «AD AUTHORITY»]

=> issue(store = «Active Directory», types = («http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn»), query = «;userPrincipalName;{0}», param = c.Value);

‘@

Add-ADFSRelyingPartyTrust -Name «Outlook Web App» -Enabled $true -WSFedEndpoint $owaURL -Identifier $owaURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

Add-ADFSRelyingPartyTrust -Name «Exchange Control Panel» -Enabled $true -WSFedEndpoint $ecpURL -Identifier $ecpURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

Не забудьте поменять переменные URL адресов OWA и ECP на собственные.

Результат его работы:

Интеграция Exchange инфраструктуры с ADFS

На каждом сервере Exchange c Client Access Services необходимо выполнить еще один PowerShell скрипт:

$ADFSSigningCertificateThumbprint=»2F4A8553226E3AC3BCDBA171A4F73E9B23A486DD» # Thumbprint

$owaURL=»https://mail.ithelpsb.blogspot.com/owa»

$ecpURL=»https://mail.ithelpsb.blogspot.com/ecp»

$ADFSIssuerURL=»https://sts.ithelpsb.blogspot.com/adfs/ls/» # URL ADFS фермы

$uris = @($owaURL,$ecpURL)

Set-OrganizationConfig -AdfsIssuer $ADFSIssuerURL -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $ADFSSigningCertificateThumbprint

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Обратите внимание, что указаны переменные ADFSSigningCertificateThumbprint и ADFSIssuerURL. Значение первой можно получить в оснастке ADFS:. Открыв свойства сертификата ADFS Signing.

Открыв свойства сертификата ADFS Signing.

Этот сертификат необходимо экспортировать и импортировать в доверенные ЦС каждого Exchange сервера.

Значение второй переменной можно получить подставить FQDN фермы ADFS. Выполняем его в Exchange Management Shell.

Перегружаем IIS командой IISReset.

После перезагрузки веб сервера и его инициализации можно выполнить проверку работоспособности. Перейдем на URL ECP.

Автоматически отработает перенаправление на страницу входа ADFS, где необходимо пройти аутентификацию.

В случае если ADFS Signing сертификат не был импортирован в доверенные ЦС Exchange сервера, будет получена ошибка WrongAudienceUriOrBadSigningCert:

Using Active Directory Federation Services

This scenario describes the additions and changes that you must make to your AD FS servers to provide the following functionality:

Application publishing—For all applications and services that you want to publish through Web Application Proxy, you must configure a relying party on the AD FS server.
Authentication—No specific configuration is required to provide authentication for published applications. However, to use workplace join, MFA, or multifactor access control in your deployment, you must perform additional configuration as described in the following guides:
- Workplace Join—Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
- MFA—Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
- Multifactor access control—Manage Risk with Conditional Access Control.

Prerequisites

Web Application Proxy and Active Directory Federation Services can not be deployed on same server. You need an additional server to set up web proxy. We assume that the following services are already installed and configured accordingly.

Active Directory Domain Services
Active Directory Federation Services