5.2 Implementing Web Application Proxy in Windows Server 2016 (Step by Step guide)

Captions
[Music] So, as goes for the routing part of this video, this is a basic routing that you can configure on the server, and I'm not going to include it because the video will become really lengthy. We are going to continue with configuring the Web Application Proxy, because this is the important part, and this is actually the practical use of the Web Application Proxy alongside the AD FS.

So for this one I'm going to switch to my domain controller, and I'm going to start by installing the AD FS role, because we need an AD FS server and AD FS farm in our environment. So I'm going to select the role and click Next, and I'm going to install the AD FS role, and we can configure the AD FS using the wizard afterwards.

Now that the installation finished, I'm going to click to configure the Federation Services, and you can see right here that I will need to create the first federation server in the farm. So I'm going to click Next. I'm going to use my domain admin credentials, and for SSL certificate I don't want to use the NLB-DC-01 one, so what I'm going to do is I'm going to open an MMC console and I'm going to add a snap-in, which is going to be Certificates for the computer account. OK, and when I expand and go to Personal, Certificates, I'm going to request a new certificate that is going to be issued by my certificate server, which is again this domain controller, and I'm going to use the NLB Web Server, which I'm going to add a common name of adfs.nlblab.com, and click Add. So this is going to be the common name for my certificate, and I'm going to enroll. Wait for the wizard to finish, and enrolling for this certificate succeeded, and now I have my adfs.nlblab.com certificate.

So I'm going to switch back to the wizard, click Previous and Next to refresh, and this time select the adfs.nlblab.com certificate. The Federation display name is going to be, one second, NLB ADFS. Click Next, and I'm not going to configure any managed service account,
I'm going to click Select and add my account. But if you are deploying this in an environment, I think it's going to be better, I recommend using a managed service account, not a default user account. So I'm going to create the database using the Windows Internal Database, but if you have a SQL Server you can use it to store the database in there. So I'm going to click Next and see if the configuration will be able to add this one. OK, as I had an AD FS server on this one, I just wanted to show you how it's done. I'm going to just click Overwrite, but you won't see this in your environment if you are deploying this on a brand new server. So in my case I just want to show you how to implement the AD FS configuration, and now you can view the script as well if you'd like, and I'm going to click Next. All the prerequisites finished, so I'm going to click Configure to start installing.

OK, now we have successfully installed the AD FS server in my environment, so I'm going to close this one as I don't need it anymore, close this one as well. So now we have an AD FS server, so I'm going to open the management and just confirm that everything is functioning. Yes it is, it's able to connect to the internal database and I'm able to browse all the settings on this server.

So after we have this one, I'm going to show you what needs to be done in order for me, in my case, to implement the Web Application Proxy and publish a website. What I did in my case is I powered on another server, not this one but the network server, which is NLB-NW-01, and I've configured this server to have another network card. You can see if I open the adapter settings I have two network cards. One network card is for my NLB domain, and if I go to Properties, this one is actually configured to access external IP addresses, and this is going to basically test if this server has connectivity to the Internet, which this at the moment does not, but this will basically demonstrate how
it's going to connect to the Internet, and the other one is my internal network card that connects to my internal environment. In most cases this server won't be connected to your domain, but just for the test purposes I'm just going to leave it the way it is at the moment. And let me see this, this is going to be the NLB lab. I just had to refresh because I saw that it's connected to an unidentified network, which means that the firewall profile is the public one. Now I'm connected to the domain network.

So as I was saying, as this server will act as our AD FS proxy, in most cases it won't be connected to your domain, and it is going to be in a DMZ network. So again, it's going to have one internal network card, one external network card, but it's going to be placed in a DMZ network where it's more secured, and you will be only needing to open specific ports to connect the AD FS Web Application Proxy to your AD FS server in your environment. This way you can make things more secure.

So let's move and install the AD FS proxy role on this server. We're going to select Remote Access, Next, and install Web Application Proxy. Install. So while this is installing, I'm going to check if there is connectivity to my client. If I switch to my client real fast to show you, this is the client virtual machine, which again I've moved to a public network, and this machine is currently with an external IP address for my internal lab, and it does not have connectivity to my internal servers. So if I try to ping, for example, NLB-DC-01, the DNS will not be able to resolve this record, and basically this machine is out of my environment. So I'm going to only try to ping the AD FS proxy server, and you can see that I have connections to the external IP address of my proxy server at the moment only.

Now that the role finished installing, I'm going to open the Web Application Proxy wizard, and in here I need to specify the Federation service name, which is going to be adfs.nlblab.com. In order for you to see this record, because this is not automatically created, you need to switch to your DNS. So if I go to my DNS settings and open my nlblab.com, you will see that I've manually configured a record for adfs which is pointing to my AD FS server. So if you don't have this record created, the proxy server will not be able to connect to your AD FS. And I'm going to use again my credentials to connect to the AD FS farm.

If I click Next, I will be asked to specify a certificate for my proxy to connect to the AD FS, and as I don't have one, I'm going to just open another MMC console and request another certificate for my proxy. Of course what you can do is you can import one, because I'm going to use my internal certificate services for the testing of this video, but this is not recommended. As I said, your proxy server will not be connected to your domain and this will not be available for you, so what you need to do is, instead of requesting a new certificate, you have to import one, and most probably in most cases you will use a third-party SSL certificate, not an internal one. So I'm going to click Next, and again I'm going to select the NLB Web certificate to be issued, OK, Web Server, and this time for common name I will add adfswap.nlblab.com and add this common name for the certificate, and I will need to add another DNS name for alternative, which is going to be adfs.nlblab.com. OK, and click Apply, OK, and enroll for the certificate. So I'm just waiting for the certificate to be issued to this computer.

OK, so now that we have the certificate, I'm going to switch back again, click Previous and Next to refresh, and this time select the ADFS WAP. So Next, and it's going to show me the PowerShell command that it is going to use to connect the server to my AD FS, and let's see if this will configure without any errors. OK, the Web Application Proxy was configured successfully. Now we have a Web Application Proxy that we
are going to use to publish a website, and the website that I will choose to publish is currently located on my VPN server. If I go to Internet Information Services, I will use the default website, which if I click on Explore you will see that I don't have any specific website. Instead I have a custom image of my Internet Information Services background, and this will be used for me to connect externally via the Web Application Proxy. The thing that you need to do in here, because we are going to use a pass-through authentication, is go to Authentication and enable Windows Authentication and disable Anonymous Authentication. If you do not see the Windows Authentication in here, you will need to add this role within your IIS, and let me show you: if I expand Web Server, OK, and Security, there it is, the Windows Authentication, which I had to manually install in my case.

So as I already have this in place, what I'm going to do is I'm going to switch to our AD FS proxy and I'm going to publish a website. Another wizard will appear. I'm going to click Next, and instead of using AD FS pre-authentication, as, if you remember, I said in the beginning of the video, you have two pre-authentication methods, using the AD FS or pass-through, I'm going to select Pass-through, and we're going to use Windows authentication. So I'm going to name the authentication as NLB web app, and I'm going to specify an external URL, which is going to be HTTPS and then nlb-vpn-01.nlblab.com. OK, and I'm going to choose the ADFS WAP certificate for this one. The back-end server URL needs to be the same as the external URL, and you can see that while I was typing the external URL the back end filled in as well. So I'm going to click Publish, and I have the web application published successfully. So I'm going to click Close, and now I have the web application successfully published with the pass-through authentication. Now, to test this, I'm going to switch back to my client virtual
machine, and in here, if I try to open a website called HTTPS nlb-vpn-01.nlblab.com, it's basically going to say that it's not able to reach it, and that is because this client machine does not have any idea where this website is. What I'm going to do is I'm going to go ahead and open a command prompt as administrator, and I'm going to go to my hosts file, open the hosts file as administrator, and specify where to look for this website, because I don't have Internet connectivity at the moment. So nlb-vpn-01.nlblab.com. I'm going to save the hosts file, OK, and now when I try to ping nlb-vpn-01.nlblab.com it will respond with my AD FS proxy server.

So when I try to open the web page once again, or let me just close it completely and try to open another Edge browser, NLB, but let's try with HTTPS. OK, I think I know what could be the problem with this one: it is because I did not include the NLB-VPN-01 in the certificate. So if I click Continue, it will ask me to authenticate, OK, and now I have the website which is published through my Web Application Proxy, and I'm able to access it externally. If I try to see the certificate, I'm not sure where I can see it from the Edge browser, but if you add the name of the actual web server or the actual website in the certificate, this error would not appear.

So before I finish the video, I just wanted to show you where exactly you need to add the alternative name, and I have the console right here. So if I open the certificate that I've requested for my Web Application Proxy, and this is the certificate, under Details, and scroll down a bit, you'll see the Subject Alternative Name, which is only adfs.nlblab.com. I had to add another DNS name, which had to be my nlb-vpn-01.nlblab.com. That way the error message when we browse the website externally won't be visible, and the website would be open without any error messages. So basically this is how you implement AD FS
proxy, and this is a broad overview of the Remote Access server in Windows Server 2016. If you liked the video, you can always hit the like button, subscribe to the channel so you receive notifications for all my latest videos while we troubleshoot and we learn about Windows Server 2016, and if you don't like the video, hit the dislike button and tell me in the comment section what could be improved. Of course, if you have any questions implementing this one, you can always put them in the comment section and I'll try to answer them as soon as possible. Once again, this was Nick from NLB Solutions. Thank you very much for viewing and see you in the next module.
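
The certificate warning at the end of the walkthrough came from publishing a hostname that was not in the proxy certificate's Subject Alternative Name list. As an added example (not part of the video or the channel's material), this PowerShell check compares the DNS names on a certificate with the hostnames to be published; the `example.test` names and both function names are constructed for illustration.

```powershell
# Added example. Hostnames are constructed placeholders; function names are hypothetical.

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard counts only as the whole left-most label and covers exactly one label.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                      # e.g. ".example.test"
        if ($h.EndsWith($suffix)) {
            $left = $h.Substring(0, $h.Length - $suffix.Length)
            return ($left.Length -gt 0 -and -not $left.Contains('.'))
        }
    }
    return $false
}

function Get-UncoveredHost {
    # Returns every required hostname that no certificate DNS name covers.
    param([string[]]$CertDnsNames, [string[]]$RequiredHosts)
    foreach ($h in $RequiredHosts) {
        $hit = $CertDnsNames | Where-Object { Test-DnsNameMatch -Pattern $_ -HostName $h }
        if (-not $hit) { $h }
    }
}

# Constructed input mirroring the walkthrough: the certificate names the proxy and the
# federation service, but not the site published through the proxy.
$certNames = @('adfswap.example.test', 'adfs.example.test')
$required  = @('adfs.example.test', ([uri]'https://app01.example.test/').Host)

# On a real WAP server the names can be read from the machine store instead
# (<thumbprint> is a placeholder):
#   $certNames = (Get-Item 'Cert:\LocalMachine\My\<thumbprint>').DnsNameList.Unicode

$missing = @(Get-UncoveredHost -CertDnsNames $certNames -RequiredHosts $required)
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate does not cover: " + ($missing -join ', '))
} else {
    Write-Output 'Certificate covers every published hostname.'
}
```

With the constructed input the check reports `app01.example.test` as uncovered, which is the condition that produces the browser warning; running it before publishing shows which DNS names still need to be added to the certificate request.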
Info
Channel: NLB Solutions
Views: 66,250
Rating: 4.8717947 out of 5
Keywords: ADFS proxy, Web Application Proxy Windows Server 2016, how to implement WAP, how to implement web application proxy, web application proxy explained, ADFS proxy explained, 70-741, 20-741
Id: RZLh8F-tWJc
Length: 18min 59sec (1139 seconds)
Published: Sun Sep 03 2017