Web Application Proxy

Ralph Dejesus

Had this question on Transcender practice exam
"Your company has an Active Directory domain named verigon.com. All of your servers run Windows Server 2012 R2. You plan to configure a Web Application Proxy on server named 2012R2-A and publish an application named VerigonApp that will forward all preauthentication requests to a backend server.
You run the following Add-WebApplicationProxyApplication cmdlet:"

Correct answer is
Add-WebApplicationProxyApplication
-Name 'VerigonApp'
-BackendServerUrl http://VerigonApp/app1
-ExternalUrl https://VerigonApp.verigon.com/app1
-ExternalPreauthentication 'PassThrough'
-ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b'

My Question is how do I know if I need -ExternalPreauthentication 'PassThrough' or -ExternalPreauthentication 'ADFS'
Does preauthentication request in the ? tell me "PassThrough" or is it because it will forward the request to a backend server?
If so could a backend server not be a ADFS server or is ADFS usually a front end thing?

Mike Rodrick

Hey Ralph,

The 'forward the request to a backend server' in the question is what leads us to the correct answer,...sort of. I think one of the more difficult tasks, when taking a Microsoft certification exam, is not reading too much into the question.

If there was an ADFS server in the backend, they would have stated that in the question. Since they didn't, we cannot assume that there is one there, and therefor it would not be the correct answer. This is why I said the question does tell you...just not directly ;)

From the question, we are just told to pass the preauthentication requests to a backend server. The '-BackendServerUrl http://VerigonApp/app1' is where the app is being hosted, and where we need to send the authentication request. So we need the web app proxy server to forward, or pass the requests through, to the app server, where the app itself is most likely, doing the authentication. We can accomplish this by using the "-ExternalPreauthentication 'PassThrough'" parameter. While using ADFS might make for a more robust, secure authentication solution, that is not what the question is asking.

If there was an ADFS server, it would most definitely be behind the corporate firewall, in the backend. You might have a ADFS proxy in the DMZ, but not the ADFS server itself.

Hope this helps,
Mike