Solved Web Application Proxy and Internal Authentication

---

Hello, interested in your thoughts on this question regarding Web Application Proxy and Server 2016.

You have a server named Server1 that runs Windows Server 2016. Server1 has the Windows Application Proxy role isntalled. You are publishing an application named App1 that will use intergrated Windows authentication as shown in the following graphic.

Based on my research I am pretty sure we need to select "Configure the Backend server SPN:". The certificate FQDN seems to match and I think the HTTP/HTTPS redirection is more of a preference than a requirement.

However on the part of "To ensure that users can access App1 externally, you must change the External URL to ______", I am a bit confused. Why wouldn't the external URL "https://server02.contoso.com/app1" work in this scenario?

Thanks for your help
Regards,
Adam Tyler

Adam,

I hope all is well. Seemingly a bad question, in the sense of how the answers provided are written, as the middle option for the second configuration element is HTTP... not HTTPS, which would not be technically correct given the information from the screen capture above.

The correct answer should be HTTPS... as you have identified in your question.

Having said that, just a little bit of real world info that may come in handy for questions like this going forward if you get any more, and have to wrangle the correct path/naming statements:

There is a quirky little issue with the web application proxy that you need to be aware of, which is as follows:

Web Application Proxy can translate host names in URLs, but cannot translate path names.

Therefore, you can enter different host names, but you must enter the same path name.

For example, you can enter an external URL of https://apps.itpro.tv/app1/ and a backend server URL of https://app-server/app1/.

However, you cannot enter an external URL of https://apps.itpro.tv/app1/ and a backend server URL of https://apps.itpro.tv/internal-app1/.

Hope that helps.

Cheers !!,

Adam ( the other Adam)

Adam G.! This path match detail has to be what the question is getting at. Great, thank you..

Quick follow up question.. Is it a requirement that the "back end" URL use TLS/Certificate? Or can the Web Application Proxy add TLS to a site that otherwise wouldn't support it?

Regards,
Adam Tyler

Adam,

Glad that the info was helpful. Traffic can be passed via HTTP or HTTPS between the WAP and the backend, so it would not be a requirement depending on how things are setup.

If you want to take a look at some different scenarios and a good overview of the process and supporting elements, take a look at the following (still appropriate even through it is for 2012R2):

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383650(v=ws.11)

Cheers,

Adam