Web Application Proxy PowerShell Cheat Sheet


Web Application Proxy LOVES POWERSHELL

For us PowerShell is the fundamental API to our system. This is how the UI works. This is how our remote management work. This is how we test the product. This is how we deploy it in our own labs.

As you probably noticed, the UI wizards always end by showing you the PowerShell command it sends to apply the changes. This is a great way for you to learn the basics, how to start doing the regular stuff. But, we have more for you. Here are some advanced commands and how you can use them with the PowerShell goodies to better manage your Web Application Proxy deployments.

To start, here are the commands aliases that allow much shorter and more readable scripts:

cmdlet alias
Add-WebApplicationProxyApplication awpa
Get-WebApplicationProxyApplication gwpa
Set-WebApplicationProxyApplication swpa
Remove-WebApplicationProxyApplication rwpa
Get-WebApplicationProxyConfiguration gwpc
Set-WebApplicationProxyConfiguration swpc
Get-WebApplicationProxyAvailableADFSRelyingParty gwpr
Get-WebApplicationProxyHealth gwph


Now let’s see the most common PowerShell tricks using the standard cmdlets:

Show published applications that have ADFS as their preauthentication method Get-WebApplicationProxyApplication | ? {$_.ExternalPreauthentication -eq 'ADFS'}
Export all published applications to a file Get-WebApplicationProxyApplication | Export-Clixml "ExportedApps"
Import published applications from a file Import-Clixml "ExportedApps" | Add-WebApplicationProxyApplication
Getting full help on the set command Get-Help -Full Set-WebApplicationProxyApplication
List all the details on all the certificates that are used by published apps.
Note: the cert: provider does not support filter
$WAP_Certs = (gwpa).ExternalCertificateThumbprint | sort –Unique ;
dir Cert:\LocalMachine\my |? {$WAP_Certs -contains $_.Thumbprint} | fl -Property *
Add a machine to the Web Application Proxy connected servers list swpc -ConnectedServersName ((gwpc).ConnectedServersName + ‘ServerToAdd’)
Remove a machine from the Web Application Proxy connected servers list swpc –ConnectedServersName ((gwpc).ConnectedServersName -ne ‘ServerToRemove’)

As Web Application Proxy is a standard Windows Server role service, you can use many Windows Server PowerShell tools to control Web Application Proxy:

Shows Web Application Proxy Windows services status Get-Service 'appproxysvc','appproxyctrl','adfssrv' | fl -property *
Shows the configuration of Web Application Proxy Windows service Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='appproxysvc'"
Get Best Practices Analyzer (BPA) results for the Remote Access role Invoke-BpaModel Microsoft/Windows/RemoteAccessServer ;
Get-BpaResult Microsoft/Windows/RemoteAccessServer
List all the events that Web Application Proxy had in the last 24 hours with their ID, Level and Message. $yesterday = (Get-Date) - (New-TimeSpan -Day 1) ;
Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; StartTime=$yesterday} | group -Property ID,LevelDisplayName,Message -NoElement | sort Count, Name -Descending | ft -AutoSize
Read Web Application Proxy registry keys Get-ItemProperty hklm:\software\microsoft\appproxy
Read Web Application Proxy performance counters at current point Get-Counter '\Web Application Proxy\*'
Return the number of currently active requests (Get-Counter '\Web Application Proxy\active requests').CounterSamples.CookedValue


And finally, here are some tricks for managing Web Application Proxy multi-machine deployments:

Show the status of Web Application Proxy related services on all the connected servers grouped by their status.
Note: Same syntax would work with any command that supports the ComputerName parameter. E.g. set-service, get-process
Get-Service 'appproxysvc','appproxyctrl','adfssrv' -ComputerName ((gwpc).ConnectedServersName) | sort Status,MachineName,Name | ft MachineName, Name -AutoSize -GroupBy Status
Restart the Web Application Proxy service on all the connected servers and print the name of the machines Invoke-Command -ScriptBlock {Restart-Service 'appproxysvc'; (Get-WmiObject -Class Win32_ComputerSystem).Name} -ComputerName ((gwpc).ConnectedServersName)
Show the names of all the connected servers that had event 12000 in the last 10 hours Foreach ($Server in (gwpc).ConnectedServersName){Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; ID=12000; StartTime=(Get-Date) - (New-TimeSpan -hour 10)} -ComputerName $Server -ErrorAction SilentlyContinue | group MachineName -NoElement | ft Name -HideTableHeaders
Show all IP addresses of all servers in the cluster.
1. This will work only if remote management is enabled on all servers using Kerberos
2. Same syntax would work with any command that supports the CimSession parameter
3. New-CimSession can accept admin credentials.
Get-NetIPAddress -CimSession (New-CimSession -ComputerName ((gwpc).ConnectedServersName)) | ft IPAddress


$Author.Name = “Meir Mendelovich”

$Author.Role = Microsoft.ProductGroupTitles.SeniorProgramManager


Comments (7)

  1. Rob Bolbotowski [MSFT] says:

    Thanks for posting this!

  2. Anonymous says:

    We’re have another post from guest blogger Mark Grimes with Microsoft Consultancy Services. Mark

  3. Jack says:

    Hi Meir,

    Nice Article

    I have successfully deployed ADFS and Web Application Proxy

    However, now I want to use the same ADFS Server for another application

    I added another Relying Party using metadata file, however, am facing some confusion regarding Publishing it via Web Application Proxy

    I would like to know the exact meaning and difference between the External URL and the Backend URL

    The first Relying Party I setup was published to the same Public URL to which the ADFS Server was setup, example :

    It used a SSL certificate issued to "https://abc01.contoso.com"

    My ADFS Federation Service name is also "abc01.contoso.com"

    Hence, the Public Certificate I used while publishing is the same as the SSL/Service Communication Certificate setup in my ADFS

    Since, Web Application Proxy does not support nesting of URLs, I am unable to Publish my second Relying Party to another path of the same Public URL, example :
    https://abc01.contoso.com/second/ is not accepted

    Will creating a new sub domain for the second Relying Party and publishing it to the new sub domain work ? example :

    In this case is my Backend URL supposed to be set as the ADFS Service Name URL "https://abc01.contoso.com" OR can it also be set as the new sub domain I create "https://second.contoso.com"

    Will using "https://second.contoso.com" and a different certificate(issued to
    https://second.contoso.com) during publishing still let users authenticate via ADFS even though ADFS is configured for the first URL "abc01.contoso.com"

    Thanks and Regards,


  4. Rishi says:

    What is this ConnectedServersName exactly when we run "Get-WebApplicationProxyConfiguration" ? What is its role ? What happens in the background when I use the command to remove a server using your command "swpc –ConnectedServersName ((gwpc).ConnectedServersName
    -ne ‘ServerToRemove’)" What is the implication of removing a server from the "ConnectedServersName" ? I know that it causes the MMC to stop showing that server in the Remote Access Manager console under Cluster Servers …is that all it does or does it have
    any other implication too? sorry too many questions. I like your blog but have not been able to find a detailed answer to the meaning of the "ConnectedServersName" entry.

  5. alfred says:

    Is there anyway to run a command to see the current client sessions that will display IP, login ID etc? We are using this in place of our retired UAG server and when you had UAG you could see sessions that were nailed up for active sync users. thanks!

  6. Joe says:

    Hi. I’m having an issue with Non-Claims Aware applications.
    I tried to set the session timeout to 10 hours but cannot go beyond 1 hour.
    I installed KB https://support.microsoft.com/en-us/kb/3020813 and used the parameter:

    $webapp= Get-WebApplicationProxyApplication -ID 5BF2F565-3DBA-CCE9-1B5E-E6D94549FCFA
    Set-WebApplicationProxyApplication $webapp.ID -PersistentAccessCookieExpirationTimeSec 36000

    But No luck. The edge access cookie is not being modified.
    And I cannot set a tokenlifetime on the adfs server sinice this property is not available for non-claimsaware apps.
    Any help would be appreciated

Skip to main content