Windows Server 2012 R2 introduced a new service under the Remote Access role. The service is called Web Application Proxy (WAP), and it functions both as a reverse proxy for publishing applications to external users and as the AD FS proxy service that some may be familiar with from Windows Server 2012.
Because WAP is pretty new there seems to be some confusion around what it is and what it is capable of doing. This article addresses some of the more common questions we are asked about WAP.
1.) What are the prerequisites required to deploy WAP in my environment?
The AD FS role on a Windows Server 2012 R2 server must be installed on a separate server before you attempt to roll out Web Application Proxy.
For more information on infrastructure and specific AD FS requirements please see this article.
2.) Are there any specific schema requirements?
Although there are no specific schema requirements, some functionality will require a schema update, specifically Device Registration (Workplace Join) or Work Folders discovery. The minimum domain functional level that this schema update can be applied to is a 2008 domain.
For more on what Workplace Join is please see this article.
3.) Should I connect WAP directly to the Internet?
The simple answer is no. It is strongly recommended that you protect the Web Application Proxy server with an edge firewall and also place a firewall between WAP and your internal AD FS and web servers.
For more information on planning your Infrastructure for WAP please see this article.
4.) Is WAP a replacement for TMG 2010 and/or UAG 2010?
No. The bottom line is that WAP offers a very small subset of what both TMG and UAG offered. WAP is purely and simply a reverse proxy solution for publishing your internal web applications to external clients.
5.) Is Web Application Proxy a Web Application Firewall?
No. WAP is purely a reverse proxy and that is why we recommend that you protect it with an Edge device and also a backend firewall.
6.) What kind of client devices can access websites published using WAP?
Given the current Bring Your Own Device trend, the goal of WAP is to work on all devices and to be device agnostic. The client needs to support HTTP redirects, use MSOFBA (Word, Excel, PowerPoint), or OAuth.
7.) Does WAP just blindly pass a request through to my backend web servers?
No. Web Application Proxy terminates the connection and then initiates a new one to the backend resource after it verifies that it is a valid HTTP request to an application that is being published.
8.) How does WAP determine if it is a valid HTTP request?
An HTTP filter, with functionality similar to that of the one in ISA/TMG, is used to make sure that the HTTP request is legal and complies with the RFC for HTTP 1.1, which can be viewed here.
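The decision described in questions 7 and 8 (terminate, validate, confirm the request targets a published application, then open a new backend connection) can be sketched as below. This is an added illustration, not WAP's actual filter or code from the original article; the publishing table, host names and the specific checks are constructed assumptions.

```python
import re

# Constructed publishing table: external URL prefix -> backend URL prefix.
PUBLISHED = {
    "https://mail.contoso.example/owa/": "https://ex01.corp.example/owa/",
    "https://apps.contoso.example/hr/": "https://web02.corp.example/hr/",
}
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # header field-name syntax
REQUEST_LINE = re.compile(r"([A-Z]+) (/\S*) HTTP/1\.1")  # origin-form, HTTP/1.1 only

def parse_request(raw: bytes):
    """Return (method, target, headers); raise ValueError if malformed."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII raises a ValueError subclass
    match = REQUEST_LINE.fullmatch(lines[0])
    if not match:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            raise ValueError("bad header field")  # also rejects folded lines
        if name.lower() in headers:
            raise ValueError("duplicate header")  # stricter than the RFC, for brevity
        headers[name.lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host")
    return match.group(1), match.group(2), headers

def route(raw: bytes):
    """Backend URL for a valid request to a published application, else None."""
    try:
        _, target, headers = parse_request(raw)
    except ValueError:
        return None  # malformed: never reaches a backend
    if ".." in target.split("?", 1)[0].split("/"):
        return None  # literal dot-segment would escape the published prefix
    external = f"https://{headers['host'].lower()}{target}"
    for prefix, backend in PUBLISHED.items():
        if external.startswith(prefix):
            return backend + external[len(prefix):]
    return None  # well-formed, but not for anything that is published
```

A request is forwarded only when `route` returns a backend URL; both malformed requests and well-formed requests for unpublished URLs stop at the proxy.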
9.) Does WAP use an ISAPI filter on top of IIS in a similar fashion as Forefront Unified Access Gateway (UAG) 2010?
No. Web Application Proxy uses the HTTP Protocol Stack driver (HTTP.SYS). For more information on HTTP.SYS please see this article.
10.) Can Web Application Proxy be used in a Single Adapter scenario?
Yes. Single NIC scenarios are supported.
11.) Can WAP be installed in a workgroup?
Yes. WAP can be deployed in a workgroup or as part of an Active Directory Domain.
I will be adding to this blog as time goes on with any new questions that may crop up and are commonly asked, so check back often.