Part 3 – Protecting NDES with Web Application Proxy (WAP) in the DMZ

As you might have learned from my previous blog post about certificate deployment to mobile devices via NDES, it’s mandatory to open port 443 (TCP) inbound from any IP on the internet to your NDES server. At the same time the NDES server needs to be domain joined to the same domain as your Certificate Authority/ConfigMgr server and Domain Controllers.

The NDES server can either be placed in your trusted zone next to your CA/ConfigMgr server/DCs, OR in the DMZ with the large number of firewall exceptions a typical domain joined server requires.
Some of our customers do not allow (or prefer not to use) such a configuration and require a reverse proxy in front of the NDES server, preferably non-domain joined and placed in the DMZ.

Your reverse proxy is likely to block large GET requests

The interesting part starts when a mobile device on the internet receives a certificate profile from Microsoft Intune: this profile includes a URL to the NDES server. From that point on the device reaches out to the NDES server with a massive GET request (which includes a challenge to protect against known SCEP weaknesses). Depending on your configured key length it can be up to 30kb or even 40kb. Many reverse proxy solutions do not accept such large URLs, including UAG and Web Application Proxy (WAP). In my experience the only working solution is TMG; however, that product is discontinued and no longer recommended.

The good news

The good news is that we have been working on a fix to address this issue. As of today there is a hotfix that lifts the maximum GET request size restriction in our Web Application Proxy solution. This hotfix is private for now, which means it has not been tested extensively and therefore comes with limited support. Because of that it is not publicly available without contacting Microsoft support; more information will be published later. In the future a KB will be posted that describes this issue and the fix (KB523052).

Update: the hotfix is now generally available and part of the December Windows Update. Read more details in this post.

Design Overview

From a design perspective this is what it could look like:

[Figure: Intune Design Network Diagram With Certificate Management - NDES via WAP]

Please note that Web Application Proxy is built on top of http.sys, which has a similar restriction; that restriction, however, can be changed by altering the registry.

Open the registry editor on your Web Application Proxy server and add the following two registry values:

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Data: 65534 (decimal)

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxRequestBytes
Data: 65534 (decimal)
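The same two http.sys values set from an elevated PowerShell session on the WAP, followed by a check that a long GET is no longer rejected at the proxy. This is an added example, not from the original post; the hostname and the size of the constructed query string are assumptions.

```powershell
# Added example: configure the http.sys request-size limits the post describes
# and verify them. Assumes an elevated session on the WAP server.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$required = @{ MaxFieldLength = 65534; MaxRequestBytes = 65534 }

function Set-HttpSysLimits {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    foreach ($name in $required.Keys) {
        $current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $required[$name]) {
            New-ItemProperty -Path $regPath -Name $name -PropertyType DWord `
                -Value $required[$name] -Force | Out-Null
            Write-Host "Set $name = $($required[$name]) (was: $current)"
        } else {
            Write-Host "$name already set to $current"
        }
    }
    # http.sys only reads these values at service start, so reboot afterwards
    # (as the post says) before trusting the result of Test-LongGet.
}

function Test-LongGet {
    param([string]$BaseUrl, [int]$QueryBytes = 32768)
    # Constructed filler standing in for the large SCEP message a device sends
    # as a GET; NDES itself will reject it, but a 400/414 from the proxy means
    # the request never reached NDES and the size limit is still in force.
    $filler = 'A' * $QueryBytes
    $uri = "$BaseUrl/certsrv/mscep/mscep.dll?operation=PKIOperation&message=$filler"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        $r = $_.Exception.Response
        if ($r) { return [int]$r.StatusCode } else { throw }
    }
}

Set-HttpSysLimits
# Hypothetical published hostname; replace with your own WAP external URL.
$status = Test-LongGet -BaseUrl 'https://ndes.example.com'
Write-Host "Proxy returned HTTP $status for a $(32768)-byte query string"
```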

Publishing the NDES server using the Remote Access Management Console on the WAP is fairly straightforward:


After changing the registry, applying the hotfix and rebooting your server, mobile devices should be able to request a certificate from the NDES server via the (workgroup) WAP. If a device fails to receive a certificate, please refer to the troubleshooting section in my previous blog post regarding Windows Intune and NDES.

I hope this guide helps you secure NDES using Microsoft Technology (Web Application Proxy). If it helped, please consider leaving a reply.


Comments (13)

  1. Recep YUKSEL says:

    Thank you. very good document.

  2. Anonymous says:

    Fantastic info as always Pieter, Planning on implementing this in the very near future ..

  3. Miha Pecnik says:

    Great stuff, might as well implement this if I can get my hands on the hotfix. Could you go into some detail what kind of rules (pass-through) are needed on the WAP? Any additional configuration requirements?

  4. Pieter says:

    Hi Miha, I’ve added a screenshot from the Remote Access Management Console on the WAP. Hope that helps. Regards.

  5. Miha Pecnik says:

    Thank you, helpful as always. This will definitely come in handy in the future.

  6. Carsten says:

    Hi Pieter! Your instructions are excellent and have already helped me enormously when setting up NDES in our environment …:-) but I still have an open question … Since we cannot use a WAP … Is it possible to publish NDES on a UAG 2010 to the internet?
    Thanks and regards, Carsten

  7. mike says:

    Peter, can you explain the reason for placing the publicly facing CRL distribution point on the WAP? I have a scenario where putting the CRL in the DMZ is not an easy conversation.

  8. Excellent post! I was able to publish the NDES server using this method, as we have been publishing other services using WAP for a long time now.

  9. SBanga says:

    Pieter, regarding the setup of the WAP server: do you have to change settings on the NDES website for authentication? With the above settings for WAP (passthrough) I am getting 403 errors on the URL https:///certsrv/mscep/mscep.dll for “user: NTAuthority\IUSR” “Authentication: Anonymous”. When I try this from the internal network it works fine.
