Part 3 – Protecting NDES with Web Application Proxy (WAP) in the DMZ


As you might have learned from my previous blog post about certificate deployment to mobile devices via NDES, it’s mandatory to open port 443 (TCP) inbound from any IP on the internet to your NDES server. At the same time the NDES server needs to be domain joined to the same domain as your Certificate Authority/ConfigMgr server and Domain Controllers.

The NDES server could either be placed in your trusted zone next to your CA/ConfigMgr server/DCs OR in the DMZ with the large number of firewall exceptions required for a typical domain joined server.
Some of our customers don’t prefer or allow such a configuration and require a reverse proxy in front of the NDES server, preferably non-domain joined and in the DMZ.

Your reverse proxy is likely to block large GET requests

The interesting part is when a mobile device on the internet receives a certificate profile from Microsoft Intune: this profile includes a URL to the NDES server. From that point on the device will reach out to the NDES server with a massive GET request (including a challenge to secure against any known SCEP vulnerabilities); depending on your configured key length it can be up to 30 KB or even 40 KB. Many reverse proxy solutions do not accept such large URLs, including UAG and Web Application Proxy (WAP). In my experience the only working solution is TMG, however that product is discontinued and no longer recommended.

The good news

The good news is that we have been working on a fix to address this issue. As of today there is a hotfix that mitigates the maximum GET request size restriction in our Web Application Proxy solution. This hotfix is private for now, which means it’s not tested extensively and therefore comes with limited support. Because of that it’s not publicly available without contacting Microsoft support; more information will be published later. In the future a KB will be posted that describes this issue and fix (KB523052).

Update: the hotfix is now generally available and part of the December Windows Update. Read more details in this post.

Design Overview

From a design perspective this is what it could look like:

Intune Design Network Diagram With Certificate Management - NDES via WAP

Please do note that Web Application Proxy is built on top of http.sys, which has a similar restriction; that restriction can be changed by altering the registry.

Open the registry editor on your Web Application Proxy server and add the following two registry values:

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Type: DWORD
Data: 65534 (decimal)

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxRequestBytes
Type: DWORD
Data: 65534 (decimal)
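The same two http.sys values set from an elevated PowerShell session on the WAP server, as an added example (not part of the original post). It is idempotent, reports what it changed, and reminds you that http.sys only reads these values at start, so the reboot the post describes is still required.

```powershell
# Added example: set the http.sys limits described above on a WAP server.
# Assumes it runs elevated on the WAP server; 65534 decimal is the value from the post.
$Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Wanted = @{ MaxFieldLength = 65534; MaxRequestBytes = 65534 }

if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

$changed = $false
foreach ($name in $Wanted.Keys) {
    $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        # Value does not exist yet: create it as a DWORD, as the post specifies.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Wanted[$name] | Out-Null
        Write-Host "Created $name = $($Wanted[$name])"
        $changed = $true
    } elseif ($current -ne $Wanted[$name]) {
        # Value exists with another setting: update it (the existing DWORD type is kept).
        Set-ItemProperty -Path $Path -Name $name -Value $Wanted[$name]
        Write-Host "Updated $name from $current to $($Wanted[$name])"
        $changed = $true
    } else {
        Write-Host "$name is already $current, nothing to do"
    }
}

# http.sys reads these values only when it starts, so a changed value needs the reboot
# mentioned in the post before large NDES GET requests will pass.
if ($changed) { Write-Warning 'http.sys limits changed; reboot the WAP server to apply them.' }
```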

Publishing the NDES server using the Remote Access Management Console on the WAP is fairly straightforward:


After changing the registry, applying the hotfix and rebooting your server, mobile devices should be able to request a certificate via the (workgroup) WAP from the NDES server. If a device fails to receive a certificate, please refer to the troubleshooting section in my previous blog post regarding Windows Intune and NDES.
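A quick way to confirm that the published NDES URL now accepts a GET request of the size the post describes, as an added example (not part of the original post). The hostname is a placeholder, the NDES path is the standard mscep.dll path, and the query string is constructed filler: only its length matters, so an HTTP 400 or 414 from the proxy is the symptom to look for.

```powershell
# Added example: send a ~40 KB GET through the WAP to the published NDES URL and report
# whether any hop still rejects it for length. Hostname is a placeholder; replace it.
$NdesUrl = 'https://ndes.example.com/certsrv/mscep/mscep.dll'
$Size    = 40000   # bytes of query string, the upper bound the post mentions

# Constructed filler appended as the SCEP 'message' parameter. It is not a real SCEP
# message; this check only exercises the URL length limits of the proxy and http.sys.
$filler = 'A' * $Size
$uri    = "$NdesUrl?operation=GetCACaps&message=$filler"

try {
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 30
    Write-Host "HTTP $($resp.StatusCode): a $($uri.Length)-byte URL passed the proxy and http.sys"
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    if ($code -eq 400 -or $code -eq 414) {
        Write-Warning "HTTP $code: a hop still rejects long URLs; check MaxFieldLength/MaxRequestBytes on the WAP and that the hotfix is installed"
    } else {
        Write-Warning "HTTP $code or connection error: $($_.Exception.Message)"
    }
}
```

A non-length error (for example an NDES-side error about the filler message) still means the URL reached NDES, which is what this check is about.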

I hope this guide helps you secure NDES using Microsoft Technology (Web Application Proxy). If it helped, please consider leaving a reply.

Regards,
Pieter


Comments (25)

  1. Recep YUKSEL says:

    Thank you. very good document.

  2. Anonymous says:

    Fantastic info as always Pieter, Planning on implementing this in the very near future ..

  3. Miha Pecnik says:

    Great stuff, might as well implement this if I can get my hands on the hotfix. Could you go into some detail what kind of rules (pass-through) are needed on the WAP? Any additional configuration requirements?

  4. Pieter says:

    Hi Miha, i’ve added a screenshot from the Remote Access Management Console on the WAP. Hope that helps. Regards.

  5. Miha Pecnik says:

    Thank you helpful as always. This will definitely come in handy in the future.

  6. Carsten says:

    Hi Pieter! Your instructions are excellent and have helped me already extremely when setting up NDES in our environment …:-) but I still have an open question … Since we cannot use a WAP … Is it possible to publish NDES on a UAG 2010 in the internet?
    Thanks and regards Carsten

  8. Great post Pieter! 🙂

  9. Anonymous says:

    My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise

  10. Anonymous says:

    After many feedback from customers and partners, I’ve decided to write another post with more detailed

  11. Anonymous says:

    In one of the last posts we discussed the option to put a Web Application Proxy in the DMZ as a reverse

  12. Anonymous says:

    In the past few months I published a series of posts on setting up certificate distribution to mobile

  13. mike says:

    Peter, can you explain the reason for placing the publicly facing CRL distribution point on the WAP? I have a scenario where putting the CRL in the DMZ is not an easy conversation.

  18. Excellent post ! Was able to publish the NDES server using this method as we were publishing other services using WAP for a long time now.
