Latest posts by Sander Berkouwer (see all)
In this part, we’ll create the single point of access to our environment. We’ll perform the basic configuration of server Edge and set it up as a Web Application Proxy.
Step 17: Configure the Edge server
We’ll start with performing the basic configuration of server Edge. Let’s make it part of our domain:
- Log on to server Edge.
- Press Win + X or right-click the Start button. In the context menu, select System.
- In the main pane, select Change settings in the Computer name, domain and workgroup settings section.
- On the System Properties window, click Change….
- On the Computer Name/Domain Changes window, select the Domain: radio option. Type the domain name, and then press OK.
- Restart server Edge.
Next, let’s get a certificate from the Certification Authority (CA):
- Log on to server ADFS with domain credentials.
- Click the Start button.
- Type mmc.exe and press Enter.
- This will start an empty Microsoft Management Console window.
- On the Console1 window, from the File menu, select Add/Remove Snap-in….
- On the Add or Remove Snap-ins window, select Certificates from the list of available snap-ins and click Add >.
- Select Computer account and click Next >.
- Select Local Computer and click Finish.
- On the Add or Remove Snap-ins window, click OK.
- In the left pane, expand Certificates (Local Computer), then Personal, and then Certificates.
- In the Action pane (to the right), click More Actions, click All Tasks, and click Request New Certificate….
- On the Certificate Enrollment window, click Next twice.
- Select Web Server.
- Click the link More information is required to enroll for this certificate. Click here to configure settings.
- On the Certificate Properties window, in the Subject name: area, change the Type: to Common Name and then type *.demo.4sysops.com. Click Add >.
- Click OK when done.
- Click Enroll.
- Click Finish.
- Close the Microsoft Management Console window. You don’t need to save it.
Step 18: Install and configure the Web Application Proxy
Now, let’s install the Web Application Proxy (WAP) Server Role:
- While still logged on as a Domain Administrator, go to Server Manager.
- In the grey top pane, click Manage and then select Add Roles and Features from the context menu.
- Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
- Click Next > on the Select Installation Type page to accept the Role-based or feature-based installation option.
- Click Next > on the Select Destination Server page.
- On the Select Server Roles page, select Remote Access. Click Next >.
- Click Next > on the Select Features page.
- From the role services available in the Remote Access server role, select Web Application Proxy. Then, click Next >.
- Verify the information on the Confirm Installation Selections page. Click Install.
- After installation, click Close on the Installation Progress page.
To configure Web Application Proxy on server Edge, perform these steps:
- In Server Manager, click the link to configure the Web Application Proxy.
- Click Next > on the Welcome Screen.
- Specify adfs.demo.4sysops.com as the Federation service name:. Next, specify the credentials for a user account with administrative privileges and click Next > when done.
- Select the *.demo.4sysops.com certificate. Click Next >.
- Choose Configure. Click Next >.
- Click Close.
- After these configuration tasks, the Remote Access Management Console automatically opens. Close it.
Now, we want to restart server Edge. Open an elevated PowerShell window and type the following command:
The second part of the Web Application Proxy consists of publishing our ClaimApp:
- Log on to server Edge.
- On the grey ribbon of Server Manager, click Tools and then select Remote Access Management from the context list.
- In the right Tasks pane, select Publish.
- Click Next > on the Welcome screen.
- Click Next > to accept the default selected Active Directory Federation Services (AD FS) as the preauthentication method for the claim app.
- On the Relying Party window, select ClaimApp from the list with AD FS Relying parties for the AD FS Server. Click Next > when done.
- On the Publishing Settings window, choose ClaimApp as the name for the web application. Then, specify https://www.demo.4sysops.com/claimapp as the External URL:. This will also prepopulate the Backend server URL:, which is fine. For the External certificate:, select the *.demo.4sysops.com certificate.
- Click Next > when done.
- Click Publish.
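The same configuration can be scripted. The block below is an added example and not code from the original post: it performs Steps 17 and 18 on server Edge with the Windows PowerShell cmdlets that the Server Manager and Remote Access Management wizards call underneath. The host names, the certificate subject, the relying party name and the URLs are the ones used in this post; the Active Directory domain name used for the join (demo.4sysops.com) and the function names are assumptions.

```powershell
# Added example (not from the original post): Steps 17 and 18 on server Edge in
# PowerShell. Run from an elevated PowerShell window. Assumed: the AD domain is
# demo.4sysops.com and Edge can resolve adfs.demo.4sysops.com to the AD FS server.

function Get-LabWildcardCert {
    # Picks the *.demo.4sysops.com certificate enrolled in Step 17. WAP terminates
    # TLS with it, so it must carry a private key; the newest matching one wins.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.demo.4sysops.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw 'No *.demo.4sysops.com certificate with a private key found in LocalMachine\My.'
    }
    return $cert
}

function Install-LabWap {
    # Step 18, first half: add the role service and establish the trust with the
    # federation service. The post restarts Edge after this, so reboot before publishing.
    Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null

    # Account with administrative rights on the AD FS server (as in the wizard).
    $adfsCred = Get-Credential -Message 'Account with admin rights on the AD FS server'
    Install-WebApplicationProxy -FederationServiceName 'adfs.demo.4sysops.com' `
        -CertificateThumbprint (Get-LabWildcardCert).Thumbprint `
        -FederationServiceTrustCredential $adfsCred
}

function Publish-LabClaimApp {
    # Step 18, second half: publish ClaimApp with AD FS pre-authentication, so a
    # request only reaches the backend after AD FS has issued a token for it.
    $thumb = (Get-LabWildcardCert).Thumbprint
    Add-WebApplicationProxyApplication -Name 'ClaimApp' `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName 'ClaimApp' `
        -ExternalUrl 'https://www.demo.4sysops.com/claimapp/' `
        -BackendServerUrl 'https://www.demo.4sysops.com/claimapp/' `
        -ExternalCertificateThumbprint $thumb

    # Check: what WAP now publishes and how each application is pre-authenticated.
    Get-WebApplicationProxyApplication |
        Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
}

# Step 17: join the domain and reboot. Domain name assumed; uncomment to run.
# Add-Computer -DomainName 'demo.4sysops.com' -Credential (Get-Credential) -Restart

# Usage: Install-LabWap; Restart-Computer; after the reboot, Publish-LabClaimApp
```

Run Install-LabWap, restart the server (this is the reboot the post asks for), and then run Publish-LabClaimApp. The final Get-WebApplicationProxyApplication call is the check worth keeping: an application whose ExternalPreauthentication shows PassThrough rather than ADFS would bypass the federation service entirely.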
Step 19: Configure Azure endpoints
With the Web Application Proxy in place, we can now finally expose our test lab to the outside world. We’ll specify the Web Application Proxy server Edge as the default endpoint for all HTTPS traffic coming toward www.demo.4sysops.com (and the cloud app it refers to), and we’ll specify the Certification Authority on server DC1 as the default endpoint for all (non-SSL) HTTP traffic to our Azure tenant.
Let’s start with DC1:
- Log on to the Microsoft Azure management portal via https://manage.windowsazure.com.
- In the left pane, select Virtual Machines.
- In the list of virtual machines, click the name DC1 to open its properties.
- Go to the Endpoints tab.
- Click the plus sign at the bottom of the Azure portal.
- Select Add a stand-alone endpoint. Then, click the icon consisting of a circle with a right arrow in it to continue to the next page.
- From the Name drop-down list, select HTTP. This will automatically fill in the values for Protocol (TCP), Public port (80), and Private port (80). Accept these by clicking the icon with a circle with a check mark at the bottom right of the modal screen.
The HTTP endpoint is now added to the two default endpoints available to the DC1 virtual machine (PowerShell and Remote Desktop, both on non-standard ports).
Repeat steps 1 through 7 for server Edge, but select HTTPS instead of HTTP at step 7.
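For readers who prefer scripting the portal steps, here is an added example (not code from the original post) that creates the same two endpoints with the classic Azure Service Management PowerShell module, which is the module that matched the 2015 management portal used above. The VM names DC1 and Edge and the ports come from the post; the cloud service name is a placeholder you must replace, and the example adds a check the post performs by eye in the portal.

```powershell
# Added example (not from the original post): Step 19 with the classic Azure
# (Service Management) PowerShell module. Assumed: you have run Add-AzureAccount
# and selected the subscription that holds the lab; the cloud service name is a
# placeholder.
$serviceName = '<your-cloud-service-name>'   # placeholder, not on the page

function Add-LabEndpoint {
    param(
        [string]$VmName,
        [string]$EndpointName,
        [int]$Port
    )
    # Same as "Add a stand-alone endpoint" in the portal: TCP, public and
    # private port equal. Update-AzureVM is what actually applies the change.
    $vm = Get-AzureVM -ServiceName $serviceName -Name $VmName
    if ($vm | Get-AzureEndpoint | Where-Object Name -eq $EndpointName) {
        Write-Verbose "$VmName already has endpoint $EndpointName"
        return
    }
    $vm | Add-AzureEndpoint -Name $EndpointName -Protocol tcp `
            -LocalPort $Port -PublicPort $Port |
        Update-AzureVM | Out-Null
}

# DC1: plain HTTP for the CA (CRL/AIA and the Online Responder).
Add-LabEndpoint -VmName 'DC1'  -EndpointName 'HTTP'  -Port 80

# Edge: HTTPS for the Web Application Proxy.
Add-LabEndpoint -VmName 'Edge' -EndpointName 'HTTPS' -Port 443

# Check: each VM should list the two default endpoints (PowerShell and Remote
# Desktop on non-standard public ports) plus the one just added, and nothing else.
foreach ($name in 'DC1', 'Edge') {
    Get-AzureVM -ServiceName $serviceName -Name $name | Get-AzureEndpoint |
        Select-Object @{ n = 'VM'; e = { $name } }, Name, Protocol, PublicPort, LocalPort |
        Format-Table -AutoSize
}
```

The closing loop is the part to look at after any portal change: the endpoint list is the complete set of ports reachable from the Internet on each VM. If you want the HTTPS endpoint reachable only from your own network during testing, Add-AzureEndpoint accepts an -ACL built with New-AzureAclConfig and Set-AzureAclConfig.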
Step 20 (optional): Publish CertEnroll
With the Online Responder of the Certification Authority (CA) on server DC1 available from the Internet, you might also choose to publish the CertEnroll folder. This enables you to request certificates from the CA through http://www.demo.4sysops.com/certenroll from the Internet. Perform these steps:
- Log on to DC1.
- In Server Manager, in the grey ribbon, click Tools and then select Internet Information Services (IIS) Manager from the menu.
- In the left pane, expand DC1, and then expand Sites. Select the Default Web Site.
- Right-click the Default Web Site, and then click Add Virtual Directory… from the context menu.
- Specify certenroll as the Alias: and C:\windows\system32\CertSrv\CertEnroll as the Physical Path:.
- Click OK when done.
- Close Internet Information Services (IIS) Manager.
- Log off.
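The IIS part of this step, as an added example that is not code from the original post, using the WebAdministration module on DC1 followed by a check that the CRLs in the folder really load through the new path. The site, alias and physical path are those named above; the public DNS name is assumed to resolve to DC1's HTTP endpoint from wherever you run the check, and the request-filtering setting is an addition beyond the post's steps.

```powershell
# Added example (not from the original post): Step 20 on DC1 with the
# WebAdministration module, plus a reachability check for the published CRLs.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$alias    = 'certenroll'
$physical = 'C:\Windows\System32\CertSrv\CertEnroll'

# Create the virtual directory only if it is not there yet.
if (-not (Test-Path "IIS:\Sites\$siteName\$alias")) {
    New-WebVirtualDirectory -Site $siteName -Name $alias -PhysicalPath $physical | Out-Null
}

# Addition beyond the post: delta CRL file names contain '+', which IIS request
# filtering rejects unless double escaping is allowed on the site.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

function Test-LabCrlPublication {
    # Fetches every CRL in the folder over HTTP through the published path and
    # asks certutil to parse it; a download that is not a valid CRL fails here.
    $base = 'http://www.demo.4sysops.com/certenroll'
    Get-ChildItem $physical -Filter '*.crl' | ForEach-Object {
        $url = "$base/$($_.Name)"
        $tmp = Join-Path $env:TEMP $_.Name
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
            & certutil.exe -dump $tmp | Out-Null
            $parses = ($LASTEXITCODE -eq 0)
        } catch {
            $parses = $false
        }
        [pscustomobject]@{ Url = $url; Parses = $parses }
    }
}

Test-LabCrlPublication | Format-Table -AutoSize
```

Run Test-LabCrlPublication from a client outside the lab network as well: a CRL that only downloads from inside the domain will leave every externally issued certificate check in a revocation-unknown state.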
This post consisted of several small tasks that enabled us to access our claims-aware web application from the Internet. Go ahead… Try it!
In my next post, we will configure the file server and Work Folders.