In the previous parts of this series, we created an environment you would normally deploy at a customer’s site with Active Directory Domain Services and Active Directory Certificate Services (all on DC1). We expanded this environment to the Internet with the implementation of Active Directory Federation Services (on server ADFS) and a claims-enabled web app (on server WebServer).

In this part, we’ll create the single point of access to our environment. We’ll configure server Edge and configure it as a Web Application Proxy.

Step 17: Configure the Edge server

We’ll start with performing the basic configuration of server Edge. Let’s make it part of our domain:

  1. Log on to server Edge.
  2. Press Win + X or right-click the Start button. In the context menu, select System.
  3. In the main pane, select Change settings in the Computer name, domain and workgroup settings section.
  4. On the system Properties window, click Change….
  5. On the Computer Name/Domain Changes window, select the Domain: radio option. Type the domain name, and then press OK.
  6. Restart server Edge.

Next, let’s get a certificate from the Certification Authority (CA):

  1. Log on to server ADFS with domain credentials.
  2. Click the Start button.
  3. Type mmc.exe and press Enter.
  4. This will start an empty Microsoft Management Console window.
    On the Console1window, from the File menu, select Add/Remove Snap-in…
    Add or Remove Snap-ins
  5. On the Add or Remove Snap-ins window, select Certificates from the list of available snap-ins and click Add >.
  6. Select Computer account and click Next >.
  7. Select Local Computer and click Finish.
  8. On the Add or Remove Snap-ins window, click OK.
  9. In the left pane, expand Certificates (Local Computer), then Personal, and then Certificates.
  10. In the Action pane (to the right), click More Actions, click All Tasks, and click Request New Certificate….
  11. On the Certificate Enrollment window, click Next twice.
  12. Select Web Server.
  13. Click the link More information is required to enroll for this certificate. Click here to configure settings..
  14. On the Certificate Properties window, in the Subject name: area, change the Type: to Common Name and then type * Click Add >.
  15. Click OK when done.
  16. Click Enroll.
  17. Click Finish.
  18. Close the Microsoft Management Console window. You don’t need to save it.

Step 18: Install and configure the Web Application Proxy

Now, let’s install the Web Application Proxy (WAP) Server Role:

  1. While still logged on as a Domain Administrator, go to Server Manager.
  2. In the grey top pane, click Manage and then select Add Roles and Features from the context menu.
  3. Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
  4. Click Next > on the Select Installation Typepage to accept the Role-based or feature based installation option.
  5. Click Next > on the Select Destination Server page.
  6. On the Select Server Rolespage, select Remote Access. Click Next >.
  7. Click Next > on the Select Features page.
  8. From the available Role Features in the Remote Access Server Role, select the Web Application Proxy from the list. Then, click Next >.
  9. Verify the information on the Confirm Installation Selections page. Click Install.
  10. After installation, click Close on the Installation Progress page.

To configure Web Application Proxy on server Edge, perform these steps:

  1. In Server Manager, click the link to configure the Web Application Proxy.
  2. Click Next > on the Welcome Screen.
  3. Specify as the Federation service name:. Next, specify the credentials for a user account with administrative privileges and click Next > when done.
  4. Select the * certificate. Click Next >.
  5. Choose Configure. Click Next >.
  6. Click Close.
  7. After these configuration tasks, the Remote Access Management Console automatically opens. Close it.

Now, we want to restart server Edge. Open an elevated PowerShell window and type the following command:


The second part of the Web Application Proxy consists of publishing our ClaimApp:

  1. Log on to server Edge.
  2. On the grey ribbon of Server Manager, click Tools and then select Remote Access Management from the context list.
  3. In the right Tasks pane, select Publish.
    Welcome to the Publish New Application Wizard
  4. Click Next > on the Welcome screen.
  5. Click Next > to accept the default selected Active Directory Federation Services (AD FS) as the preauthentication method for the claim app.
  6. On the Relying Party window, select ClaimApp from the list with AD FS Relying parties for the AD FS Server. Click Next > when done.
  7. On the Publishing Settings window, choose ClaimApp as the name for the web application. Then, specify as the External URL:. This will also prepopulate the Backend server URL:, which is fine. For the External certificate:, select the * certificate:
    Publishing Settings
  8. Click Next > when done.
  9. Click Publish.

Step 19: Configure Azure endpoints

With the Web Application Proxy in place, we can now finally expose our test lab to the outside world. We’ll specify the Web Application Proxy server Edge as the default endpoint for all HTTPS traffic coming toward (and the cloud app it refers to), and we’ll specify the Certification Authority on server DC1 as the default endpoint for all (non-SSL) HTTP traffic to our Azure tenant.

Let’s start with DC1:

  1. Log on to the Microsoft Azure management portal via
  2. In the left pane, select Virtual Machines.
  3. Click DC1 in the list of virtual machines. Click its name to open its properties.
  4. Go to the Endpoints tab.
  5. Click the plus sign at the bottom of the Azure portal.
    Add an endpoint to a virtual machine
  6. Select Add a stand-alone endpoint. Then, click the icon consisting of a circle with a right arrow in it to continue to the next page.
  7. From the Name drop-down list, select HTTP. This will automatically fill in the values for Protocol (TCP), Public port (80), and Private port (80). Accept these by clicking the icon with a circle with a check mark at the bottom right of the modal screen.

The HTTP endpoint is now added to the two default endpoints available to the DC1 virtual machine (PowerShell and Remote Desktop, both on non-standard ports).

Repeat steps 1 through 7 for server Edge, but select HTTPS instead of HTTP at step 7.

Step 20 (optional): Publish CertEnroll

With the Online Responder of the Certification Authority (CA) on server DC1 available from the Internet, you might also choose to publish the CertEnroll folder. This enables you to request certificates from the CA through from the Internet. Perform these steps:

  1. Log on to DC1.
  2. In Server Manager, in the grey ribbon, click Tools and then select Internet Information Services (IIS) Manager from the menu.
  3. In the left pane, expand DC1, and then expand Sites. Select the Default Web Site.
  4. Right-click the Default Web Site, and then click Add Virtual Directory… from the context menu.
  5. Specify certenroll as the Alias: and C:\windows\system32\CertSrv\CertEnroll as the Physical Path:.
  6. Click OK when done.
  7. Close Internet Information Services (IIS) Manager.
  8. Log off.


This post consisted of several small tasks that enabled us to access our claims-aware web application from the Internet. Go ahead… Try it!

Subscribe to 4sysops newsletter!

In my next post, we will configure the file server and Work Folders.


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account