Learn Exchange the Guru way !!!


Web Application Proxy with Azure MFA Part 2

After Part 1, we have Web Application Proxy installed and this is the configuration blog of WAP Deployment. We will also share the configuration required to publish RDWEB with WAP using the same server.

Web Application Proxy with Azure MFA Part 1

Make sure we have SSL certificate with the RDWeb URL. We should install it on RDweb proxy.

Configure Kerberos for WAP server.

  • Open Adsiedit.msc, Connect to the domain partition and Go to the properties of the WAP server computer object. We would assume the name of the computer is WAP and domain is
  • Select ServicePrincipalName and click edit.
  • Now add 2 entries for the server name and 2 for the application URLs here.





  • Click ok then ok. Close Adsiedit.msc now.

Configure Delegation

  • Open Active Directory Users and Computers.
  • Search for the WAP server
  • Go to the properties of the WAP server
  • Click on Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.
  • Click Add and in the add services windows click on to the users or computers.

  • Enter the name of the web server which is using Integrated Windows authentication.
  • Click ok. Now in the available services list, select Http service type then click ok. Then click ok.

    I have added my URL with Service type HTTP and my ADFS Service account with Service type  HTTP.

Configure ADFS Rely Trust

For all web applications that we are planning to publish using AD FS preauthentication, we need to configure one relying party trust for each application in the AD FS server.

In our case, RDWeb is not a claim aware application so we will add a non-claim aware relying Party Trust.

  • Login to the ADFS server
  • Open ADFS Management
  • Expand Trust Relationships
  • Right click on “Relying Party Trusts” and select “Add Non-Claims-Aware Replying Party Trust”

  • Click Start Then Give a Display name and click next here.

  • Now give your ADFS URL and click Add


We are going to use MFA so we will configure “Configure multi-forest Authentication settings for this relying party trust” then click next

Select MFA settings and click next

  • Accept the default and click next.

  • Click next here.

  • Uncheck the checkbox and click close.

  • Restart-Service adfssrv

Publishing the RDWeb in Web Application Proxy

Open “Remote Access Management console” and click on Publish.

Click next on the welcome Screen

Select ADFS and Click next

Now select non-claim-aware relying Trust which was created in the previous step and click next.

Now configure the following as mentioned below sample

Name – Golden Five RDWeb

External URL: RDWeb external URL

External Certificate: Select the certificate.

Backend Server URL:

Look at this I have added port 444 for the backend server URL.

Backend Servers SPN: HTTP/

I have used the URL in place of the server name and this is why I had added the URL in the ServicePrincipalName in step 1.

Review the cmdlet then click Publish.

Click close on the confirmation screen.

Now we can verify in the ADFS Management, on the claim properties à Proxy Endpoints will be updated.

Open the power shell and run the following cmdlets

Get-WebApplicationProxyApplication -Name “Published Application Name” | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true -InactiveTransactionsTimeoutSec 28800

Import-Module remotedesktop

Set-RDSessionCollectionConfiguration -CollectionName “CollectionNAme” -CustomRdpProperty “pre-authentication server address:s: require pre-authentication:i:1”

Run IISreset

Add the following Public DNS records

                       Host Record              Public IP

                       CName Record

Important: Make sure to point ADFS URL to the WAP Server for the external Traffic because it has to go through web application proxy server.

Firewall Rule:

                       Public IP NAT to WAP+RDWeb Server Internal IP with Port 443



Open the RDWeb URL:

Now we will see URL has changed to….

Type the credentials and click login.

Now we should see the Multi-Factor Authentication

Select your choice and authenticate.

Now we will see the URL has changed to this.

Important: Microsoft has confirmed that this RDWeb login would be required even after ADFS SSO.

After the login, URL will change again to the following:


To stop the URL from showing the changed header run this command.

Get-WebApplicationProxyApplication -Name “RDWeb” | Set-WebApplicationProxyApplication -D
isableTranslateUrlInRequestHeaders:$True -DisableTranslateUrlInResponseHeaders:$True

After this command, URL will not show “:444”. When we will open any application then we will receive the following error.







To fix this error simply add the https://* in the Internet Explorer Trusted Sites.


RDWEB SSO Configuration:

We also configured SSO at the RDWeb Level with the help of this blog:

Add the fully qualified domain name (FQDN) of the RD Connection Broker server to the server list of the corresponding Credentials Delegation Group Policy setting. Configure the GPO in the DC and assign it to the WAP server OU.

WE have to add TERMSRV/Fqdnoftheserver

Navigate to Server Manager à Remote Desktop Services à Overview, and in the DEPLOYMENT OVERVIEW section, on the TASKS menu, click Edit Deployment Properties

In the Properties dialog box, select the RD Gateway tab on the left.

    Give the RD Gateway Server FQDN which should be the URL configured in the certificate.

Check the checkbox Use RD Gateway credentials for remote computers check box,

Set the Logon method to Password Authentication.

Click Apply and ok.

RDWeb Certificate Configuration

Click on RD Gateway

Move the server to right and click next

Give the URL then click next

Click Add to confirm

Click on the “Configure Certificate”

Select the Existing Certificate. Make sure to use the same certificate

Select the certificate and give the password then check the checkbox and click ok.

Click Apply and ok.

Now we have completed the RDWeb configuration where we can publish outlook and secure it under MFA.

So this is one way of securing On-Premise Exchange Outlook and adapted by many organizations.


Prabhat Nigam

Microsoft MVP | CTO @ Golden Five


Don’t forget to register December 2016 “New York Exchange User Group” meeting. This is the online session on “Upgrading or Migrating to Exchange 2016 CU3″

One Response to “Web Application Proxy with Azure MFA Part 2”

  1. Web Application Proxy with Azure MFA Part 1 « Says:

    […] « Unable to install Web Application Proxy Web Application Proxy with Azure MFA Part 2 […]

Leave a Reply




Do NOT follow this link or you will be banned from the site!