MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Web Application Proxy with Azure MFA Part 2

After Part 1, we have Web Application Proxy installed and this is the configuration blog of WAP Deployment. We will also share the configuration required to publish RDWEB with WAP using the same server.

Web Application Proxy with Azure MFA Part 1 http://msexchangeguru.com/2016/12/09/wap-adfs-mfa-part-1/

Make sure we have SSL certificate with the RDWeb URL. We should install it on RDweb proxy.

Configure Kerberos for WAP server.

  • Open Adsiedit.msc, Connect to the domain partition and Go to the properties of the WAP server computer object. We would assume the name of the computer is WAP and domain is GoldenFive.net
  • Select ServicePrincipalName and click edit.
  • Now add 2 entries for the server name and 2 for the application URLs here.

        HTTP/WAP

        HTTP/WAP.GoldenFive.net

        HTTP/Portal

        HTTP/Portal.GoldenFive.net


  • Click ok then ok. Close Adsiedit.msc now.

Configure Delegation

  • Open Active Directory Users and Computers.
  • Search for the WAP server
  • Go to the properties of the WAP server
  • Click on Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.
  • Click Add and in the add services windows click on to the users or computers.


  • Enter the name of the web server which is using Integrated Windows authentication.
  • Click ok. Now in the available services list, select Http service type then click ok. Then click ok.

    I have added my URL with Service type HTTP and my ADFS Service account with Service type  HTTP.


For all web applications that we are planning to publish using AD FS preauthentication, we need to configure one relying party trust for each application in the AD FS server.

In our case, RDWeb is not a claim aware application so we will add a non-claim aware relying Party Trust.

  • Login to the ADFS server
  • Open ADFS Management
  • Expand Trust Relationships
  • Right click on “Relying Party Trusts” and select “Add Non-Claims-Aware Replying Party Trust”


  • Click Start Then Give a Display name and click next here.


  • Now give your ADFS URL and click Add

https://adfs.GoldenFive,net/adfs/services/trust


We are going to use MFA so we will configure “Configure multi-forest Authentication settings for this relying party trust” then click next


Select MFA settings and click next


  • Accept the default and click next.


  • Click next here.


  • Uncheck the checkbox and click close.


  • Restart-Service adfssrv


Publishing the RDWeb in Web Application Proxy

Open “Remote Access Management console” and click on Publish.


Click next on the welcome Screen


Select ADFS and Click next


Now select non-claim-aware relying Trust which was created in the previous step and click next.


Now configure the following as mentioned below sample

Name – Golden Five RDWeb

External URL: RDWeb external URL

https://portal.GoldenFive.net/RDWeb

External Certificate: Select the certificate.

Backend Server URL: https://portal.GoldenFive.net:444/RDWeb

Look at this I have added port 444 for the backend server URL.

Backend Servers SPN: HTTP/Portal.aclunc.org

I have used the URL in place of the server name and this is why I had added the URL in the ServicePrincipalName in step 1.


Review the cmdlet then click Publish.

Click close on the confirmation screen.


Now we can verify in the ADFS Management, on the claim properties à Proxy Endpoints will be updated.


Open the power shell and run the following cmdlets

Get-WebApplicationProxyApplication -Name “Published Application Name” | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true -InactiveTransactionsTimeoutSec 28800

Import-Module remotedesktop

Set-RDSessionCollectionConfiguration -CollectionName “CollectionNAme” -CustomRdpProperty “pre-authentication server address:s: https://Portal.GoldenFive.net/rdweb/n require pre-authentication:i:1”

Run IISreset

Add the following Public DNS records

                       Host Record ADFS.domain.com              Public IP

                       CName Record Portal.domain.com          ADFS.Domain.com

Important: Make sure to point ADFS URL to the WAP Server for the external Traffic because it has to go through web application proxy server.

Firewall Rule:

                       Public IP NAT to WAP+RDWeb Server Internal IP with Port 443

 

Testing:

Open the RDWeb URL:

https://Portal.GoldenFive.net/RDWeb

Now we will see URL has changed to https://adfs.GoldenFive.net/adfs/ls….

Type the credentials and click login.

Now we should see the Multi-Factor Authentication


Select your choice and authenticate.

Now we will see the URL has changed to this.

https://portal.GoldenFive.net/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx


Important: Microsoft has confirmed that this RDWeb login would be required even after ADFS SSO.

After the login, URL will change again to the following:

https://portal.GoldenFive.net:444/RDWeb/Pages/en-US/Default.aspx


 

To stop the URL from showing the changed header run this command.

Get-WebApplicationProxyApplication -Name “RDWeb” | Set-WebApplicationProxyApplication -D
isableTranslateUrlInRequestHeaders:$True -DisableTranslateUrlInResponseHeaders:$True

After this command, URL will not show “:444”. When we will open any application then we will receive the following error.

rdweb-app-error

 

 

 

 

 

To fix this error simply add the https://*.Domain.com in the Internet Explorer Trusted Sites.

 

RDWEB SSO Configuration:

We also configured SSO at the RDWeb Level with the help of this blog:

https://blogs.technet.microsoft.com/enterprisemobility/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012/


Add the fully qualified domain name (FQDN) of the RD Connection Broker server to the server list of the corresponding Credentials Delegation Group Policy setting. Configure the GPO in the DC and assign it to the WAP server OU.

WE have to add TERMSRV/Fqdnoftheserver


Navigate to Server Manager à Remote Desktop Services à Overview, and in the DEPLOYMENT OVERVIEW section, on the TASKS menu, click Edit Deployment Properties

In the Properties dialog box, select the RD Gateway tab on the left.

    Give the RD Gateway Server FQDN which should be the URL configured in the certificate. Portal.GoldenFive.net

Check the checkbox Use RD Gateway credentials for remote computers check box,

Set the Logon method to Password Authentication.

Click Apply and ok.


Installing Certificate for RD Gateway

Click on RD Gateway


Move the server to right and click next


Give the URL Portal.GoldenFive.net then click next


Click Add to confirm


Click on the “Configure Certificate”


Select the Existing Certificate. Make sure to use the same certificate


Select the certificate and give the password then check the checkbox and click ok.


Click Apply and ok.

Now we have completed the RDWeb configuration where we can publish outlook and secure it under MFA.

So this is one way of securing On-Premise Exchange Outlook and adapted by many organizations.

 

Prabhat Nigam

Microsoft MVP | CTO @ Golden Five

Team@MSExchangeGuru

Don’t forget to register December 2016 “New York Exchange User Group” meeting. This is the online session on “Upgrading or Migrating to Exchange 2016 CU3″
http://www.meetup.com/nyexug/events/235096894/

One Response to “Web Application Proxy with Azure MFA Part 2”

  1. Web Application Proxy with Azure MFA Part 1 « MSExchangeGuru.com Says:

    […] « Unable to install Web Application Proxy Web Application Proxy with Azure MFA Part 2 […]

Leave a Reply

migrate exchange to office 365

Categories

Archives