In one of my previous posts, I briefly spoke about load balancers as the front-facing option instead of having your Exchange servers exposed to the internet. In this article I will discuss another option you can use: a Web Application Proxy. I have used the Web Application Proxy (WAP) in Server 2012 R2, Server 2016 and Server 2019 and I see it is applicable to Server 2022. (Disclaimer: I have not tested it yet on this version with Exchange 2016 or Exchange 2019.)
What is a Web Application Proxy (WAP)? It gives you reverse proxy functionality for web applications such as Outlook on the web (OWA). A Web Application Proxy works with Active Directory Federation Services (ADFS). I will not go into detail on how to set up ADFS as that is outside the scope of this discussion. Instead, I will talk about placement for your Web Application Proxy and provide a walkthrough. You can read more about Active Directory Federation Services (ADFS) by following this link.
Each environment is different. If your environment has a Demilitarized Zone (DMZ) where servers are located, or has a set of firewalls, please read the section “Plan Network Location” from this link. This applies to Server 2012 R2 (for those still running the older versions) and should apply to newer versions as well for placement.
Once the configuration of DNS, certificates and Active Directory Federation Services (ADFS) has been completed, you are ready to publish your application. In this case it will be Outlook on the web.
When you open up WAP (Web Application Proxy), you can use the “Publish New Application Wizard” to get OWA published. The wizard opens with a welcome screen. Click on the Next > button. On the next page, you will have the following two options under Preauthentication:
- Active Directory Federation Services (ADFS)
- Pass-through
With option one, Active Directory Federation Services (ADFS), you will be taken to the ADFS sign-in page. Once you have successfully logged in, your request will be passed to the backend Exchange Server. You will then be able to log in to OWA. I had a customer that wanted to use this option and they advised that ADFS was set up a while ago and should be working. In this instance, there was an expired certificate which caused issues with access to Exchange. This was resolved once the certificate was renewed.
With option two, Pass-through, click Next and you will be asked for the following information:
- Name (use anything you want, for example “OWA rule”)
- External URL
- External Certificate
- Backend server URL
Once you have filled in everything, you can then click the Next button. On the confirmation page, double check that you are happy with everything and then click Publish. Once complete, you can now launch a web browser and enter in the External URL you specified in the previous step. You should be presented with the Exchange OWA page and it should be using the correct certificate as well.
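The same pass-through rule can be published from PowerShell on the WAP server with `Add-WebApplicationProxyApplication`. This is an added example, not part of the original walkthrough; the URLs, the rule name and the 30-day warning threshold are placeholders. It checks the external certificate's expiry before publishing.

```powershell
# Added example: publish OWA through WAP with pass-through preauthentication.
# All values below are placeholders (assumptions); replace them with your own.
$ExternalUrl = 'https://mail.example.com/owa/'   # External URL from the wizard
$BackendUrl  = 'https://mail.example.com/owa/'   # Backend server URL from the wizard
$RuleName    = 'OWA rule'                        # Name from the wizard
$WarnDays    = 30                                # warn when the certificate is close to expiry

# Host name the external certificate must cover, plus its wildcard form
$hostName = ([uri]$ExternalUrl).Host
$wildcard = '*.' + ($hostName -split '\.', 2)[1]

# Pick the longest-lived certificate in the machine store that has a private key
# and lists the host name (or a matching wildcard) among its DNS names
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.DnsNameList.Unicode -contains $hostName) -or
         ($_.DnsNameList.Unicode -contains $wildcard))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key covers $hostName"
}

# Refuse to publish with an expired certificate; warn when expiry is near
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days"
}

# Same fields the wizard asks for under Pass-through
$publish = @{
    Name                          = $RuleName
    ExternalPreauthentication     = 'PassThrough'
    ExternalUrl                   = $ExternalUrl
    ExternalCertificateThumbprint = $cert.Thumbprint
    BackendServerUrl              = $BackendUrl
}
Add-WebApplicationProxyApplication @publish

# Confirm what was published
Get-WebApplicationProxyApplication -Name $RuleName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

With `PassThrough`, the proxy forwards requests without authenticating them, so the sign-in is handled entirely by Exchange.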
This is a high-level overview of using a Web Application Proxy with Exchange OWA. WAP can be in the internal network or DMZ. There has been a lot of discussion about where it should be placed. It depends on your specific needs in the business.
If the complexity of getting Active Directory Federation Services (ADFS) and WAP is just too much and you would rather look at something else, consider a load balancer. Keep in mind that configuring them can also seem complex if you have never done it before.
I have used both scenarios, setting up Active Directory Federation Services (ADFS) and a Web Application Proxy (WAP). It was a fun exercise that took some time getting certificates purchased. But at the end of the day, the customer was happy with the setup as budgets were tight and load balancers can be expensive, depending on what modules you want.
Here are some links for either setting up an F5 or configuring Active Directory Federation Services and a Web Application Proxy (WAP):
The second to last link has quite a bit of information regarding new features in Windows Server 2016 and Web Application Proxy (WAP).
The last link gives you a step-by-step guide on how to set up a Web Application Proxy on Windows Server 2016.