WAP and ARR - TMG alternatives? A Pirate's Choice!
USX305
Roop Sankar Bagepalli & Georg Hinterhofer, Senior PFEs, Microsoft
WAP is the strategic product, both do the job
WAP and ARR, depending on your requirements, will get the gig done
Realize that the “strategic” (read: area of investment) product is Web Application Proxy
Strategics – ARR vs WAP
Feature: IIS Application Request Routing (ARR) / Web Application Proxy (WAP)
• Pre-Authentication: (cell values not present in the transcript)
• Prerequisites: ARR – IIS 8.0, IIS 7.0, IIS 6.0; WAP – Windows 2012 R2
• Dependency: ARR – None; WAP – ADFS has to be set up
• Load Balancing: ARR – Inbuilt functionality; WAP – Requires a Load Balancer
Application Request Routing – ARR (each and every pirate's favorite letter!)
Application Request Routing – ARR: What is ARR?
ARR is an IIS Extension – current version 3.0. ARR allows IIS to act as a Load Balancer and Reverse Proxy – free of charge!
Prereqs? Works on IIS 7.0 (Windows 2008) or newer. No other prereqs! Does not need to be domain joined! Grab it here: http://www.iis.net/downloads/microsoft/application-request-routing
Application Request Routing – ARR: Features of ARR
• Reverse proxy / web publishing
• Support for multiple load balancing algorithms
• Health checking
• Caching
• Content delivery network (CDN)
• SSL offloading
• Layer 4 and 7 routing decisions
• Usage reporting
• Cookie-based affinity
• Application affinity opt-out
• Rich API
• WebSocket support
ARR Functional Overview (diagram): an IIS ARR box in front of the Exchange client protocols (OWA, Outlook, ActiveSync, ECP), built from two modules:
• URL Rewrite Module (reverse proxy) – URL filtering, allow/deny URL
• Web Farm Framework Module (load balancing) – load balancing, health check
URL Rewrite
It's the actual reverse proxy. Generally used to provide users with simple URLs, but we'll use it for our cause as well. It can act as a reverse proxy between the client and, in our case, the Web Farm.
There's more where that came from™: URL filtering, powerful URL rewrite capabilities, pattern matching (RegEx).
Web Farm Framework
Free load balancing! Features include:
• Load Balancing – seven different algorithms
• Health Test – checks availability of server or service
• Server Affinity – cookie affinity (Exchange 2007/2010)
• Monitoring & Management
ARR – The Configuration (Option 1): Only a couple of simple steps!
1. Create a Server Farm
2. Modify the Server Farm for Exchange's needs (it's a bit of a Diva, ya know)
3. Proper health checking!
4. Configure the URL Rewrite rules
Done!
URLs used in the demo: https://mail.sir8.at/OWA, https://mail.sir8.at/ECP, https://mail.sir8.at/OAB, https://mail.sir8.at/EWS/Exchange.asmx, https://mail.sir8.at/*

IIS ARR – Option 1 (how does it work..?)
Two Web Farms are configured on IIS ARR:
• mail.contoso.com (Web Farm) – Health Check: https://mail.contoso.com/OWA/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No
• autodiscover.contoso.com (Web Farm) – Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No
URL Rewrite rules: https://mail.contoso.com/* → mail.contoso.com Web Farm; https://autodiscover.contoso.com/* → autodiscover.contoso.com Web Farm.
The slides walk three requests through this setup:
• https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml – URL matched, access allowed, request forwarded to the AutoDiscover Web Farm; CAS3 is marked as unhealthy, so the request goes to CAS1 or CAS2.
• https://mail.contoso.com/RPC/[email protected]:6001 – URL matched, access allowed, request forwarded to the mail.contoso.com Web Farm; CAS1 is marked as unhealthy, so the request goes to CAS2 or CAS3.
• https://mail.contoso.com/EWS/Exchange.asmx – URL matched, access allowed, request forwarded to the mail.contoso.com Web Farm; CAS1 is marked as unhealthy, so the request goes to CAS2 or CAS3.
Quirks of Option 1 (diagrams): IIS ARR (Reverse Proxy & Load Balancer) probes only https://mail.contoso.com/OWA/HealthCheck.htm on each server.
• Health Check PASS → CAS 1 is marked healthy, and requests such as https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx are routed to it.
• Health Check FAIL → CAS 1 is marked unhealthy, and those same OAB and EWS requests are sent to CAS 2. The single OWA probe decides the state of the whole server, not of each service.
IIS ARR – Option 2: Per Protocol Health Check!!!
(diagram) Every Exchange virtual directory gets its own namespace, its own Web Farm on IIS ARR (URL Rewrite rule → Server Farm) and its own health check URL on the CAS servers:
• mail.contoso.com → OWA Web Farm – https://mail.contoso.com/OWA/HealthCheck.htm
• ecp.contoso.com → ECP Web Farm – https://ecp.contoso.com/ECP/HealthCheck.htm
• ews.contoso.com → EWS Web Farm – https://ews.contoso.com/EWS/HealthCheck.htm
• eas.contoso.com → EAS Web Farm – https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• oab.contoso.com → OAB Web Farm – https://oab.contoso.com/OAB/HealthCheck.htm
• oa.contoso.com → OA Web Farm – https://oa.contoso.com/RPC/HealthCheck.htm
• autodiscover.contoso.com → AutoDiscover Web Farm – https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
The user's request for https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml is handled by the AutoDiscover Web Farm, which performs its own per-protocol health check.
Comparison between the available Options…
Solution | High Availability of traffic destined for multiple CAS servers | Load Balancing of traffic destined for multiple CAS servers | Exchange Virtual Directories (OWA, ECP, OAB etc) [except AutoDiscover] | Certificate & DNS
Option 1 | No per-protocol Health Check (Server Availability) | Yes | Share a common namespace: mail.tailspintoys.com | Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)
Option 2 | Per-protocol Health Check (Service Availability) | Yes | Namespace for each protocol: mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc | Certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one wildcard certificate (*.tailspintoys.com); multiple additional DNS entries
Option 3 | Per-protocol Health Check (Service Availability) | Yes | Share a common namespace: mail.tailspintoys.com | Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)
ARR – Option 3: 2 Namespaces, but still per protocol health checks!
(diagram) The user only sees mail.contoso.com and autodiscover.contoso.com. IIS ARR (URL Rewrite → Server Farm) routes by path to one Web Farm per virtual directory, and each farm runs its own per-protocol health check against the CAS servers:
• /OWA* → OWA Web Farm – https://mail.contoso.com/OWA/HealthCheck.htm
• /ECP* → ECP Web Farm – https://mail.contoso.com/ECP/HealthCheck.htm
• /EWS* → EWS Web Farm – https://mail.contoso.com/EWS/HealthCheck.htm
• /EAS* → EAS Web Farm – https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• /OAB* → OAB Web Farm – https://mail.contoso.com/OAB/HealthCheck.htm
• /RPC* → OA Web Farm – https://mail.contoso.com/RPC/HealthCheck.htm
• /AutoDiscover* → AutoDiscover Web Farm – https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
Example requests shown on the slides: https://mail.contoso.com/OWA and https://mail.contoso.com/EWS/Exchange.asmx.
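An added example (not from the deck) of scripting Option 3 with the WebAdministration module: one ARR Web Farm per Exchange virtual directory, each with its own HealthCheck.htm probe, and path-based URL Rewrite rules on the single mail.contoso.com namespace. The CAS names are assumptions, and the element and attribute names follow ARR's applicationHost.config schema (webFarms/webFarm/applicationRequestRouting), so compare them with a farm created in IIS Manager before using this on a real ARR box.

```powershell
# Added example: ARR "Option 3" - single namespace, one Web Farm per Exchange vdir,
# per-protocol health checks, path-based routing. Element names follow ARR's
# applicationHost.config schema; CAS names are assumed.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$public  = 'mail.contoso.com'
$cas     = @('cas1.contoso.com', 'cas2.contoso.com', 'cas3.contoso.com')   # assumed names

# URL path prefix -> farm name and the per-protocol probe URL (paths as on the slides).
# autodiscover.contoso.com gets its own farm the same way, with an HTTP_HOST condition
# of autodiscover.contoso.com and the Autodiscover/HealthCheck.htm probe.
$vdirs = @(
    @{ Path = 'OWA';                         Farm = 'OWA-Farm'; Probe = '/OWA/HealthCheck.htm' },
    @{ Path = 'ECP';                         Farm = 'ECP-Farm'; Probe = '/ECP/HealthCheck.htm' },
    @{ Path = 'EWS';                         Farm = 'EWS-Farm'; Probe = '/EWS/HealthCheck.htm' },
    @{ Path = 'Microsoft-Server-ActiveSync'; Farm = 'EAS-Farm'; Probe = '/Microsoft-Server-ActiveSync/HealthCheck.htm' },
    @{ Path = 'OAB';                         Farm = 'OAB-Farm'; Probe = '/OAB/HealthCheck.htm' },
    @{ Path = 'RPC';                         Farm = 'OA-Farm';  Probe = '/RPC/HealthCheck.htm' }
)

foreach ($v in $vdirs) {
    $farm = "webFarms/webFarm[@name='$($v.Farm)']"
    $arr  = "$farm/applicationRequestRouting"

    # 1. The farm and its members: every CAS is in every farm, only the probe differs.
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' `
        -Value @{ name = $v.Farm; enabled = 'true' }
    foreach ($server in $cas) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter $farm -Name '.' `
            -Value @{ address = $server; enabled = 'true' }
    }

    # 2. Per-protocol health check: a CAS drops out of *this* farm only when this
    #    vdir's HealthCheck.htm stops answering 2xx, not when OWA's does.
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'url' `
        -Value "https://$public$($v.Probe)"
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'interval' -Value '00:00:30'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'acceptableStatusCodeRange' -Value '200-299'

    # 3. Least Current Requests, no cookie affinity - as on the Option 1/3 slides.
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/loadBalancing" -Name 'algorithm' -Value 'LeastCurrentRequest'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/affinity" -Name 'useCookie' -Value 'false'

    # 4. Global URL Rewrite rule: Host mail.contoso.com + /<vdir>* -> this farm over HTTPS.
    $rules = 'system.webServer/rewrite/globalRules'
    $name  = "ARR_$($v.Farm)"
    $rule  = "$rules/rule[@name='$name']"
    Add-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' `
        -Value @{ name = $name; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match" -Name 'url' -Value "$($v.Path)*"
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTP_HOST}'; pattern = $public }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name 'url'  -Value "https://$($v.Farm)/{R:0}"
}

# Review: which farm probes what, and which members are currently marked healthy.
Get-WebConfiguration -PSPath $appHost -Filter 'webFarms/webFarm' |
    ForEach-Object { [pscustomobject]@{ Farm = $_.name; Probe = $_.applicationRequestRouting.healthCheck.url } }
```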
Bringing HA to ARR… for even more ARRrrrrrr
ARR itself is a single point of failure and doesn't provide any HA to itself; it needs a little help. Mitigate with NLB (WinNLB or 3rd party).
Easy configuration: leverage IIS shared config! Either Active/Passive or Active/Active is doable – failover, or failover + load distribution! All the glory is here: http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)/achieving-high-availability-and-scalability-arr-and-nlb
ARR + Exchange 2013/2010/2007? Yes, you can!
ARR will work with Exchange 2007/2010/2013. If you have 2007 in the mix, make sure you also publish the legacy namespace. No need for 2013/2010 coex, obviously.
IIS ARR Implementation Scenarios…
RULES:
1. URL Rewrite and Web Farm are mutually dependent on each other.
2. You can control how the IIS ARR behaves depending on which component you configure. If you configure the properties of:
• URL Rewrite + Web Farm → Reverse Proxy + Software Load Balancer
• URL Rewrite only → Reverse Proxy
• Web Farm only* → Software Load Balancer
IIS ARR: Reverse Proxy / IIS ARR: Load Balancer (diagrams): the same IIS ARR box in front of OWA, Outlook, ActiveSync and ECP, once with only URL Rewrite (reverse proxy) configured and once with only the Web Farm properties (load balancing).
Deployment scenarios (diagrams; each shows an external firewall, the DMZ, an internal firewall, external users and internal users):
• Scenario A – one IIS ARR acting as Reverse Proxy + Load Balancer.
• Scenario B – an IIS ARR Reverse Proxy and a separate IIS ARR Load Balancer.
• Scenario C – an IIS ARR Reverse Proxy, an IIS ARR External Load Balancer and an IIS ARR Internal Load Balancer.
• Scenario D – O365 Exchange Online Hybrid Configuration: Internet / DMZ / Intranet zones, on-premise mailboxes and O365 mailboxes, ADFS and ADFS Proxy, with IIS ARR as Reverse Proxy + L7 Load Balancer.
Web Application Proxy - WAP
Part of the Remote Access Role in 2012 R2. Requires an ADFS 2012 R2 installation. Can be deployed domain joined or non-domain joined. Does not require a 2012 R2 DC.
Reverse proxy of Web applications and ADFS Proxy: provides reverse proxy, replaces the "old" ADFS Proxy, provides SSO for some scenarios, is designed to be deployed in the DMZ, and has a highly customizable login page – see http://technet.microsoft.com/en-us/library/dn280950.aspx
WAP – Network Topology (diagram)
Internet: Client (browser, Office client or modern app) → Firewall → Load Balancer → DMZ: Web Application Proxy / AD FS Proxy → Firewall → Load Balancer → Corporate Network: Backend Servers, AD FS (with its Config. Store) and the Active Directory Domain Controller.
Flows shown: HTTP/S from the client to WAP; HTTP to the backend servers; AuthN and the AuthN Web UI between WAP and AD FS; the Config. API over HTTPS between WAP and AD FS; claims, IWA or pass-through AuthN to the backend; WAP obtains a KCD ticket for IWA AuthN from the Domain Controller.
WAP and Exchange
Offers reverse proxying for all Exchange-relevant protocols: OWA, ECP, EAS, OA, MAPIHTTP, AutoDiscover, EWS, OAB – we got you covered!
Preauthentication only for OWA/ECP! PreAuth is performed by redirecting the client to ADFS.
Redirection is supported for the following protocols: standard HTTP (browsers), MS-OFBA (Office clients), OAuth2 (Windows Store Apps)… in our case for OWA/ECP.
Cannot redirect for preauthentication: clients using HTTP Basic or NTLM authentication (ActiveSync, MAPIHTTP), RPC over HTTP (Outlook Anywhere) – those need to use passthrough.
WAP and Exchange – KCD Preauth Flow (sequence of diagrams: Internet → Perimeter network with the Web Application Proxy → Internal network with OWA (Auth: IWA), AD FS at https://sts.fabrikam.com and AD). The labels recovered from the slides, in order:
1. User: GET https://mail.fabrikam.com/owa → WAP answers 307 (redirect to https://sts.fabrikam.com).
2. User: GET https://sts.fabrikam.com → AD FS evaluates the App Policies and presents the logon form.
3. User: POST credentials to AD FS → 302 FOUND, MSISAuth (session cookie) is set.
4. User: GET https://sts.fabrikam.com with MSISAuth (session cookie) → 307 Redirect back to https://mail.fabrikam.com/owa.
5. User: GET https://mail.fabrikam.com/owa with AuthToken → WAP answers 301 Moved Permanently and sets EdgeAccessCookie (session cookie); WAP requests KCD for the Principal Name from AD (the slide shows the ticket issued for the SPN).
6. Finally… we log on to OWA! User: GET https://mail.fabrikam.com/owa with EdgeAccessCookie; cookies present on the client at this point: MSISLoopDetectionCookie, MSISAuthenticated and EdgeAccessCookie (all session cookies).
WAP and Exchange – Passthrough Auth Flow (diagram; same topology, AD FS is not involved): the user sends GET https://mail.fabrikam.com/owa, WAP forwards it unchanged, OWA answers 401 Unauthorized, WAP passes the 401 Unauthorized back to the user, and the actual OWA logon happens against Exchange.
Exchange 2013 SP1 and ADFS Auth
Finally – a supported way of getting ADFS auth goin'! Exchange 2013 SP1 introduced ADFS authentication for OWA and ECP, based on SAML 2.0.
It's an either/or thing – you cannot have any other form of authentication (FBA, NTLM, Basic, secret knock signs) mixed with ADFS authentication – no multiple vdir support as of now.
No support for coexistence, e.g. running ADFS auth on Ex2013 SP1 and trying to open up mailboxes for 2013 non-SP1, 2010 or 2007 will not work and is not supported.
You can leverage either ADFS directly or WAP as the ADFS proxy for "claiming your claim".
Allows for pre-authentication on WAP without the need for WAP to be domain joined! (hold for applause)
Exchange 2013 SP1 and ADFS Auth – Implementation overview
• Requires manual Relying Party Trust configuration in ADFS – no automatic config
• Requires UPN, PrimarySID and GroupSID issuance rules
• Requires configuration of -AdfsIssuer, -AdfsAudienceUris and -AdfsSignCertificateThumbprint on Exchange's Set-OrgConfig
• Enable ADFSAuth and disable all other forms of auth on the OWA/ECP virtual directories
• Detailed implementation steps are available now at http://aka.ms/B9j5gq
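An added example (not from the deck) of the Exchange side of this configuration, run in the Exchange Management Shell after the Relying Party Trusts and issuance rules exist in AD FS. The AD FS host sts.fabrikam.com, the namespace mail.fabrikam.com, the server name EX01 and the thumbprint placeholder are assumptions; the check at the end verifies the either/or rule by confirming an anonymous request is now redirected to AD FS rather than answered by forms or Windows auth.

```powershell
# Added example: Exchange 2013 SP1 OWA/ECP -> AD FS (SAML) authentication.
# Assumed: AD FS at sts.fabrikam.com, namespace mail.fabrikam.com, CAS EX01.
# $signingThumbprint is a placeholder for the AD FS *token-signing* certificate.
Import-Module WebAdministration   # for Restart-WebAppPool

$adfsIssuer        = 'https://sts.fabrikam.com/adfs/ls/'
$audienceUris      = @('https://mail.fabrikam.com/owa/', 'https://mail.fabrikam.com/ecp/')
$signingThumbprint = '<AD FS TOKEN-SIGNING CERT THUMBPRINT>'   # placeholder
$server            = 'EX01'

# 1. Org-wide AD FS settings (the three parameters named on the slide).
Set-OrganizationConfig -AdfsIssuer $adfsIssuer `
                       -AdfsAudienceUris $audienceUris `
                       -AdfsSignCertificateThumbprint $signingThumbprint

# 2. Either/or: AD FS auth on, every other method off, on both virtual directories.
Get-OwaVirtualDirectory -Server $server | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false -OAuthAuthentication $false
Get-EcpVirtualDirectory -Server $server | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

# 3. Check: an anonymous GET must now be redirected to the AD FS host, not answered
#    with the forms logon page (200) or a Windows/Basic challenge (401).
function Test-AdfsRedirect {
    param([string] $Url = 'https://mail.fabrikam.com/owa/', [string] $AdfsHost = 'sts.fabrikam.com')
    try {
        $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $status = [int] $r.StatusCode; $location = [string] $r.Headers['Location']
    } catch {
        # Windows PowerShell raises an error on a 3xx when -MaximumRedirection is 0;
        # the response is still available on the exception.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $status = [int] $resp.StatusCode; $location = [string] $resp.Headers['Location']
    }
    [pscustomobject]@{
        Status          = $status
        Location        = $location
        RedirectsToAdfs = ($status -in 301, 302, 307) -and ($location -like "https://$AdfsHost/*")
    }
}
Test-AdfsRedirect
```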
Bringing HA to WAP: It's easy – just install more boxes!
WAP stores its config in ADFS 2012 R2. As soon as you "subscribe" more WAP boxes to the same ADFS instance, they will get the same config. (diagram: two Web Application Proxy servers both pulling "Config… Publishing Rules…" from AD FS / AD)
Bringing HA to WAP: You still need to think about NLB
WAP does not provide any form of NLB… not for the published application… not for WAP itself… WinNLB or 3rd party… no need for affinity!! (diagram: User → NLB (Windows or 3rd party) → two Web Application Proxy servers sharing the AD FS config)
Configuring WAP for KCD: Required ADFS config – create a Relying Party Trust
Configuring WAP for KCD: Creating an AD delegation for preauth
• Single server: delegation to Exchange directly
• Multiple Exchange servers: delegation to the ASA. This requires an Alternate Service Account configured on Exchange 2010 / Exchange 2013. The delegation needs to be made out to this account.
WAP and EX not in the same domain? Yep, it's possible!
Historically, KCD required that the server asking for a Kerberos ticket and the server that we delegated to be in the same domain.
Fear not, Windows 2012 changed quite a bit. Read more here: http://technet.microsoft.com/en-us/library/hh831477.aspx
In a nutshell, WAP (the server asking for a ticket) can be in another domain (e.g. child.contoso.com) while the application server – let's say Exchange – is in the root domain or in another child (contoso.com or child2.contoso.com).
Delegation for these scenarios is set on the application server instead of the WAP server.
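An added example (not from the deck) of the AD side of the KCD delegation for the three cases just described: a single Exchange server, several servers behind an ASA, and WAP in a different domain where the delegation is set on the application side. The names WAP01, EX01, asa_exchange, child.contoso.com and the SPNs are assumptions; the delegation is deliberately scoped to the HTTP SPN only.

```powershell
# Added example: AD delegation for WAP KCD pre-auth. Assumed names: WAP computer WAP01,
# Exchange server EX01, Alternate Service Account 'asa_exchange' holding
# http/mail.contoso.com, child.contoso.com as WAP's domain in the cross-domain case.
# Needs the ActiveDirectory module; the resource-based variant needs 2012-level DCs.
Import-Module ActiveDirectory

function Set-WapKcdDelegation {
    param(
        [Parameter(Mandatory)] [string] $WapComputer,   # the server that asks for the ticket
        [string[]] $TargetSpn,        # classic case: the HTTP SPN(s) WAP may delegate to
        [string]   $ResourceAccount,  # cross-domain case: ASA user or Exchange computer name
        [string]   $WapDomain         # DNS name of WAP's domain when it differs from ours
    )
    $wapDc = @{}; if ($WapDomain) { $wapDc.Server = $WapDomain }
    $wap   = Get-ADComputer -Identity $WapComputer @wapDc

    if ($ResourceAccount) {
        # Windows 2012 resource-based KCD: the list of principals allowed to delegate is
        # written on the application side (ASA or Exchange server), not on WAP.
        $asa = Get-ADUser -Filter "sAMAccountName -eq '$ResourceAccount'"
        if ($asa) { Set-ADUser     -Identity $asa             -PrincipalsAllowedToDelegateToAccount $wap }
        else      { Set-ADComputer -Identity $ResourceAccount -PrincipalsAllowedToDelegateToAccount $wap }
    } else {
        if (-not $TargetSpn) { throw 'Classic delegation needs -TargetSpn' }
        # Classic constrained delegation on WAP's computer object, scoped to the HTTP
        # SPN(s) only - never "trust this computer for delegation to any service".
        Set-ADComputer -Identity $wap -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn } @wapDc
    }
    # Protocol transition: WAP holds an AD FS token, not a Kerberos ticket from the user,
    # so it must be allowed to request one on the user's behalf (S4U2Self).
    Set-ADAccountControl -Identity $wap -TrustedToAuthForDelegation $true @wapDc
}

function Get-WapKcdDelegation {
    param([Parameter(Mandatory)] [string] $WapComputer, [string] $WapDomain)
    $wapDc = @{}; if ($WapDomain) { $wapDc.Server = $WapDomain }
    Get-ADComputer -Identity $WapComputer @wapDc -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation' |
        Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}

# Pick the call that matches the deployment; the three below are alternatives.
# Single Exchange server, same domain: delegate straight to that server's HTTP SPN.
Set-WapKcdDelegation -WapComputer 'WAP01' -TargetSpn 'http/EX01.contoso.com'

# Several CAS behind one namespace: the SPN sits on the ASA, so the delegation is made
# out to the ASA's SPN (the ASA itself is set up on Exchange 2010/2013 beforehand).
Set-WapKcdDelegation -WapComputer 'WAP01' -TargetSpn 'http/mail.contoso.com'

# WAP in child.contoso.com, ASA in contoso.com: delegation is configured on the ASA.
Set-WapKcdDelegation -WapComputer 'WAP01' -WapDomain 'child.contoso.com' -ResourceAccount 'asa_exchange'

Get-WapKcdDelegation -WapComputer 'WAP01'
```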
Configuring WAP: Installing WAP
Configuring WAP: Configuration for Preauth (OWA/ECP)
Configuring WAP: Config for Pass-through (EAS/AutoD/OA/OAB/MAPIHttp)
Configuring WAP: Disable header translation in request headers. WAP should not translate HTTP host headers to internal host headers when forwarding requests.
Configuring WAP: Some older EAS devices and OSs don't support SNI
Http.sys listens and serves certs based on the SNI header sent (no IIS on WAP). Not all EAS devices support sending SNI, leading to a broken EAS experience. Older OSs (Win XP) don't support sending SNI at all.
You need to assign a default SSL binding via netsh.
XP is one happy peppy!
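An added example (not from the deck) that scripts the WAP steps above: OWA/ECP published with AD FS pre-auth and KCD, the other protocols as pass-through, host header translation disabled on every rule, and a default http.sys SSL binding for clients that do not send SNI. The namespace mail.fabrikam.com (also used as the backend URL, so WAP must resolve it to the internal CAS or load balancer), the Relying Party Trust names, the ASA SPN and the presence of the certificate in the machine store are assumptions.

```powershell
# Added example: publishing Exchange through WAP as the slides describe.
# Assumed: namespace mail.fabrikam.com, Relying Party Trusts 'Exchange OWA' and
# 'Exchange ECP', ASA SPN http/mail.fabrikam.com, certificate in Cert:\LocalMachine\My.
Import-Module WebApplicationProxy

$public = 'https://mail.fabrikam.com'
$cert   = (Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like '*mail.fabrikam.com*' } |
           Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint

# 1. Pre-authenticated applications: only OWA and ECP can follow the redirect to AD FS.
#    KCD: WAP presents the AD FS-authenticated user to Exchange as IWA via the ASA SPN.
foreach ($path in 'owa', 'ecp') {
    Add-WebApplicationProxyApplication -Name "Exchange $path" `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName "Exchange $($path.ToUpper())" `
        -ExternalUrl "$public/$path/" -BackendServerUrl "$public/$path/" `
        -ExternalCertificateThumbprint $cert `
        -BackendServerAuthenticationSPN 'http/mail.fabrikam.com' `
        -DisableTranslateUrlInRequestHeaders    # keep the Host header the client sent
}

# 2. Pass-through applications: Basic/NTLM/RPC-over-HTTP clients cannot be redirected,
#    so WAP only proxies and Exchange itself challenges (401) and authenticates.
foreach ($path in 'Microsoft-Server-ActiveSync', 'Autodiscover', 'rpc', 'OAB', 'mapi') {
    Add-WebApplicationProxyApplication -Name "Exchange $path" `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "$public/$path/" -BackendServerUrl "$public/$path/" `
        -ExternalCertificateThumbprint $cert `
        -DisableTranslateUrlInRequestHeaders
}

# 3. Non-SNI clients (Win XP, some EAS devices): http.sys on WAP selects the certificate
#    by SNI host name, so give it a default binding on 0.0.0.0:443. Reuse the application
#    ID WAP registered for its own host-name binding instead of hard-coding a GUID.
$sslcert = (netsh http show sslcert | Out-String)
$appId   = [regex]::Match($sslcert, 'mail\.fabrikam\.com:443[\s\S]*?Application ID\s*:\s*(\{[^}]+\})').Groups[1].Value
if (-not $appId) { throw 'No WAP binding for mail.fabrikam.com:443 found; publish the applications first.' }
netsh http add sslcert ipport=0.0.0.0:443 certhash=$cert appid="$appId"

# 4. Review what is published and which path uses which pre-auth mode.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerAuthenticationSPN
```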
WAP and Cross-Forest Auth: We know you want it!
Leveraging ADFS/WAP and UPN rewrites, we can do, for example, this! (diagram: two forests, contoso.com with WAP and AD FS at https://sts.contoso.com, and fabrikam.com with WAP, AD FS at https://sts.fabrikam.com and OWA at https://mail.fabrikam.com/owa; the user and the user's mailbox sit in different forests)
Works for OWA/ECP, as those can be published with Pre-Authentication and honor the redirection to ADFS.
Contoso, in this scenario, needs no Exchange and no special prep. The magic is done by rewriting the UPN claim.
You need to configure an ADFS claims provider trust and an ADFS relying party trust for the "trusting" forest.
Works in KCD or ADFS Authentication scenarios.
WAP + Exchange 2010/Exchange 2007? We got you covered!
Pure Exchange 2010: same story as for Exchange 2013, OWA + ECP /w Preauth, all others Pass-Through.
Pure Exchange 2007: all protocols only passthrough (EXCEPT if you are ok with proxying to a single server).
Exchange 2013/2010 coex: OWA + ECP /w preauth, all others Pass-Through.
Exchange 2013/2010/2007: OWA + ECP for 2013/2010 /w Pass-Through, all others pass through (same EXCEPT as above).
So you have a WAP lab deployment… and after a while of not using it, it stops working
WAP uses a short-lived certificate (15 days) to authenticate to ADFS.
If you don't use your WAP lab for 15 days, WAP will be essentially stranded, as the expired certificate will be rejected by ADFS.
You can either re-install WAP (the config will remain, as it is stored in ADFS), or rerun the configuration wizard via the Remote Access UI (preferred).
For the Remote Access UI to let you run through the wizard again, change HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning "not configured") instead of 2 ("configured"). Reopen the UI. No reboot required.
WAP External Lockout: Prohibit a DoS attack against your environment
ADFS/WAP offer a "soft lockout" for user accounts on WAP itself.
The internal AD account remains unlocked while external access is blocked after multiple unsuccessful auth attempts.
Needs to be set lower than the internal AD account lockout policy, if you have one.
Can help mitigate a DoS in case a copy of your GAL/OAB/AD etc. gets lost.
WAP External Lockout: Configuring External Lockout
Config changes need to be made on the ADFS server. Changes are pushed out to WAP at the next config refresh (every 60 seconds).
Use Get/Set-ADFSProperties to modify:
• ExtranetLockoutEnabled: $true or $false; determines whether lockout is enabled, default $false
• ExtranetLockoutThreshold: number of failed auth attempts before soft-locking a user
• ExtranetObservationWindow: timespan for a user to be locked, e.g. 30 minutes (00:30:00)
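An added example (not from the deck) that sets the three properties above on the AD FS server and enforces the rule that the soft-lockout threshold must stay below the domain's AD lockout threshold, so external guessing is stopped at WAP/AD FS before it locks the internal account. It assumes the ADFS and ActiveDirectory modules are available on the AD FS server; the values 10 and 30 minutes are illustrative.

```powershell
# Added example: AD FS extranet soft lockout with a sanity check against the domain's
# own lockout policy. Assumes the ADFS and ActiveDirectory modules on the AD FS server.
Import-Module ADFS
Import-Module ActiveDirectory

function Set-ExtranetSoftLockout {
    param(
        [int]      $Threshold = 10,                          # failed attempts before soft lock
        [timespan] $Window    = (New-TimeSpan -Minutes 30)   # 00:30:00 as on the slide
    )
    # The soft-lockout threshold must be lower than the AD lockout threshold, otherwise
    # the external attempts still reach AD often enough to lock the internal account.
    # (LockoutThreshold 0 means AD never locks accounts.) Users under a fine-grained
    # password policy should be checked with Get-ADUserResultantPasswordPolicy as well.
    $ad = Get-ADDefaultDomainPasswordPolicy
    if ($ad.Lockout Threshold -gt 0 -and $Threshold -ge $ad.LockoutThreshold) {
        throw "ExtranetLockoutThreshold $Threshold is not lower than the AD lockout threshold $($ad.LockoutThreshold)"
    }
    Set-AdfsProperties -ExtranetLockoutEnabled $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow $Window
    # WAP picks the change up on its next config refresh (every 60 seconds).
    Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
}

Set-ExtranetSoftLockout -Threshold 10 -Window (New-TimeSpan -Minutes 30)
```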
Demo: WAP in action!
In Review: Session Objectives And Takeaways
Session Objectives: Describe how ARR and WAP are functioning, technical implementation and limitations. Explain what ARR and WAP can do for publishing of Exchange 2007, Exchange 2010 and Exchange 2013, and compare them to what TMG could do.
Action Items: Go build yourself a WAP and ARR lab and promote the use of these products with your customers!
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.