Server 2016 WAP a possible TMG replacement? RRS feed

  • Question

  • I started reading up on Web Application Proxy Role on the New server 2016 TP. With a bunch of our servers still running on server 2008 R2, we want to think about moving up our servers. The biggest let down which seems to be discussed heavily on the internet is replacing the TMG.

    Funny part is we have the TMG in our DMZ zone behind our Edge firewall (being a couple Palo Alto Next Gen firewalls) we have almost everything we need..... except the sad sad news that PANs don't do reverse proxy... what a great UTM! (besides this they actually are amazing devices!)

    So I currently am doing heavy research into AD FS and WAP as a whole. So now I managed to get AD FS configured for the most part on a 2012 R2 DC in my test enviroment, I've got most of the certs figured out, and the DNS and network location figured out, and currently we will test external users via replicated DMZ zone (anything beyond is simply a NATed public IP for what would be this DMZ IP).

    Currently however our "Pre-Auth" is simply a http -> https redirected page pointing to a Forums Based Auth webpage where users enter a user name and password and are authenticated  via our other segregated domain (which has certain required trusts with our internal corporate domain). Which ones authenticated they get our external based sharepoint site. Also segregated FE server that all sit behind the TMG, and the PANs.

    Reading the Claims based and Windows based Auth for WAP... 

    I don't get how users are providing their creds in between Steps 1 and 2.

    " 1)The client attempts to access a claims-based application using a web browser; for example, https://appserver.contoso.com/claimapp/.

    2)The web browser sends an HTTPS request to the Web Application Proxy server which redirects the request to the AD FS server."

    Since we have no plans to create actual Partner Ship Trusts with these Users, as they all happen to work for their own companies and could be authenicated on their remote systems in multiple ways (Could be a domain based account, could be a lcoal windows account, could be a guest windows system, hecks it could be a user running Ubuntu accessing our webpage).

    So my question is exactly how are users authenticated when accessing our website, if I'm attempting to use the Server 2016 WAP's role?

    Is this even a possible replacement for my current setup, or am I going over my head attempting to implement AD FS with no plans for federation?

    Tuesday, May 31, 2016 9:23 PM

All replies

  • Hi,

    >>So my question is exactly how are users authenticated when accessing our website, if I'm attempting to use the Server 2016 WAP's role?

    Users should be asked for credentials and the credential will be authenticated by ADFS.

    For the question about how ADFS perform the authentication, here is a good article:


    Best Regards,

    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, June 2, 2016 10:14 AM
  • My colleague managed to provide a nice teched 2014 ppt. And sure enough I discovered that the AD FS Proxy is part of the WAP role installation, which is under the Remote Services Role.

    And yes, from this page, (although I won't be changing the local auth from IWM) it states..

    "By default AD FS 2.0 Federation Servers use IWA and AD FS 2.0 Federation Server Proxy servers use FBA. The reason for this is because we assume that you would prefer no credential prompt for your internal users who can directly contact your internal Federation Servers, and we also assume that users who are coming from the internet via the Federation Server Proxy servers would not be able to experience integrated Windows authentication, thus a customizable forms-based page is the best fit."

    So awesomely as I want it to be, my WAP in my DMZ will be the sever hosting the IIS webpage, forwarding the creds entered to the AD FS server, and also awesomely enough with the AD FS services going kernel layer and not using IIS I can consoldate my AD FS role on my 2012 R2 DC. :D At least from the research I've done so far... Thus I think this might work out.

    As I use the TMG for ACtive Sync (Which WAP supports) and FBA for our external Sharepoint (which as stated above is also supported) By requiring AD FS, I am making our AD enviroment more scalable then ever as well. :D

    I'll reply back if I succeed in this endeavour. Then we can confirm that in some system you can use the WAP role as a TMG replacement... fingers crossed!


    Thursday, June 2, 2016 3:53 PM
  • Just wanted to post here, that I'm still working on getting this to work.

    I don't think that the WAP feature will ever be a direct TMG replacement, also requires all applications to be Claims Aware. Which can be a daunting task to pull off if you've enver worked with AD FS before. The learning Curve is pretty steep.

    Wednesday, June 29, 2016 9:58 PM