We all know that Microsoft is no longer investing in TMG and UAG the way it did before, and those products are going out of support soon. On the other hand, information workers now use laptops and devices all the time and from everywhere.
The way I see it, end users now have their BYOD devices with cool-looking apps, and they want to use those apps to connect to corporate data without needing to RDP into the corporate network and use a VDI or RDS Session Host experience, for example.
On the other hand, while VPN and DirectAccess are great remote access technologies, from an IT administrator's point of view they are all-or-nothing: a VPN solution either lets the user in or keeps him out, and it is hard to control where the user can go once he is in.
Microsoft came up with a new approach to remote access called “Conditional Access” and added flexible authentication methods to the solution. The solution is called “Web Application Proxy”.
Web Application Proxy (a.k.a. WAP) is a new Windows Server 2012 R2 role service under the RRAS server role, integrated into Windows Server Manager and the RRAS admin experience.
Microsoft has now announced another new category, a conditional access reverse proxy called “Web Application Proxy”. This is not a new technology for Microsoft, as they had TMG and UAG before. What is new about Web Application Proxy is its unique integration with Active Directory Federation Services and devices. Web Application Proxy is part of Windows Server and not a separate installation like TMG or UAG.
From the information worker's perspective:
- Access corporate apps from anywhere, on any device, Windows and non-Windows
- SSO and native device/app experience
From the IT Pro's perspective:
- Selectively publish apps
- Control access per app, user, device, and location
- Better protection with pre-authentication (optional)
- No change required in existing apps
- No change required on devices (client-less)
WAP: Fundamental Services
- Reverse Proxy Services:
  - Network isolation
  - Basic DoS protection: throttling, queuing, and session establishment before routing to the backend
  - URL translation
  - Selective publishing: per internal application endpoint
  - ADFS proxy services
  - Web protocols only: HTTP, HTTPS
- Pre-authentication services:
  - Rich policy: user + device identity, application identity, network location
  - MFA options (multi-factor authentication)
Web Application Proxy is usually located in your corporate DMZ with one or two network cards.
You can choose not to join it to your domain, but if you want to use the Kerberos constrained delegation method, you have to join it to the domain.
Web Application Proxy can authenticate requests before forwarding them to the back-end applications (this is called Pre-Authentication), or it can simply pass the traffic to the back-end application without authentication (this is called Pass-Through).
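To make the domain-join/KCD point and the Pre-Authentication versus Pass-Through distinction concrete, here is an added PowerShell example (not from the original post, and not Microsoft's documentation sample). It publishes three applications through WAP: a claims-aware app behind ADFS pre-authentication, an Integrated Windows Authentication app behind ADFS pre-authentication with Kerberos constrained delegation (the case that requires a domain-joined WAP), and a legacy app in pass-through mode. All hostnames, the computer name WAP01, the SPN and the certificate thumbprint are placeholders, and the relying party trusts named in `-ADFSRelyingPartyName` are assumed to already exist in ADFS.

```powershell
# Added example: publishing applications through Web Application Proxy.
# Hostnames, WAP01, the SPN and THUMBPRINT_PLACEHOLDER are placeholders;
# the ADFS relying party trusts are assumed to exist already.

# 1. Pre-Authentication for a claims-aware app: external users must
#    authenticate at ADFS before WAP forwards anything to the backend.
Add-WebApplicationProxyApplication `
    -Name 'Claims App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Claims App' `
    -ExternalUrl 'https://claimsapp.contoso.com/' `
    -BackendServerUrl 'https://claimsapp.corp.contoso.com/' `
    -ExternalCertificateThumbprint 'THUMBPRINT_PLACEHOLDER'

# 2. Pre-Authentication for a backend that only speaks Integrated Windows
#    Authentication: ADFS authenticates the user, then WAP obtains a Kerberos
#    ticket on the user's behalf via Kerberos constrained delegation (KCD).
#    This mode is why the WAP server has to be domain joined.
Add-WebApplicationProxyApplication `
    -Name 'IWA App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'IWA App' `
    -ExternalUrl 'https://iwaapp.contoso.com/' `
    -BackendServerUrl 'https://iwaapp.corp.contoso.com/' `
    -BackendServerAuthenticationSPN 'HTTP/iwaapp.corp.contoso.com' `
    -ExternalCertificateThumbprint 'THUMBPRINT_PLACEHOLDER'

# Run on a domain controller (ActiveDirectory module): allow the WAP computer
# account to delegate only to that one SPN, with protocol transition enabled.
# Constrained delegation keeps the DMZ host from impersonating users elsewhere.
Set-ADComputer -Identity 'WAP01' `
    -Add @{'msDS-AllowedToDelegateTo' = 'HTTP/iwaapp.corp.contoso.com'}
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 3. Pass-Through: WAP forwards traffic without pre-authentication, so the
#    application itself is the only thing checking who the user is.
Add-WebApplicationProxyApplication `
    -Name 'Legacy App' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://legacy.contoso.com/' `
    -BackendServerUrl 'https://legacy.corp.contoso.com/' `
    -ExternalCertificateThumbprint 'THUMBPRINT_PLACEHOLDER'

# Review what is published and which apps are exposed without pre-authentication.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

The final `Get-WebApplicationProxyApplication` listing is the check worth running periodically: every application showing `PassThrough` is reachable from the Internet with no ADFS policy in front of it, so each one should be a deliberate choice rather than a default.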
Web Application Proxy cannot live without ADFS, because ADFS provides the following for Web Application Proxy:
- Configuration storage: WAP is a stateless firewall; its configuration is stored in ADFS.
- Pre-authentication: WAP uses ADFS for authentication.