Windows Server 2012 web applications

Web Application Proxy must be configured before it is used

Applies To: Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Web Application Proxy Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012 R2

Product/Feature

Web Application Proxy

Severity

Category

Issue

Web Application Proxy was installed but not configured for initial use.

Impact

If Web Application Proxy is not configured it cannot be used to publish applications.

Resolution

Use 'Remote Access Management' in Server Manager to start the configuration wizard, or use the Install-WebApplicationProxy Windows PowerShell cmdlet.

After installing the Web Application Proxy role service on a server, you must also configure Web Application Proxy on the server. If you do not configure Web Application Proxy, you will be unable to publish applications and the Web Application Proxy server will not provide AD FS proxy functionality.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure Web Application Proxy

On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

In the navigation pane, click Web Application Proxy.

In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

On the Federation Server dialog, do the following, and then click Next:

In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com.

In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

On the Results dialog, verify that the configuration was successful, and then click Close.

Install and Configure the Web Application Proxy Server

Applies To: Windows Server 2012 R2

This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.

This topic describes how to install the Remote Access role with the Web Application Proxy role service and how to configure the Web Application Proxy server to connect to an Active Directory Federation Services (AD FS) server. Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan the Web Application Proxy Server.

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Configure CAs and certificates

Web Application Proxy servers require the following certificates in the certificate store on each Web Application Proxy server:

A certificate whose subject covers the federation service name. If you want to use Workplace Join, the certificate must also contain the following subject alternative names (SANs): the federation service name itself (for example, fs.contoso.com) and enterpriseregistration.<UPN suffix> (for example, enterpriseregistration.contoso.com).

A wildcard certificate, a subject alternative name (SAN) certificate, several SAN certificates, or several certificates whose subjects cover each web application.

A copy of the certificate issued to external servers when using client certificate preauthentication.

Configure certificate templates

Depending on your deployment and authentication requirements, you might require additional certificate templates on your internal certification authority (CA).

To configure a certificate template

On the internal CA, create a certificate template as described in Creating Certificate Templates.

Deploy the certificate template as described in Deploying Certificate Templates.

Configure web application certificates

In a Web Application Proxy deployment you require certificates for the published web applications, and for the AD FS proxy if your deployment provides AD FS proxy functionality. For these required certificates, there are two options for the issuing CA:

Public—Supplied by a third-party CA.

A website certificate used for server authentication. If the certificate subject is not a wildcard, it must be the externally resolvable fully qualified domain name (FQDN) URL that you configure on the Web Application Proxy server for the application.

Private—The following are required, if they do not already exist:

A website certificate used for server authentication. The certificate subject should be an externally resolvable FQDN that is reachable from the Internet. The certificate can be based on the certificate template created in Configure certificate templates.

A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable FQDN.

Make sure that the website certificate used for server authentication meets the following requirements:

The common name of the certificate should match the name that you configure for the external URL of the published web application, or the federation service name.

For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

For the CRL Distribution Points field, specify a CRL distribution point that is accessible by client devices that are connected to the Internet.

The certificate must have a private key.

The certificate must be imported directly into the computer's Personal store (Cert:\LocalMachine\My); Web Application Proxy does not look in the current user's store.

Certificates can have wildcards in the name. A wildcard certificate with the subject name *.contoso.com can be used for web applications in the domain contoso.com, for example, sharepoint.contoso.com and owa.contoso.com. This wildcard certificate cannot be used for the website sharepoint.internal.contoso.com.

Certificates can be subject alternative name (SAN) certificates. For example, a SAN certificate with the names owa.contoso.com and crm.contoso.com can be used for only those two websites. It cannot be used for sharepoint.contoso.com.

For Workplace Join, a SAN certificate is required with the following SANs: the federation service name, for example, adfs1.contoso.com, and enterpriseregistration.<UPN suffix>, for example, enterpriseregistration.contoso.com.
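The requirements above (name coverage including the one-label wildcard rule, the Server Authentication EKU, a private key, a CRL distribution point, placement in the machine Personal store) are easy to get wrong by hand, so here is a check script. It is an added example, not code from the original article; the names fs.contoso.com and enterpriseregistration.contoso.com are placeholders for your own federation service name and UPN suffix.

```powershell
# Added example (not from the original article): checks whether certificates in the
# computer's Personal store meet the Web Application Proxy requirements listed above.
# The names passed in (fs.contoso.com, enterpriseregistration.contoso.com) are placeholders.

function Test-NameCovered {
    param([string]$Name, [string]$CertName)
    # A wildcard covers exactly one label: *.contoso.com matches owa.contoso.com
    # but not sharepoint.internal.contoso.com.
    if ($CertName.StartsWith('*.')) {
        return ($Name -imatch ('^[^.]+\.' + [regex]::Escape($CertName.Substring(2)) + '$'))
    }
    return ($Name -ieq $CertName)
}

function Test-WapCertificate {
    param(
        [Parameter(Mandatory)][string[]]$RequiredDnsName,  # every name the certificate must cover
        [string]$StorePath = 'Cert:\LocalMachine\My'      # WAP reads only the machine Personal store
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Names the certificate asserts: the subject CN plus every entry in the SAN extension.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($false) yields text such as "DNS Name=a.contoso.com, DNS Name=b.contoso.com"
            $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        $missing = $RequiredDnsName | Where-Object {
            $required = $_
            -not ($names | Where-Object { Test-NameCovered -Name $required -CertName $_ })
        }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            MissingNames    = @($missing) -join ', '
            ServerAuthEku   = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid))
            HasPrivateKey   = $cert.HasPrivateKey
            HasCrlDistPoint = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
            Expired         = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# Usage: list the certificates that could serve the AD FS proxy with Workplace Join enabled.
Test-WapCertificate -RequiredDnsName 'fs.contoso.com', 'enterpriseregistration.contoso.com' |
    Where-Object { -not $_.MissingNames -and $_.ServerAuthEku -and $_.HasPrivateKey -and -not $_.Expired } |
    Format-Table Thumbprint, Subject, HasCrlDistPoint -AutoSize
```

The script reports a certificate rather than rejecting it when the CRL distribution point is absent, because the page's requirement is that the CRL be reachable from the Internet, which a local check cannot prove; treat HasCrlDistPoint = False as a hard failure and verify the URL from outside the perimeter when it is True.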

Install the Remote Access role

To deploy Web Application Proxy, you must install the Remote Access role with the Web Application Proxy role service on a server that will act as the Web Application Proxy server.

Repeat this procedure for all of the servers that you want to deploy as Web Application Proxy servers.

To install the Web Application Proxy role service

On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

On the Select server roles dialog, select Remote Access, and then click Next.

Click Next twice.

On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

On the Confirm installation selections dialog, click Install.

On the Installation progress dialog, verify that the installation was successful, and then click Close.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
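The cmdlet for the procedure above, as an added example rather than the page's own listing. It adds one check the wizard makes implicitly: Web Application Proxy cannot be installed on a server that already hosts the AD FS role.

```powershell
# Added example (not the page's own listing): installs the Remote Access role with the
# Web Application Proxy role service and verifies the result. Run it elevated on the
# server that will become the Web Application Proxy server.

# Web Application Proxy cannot share a server with the AD FS role itself.
if ((Get-WindowsFeature -Name ADFS-Federation).Installed) {
    throw 'This server hosts AD FS; deploy Web Application Proxy on a separate server.'
}

$result = Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
if (-not $result.Success) {
    throw "Installation failed (exit code: $($result.ExitCode))"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning "Restart needed: $($result.RestartNeeded). Configure the role service after rebooting."
}

# Confirm the role service and the Remote Access management tools are present.
Get-WindowsFeature -Name Web-Application-Proxy, RSAT-RemoteAccess |
    Format-Table Name, DisplayName, InstallState -AutoSize
```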

See the instructional video for help: Installing the Web Application Proxy.

Configure Web Application Proxy

You must configure Web Application Proxy to connect to an AD FS server.

Repeat this procedure for all of the servers that you want to deploy as Web Application Proxy servers.

To configure Web Application Proxy

On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

In the navigation pane, click Web Application Proxy.

In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

On the Federation Server dialog, do the following, and then click Next:

In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com.

In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

The certificate you choose here should be the one whose subject is the Federation Service name, for example, fs.contoso.com. If you plan on using Workplace Join, this must be a SAN certificate with the SANs described in Configure CAs and certificates.

On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

On the Results dialog, verify that the configuration was successful, and then click Close.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

The following command prompts you for the credentials of a local administrator account on the AD FS servers. The credentials are used once to establish the proxy trust; after that, the Web Application Proxy server authenticates to AD FS with an automatically renewed proxy trust certificate rather than with the stored password.
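The configuration procedure, covering both the Best Practices Analyzer resolution earlier on this page and the wizard steps above, as an added example that is not the page's own listing. fs.contoso.com is a placeholder federation service name; the certificate is located by name in the machine Personal store instead of pasting a thumbprint, and the script finishes with the checks a practitioner wants before publishing anything.

```powershell
# Added example (not the page's own listing): configures Web Application Proxy against an
# AD FS farm. fs.contoso.com is a placeholder federation service name.
$federationServiceName = 'fs.contoso.com'

# Credentials of a local administrator on the AD FS servers. They are used only to
# establish the proxy trust; WAP does not keep them.
$trustCredential = Get-Credential -Message 'Local administrator on the AD FS servers'

# Pick the newest valid certificate in the machine Personal store whose subject or SAN
# names the federation service exactly (adjust the filter if you rely on a wildcard cert).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $federationServiceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No usable certificate for $federationServiceName in Cert:\LocalMachine\My"
}

Install-WebApplicationProxy -FederationServiceName $federationServiceName `
    -FederationServiceTrustCredential $trustCredential `
    -CertificateThumbprint $cert.Thumbprint

# Verify: both services must be running (adfssrv provides the AD FS proxy endpoints,
# appproxysvc the application publishing) and the configuration must point at the farm.
Get-Service -Name adfssrv, appproxysvc | Format-Table Name, Status -AutoSize
Get-WebApplicationProxyConfiguration | Format-List
```

If Install-WebApplicationProxy fails with a trust error, check that the federation service name resolves from the Web Application Proxy server to the AD FS farm (a hosts-file entry is common in a DMZ), that port 443 is open in that direction, and that the account supplied really is a local administrator on the AD FS servers.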

MS-Direction

Discussion of topics relating to core Microsoft products

Thursday, 17 December 2015

Web Application Proxy (part 1)

Web Application Proxy in Server 2012 R2: functionality and use, illustrated by publishing Exchange 2013 applications (part 1)

Windows Server 2012 R2 put a number of interesting changes and additions to existing capabilities into administrators' hands. With this post I am opening a series of five articles that will introduce readers to some of these new features. Today's topic is Web Application Proxy.

Web Application Proxy (WAP from here on) is used to publish internal corporate applications such as Exchange, Lync and others to external clients. The technology is based on reverse proxying, which is briefly described below.

To illustrate, a demo lab will be used in which Exchange 2013 is published and its services are then configured for authentication by WAP itself. This lets you set access criteria for a specific application flexibly, for example by membership in the required groups (the group check itself is enforced by AD FS on the relying party trust, not by WAP).

On the lab, OWA, ECP, PowerShell, OAB, RPC, EWS, Autodiscover and ActiveSync were all published successfully. The whole process will be shown in the subsequent articles.

Contents

  • A little theory
  • Web Application Proxy overview
  • Web Application Proxy deployment requirements
  • Lab description

A little theory

The application is published on a dedicated intermediary server: the external client first connects to the intermediary, which in turn opens a connection to the published application on its own behalf.

This approach solves the following problems:

  • preauthentication of clients before they connect to the application;
  • filtering of connections and inspection of traffic;
  • publishing several applications under one domain name;
  • flexible load-balancing and high-availability scenarios.

Web Application Proxy overview

At the application level, Web Application Proxy (WAP) is an additional role service of the Remote Access role in Server 2012 R2. WAP was built on the AD FS Federation Service Proxy role service from Windows Server 2012, which served as the front-end server when deploying Active Directory Federation Services.

WAP extends what can be published. In addition to the AD FS services themselves, it can now publish other HTTPS applications such as Exchange, Lync and others.

Windows Server 2012 R2 offers two types of client preauthentication through WAP:

  1. Active Directory Federation Services (AD FS). The client must first authenticate to AD FS; the published application then receives either AD FS claims or, for applications that use Integrated Windows authentication, a Kerberos ticket that WAP obtains through Kerberos constrained delegation.
  2. Pass-through. In this mode WAP does not authenticate clients itself; it forwards requests to the backend as they arrive, and the application performs its own authentication.

The practical demonstrations will use both types, since not every published Exchange application supports AD FS authentication yet.
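Both preauthentication types side by side, as an added example that is not part of the blog post: OWA published behind AD FS preauthentication and ActiveSync published pass-through, which is the split the author describes for Exchange. The host names mail.contoso.com and exch01.corp.contoso.local and the relying party name 'Outlook Web App' are placeholders for the author's lab.

```powershell
# Added example (not from the blog post): publishes two Exchange 2013 endpoints through
# Web Application Proxy, one behind AD FS preauthentication and one pass-through.
# mail.contoso.com, exch01.corp.contoso.local and 'Outlook Web App' are placeholders.
$externalHost = 'mail.contoso.com'
$backend      = 'https://exch01.corp.contoso.local'

# External certificate: the first machine-store certificate that names the external host.
$thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $externalHost } |
    Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "No certificate for $externalHost in Cert:\LocalMachine\My" }

# 1. AD FS preauthentication: the browser is sent to AD FS first and WAP forwards to OWA
#    only with a valid token. The relying party trust named here must already exist on
#    the AD FS farm.
Add-WebApplicationProxyApplication -Name 'Exchange OWA' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Outlook Web App' `
    -ExternalUrl "https://$externalHost/owa/" `
    -BackendServerUrl "$backend/owa/" `
    -ExternalCertificateThumbprint $thumbprint

# 2. Pass-through: WAP terminates TLS and relays the request unchanged; ActiveSync
#    clients authenticate against Exchange itself, so no preauthentication happens here.
Add-WebApplicationProxyApplication -Name 'Exchange ActiveSync' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync/" `
    -BackendServerUrl "$backend/Microsoft-Server-ActiveSync/" `
    -ExternalCertificateThumbprint $thumbprint

# Review what is published and in which mode; both entries share one external host name.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

Keeping the external and backend paths identical (both /owa/, both /Microsoft-Server-ActiveSync/) avoids URL translation, which is the simplest and least surprising configuration; the two applications coexist on one host name because WAP routes on the path, which is the "several applications under one domain name" point made in the theory section.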

Web Application Proxy deployment requirements

  • Deploying WAP requires at least two servers running Windows Server 2012 R2, joined to the Active Directory domain. The first hosts the AD FS role, the second the Remote Access role with the Web Application Proxy role service. (Strictly, domain membership of the WAP server is required only when it publishes applications that use Integrated Windows authentication, because Kerberos constrained delegation needs a domain computer account; in this lab it is domain-joined.)
  • The Active Directory forest schema must be extended to the Server 2012 R2 level. Domain controllers can still run the previous version, Windows Server 2012.

Lab description

WAP will be explored on a lab host running Windows Server 2012 R2 Datacenter with the Hyper-V role installed. Three virtual switches are created on the host: WAN, LAN and DMZ.

Below is a simplified topology of the lab (figure: WAP Network).