question

eg1995-5273 asked amanpreetsingh-msft answered

Publish Exchange server through Web App Proxy

Dears,
I have two Exchange 2016 servers configured in DAG mode. External URLs are not published. Users can connect only internally.
The client recently asked to publish it externally using Web App Proxy.
I have seen that this needs an ADFS server to be installed and maybe an ADCS server (not sure).
For the moment, we are not planning to have our root CA, as for the Exchange server we are using public certificates from Go Daddy.
My question is, as ADFS and Web App Proxy need certificates when installing and configuring, can I use the same one as the Exchange server?

Second thing, the customer wants to deploy the WAP in his DMZ. Does the WAP need to have a public IP?
Can you advise on the procedure please,
as I can't see many details about these kinds of deployments.
Maybe it is not the right forum, but the TechNet forums say that the forum has migrated to here. Please help.

regards,

azure-active-directory

1 Answer

amanpreetsingh-msft answered

@eg1995-5273 Web App Proxy (WAP) can work with or without ADFS. ADFS is not a requirement for WAP. If you just want to configure WAP to translate an external URL to an internal URL, you do not need to have ADFS in place. While publishing the Exchange URL, you can use the same Go Daddy certificate that you have. You do not need to deploy a CA server for this purpose.

It is always a best practice to have the WAP server in the DMZ. A secure network topology with WAP looks like this:

Internet > Corporate firewall (external) > WAP server > Corporate firewall (internal) > Backend server (in your case, Exchange)

In the above scenario, you can assign a public IP address to the external firewall and map the traffic for specific ports such as HTTP/HTTPS (80/443) to be forwarded to the WAP server.

Although a public IP address can be assigned directly to the WAP server, it is not a best practice from a security perspective. In such scenarios, you would need to keep the internal firewall as restrictive as possible.

Hope this includes answers to all your questions.


Please "Accept as answer" wherever the information provided helps you to help others in the community.
