publish exchange server through web app proxy

eg1995 1,131 Reputation points
2020-03-18T10:11:34.58+00:00

Dears,
I have two Exchange 2016 servers configured in DAG mode. External URLs are not published; users can connect only internally.
The client recently asked to publish it externally using Web Application Proxy.
I have seen that this needs an ADFS server to be installed and maybe an ADCS server (not sure).
For the moment, we are not planning to have our own root CA, as for the Exchange server we are using public certificates from GoDaddy.
My question is: as ADFS and Web Application Proxy need certificates when installing and configuring, can I use the same one as the Exchange server??

Second thing, the customer wants to deploy the WAP in his DMZ. Does the WAP need to have a public IP?
Can you advise on the procedure please,
as I can't see many details about these kinds of deployments.
Maybe it is not the right forum, but on the TechNet forums it says that the forum has migrated here. Please help.

regards,


1 answer

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-03-19T07:50:02.72+00:00

    @eg1995 Web app proxy (WAP) can work with or without ADFS. ADFS is not a requirement for WAP. If you just want to configure WAP to translate external URL to internal URL, you do not need to have ADFS in place. While publishing the exchange URL, you can use the same Go Daddy certificate that you have. You do not need to deploy a CA server for this purpose.

    It is always a best practice to have the WAP server in the DMZ. A secure network topology with WAP looks like this:

    Internet > Corporate firewall (external) > WAP Server > Corporate firewall (Internal) > Backend server (in your case, Exchange)

    In the above scenario, you can assign a public IP address to the external firewall and map the traffic for specific ports such as HTTP/HTTPS (80/443) to be forwarded to the WAP server.

    Although a public IP address can be assigned directly to the WAP server, it is not a best practice from a security perspective. In such scenarios, you would need to keep the internal firewall as restrictive as possible.

    Hope this includes answers to all your questions.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
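
As an added example (not part of the original question or the answer above), this is what the publishing step looks like in PowerShell on an already installed and configured WAP server: each Exchange virtual directory is published as a pass-through application, so WAP only translates the external URL to the internal one and Exchange keeps doing the authentication, and the public GoDaddy certificate already imported (with its private key) into the WAP machine store is reused. The host name `mail.example.com` and the certificate lookup are placeholders/assumptions.

```powershell
# Added example, not code from the original post.
# Publishes the Exchange 2016 client-access paths through Web Application Proxy
# with pass-through preauthentication, reusing the public certificate.
# Assumptions: the WAP role is installed and configured; the public name
# mail.example.com (placeholder) is on the GoDaddy certificate and resolves to
# the WAP from the Internet and to the Exchange/DAG namespace from the DMZ.
# Run in an elevated PowerShell session on the WAP server.

$ExternalHost = 'mail.example.com'   # placeholder: public name on the certificate
$BackendHost  = 'mail.example.com'   # placeholder: internal Exchange namespace

# Pick the newest certificate for that name that has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExternalHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $ExternalHost in Cert:\LocalMachine\My"
}

# Publish only the paths Exchange clients actually use; everything else on the
# Exchange server stays unreachable from the Internet. /ecp/ is needed for OWA
# options but also hosts the admin center, so drop it if admins never work remotely.
$paths = @(
    @{ Name = 'Exchange OWA';              Path = '/owa/' },
    @{ Name = 'Exchange ECP';              Path = '/ecp/' },
    @{ Name = 'Exchange ActiveSync';       Path = '/Microsoft-Server-ActiveSync/' },
    @{ Name = 'Exchange EWS';              Path = '/EWS/' },
    @{ Name = 'Exchange OAB';              Path = '/OAB/' },
    @{ Name = 'Exchange Autodiscover';     Path = '/Autodiscover/' },
    @{ Name = 'Exchange MAPI';             Path = '/mapi/' },
    @{ Name = 'Exchange Outlook Anywhere'; Path = '/rpc/' }
)

$existing = Get-WebApplicationProxyApplication

foreach ($p in $paths) {
    $external = "https://$ExternalHost$($p.Path)"
    $backend  = "https://$BackendHost$($p.Path)"

    if ($existing | Where-Object { $_.ExternalUrl -eq $external }) {
        Write-Host "Already published: $external"
        continue
    }

    # PassThrough: WAP does no preauthentication; Exchange authenticates the user.
    Add-WebApplicationProxyApplication `
        -Name $p.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $external `
        -BackendServerUrl $backend `
        -ExternalCertificateThumbprint $cert.Thumbprint
}

# Review what is now exposed on the perimeter and confirm the DMZ-to-backend
# path through the internal firewall is open only on 443.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
Test-NetConnection -ComputerName $BackendHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

With this layout the external firewall only needs to forward TCP 443 from its public address to the WAP, and the internal firewall only needs to allow TCP 443 from the WAP to the Exchange namespace (plus whatever the WAP role itself requires to reach the domain). Publishing per path rather than the whole site root is what keeps the internal firewall "as restrictive as possible", as the answer recommends.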