Web Application Proxy - Preauth using ADFS, access to ADFS has to be public?

Ionix 1 Reputation point

I am trying to use WAP for public internet access to a intranet application.

The intranet application uses ADFS SAML for SSO and authentication.

Referring to this article https://learn.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication

In the general flow, step 2:


Web Application Proxy redirects the HTTPS request to the AD FS server with URL encoded parameters, including the resource URL and the appRealm (a relying party identifier).

The user authenticates using the authentication method required by the AD FS server; for example, user name and password, two-factor authentication with a one-time password, and so on.


In my testing, wap application external url is https://myapp1.example.com/, with configured WAP to use ADFS preauthentication.

When i try to access https://myapp1.example.com/, i will get redirected to https://myadfs.localdomain.local/ for authentication.

Does the ADFS server need to be publicly accessible?

Do i need to enable ADFS proxy using a WAP passthrough? as shared in http://www.mistercloudtech.com/2015/11/25/how-to-install-and-configure-web-application-proxy-for-adfs/

Shouldn't WAP internally help to resolve and response the content of https://myadfs.localdomain.local/ at the external url of https://myapp1.example.com/, like how other reverse proxy works?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
993 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,066 Reputation points Microsoft Employee

    The ADFS farm is also published through the WAP . The WAP is also an ADFS Proxy. If you want to use WAP with external client, the FQDN of your farm needs a public name. It requires a split-brain DNS (aka split-horizon). The name of your ADFS farm needs to be resolved to the public IP of your WAP for external clients, and the same name has to point to the local IP of your ADFS for internal clients.