Publish Applications using Pass-through Preauthentication


Applies To: Windows Server 2012 R2

This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.

This topic describes how to publish applications through Web Application Proxy using pass-through preauthentication. Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan to Publish Applications using Pass-through Preauthentication [WAP].


When configuring the external URL and the backend server URL, you must enter a URL including the fully qualified domain name (FQDN), and not an IP address.


Applications that use pass-through preauthentication cannot leverage the additional features that AD FS provides; such as, Workplace Join, multifactor authentication (MFA), and multifactor access control.


This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Publish an Application using Pass-Through Preauthentication

The general pass-through preauthentication flow is as follows:

  1. The client device attempts to access a published web application on a particular resource URL.

    The resource URL is a public address on which Web Application Proxy listens for incoming HTTPS requests.

  2. Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS.

  3. If required by the backend server, the user authenticates directly to the backend server.

  4. After successfully authenticating, the client now has access to the published web application.

This procedure describes how to publish an application that uses pass-through preauthentication. Before you begin, make sure that you have done the following:

  • Import the website certificate from the backend server, or verify that a certificate on the Web Application Proxy server is suitable for the application you want to publish.

To publish an application using pass-through preauthentication

  1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

  2. On the Publish New Application Wizard, on the Welcome page, click Next.

  3. On the Preauthentication page, click Pass-through, and then click Next.

  4. On the Publishing Settings page, do the following, and then click Next:

    • In the Name box, enter a friendly name for the application.

      This name is used only in the list of published applications in the Remote Access Management console.

    • In the External URL box, enter the external URL for this application; for example,

    • In the External certificate list, select a certificate whose subject covers the external URL.

    • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, https://maps/.


      Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of and a backend server URL of https://app-server/app1/. However, you cannot enter an external URL of and a backend server URL of

  5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

  6. On the Results page, make sure that the application published successfully, and then click Close.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    -BackendServerURL ''
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b'
    -ExternalURL ''
    -Name 'Maps (no preauthentication)'
    -ExternalPreAuthentication PassThrough

See also