Deploy Work Folders with AD FS and Web Application Proxy: Overview
Applies To: Windows 10, Windows 7, Windows 8.1, Windows Server 2012 R2
The topics in this section provide instructions for deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy (WAP), and also provide Windows PowerShell scripts that automate the deployment process. The instructions and scripts are designed to help you create a complete functioning Work Folders setup, with client machines that are ready to start using Work Folders either on-premises or over the Internet.
Work Folders is a component introduced in Windows Server 2012 R2 that allows information workers to sync work files between their devices. For more information about Work Folders, see Work Folders.
To enable users to sync their Work Folders across the Internet, you need to publish Work Folders through a reverse proxy, making Work Folders available externally on the Internet. Web Application Proxy, which is included in AD FS, is one option that you can use to provide reverse proxy functionality. Web Application Proxy pre-authenticates access to the Work Folders web application by using AD FS, so that users on any device can access Work Folders from outside the corporate network.
These topics provide both of the following:
Step-by-step instructions for setting up and deploying Work Folders with AD FS and Web Application Proxy via the Windows Server UI. The instructions describe how to set up a simple test environment with self-signed certificates. You can then use the test example as a guide to help you create a production environment that uses publicly trusted certificates.
Windows PowerShell scripts that enable you to set up and configure the same test environment in less than 15 minutes. Instructions for editing and using the scripts can be found in the topic Deploy Work Folders with AD FS and Web Application Proxy using Windows PowerShell.
Download the scripts included in the Deploying Work Folders with AD FS and Web Application Proxy blog post.
To follow the procedures and examples in these topics, you need to have the following components ready:
An Active Directory® Domain Services forest with schema extensions in Windows Server 2012 R2 to support automatic referral of PCs and devices to the correct file server when you are using multiple file servers. It is preferable that DNS be enabled in the forest, but this is not required.
A domain controller: A server that has the AD DS role enabled, and is configured with a domain (for the test example, contoso.com).
A domain controller running at least Windows Server 2012 R2 is needed in order to support device registration for Workplace Join. If you don't want to use Workplace Join, you can run Windows Windows Server 2012 on the domain controller.
Two servers that are joined to the domain (contoso.com) and that are running Windows Server 2012 R2. One server will be for used for AD FS, and the other will be used for Work Folders.
One server that is not domain joined and that is running Windows Server 2012 R2. This server will run Web Application Proxy, and it must have one network card for the network domain (contoso.com) and another network card for an external domain (fabrikam.com).
One domain-joined client computer that is running Windows 8.1.
One non-domain-joined client computer that is running Windows 8.1 on Fabrikam's virtual network.
You can download evaluation versions of Windows Server 2012 R2 and Windows 8.1 Enterprise from the TechNet Evaluation center:
The computers can be physical machines or virtual machines (VMs). If you run the provisioningEnvironment.ps1 from the scripts included in the Deploying Work Folders with AD FS and Web Application Proxy blog post, it will create all of the needed VMs, with the exception of the domain controller. Before you run the script, be sure to edit the vms.txt file to update the network information appropriately.
After you finish setting up the required computers, you should have the topology that is shown in the following diagram.
Configuration of computers for Work Folders test scenario
In the test example that is used in this group of topics, Web Application Proxy is not joined to the domain. There are some deployments in which you might want to have Web Application Proxy joined to a domain, such as when you are using Windows authentication. If you plan to use Integrated Windows authentication, the Web Application Proxy server must be joined to an Active Directory Domain Services domain, and you must also configure Kerberos Constraint Delegation (KCD).
In this group of topics, you’ll walk through a step-by-step example of setting up AD FS, Web Application Proxy, and Work Folders in a test environment. The components will be set up in this order:
Web Application Proxy
The domain-joined workstation and non-domain-joined workstation
You will also use one of the provided Windows PowerShell scripts to create self-signed certificates.
To perform the deployment by using the Windows Server UI, follow the steps in these topics:
To perform the deployment by using the provided Windows PowerShell scripts, follow the steps in this topic: