FeaturesIIS Application Routing Request (ARR) Web Application Proxy (WAP) Pre- Authentication ...


Page 1:

Page 2:

Roop Sankar Bagepalli & Georg Hinterhofer, Senior PFEs, Microsoft

WAP and ARR - TMG alternatives?

USX305

Page 3:

A Pirate’s Choice!

Page 4:

WAP is the strategic product, both do the job

WAP and ARR, depending on your requirements, will get the gig done

Realize that the “strategic” (read: area of investment) product is Web Application Proxy

Strategy – ARR vs WAP

Feature comparison: IIS Application Request Routing (ARR) vs Web Application Proxy (WAP)
• Pre-Authentication
• Prerequisites – ARR: IIS 8.0, IIS 7.0, IIS 6.0; WAP: Windows 2012 R2
• Dependency – ARR: None; WAP: ADFS has to be set up
• Load Balancing – ARR: Inbuilt functionality; WAP: Requires a Load Balancer

Page 5:

Application Request Routing – ARR (each and every pirate’s favorite letter!)

Page 6:

Application Request Routing - ARR

What is ARR?
• ARR is an IIS Extension – current version 3.0
• ARR allows IIS to act as a Load Balancer and Reverse Proxy – free of charge!

Prereq’s?
• Works on IIS 7.0 (Windows 2008) or newer
• No other prereq’s!
• Does not need to be domain joined!
• Grab it here! http://www.iis.net/downloads/microsoft/application-request-routing

Page 7:

Application Request Routing - ARR

Features of ARR
• Reverse proxy / web publishing
• Support for multiple load balancing algorithms
• Health checking
• Caching
• Content delivery network (CDN)
• SSL Offloading
• Layer 4 and 7 routing decisions
• Usage reporting
• Cookie based affinity
• Application affinity opt-out
• Rich API
• Websocket support

Page 8:

ARR Functional Overview

URL Rewrite Module
• URL Filtering
• Allow/Deny URL

Web Farm Framework Module
• Load Balancing
• Health Check

Diagram: IIS ARR = URL Rewrite (Reverse Proxy) + Web Farm properties (Load Balancing), in front of OWA, Outlook, ActiveSync and ECP.

Page 9:

URL Rewrite
• It’s the actual reverse proxy
• Generally used to provide users with simple URLs, BUT we’ll use it for our cause as well
• Can act as reverse proxy between the client – and – in our case, the Web Farm.

There’s more where that came from™:
• URL Filtering
• Powerful URL re-write capabilities
• Pattern matching (RegEx)

Page 10:

Web Farm Framework
Free Load Balancing! Features include:

• Load Balancing – seven different algorithms

• Health Test – checks availability of server or service

• Server Affinity – cookie affinity (Exchange 2007/2010)

• Monitoring & Management


Page 11:

ARR – The Configuration (Option 1)

Only a couple of simple steps!
Create a Server Farm

Page 12:

ARR – The Configuration (Option 1)

Only a couple of simple steps!
Modify the Server Farm for Exchange’s needs (it’s a bit of a Diva, ya know)

Page 13:

ARR – The Configuration (Option 1)

Only a couple of simple steps!
Proper Healthchecking!

Page 14:

ARR – The Configuration (Option 1)

Only a couple of simple steps!
Configure the URL Rewrite rules

Done!

URLs:
• https://mail.sir8.at/OWA
• https://mail.sir8.at/ECP
• https://mail.sir8.at/OAB
• https://mail.sir8.at/EWS/Exchange.asmx
• https://mail.sir8.at/*

Page 15:

IIS ARR – Option 1 (how does it work..?)

Example request: https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml

• URL matched, access allowed
• Request forwarded to AutoDiscover Web Farm.
• CAS3 marked as unhealthy.
• Forward request to CAS1 or CAS2.

URL Rewrite rules:
• https://mail.contoso.com/*
• https://autodiscover.contoso.com/*

mail.contoso.com (Web Farm)
• Health Check: https://mail.contoso.com/OWA/HealthCheck.htm
• Load Balancing: Least Current Requests
• Affinity: No

autodiscover.contoso.com (Web Farm)
• Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
• Load Balancing: Least Current Requests
• Affinity: No

Page 16:

IIS ARR – Option 1 (how does it work..?)

Example request: https://mail.contoso.com/RPC/[email protected]:6001

• URL matched, access allowed
• Request forwarded to mail.contoso.com Web Farm.
• CAS1 marked as unhealthy.
• Forward request to CAS2 or CAS3.

URL Rewrite rules: https://mail.contoso.com/*, https://autodiscover.contoso.com/*

Web Farms: mail.contoso.com (Health Check: https://mail.contoso.com/OWA/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No) and autodiscover.contoso.com (Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No)

Page 17:

IIS ARR – Option 1 (how does it work..?)

Example request: https://mail.contoso.com/EWS/Exchange.asmx

• URL matched, access allowed
• Request forwarded to mail.contoso.com Web Farm.
• CAS1 marked as unhealthy.
• Forward request to CAS2 or CAS3.

URL Rewrite rules: https://autodiscover.contoso.com/*, https://mail.contoso.com/*

Web Farms: mail.contoso.com (Health Check: https://mail.contoso.com/OWA/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No) and autodiscover.contoso.com (Health Check: https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm; Load Balancing: Least Current Requests; Affinity: No)

Page 18:

Quirks of Option 1

Diagram: IIS ARR (Reverse Proxy & Load Balancer) probes CAS 1 at https://mail.contoso.com/OWA/HealthCheck.htm. Health Check: PASS, Server Healthy. Requests for https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx are forwarded to CAS 1 as well: the single OWA probe decides for every protocol on that server.

Page 19:

Quirks of Option 1

Diagram: IIS ARR (Reverse Proxy & Load Balancer) probes CAS 1 at https://mail.contoso.com/OWA/HealthCheck.htm. Health Check: FAIL, Server Unhealthy. Requests for https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx go to CAS 2, even though only the OWA probe failed.

Page 20:

IIS ARR – Option 2: Per Protocol Health Check!!!

Page 21:

IIS ARR – Option 2: Per Protocol Health Check!!!

Diagram: User → IIS ARR (URL Rewrite + Server Farm) → CAS, performing per-protocol Health Checks.

Exchange Virtual Directories (one namespace per protocol): mail.contoso.com, ECP.contoso.com, EWS.contoso.com, EAS.contoso.com, OAB.contoso.com, OA.contoso.com, AutoDiscover.contoso.com

Web Farms: OWA, ECP, EWS, EAS, OAB, OA, AutoDiscover

Health Check URLs:
• https://mail.contoso.com/OWA/HealthCheck.htm
• https://ecp.contoso.com/ECP/HealthCheck.htm
• https://ews.contoso.com/EWS/HealthCheck.htm
• https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• https://oab.contoso.com/OAB/HealthCheck.htm
• https://oa.contoso.com/RPC/HealthCheck.htm
• https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

Example request: https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml

Page 22:

Comparison between the available Options…

Columns: Solution | True distribution of traffic destined for multiple CAS servers | Load Balancing of traffic destined for multiple CAS servers | Exchange Virtual Directories (OWA, ECP, OAB etc) [except AutoDiscover] | Certificate & DNS

Option 1
• True distribution: No per-protocol Health Check (Server Availability)
• Load Balancing: Yes*
• Exchange Virtual Directories: Share a common namespace – mail.tailspintoys.com
• Certificate & DNS: Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 2
• True distribution: Per-protocol Health Check (Service Availability)
• Load Balancing: Yes
• Exchange Virtual Directories: Namespace for each protocol – mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.
• Certificate & DNS: Certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one Wildcard certificate (*.tailspintoys.com); multiple additional DNS entries


Page 24:

Comparison between the available Options…

Columns: Solution | High Availability of traffic destined for multiple CAS servers | Load Balancing of traffic destined for multiple CAS servers | Exchange Virtual Directories (OWA, ECP, OAB etc) [except AutoDiscover] | Certificate & DNS

Option 1
• High Availability: No per-protocol Health Check (Server Availability)
• Load Balancing: Yes
• Exchange Virtual Directories: Share a common namespace – mail.tailspintoys.com
• Certificate & DNS: Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 3
• High Availability: Per-protocol Health Check (Service Availability)
• Load Balancing: Yes
• Exchange Virtual Directories: Share a common namespace – mail.tailspintoys.com
• Certificate & DNS: Minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 2
• High Availability: Per-protocol Health Check (Service Availability)
• Load Balancing: Yes
• Exchange Virtual Directories: Namespace for each protocol – mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.
• Certificate & DNS: Certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one Wildcard certificate (*.tailspintoys.com); multiple additional DNS entries

Page 25:

ARR – Option 3: 2 Namespaces, but still per-protocol health checks!

Diagram: User → IIS ARR (URL Rewrite + Server Farm) → CAS, performing per-protocol Health Checks.

Exchange Virtual Directories: mail.contoso.com, AutoDiscover.contoso.com

URL Rewrite rules (path based): on mail.contoso.com /OWA*, /ECP*, /EWS*, /EAS*, /OAB*, /RPC*; on autodiscover.contoso.com /AutoDiscover*

Web Farms: OWA, ECP, EWS, EAS, OAB, OA, AutoDiscover

Health Check URLs:
• https://mail.contoso.com/OWA/HealthCheck.htm
• https://mail.contoso.com/ECP/HealthCheck.htm
• https://mail.contoso.com/EWS/HealthCheck.htm
• https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
• https://mail.contoso.com/OAB/HealthCheck.htm
• https://mail.contoso.com/RPC/HealthCheck.htm
• https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

Example request: https://mail.contoso.com/OWA

Page 26:

ARR – Option 3: 2 Namespaces, but still per-protocol health checks!

Diagram: same topology as Page 25 (User → IIS ARR with URL Rewrite + Server Farm → CAS; farms OWA, ECP, EWS, EAS, OAB, OA, AutoDiscover; path rules /OWA*, /ECP*, /EWS*, /EAS*, /OAB*, /RPC* on mail.contoso.com and /AutoDiscover* on autodiscover.contoso.com; per-protocol HealthCheck.htm probes), traced for the example request https://mail.contoso.com/EWS/Exchange.asmx.
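The configuration that Pages 11 to 14 click through for Option 1 and that Option 3 refines, written out with the IIS WebAdministration module. This is an added example, not the deck's own script: one public namespace, one ARR server farm per Exchange protocol with its own HealthCheck.htm probe, and one URL Rewrite rule per virtual-directory path. Assumed names are the backends cas1/cas2/cas3.contoso.local and the farm names (ex-owa and so on); ARR 3.0 and URL Rewrite are assumed installed and the shell elevated. Option 1 is the degenerate case of this script: a single farm, a single probe and a single `*` rule.

```powershell
# Added example (not from the deck): Option 3 ARR layout via WebAdministration.
# Farm names are used as the host part of the rewritten URL, so keep them hostname-safe.
Import-Module WebAdministration

$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$Backends = 'cas1.contoso.local', 'cas2.contoso.local', 'cas3.contoso.local'   # assumed backend CAS

# One entry per protocol: farm name, public host, path prefix, per-protocol probe (Page 25)
$Protocols = @(
    @{ Farm = 'ex-owa';   Host = 'mail.contoso.com';         Path = 'OWA';                         Probe = 'https://mail.contoso.com/OWA/HealthCheck.htm' }
    @{ Farm = 'ex-ecp';   Host = 'mail.contoso.com';         Path = 'ECP';                         Probe = 'https://mail.contoso.com/ECP/HealthCheck.htm' }
    @{ Farm = 'ex-ews';   Host = 'mail.contoso.com';         Path = 'EWS';                         Probe = 'https://mail.contoso.com/EWS/HealthCheck.htm' }
    @{ Farm = 'ex-eas';   Host = 'mail.contoso.com';         Path = 'Microsoft-Server-ActiveSync'; Probe = 'https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm' }
    @{ Farm = 'ex-oab';   Host = 'mail.contoso.com';         Path = 'OAB';                         Probe = 'https://mail.contoso.com/OAB/HealthCheck.htm' }
    @{ Farm = 'ex-rpc';   Host = 'mail.contoso.com';         Path = 'RPC';                         Probe = 'https://mail.contoso.com/RPC/HealthCheck.htm' }
    @{ Farm = 'ex-autod'; Host = 'autodiscover.contoso.com'; Path = 'Autodiscover';                Probe = 'https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm' }
)

function New-ArrFarm {
    param([string]$Name, [string[]]$Servers, [string]$ProbeUrl)
    $farm = "webFarms/webFarm[@name='$Name']"
    if (-not (Get-WebConfiguration -PSPath $AppHost -Filter $farm)) {
        Add-WebConfigurationProperty -PSPath $AppHost -Filter 'webFarms' -Name '.' -Value @{ name = $Name }
    }
    foreach ($server in $Servers) {
        Add-WebConfigurationProperty -PSPath $AppHost -Filter $farm -Name '.' -Value @{ address = $server }
    }
    $arr = "$farm/applicationRequestRouting"
    # ARR sends the probe URL to every server in the farm (the URL's host becomes the Host header).
    # Because the probe belongs to this farm only, a failing EWS probe pulls the server out of the
    # EWS farm and nothing else: the Option 1 quirk on Pages 18/19 disappears.
    # Exchange 2013's HealthCheck.htm answers with the text "200 OK" in the body, which responseMatch compares.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/healthCheck" -Name url           -Value $ProbeUrl
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/healthCheck" -Name interval      -Value ([TimeSpan]'00:00:30')
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/healthCheck" -Name timeout       -Value ([TimeSpan]'00:00:10')
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/healthCheck" -Name responseMatch -Value '200 OK'
    # Page 15 settings: Least Current Requests, no cookie affinity; leave backend Location headers alone
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/loadBalancing" -Name algorithm -Value 'LeastCurrentRequest'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/affinity"      -Name useCookie -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$arr/protocol"      -Name reverseRewriteHostInResponseHeaders -Value $false
}

function New-ArrPathRule {
    param([string]$FarmName, [string]$PublicHost, [string]$PathPrefix)
    $rules = 'system.webServer/rewrite/globalRules'
    $rule  = "$rules/rule[@name='ARR_$FarmName']"
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $rules -Name '.' -Value @{ name = "ARR_$FarmName"; stopProcessing = 'True' }
    # URL Rewrite matches the path without its leading slash, e.g. "OWA/auth/logon.aspx"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/match" -Name url -Value "^$([regex]::Escape($PathPrefix))(/.*)?$"
    # Only the published host name is routed; requests for any other Host header are not proxied
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTP_HOST}'; pattern = "^$([regex]::Escape($PublicHost))$" }
    # "https://<farm name>/..." is how a rewrite rule hands the request to an ARR farm
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name url  -Value "https://$FarmName/{R:0}"
}

# Turn the ARR proxy on and keep the client's Host header so Exchange still sees mail.contoso.com
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/proxy' -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/proxy' -Name preserveHostHeader -Value $true

foreach ($p in $Protocols) {
    New-ArrFarm     -Name $p.Farm -Servers $Backends -ProbeUrl $p.Probe
    New-ArrPathRule -FarmName $p.Farm -PublicHost $p.Host -PathPrefix $p.Path
}
```

Run it once on each ARR node (or once, with IIS shared configuration enabled as Page 27 suggests). Afterwards the ARR "Monitoring and Management" view shows each farm's servers going healthy or unhealthy independently, which is the whole point of Option 3 over Option 1.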

Page 27:

Bringing HA to ARR… for even more ARRrrrrrr

ARR itself is a single point of failure and doesn’t provide any HA to itself; it needs a little help.
Mitigate with NLB (WinNLB or 3rd Party)

Easy configuration…
• Leverage IIS shared config!
• Either Active/Passive or Active/Active doable – failover or failover + load distribution!
• All the glory is here: http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)/achieving-high-availability-and-scalability-arr-and-nlb

Page 28:

ARR + Exchange 2013/2010/2007?

Yes, you can! ARR will work with Exchange 2007/2010/2013. If you have 2007 in the mix, make sure you also publish the legacy namespace. No need for 2013/2010 coex, obviously.

Page 29:

IIS ARR Implementation Scenarios…

RULES:

1. URL Rewrite and Web Farm are mutually dependent on each other.

2. You can control how the IIS ARR behaves depending on which component you configure.

If you configure the properties of:
• URL Rewrite + Web Farm – Reverse Proxy + Software Load Balancer
• URL Rewrite only – Reverse Proxy
• Web Farm only* – Software Load Balancer

Page 30:

IIS ARR: Reverse Proxy

Diagram: IIS ARR (URL Rewrite = Reverse Proxy; Web Farm properties = Load Balancing) in front of OWA, Outlook, ActiveSync and ECP.

Page 31:

IIS ARR: Load Balancer

Diagram: IIS ARR (URL Rewrite = Reverse Proxy; Web Farm properties = Load Balancing) in front of OWA, Outlook, ActiveSync and ECP.

Page 32:

Scenario A

Diagram: External Firewall, one IIS ARR (Reverse Proxy + Load Balancer), Internal Firewall; External User and Internal User.

Page 33:

Scenario B

Diagram: External Firewall, IIS ARR (Reverse Proxy), Internal Firewall, IIS ARR (Load Balancer); External User and Internal User.

Page 34:

Scenario C

Diagram: External Firewall, IIS ARR (Reverse Proxy), IIS ARR (External Load Balancer), Internal Firewall, IIS ARR (Internal Load Balancer); External User and Internal User.

Page 35:

Scenario D – O365 Exchange Online Hybrid Configuration

Diagram zones: INTERNET | DMZ | INTRANET. Components: IIS ARR (Reverse Proxy + L7 Load Balancer) and ADFS Proxy in the DMZ; ADFS and OnPremise Mailbox servers on the intranet; O365 Mailbox in Exchange Online.

Page 36:

Web Application Proxy - WAP

Page 37:

Web Application Proxy - WAP
• Part of the Remote Access Role in 2012 R2
• Requires an ADFS 2012 R2 installation
• Can be deployed domain joined or non-domain joined
• Does not require a 2012 R2 DC

Reverse proxy of Web applications and ADFS Proxy
• Provides reverse proxy
• Replaces the “old” ADFS Proxy
• Provides SSO for some scenarios
• Designed to be deployed in the DMZ
• Highly customizable login page – see http://technet.microsoft.com/en-us/library/dn280950.aspx

Page 38:

WAP – Network Topology

Diagram: Internet | DMZ | Corporate Network.
• Client (browser, Office client or modern app) on the Internet, HTTP/S through Firewall and Load Balancer to the Web Application Proxy / AD FS Proxy in the DMZ.
• From the DMZ through a second Firewall and Load Balancer into the Corporate Network: Backend Servers (HTTP), AD FS (AuthN, Config. API over HTTPS, AuthN Web UI), Config. Store, Active Directory Domain Controller.
• Flows: Claims, IWA or pass-through AuthN to the backend servers; obtain KCD ticket for IWA AuthN from the Domain Controller.

Page 39:

WAP and Exchange
Offers reverse proxying for all Exchange-relevant protocols: OWA, ECP, EAS, OA, MAPIHTTP, AutoDiscover, EWS, OAB – we got you covered!

Preauthentication only for OWA/ECP! PreAuth is performed by redirecting the client to ADFS.

Redirection is supported for the following protocols: Standard HTTP (browsers), MS-OFBA (Office clients), OAuth2 (Windows Store Apps)…. In our case for OWA/ECP.

Cannot redirect for preauthentication: Clients using HTTP Basic or NTLM authentication (ActiveSync, MAPIHTTP), RPC over HTTP (Outlook Anywhere) – those need to use passthrough.

Page 40:

WAP and Exchange – KCD Preauth Flow

Page 41:

Diagram: Internet | Perimeter network | Internal network. User → https://mail.fabrikam.com/owa → OWA (Auth: IWA), backed by AD.

Page 42:

Diagram: User on the Internet; Web Application Proxy (publishing https://mail.fabrikam.com/owa and https://sts.fabrikam.com) in the perimeter network; OWA (Auth: IWA), AD and AD FS (https://sts.fabrikam.com) in the internal network.

Page 43:

Diagram (same topology): Step 1 – User sends GET https://mail.fabrikam.com/owa to the Web Application Proxy; WAP answers 307 (redirect to AD FS, https://sts.fabrikam.com).

Page 44:

Diagram (same topology): Step 2 – GET https://sts.fabrikam.com; AD FS evaluates the App Policies.

Page 45:

Diagram (same topology): Step 3 – POST to https://sts.fabrikam.com (App Policies).

Page 46:

Diagram (same topology): Step 4 – AD FS answers 302 FOUND and sets MSISAuth (session cookie).

Page 47:

Diagram (same topology): Step 5 – GET https://sts.fabrikam.com with MSISAuth (session cookie); AD FS answers 307 Redirect (App Policies) back to https://mail.fabrikam.com/owa.

Page 48:

Diagram (same topology): Step 6 – GET https://mail.fabrikam.com/owa /w AuthToken!; WAP answers 301 moved permanently and sets EdgeAccessCookie (session cookie). WAP performs KCD for the Principal Name – the trace shows a ticket issued for the SPN.

Page 49:

Finally… we log on to OWA!

Page 50:

Diagram (same topology): Step 7 – GET https://mail.fabrikam.com/owa with EdgeAccessCookie (session cookie); the AD FS side holds MSISAuth, MSISLoopDetectionCookie and MSISAuthenticated (session cookies). The trace shows the ticket issued for the SPN; WAP forwards the request to OWA (Auth: IWA).

Page 51:

WAP and Exchange – Passthrough Auth Flow

Page 52:

Diagram: User on the Internet → Web Application Proxy (https://mail.fabrikam.com/owa) in the perimeter network → OWA (Auth: IWA), AD and AD FS in the internal network. OWA answers 401 Unauthorized; WAP passes the 401 Unauthorized back to the user unchanged. Actual OWA logon!

Page 53:

Exchange 2013 SP1 and ADFS Auth
Finally – a supported way of getting ADFS auth goin’! Exchange 2013 SP1 introduced ADFS authentication for OWA and ECP, based on SAML 2.0.

It’s an either/or thing – you cannot have any other form of authentication (FBA, NTLM, Basic, secret knock signs) mixed with ADFS authentication – no multiple Vdir support as of now.

No support for coexistence, e.g. running ADFS auth on Ex2013 SP1 and trying to open up mailboxes for 2013 non-SP1, 2010 or 2007 will not work and is not supported.

You can leverage either ADFS directly or WAP as the ADFS proxy for “claiming your claim”

Allows for pre-authentication on WAP without the need for WAP to be domain joined! (hold for applause)

Page 54:

Exchange 2013 SP1 and ADFS Auth
Implementation overview
Requires manual Relying Party Trust configuration in ADFS – no automatic config

Requires UPN, PrimarySID and GroupSID issuance rules

Requires configuration of -AdfsIssuer, -AdfsAudienceUris and -AdfsSignCertificateThumbprint on Exchange’s Set-OrganizationConfig.

Enable ADFSAuth and disable all other forms of auth on the OWA/ECP virtual directories

Detailed implementation steps are available now at http://aka.ms/B9j5gq
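The four items above, written out as an added example. It is not the deck's script nor the one behind the aka.ms link: an AD FS part (run on the AD FS 2012 R2 server) that creates the relying party trusts by hand with the UPN, PrimarySID and GroupSID issuance rules, and an Exchange part (run in the Exchange 2013 SP1 Management Shell) that sets the organization config and flips the virtual directories to ADFS-only authentication. Assumed names: sts.fabrikam.com, mail.fabrikam.com and the server EX01; the token-signing thumbprint is a placeholder to be copied from the AD FS output.

```powershell
# Added example (not from the deck). Part 1 runs on the AD FS server, part 2 in the Exchange shell.

# ---- Part 1: AD FS. One relying party trust per audience URI, no automatic config. ----
$Trusts = @(
    @{ Name = 'Exchange OWA'; Uri = 'https://mail.fabrikam.com/owa/' }
    @{ Name = 'Exchange ECP'; Uri = 'https://mail.fabrikam.com/ecp/' }
)

# Exchange needs the user's UPN, primary SID and group SIDs; each rule looks the
# attribute up in AD from the windowsaccountname AD FS authenticated.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "ActiveDirectoryGroupSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups;{0}", param = c.Value);
'@
# Authorization is left to Exchange (mailbox access), so AD FS permits every authenticated user
$PermitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

foreach ($t in $Trusts) {
    Add-AdfsRelyingPartyTrust -Name $t.Name -Identifier $t.Uri -WSFedEndpoint $t.Uri `
        -IssuanceTransformRules $IssuanceRules -IssuanceAuthorizationRules $PermitAll
}
# Exchange validates the SAML token signature against this certificate: note the thumbprint
(Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint

# ---- Part 2: Exchange 2013 SP1 Management Shell ----
$SigningThumbprint = '<token-signing thumbprint printed by part 1>'   # placeholder
Set-OrganizationConfig -AdfsIssuer 'https://sts.fabrikam.com/adfs/ls/' `
    -AdfsAudienceUris 'https://mail.fabrikam.com/owa/', 'https://mail.fabrikam.com/ecp/' `
    -AdfsSignCertificateThumbprint $SigningThumbprint

# Either/or: ADFS auth on and every other method off, on both virtual directories
Get-OwaVirtualDirectory -Server 'EX01' | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false -BasicAuthentication $false `
    -DigestAuthentication $false -OAuthAuthentication $false
Get-EcpVirtualDirectory -Server 'EX01' | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false -BasicAuthentication $false `
    -DigestAuthentication $false
& iisreset.exe   # on EX01, so the virtual directory changes take effect
```

Two things to check after running it: the AD FS token-signing certificate rolls over (auto-certificate rollover is on by default), and when it does the thumbprint in Set-OrganizationConfig has to follow, otherwise OWA rejects every token; and every other authentication method really must be off on both directories, because the slide's either/or rule is enforced by Exchange, not by AD FS.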

Page 55:

Bringing HA to WAP
It’s easy – just install more boxes! WAP stores its config in ADFS 2012 R2. As soon as you “subscribe” more WAP boxes to the same ADFS instance, they will get the same config.

Diagram: two Web Application Proxy servers, each holding "Config... Publishing Rules....", pulling that configuration from AD FS (backed by AD).

Page 56:

Bringing HA to WAP
You still need to think about NLB. WAP does not provide any form of NLB… not for the published application… not for WAP itself… WinNLB or 3rd Party… no need for affinity!!

Diagram: User → NLB (Windows or 3rd Party) → two Web Application Proxy servers (Config... Publishing Rules....).

Page 57:

Configuring WAP for KCD
Required ADFS config – Create Relying Party Trust

Page 58:

Configuring WAP for KCD
Creating an AD delegation for preauth

Single Server (delegation to Exchange directly)

Page 59:

Configuring WAP for KCD
Creating an AD delegation for preauth

Multiple Exchange Servers (delegation to the ASA)

This requires an Alternate Service Account configured on Exchange 2010 / Exchange 2013. The delegation needs to be made out to this account.

Page 60:

WAP and EX not in the same domain?
Yep, it‘s possible! Historically, KCD required that the server asking for a Kerb Ticket and the server that we delegated to be in the same domain.

Fear not, Windows 2012 changed quite a bit. Read more here: http://technet.microsoft.com/en-us/library/hh831477.aspx

In a nutshell, WAP (the server asking for a ticket) can be in another domain (e.g. child.contoso.com) while the application server – let’s say Exchange – is in the root domain or in another child (contoso.com or child2.contoso.com).

Delegation for these scenarios is set on the application server instead of the WAP server.
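The three delegation shapes of Pages 58 to 60 (single server, Alternate Service Account, different domains) as one added example with the ActiveDirectory module; it is not the deck's own procedure, which is shown as GUI screenshots. Assumed names: WAP01 (the proxy), EX01 (a single Exchange server), EXCH-ASA (the ASA computer account), the SPNs http/ex01.contoso.com and http/mail.contoso.com, and for the cross-domain case WAP01 in child.contoso.com with the ASA in contoso.com. The setspn check is there because an SPN registered on two accounts is the most common reason KCD preauth fails silently.

```powershell
# Added example (not from the deck): KCD delegation for WAP preauth in three shapes.
Import-Module ActiveDirectory

function Assert-SingleSpnOwner {
    # setspn -Q prints the DN of every account holding the SPN; exactly one is acceptable.
    param([string]$Spn)
    $out    = & setspn.exe -Q $Spn
    $owners = @($out | Where-Object { $_ -match '^CN=' })
    if ($owners.Count -ne 1) {
        throw "SPN $Spn is registered on $($owners.Count) accounts:`n$($out -join "`n")"
    }
    $owners[0]
}

# Page 58: single server. WAP01 needs protocol transition (the user authenticated to AD FS,
# not to WAP with Kerberos) and is allowed to delegate only to Exchange's HTTP SPN.
function Set-WapDelegationSingleServer {
    param([string]$WapComputer = 'WAP01', [string]$Spn = 'http/ex01.contoso.com')
    Assert-SingleSpnOwner $Spn | Out-Null
    Set-ADAccountControl -Identity "$WapComputer$" -TrustedToAuthForDelegation $true
    Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}

# Page 59: several CAS behind one name. The shared SPN lives on the ASA, so the delegation
# target is that SPN (and thereby the ASA), never an individual server's account.
function Set-WapDelegationToAsa {
    param([string]$WapComputer = 'WAP01', [string]$Spn = 'http/mail.contoso.com')
    $owner = Assert-SingleSpnOwner $Spn          # expected: the ASA's DN
    Write-Verbose "SPN $Spn is held by $owner"
    Set-ADAccountControl -Identity "$WapComputer$" -TrustedToAuthForDelegation $true
    Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}

# Page 60: WAP and Exchange in different domains. Windows 2012 resource-based constrained
# delegation is written on the application-side account (here the ASA), naming the WAP
# computer(s) allowed to delegate to it; nothing is set on WAP01 itself.
function Set-WapDelegationCrossDomain {
    param([string]$WapComputer = 'WAP01', [string]$WapDomain = 'child.contoso.com',
          [string]$TargetAccount = 'EXCH-ASA', [string]$TargetDomain = 'contoso.com')
    $wap = Get-ADComputer -Identity $WapComputer -Server $WapDomain
    Set-ADComputer -Identity $TargetAccount -Server $TargetDomain -PrincipalsAllowedToDelegateToAccount $wap
    # Read back; the underlying attribute is msDS-AllowedToActOnBehalfOfOtherIdentity
    Get-ADComputer -Identity $TargetAccount -Server $TargetDomain -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
}

# Pick the one that matches the deployment, e.g.:
Set-WapDelegationToAsa -WapComputer 'WAP01' -Spn 'http/mail.contoso.com' -Verbose
```

Keep the delegation list as short as the page implies: WAP gets the one HTTP SPN it fronts, not "any service" (unconstrained delegation), and the cross-domain form is preferable even inside one domain when the Exchange side, rather than the proxy side, should own the decision of who may delegate to it.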

Page 61:

Configuring WAP
Installing WAP

Page 62:

Configuring WAP
Configuration for Preauth (OWA/ECP)

Page 63:

Configuring WAP
Config for Pass-through (EAS/AutoD/OA/OAB/MAPIHttp)

Page 64:

Configuring WAP
Disable header translation in Request Headers
WAP should not translate HTTP host headers to internal host headers when forwarding requests.
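The publishing rules of Pages 62 to 64 in one script, as an added example that is not the deck's own (the deck shows the Remote Access wizard). It uses the WebApplicationProxy module on an already-configured WAP server: OWA and ECP with AD FS pre-authentication and KCD to the backend SPN, everything else pass-through, and the request-header translation switched off everywhere. Assumed: the names mail.fabrikam.com and autodiscover.fabrikam.com, a relying party trust called "Exchange OWA/ECP" already created in AD FS (Page 57), the SPN http/mail.fabrikam.com, and a placeholder certificate thumbprint.

```powershell
# Added example (not from the deck): WAP publishing rules for Exchange.
$ExternalCert = '<thumbprint of the mail.fabrikam.com certificate in LocalMachine\My>'   # placeholder

$Common = @{
    ExternalCertificateThumbprint       = $ExternalCert
    # Page 64: the Host header the client sent must reach Exchange unchanged
    DisableTranslateUrlInRequestHeaders = $true
}

function Publish-ExchangePreauth {
    # OWA/ECP: browser is redirected to AD FS; afterwards WAP fetches a KCD ticket for the backend SPN.
    param([string]$Vdir)
    Add-WebApplicationProxyApplication @Common -Name "Exchange $Vdir (preauth)" `
        -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'Exchange OWA/ECP' `
        -ExternalUrl "https://mail.fabrikam.com/$Vdir/" -BackendServerUrl "https://mail.fabrikam.com/$Vdir/" `
        -BackendServerAuthenticationSPN 'http/mail.fabrikam.com'
}

function Publish-ExchangePassThrough {
    # Basic/NTLM and RPC-over-HTTP clients cannot follow a redirect to AD FS (Page 39): forward as-is.
    param([string]$Name, [string]$Url)
    Add-WebApplicationProxyApplication @Common -Name "Exchange $Name (pass-through)" `
        -ExternalPreauthentication PassThrough -ExternalUrl $Url -BackendServerUrl $Url
}

'owa', 'ecp' | ForEach-Object { Publish-ExchangePreauth -Vdir $_ }

@{
    EAS      = 'https://mail.fabrikam.com/Microsoft-Server-ActiveSync/'
    AutoD    = 'https://autodiscover.fabrikam.com/Autodiscover/'
    OA       = 'https://mail.fabrikam.com/rpc/'
    OAB      = 'https://mail.fabrikam.com/OAB/'
    MAPIHttp = 'https://mail.fabrikam.com/mapi/'
    EWS      = 'https://mail.fabrikam.com/EWS/'
}.GetEnumerator() | ForEach-Object { Publish-ExchangePassThrough -Name $_.Key -Url $_.Value }

# Review: each rule shows the intended pre-auth type and no request-header translation
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl, DisableTranslateUrlInRequestHeaders |
    Format-Table -AutoSize
```

Publishing paths rather than the whole host keeps the pre-authenticated and pass-through surfaces separate: a rule for https://mail.fabrikam.com/ alone would make every Exchange protocol pass-through, including OWA.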

Page 65:

Configuring WAP
Some older EAS devices and OSes don’t support SNI

• Http.sys listens and serves certs based on the SNI header sent (no IIS on WAP)
• Not all EAS devices support sending SNI, leading to a broken EAS experience
• Older OSes (Win XP) don‘t support sending SNI at all.

You need to assign a default SSL binding via netsh.
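The netsh step just mentioned, as an added example that is not the deck's own command line. It gives http.sys a fallback (non-SNI) binding on 0.0.0.0:443 by copying the certificate hash and application ID from the SNI binding WAP already created, so nothing is hard-coded. Assumed: the published name mail.fabrikam.com and an elevated shell on the WAP server.

```powershell
# Added example (not from the deck): default SSL binding for clients that do not send SNI.
function Get-HttpSysSniBinding {
    # Reads hash and owning application id from the hostname-based binding WAP registered.
    param([string]$HostName, [int]$Port = 443)
    $text = (& netsh.exe http show sslcert hostnameport="${HostName}:${Port}") -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { throw "No SNI binding for ${HostName}:${Port}" }
    $hash = $Matches[1]
    if ($text -notmatch 'Application ID\s*:\s*(\{[0-9A-Fa-f-]{36}\})') { throw "No application id in the binding for ${HostName}:${Port}" }
    [pscustomobject]@{ Hash = $hash; AppId = $Matches[1] }
}

function Set-HttpSysDefaultBinding {
    # Adds ipport=0.0.0.0:<port> with the same certificate and owner as the SNI binding.
    # http.sys answers non-SNI ClientHellos from this binding, SNI ones from the hostname binding.
    param([string]$HostName, [int]$Port = 443)
    $sni      = Get-HttpSysSniBinding -HostName $HostName -Port $Port
    $existing = (& netsh.exe http show sslcert ipport="0.0.0.0:${Port}") -join "`n"
    if ($existing -match 'Certificate Hash\s*:') {
        Write-Warning "A default binding on 0.0.0.0:$Port already exists; leaving it alone:`n$existing"
        return
    }
    & netsh.exe http add sslcert ipport="0.0.0.0:${Port}" certhash=$($sni.Hash) appid="$($sni.AppId)"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}

Set-HttpSysDefaultBinding -HostName 'mail.fabrikam.com'
# Verify: the fallback binding now carries the same hash as the SNI binding
& netsh.exe http show sslcert ipport=0.0.0.0:443
```

The certificate behind the default binding is the one every non-SNI client will see regardless of the name it asked for, so it has to cover all published names (SAN or wildcard); a single-name certificate here simply moves the breakage from "no certificate" to "name mismatch".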

Page 66:

Configuring WAPSome older EAS devices don’t support SNI

XP is one happy peppy!

Page 67:

WAP and Cross-Forest Auth
We know you want it! Leveraging ADFS/WAP and UPN rewrites, we can do, for example, this!

Diagram: Fabrikam internal network – WAP, OWA (https://mail.fabrikam.com/owa), AD FS (https://sts.fabrikam.com), the user’s mailbox. Contoso internal network – WAP, AD FS (https://sts.contoso.com), the User.

Page 68:

WAP and Cross-Forest Auth

We know you want it!

Works for OWA/ECP as those can be published with Pre-Authentication, and honor the redirection to ADFS.

Contoso, in this scenario, needs no Exchange and no special prep. Magic is done by rewriting the UPN claim.

You need to configure ADFS claims provider trust and ADFS relying party trust for the “trusting” forest.

Works in KCD or ADFS Authentication scenarios.

Page 69:

WAP + Exchange 2010/Exchange 2007?

We got you covered!

Pure Exchange 2010: Same story as for Exchange 2013, OWA + ECP with Preauth, all others Pass-Through.

Pure Exchange 2007: All protocols Pass-Through only (EXCEPT if you are OK with proxying to a single server).

Exchange 2013/2010 coexistence: OWA + ECP with Preauth, all others Pass-Through.

Exchange 2013/2010/2007: OWA + ECP for 2013/2010 with Pass-Through, all others Pass-Through (same EXCEPT as above).

Page 70:

So you have a WAP lab deployment…

… and after a while of not using it, it stops working

WAP uses a short-lived certificate (15 days) to authenticate to ADFS.

If you don’t use your WAP lab for 15 days, WAP will be essentially stranded as the expired certificate will be rejected by ADFS.

You can either re-install WAP (the config will remain, as it is stored in ADFS), or rerun the configuration wizard via the Remote Access UI (preferred).

For the Remote Access UI, to let you run through the wizard again, change HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning “not configured”) instead of 2 (“configured”). Reopen the UI. No reboot required.

Page 71:

WAP External Lockout

Prohibit a DoS attack against your environment

ADFS/WAP offer a "soft-lockout" for user accounts on WAP itself.

The internal AD account remains unlocked while external access is blocked after multiple unsuccessful auth attempts.

Needs to be set lower than the internal AD account lockout policy if you have one.

Can help mitigate a DoS in case a copy of your GAL/OAB/AD etc. gets lost.

Page 72:

WAP External Lockout

Configuring External Lockout

Config changes need to be made on the ADFS server. Changes are pushed out to WAP at the next config refresh (every 60 seconds).

Use Get/Set-ADFSProperties to modify:

• ExtranetLockoutEnabled: $true or $false; determines whether Lockout is enabled, default $false

• ExtranetLockoutThreshold: Number of failed auth attempts before soft-locking a user

• ExtranetObservationWindow: Timespan for a user to be locked, e.g. 30 minutes (00:30:00)
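The three properties set together, as an added PowerShell example (not from the deck), including the check from the previous slide that the soft-lockout threshold stays below the domain's AD lockout threshold. The threshold and window values are assumptions, and the ActiveDirectory module is assumed to be installed on the ADFS server.

```powershell
# Added example, not from the deck. Run on the ADFS server (not on WAP).
Import-Module ADFS
Import-Module ActiveDirectory   # assumption: RSAT AD module available here

$threshold = 10                         # assumed: failed attempts before soft-locking externally
$window    = New-TimeSpan -Minutes 30   # assumed: observation window, 00:30:00 as on the slide

# The deck's caveat: the extranet threshold must sit below the AD lockout threshold,
# otherwise failed attempts through WAP can still hard-lock the internal AD account.
# (A fine-grained password policy applying to the user would override this default.)
$adPolicy = Get-ADDefaultDomainPasswordPolicy
if ($adPolicy.LockoutThreshold -gt 0 -and $threshold -ge $adPolicy.LockoutThreshold) {
    throw "ExtranetLockoutThreshold ($threshold) must be lower than the AD lockout threshold ($($adPolicy.LockoutThreshold))."
}

Set-AdfsProperties -ExtranetLockoutEnabled $true `
                   -ExtranetLockoutThreshold $threshold `
                   -ExtranetObservationWindow $window

# Read back what WAP will pick up at its next config refresh (every 60 seconds).
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```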

Page 73:

Demo

WAP in action!

Page 74:

In Review: Session Objectives And Takeaways

Session Objectives

Describe how ARR and WAP are functioning, technical implementation and limitations.

Explain what ARR and WAP can do for publishing of Exchange 2007, Exchange 2010 and Exchange 2013, and compare them to what TMG could do.

Action Items: Go build yourself a WAP and ARR lab and promote the use of these products with your customers!

Page 75:

Page 76:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.