Microsoft Web Application Proxy - WAP on Windows Server 2025

Microsoft Web Application Proxy (WAP) is a service in Windows Server 2025 that allows you to securely publish web applications from inside your corporate network to external users. WAP functions as a reverse proxy and an Active Directory Federation Services (AD FS) proxy to pre-authenticate user access before they reach your internal applications.

Quickly deploy a new Microsoft Web Application Proxy (WAP) server preloaded with the WAP role and PowerShell modules alongside all the prerequisites ready for you to build a new ADFS farm or to add to an existing ADFS farm.

WAP Core Capabilities

• Reverse Proxy - Publishes internal web applications to external users without requiring VPN access
• Pre-authentication - Integrates with ADFS to authenticate users before they access backend applications
• SSL/TLS Termination - Handles SSL certificates and encryption for secure external access
• Pass-through Authentication - Supports Kerberos constrained delegation for seamless backend authentication
• HTTP to HTTPS Redirection - Automatically redirects insecure traffic to secure connections
• Backend Server Pool Support - Load balances across multiple backend servers for high availability

WAP Common Use Cases

• Publish SharePoint sites for external collaboration and remote access
• Provide secure remote access to Outlook Web Access (OWA) and Exchange services
• Enable external access to internal line-of-business web applications
• Publish custom web applications without exposing internal network infrastructure
• Create secure DMZ for web application access without traditional VPN
• Support remote workers accessing corporate applications with MFA protection

WAP Security Features

• Pre-authentication with ADFS for claims-based access control
• Integration with Azure Multi-factor Authentication for enhanced security
• Support for client certificate authentication
• HTTP header inspection and manipulation for security policies
• Protection against common web attacks by isolating backend servers
• Conditional access based on device compliance and user identity

WAP Published Application Support

• Microsoft SharePoint Server (on-premises and hybrid)
• Microsoft Exchange Server (Outlook Web Access, ActiveSync)
• Remote Desktop Gateway services
• Custom web applications using HTTP/HTTPS protocols
• REST APIs and web services
• Claims-aware and non-claims-aware applications

WAP Authentication Methods

• ADFS Pre-authentication - Users authenticate through ADFS before accessing applications
• Pass-through Authentication - Direct authentication to backend application (no ADFS)
• Client Certificate Authentication - Certificate-based authentication for enhanced security
• OAuth 2.0 Support - Modern authentication for mobile and web applications
• Windows Integrated Authentication - Seamless authentication for domain-joined devices

WAP Management and Configuration

• Web Application Proxy Management Console for GUI-based administration
• PowerShell cmdlets for automation and scripting
• Centralized configuration management across multiple WAP servers
• Real-time monitoring and health status reporting
• Detailed event logging for troubleshooting and auditing
• Integration with Windows Admin Center for modern management experience

WAP Deployment Architecture

• DMZ Placement - Typically deployed in perimeter network for security isolation
• High Availability - Supports multiple WAP servers behind load balancer
• ADFS Integration - Requires functional ADFS infrastructure for pre-authentication
• Certificate Requirements - Requires SSL certificates for published applications
• Firewall Configuration - Requires port 443 (HTTPS) inbound and outbound connectivity to ADFS

WAP Support and Resources

Follow our getting started guide on setting up Web Application Proxy in Azure - Setting up WAP in Azure