What is Web Application Proxy (WAP) and How It Works and Used For

The key user experience with Web Application Proxy (WAP) is an end user’s ability to access their organization’s apps from their own devices, allowing them to work without being restricted to company computers.

Hence, they do not need to install any additional software on their device to access published applications. They can use a smartphone, tablet, or personal laptop to do their work. 

So let’s start this blog article: What is Web Application Proxy (WAP) and How It Works and Used For (Explained).

What is Web Application Proxy?

The Web Application Proxy is a role service in Windows Server Remote Access. It provides reverse proxy functionality that allows users to access corporate resources outside the corporate network on any device.

It allows organizations to grant end users conditional access to applications operating inside the organization. It enforces multi-factor authentication and applies access policies to verify the user’s identity and device before access is granted.

Web Application Proxy: How It Works

Web Application Proxy uses ADFS (Active Directory Federation Services) to pre-authenticate access to web applications. This process is similar to the way IT admins use Azure ADFS to authenticate access to Azure, Office 365, and other cloud applications.

The process of making the application available to external users is known as publishing. When you publish applications through a Web Application Proxy, users can gain access only to applications that you publish. All this is achieved through ADFS, which provides authentication and enforces authorization for published applications.

Authentication of Users and Devices

Pre-authentication is when users and devices are authenticated before they have access to the applications published through a Web Application Proxy. There are two types of pre-authentication that Web Application Proxy supports:

1. Pre-authentication by ADFS

Active Directory Federation Services (ADFS) is a feature of the Windows Server operating system (OS) that extends end users’ single sign-on (SSO) access to applications and systems outside the corporate firewall.

When pre-authenticating with ADFS, the user must first log in to the ADFS server before Web Application Proxy will forward them to the published web application. All traffic to your published web applications is authorized this way.

2. Pass-through Authentication

Users do not need to submit their credentials to access the corporate network when an application is configured with pass-through authentication. Still, they may need to do so to view the application’s content.
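
The two pre-authentication modes described above, as they would be configured with the WebApplicationProxy PowerShell module on a WAP server, followed by an audit of which published applications skip ADFS pre-authentication. This is an added example, not part of the original article; the application names, URLs, relying party name and certificate thumbprint are placeholders, and the relying party trust is assumed to already exist in ADFS.

```powershell
# Added example. App names, URLs, relying party name and thumbprint are
# placeholders (assumptions), not values from the article.
Import-Module WebApplicationProxy

$thumbprint = '<EXTERNAL-CERT-THUMBPRINT>'   # placeholder: certificate for the external URL

# 1. Pre-authentication by ADFS: the user is redirected to ADFS and must
#    authenticate before WAP forwards anything to the backend server.
#    Assumes a relying party trust with this name already exists in ADFS.
Add-WebApplicationProxyApplication `
    -Name 'Intranet Portal' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet Portal RP' `
    -ExternalUrl 'https://portal.corp.example/' `
    -BackendServerUrl 'https://portal.corp.example/' `
    -ExternalCertificateThumbprint $thumbprint

# 2. Pass-through: WAP forwards requests without authenticating the user,
#    so the backend application is the only component checking credentials.
Add-WebApplicationProxyApplication `
    -Name 'Legacy Timesheet' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://timesheet.corp.example/' `
    -BackendServerUrl 'https://timesheet.corp.example/' `
    -ExternalCertificateThumbprint $thumbprint

# Audit helper: list every published application that is reachable from
# the internet without pre-authentication, so it can be reviewed.
function Get-PassThroughPublishedApp {
    Get-WebApplicationProxyApplication |
        Where-Object { "$($_.ExternalPreauthentication)" -eq 'PassThrough' } |
        Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
        Sort-Object Name
}

$exposed = @(Get-PassThroughPublishedApp)
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) published application(s) use pass-through authentication:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Output 'No published application uses pass-through authentication.'
}
```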

Accessing Applications

Web Application Proxy supports single sign-on (SSO). With ADFS, users log in only once and reuse their login information across numerous service providers without being required to enter their credentials again.

In addition, by using ADFS the service ensures that only users with authenticated and authorized devices can access corporate applications.

Publishing Applications

When you publish an application, you make it available for use externally. Users can then access their organization’s applications from their own devices, so they are not limited to corporate laptops to do their work. Moreover, end users are not required to install additional software on their devices to access published applications.

Web Application Proxy functions as a reverse proxy for any application that is published through it. The end-user experience is identical to that of a direct connection between the end user’s device and the application.

Furthermore, Web Application Proxy selects the appropriate request processing method based on the platform used to access the application. End users, however, should use one of the following platforms to connect instantly to applications published through WAP and to engage ADFS authentication:

  1. Platforms that use HTTP basic, e.g. EAS (Exchange ActiveSync). 
  2. REST API or web API and Windows Store applications that use the Web Authentication Broker for authentication. 
  3. Microsoft Office Forms Based Authentication (MS-OFBA), e.g. Excel, Word or PowerPoint.

Web Application Proxy: What is It Used For?

Providing Reverse Web Proxy

A reverse proxy forwards user or web browser requests to web servers while protecting the web server’s identity. To improve efficiency, security, and reliability, it also intelligently routes requests on behalf of web servers.

The reverse proxy server serves as a middleman, engaging with users so that they never communicate directly with the origin servers. It also regulates user requests based on location and demand, and it provides extra security.

Federation Service Proxy

Furthermore, WAP functions as a Federation Service Proxy, a role service of ADFS (Active Directory Federation Services). A federation proxy server resides in the DMZ (demilitarized zone), a part of your network separated from the rest of your network. It is used to authenticate and issue claims to remote and mobile users. Depending on the rules for authentication, it might or might not be a member of your user domain.

When signing in using Integrated Windows authentication, it is simple to distinguish between users connecting from the Internet and those connecting from your corporate network. To keep other clients from immediately connecting to your ADFS servers, you can use your network’s WAP server to isolate your ADFS servers efficiently. 

Benefits of Web Application Proxy

External Threat Protection for Applications

Web Application Proxy offers several security features to safeguard your corporate network from outside threats. It acts as a firewall between your corporate applications and the Internet.

When you deploy a Web Application Proxy and publish apps through it, external users will be able to use the applications on devices that are not linked to your domain. Because these devices are not domain-joined, they are classified as unmanaged and unauthorized within the corporate network. 

In addition, organizations must consider the security risk of allowing users access to corporate resources from these unmanaged and untrusted devices. As a result, Web Application Proxy leverages ADFS for authentication and authorization to ensure that only users on approved devices may access corporate applications.

Ability To Authenticate

Authenticating with ADFS brings several benefits from its features, such as:

Single Sign-On (SSO): It enables users to enter their login information just once and be authenticated to all supported published applications.

Access Control: Access control in ADFS is implemented with authorization claim rules that issue permit or deny claims to decide whether users will be granted access to ADFS-secured resources.

Multi-factor Authentication: ADFS can be set up to require users to log in using several authentication methods, e.g. a unique password or credential.

Technical Overview

If you decide to utilize Web Application Proxy in your organization, you should place your WAP servers behind a frontend firewall to isolate them from the internet and a backend firewall to separate them from the corporate network. Alternatively, you can place the servers between two firewalls. 

Lastly, Web Application Proxy is an extra layer of defence against fraudulent Internet users. The diagram below depicts a typical arrangement for operating a Web Application Proxy between two firewalls in a network segment.

Thank you for reading What is Web Application Proxy (WAP) and How It Works and Used For (Explained). Time to summarize. 

What is Web Application Proxy (WAP) and How It Works and Used For Conclusion

To conclude, Web Application Proxy offers application publishing capabilities and communicates with other servers and services to facilitate a more integrated service. In addition, it makes it easier for you to focus on customizing only the essential components of your deployment.

More importantly, when you decide to use Web Application Proxy in your organization, it is recommended that you deploy your Web Application Proxy servers behind a frontend firewall, in order to separate them from the internet, or between two firewalls for safe operation.

Thank you for your time.

Kamso Oguejiofor

Kamso is a mechanical engineer and writer with a strong interest in anything related to technology. He has over 2 years of experience writing on topics like cyber security, network security, and information security. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.
