Features: IIS Application Request Routing (ARR) vs Web Application Proxy (WAP), with pre-authentication, prerequisites, dependencies and load balancing compared for Exchange Client Access publishing.



4 Feature comparison

  Feature             | IIS Application Request Routing (ARR) | Web Application Proxy (WAP)
  Pre-Authentication  | No                                    | Yes (through AD FS)
  Prerequisites       | IIS 8.0, IIS 7.0, IIS 6.0             | Windows 2012 R2
  Dependency          | None                                  | AD FS has to be set up
  Load Balancing      | Inbuilt functionality                 | Requires a load balancer


8 ARR building blocks
  URL Rewrite Module: URL filtering (allow/deny URL)
  Web Farm Framework Module: load balancing, health check
  Client traffic handled: OWA, Outlook, ActiveSync, ECP


14 URLs published in the lab (namespace mail.sir8.at):
  https://mail.sir8.at/OWA
  https://mail.sir8.at/ECP
  https://mail.sir8.at/OAB
  https://mail.sir8.at/EWS/Exchange.asmx
  https://mail.sir8.at/*

15–17 URL Rewrite rules, one per published namespace:
  https://mail.contoso.com/*
  https://autodiscover.contoso.com/*

18 Health check, PASS (server healthy): the probes https://mail.contoso.com/OWA/HealthCheck.htm, https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx all answer.

19 Health check, FAIL (server unhealthy): one of the same probes (https://mail.contoso.com/OWA/HealthCheck.htm, https://mail.contoso.com/OAB, https://mail.contoso.com/EWS/Exchange.asmx) fails and the server is taken out of rotation.


21 [Diagram, Option 2: one namespace per protocol]
  Namespaces (URL Rewrite -> Server Farm): mail.contoso.com -> OWA Web Farm, ecp.contoso.com -> ECP Web Farm, ews.contoso.com -> EWS Web Farm, eas.contoso.com -> EAS Web Farm, oab.contoso.com -> OAB Web Farm, oa.contoso.com -> OA Web Farm, autodiscover.contoso.com -> AutoDiscover Web Farm
  Autodiscover endpoint: https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
  Per-protocol health checks:
    https://mail.contoso.com/OWA/HealthCheck.htm
    https://ecp.contoso.com/ECP/HealthCheck.htm
    https://ews.contoso.com/EWS/HealthCheck.htm
    https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
    https://oab.contoso.com/OAB/HealthCheck.htm
    https://oa.contoso.com/RPC/HealthCheck.htm
    https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
  Exchange virtual directories on the CAS: mail.contoso.com, ECP.contoso.com, EWS.contoso.com, EAS.contoso.com, OAB.contoso.com, OA.contoso.com, AutoDiscover.contoso.com

22–24 Solution options (tailspintoys.com namespace)

  Columns: Solution | High availability of traffic destined for multiple CAS servers | Load balancing of traffic destined for multiple CAS servers | Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover] | Certificate & DNS

  Option 1
    High availability: no per-protocol health check (server availability)
    Load balancing: Yes*
    Virtual directories: share a common namespace, mail.tailspintoys.com
    Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

  Option 2
    High availability: per-protocol health check (service availability)
    Load balancing: Yes
    Virtual directories: a namespace for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.)
    Certificate & DNS: a certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one wildcard certificate (*.tailspintoys.com); multiple additional DNS entries

  Option 3
    High availability: per-protocol health check (service availability)
    Load balancing: Yes
    Virtual directories: share a common namespace, mail.tailspintoys.com
    Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

25–26 [Diagram, Option 3: a single namespace with path-based routing]
  Namespaces: mail.contoso.com and autodiscover.contoso.com only
  URL Rewrite rules (path -> server farm): /OWA* -> OWA Web Farm, /ECP* -> ECP Web Farm, /EWS* -> EWS Web Farm, /EAS* -> EAS Web Farm, /OAB* -> OAB Web Farm, /RPC* -> OA Web Farm, /AutoDiscover* -> AutoDiscover Web Farm
  Per-protocol health checks on the shared host name:
    https://mail.contoso.com/OWA/HealthCheck.htm
    https://mail.contoso.com/ECP/HealthCheck.htm
    https://mail.contoso.com/EWS/HealthCheck.htm
    https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
    https://mail.contoso.com/OAB/HealthCheck.htm
    https://mail.contoso.com/RPC/HealthCheck.htm
    https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
  Exchange virtual directories on the CAS: mail.contoso.com, AutoDiscover.contoso.com
  Example client URLs: https://mail.contoso.com/OWA, https://mail.contoso.com/EWS/Exchange.asmx
  Caveat: the ActiveSync virtual directory is /Microsoft-Server-ActiveSync (as the health-check URL shows), so the routing rule for that farm has to match that path; a rule on /EAS* would never see ActiveSync traffic.
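The configuration behind the option 3 design (slides 8, 18–19 and 25–26), as an added example that is not part of the deck: an ARR applicationHost.config fragment with one web farm per protocol, a service-level health check on each farm's HealthCheck.htm, path-based rewrite rules on the shared mail.contoso.com namespace, and a final deny rule so that anything not explicitly published is refused rather than relayed to a CAS. The server names cas01/cas02.contoso.com, the farm names OWA_Farm and EWS_Farm and the probe timings are assumptions; the remaining protocols (ECP, ActiveSync, OAB, RPC, Autodiscover) are configured with the same pattern, each with its own farm, path and HealthCheck.htm.

```xml
<!-- applicationHost.config on the ARR host. Added example, not taken from the deck.
     Assumed: CAS servers cas01/cas02.contoso.com; farms OWA_Farm and EWS_Farm. -->
<configuration>
  <webFarms>
    <webFarm name="OWA_Farm" enabled="true">
      <server address="cas01.contoso.com" enabled="true" />
      <server address="cas02.contoso.com" enabled="true" />
      <applicationRequestRouting>
        <loadBalancing algorithm="WeightedRoundRobin" />
        <!-- Service-level probe: ARR requests this URL from every server (host part replaced
             by the server address) and drops a server from rotation while the body does not
             contain "200 OK", which is what Exchange returns from HealthCheck.htm. -->
        <healthCheck url="https://mail.contoso.com/OWA/HealthCheck.htm"
                     interval="00:00:30" timeout="00:00:05" responseMatch="200 OK" />
      </applicationRequestRouting>
    </webFarm>
    <webFarm name="EWS_Farm" enabled="true">
      <server address="cas01.contoso.com" enabled="true" />
      <server address="cas02.contoso.com" enabled="true" />
      <applicationRequestRouting>
        <loadBalancing algorithm="WeightedRoundRobin" />
        <!-- Separate farm and probe: an EWS app-pool failure only removes the server from
             EWS routing, OWA on the same server keeps serving (service vs server availability). -->
        <healthCheck url="https://mail.contoso.com/EWS/HealthCheck.htm"
                     interval="00:00:30" timeout="00:00:05" responseMatch="200 OK" />
      </applicationRequestRouting>
    </webFarm>
  </webFarms>
  <system.webServer>
    <!-- Reverse proxy on; keep the client's Host header so the CAS sees mail.contoso.com. -->
    <proxy enabled="true" preserveHostHeader="true" />
    <rewrite>
      <globalRules>
        <!-- Allow rules: only the published path on the published host, over TLS, is proxied. -->
        <rule name="ARR_OWA" patternSyntax="Wildcard" stopProcessing="true">
          <match url="owa*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="mail.contoso.com" />
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" url="https://OWA_Farm/{R:0}" />
        </rule>
        <rule name="ARR_EWS" patternSyntax="Wildcard" stopProcessing="true">
          <match url="ews*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="mail.contoso.com" />
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" url="https://EWS_Farm/{R:0}" />
        </rule>
        <!-- Deny rule ("Allow/Deny URL" on slide 8): unknown paths, unknown host headers and
             plain HTTP all end here instead of reaching a CAS. -->
        <rule name="ARR_Deny_Unpublished" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Path not published" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rule order matters: URL Rewrite evaluates global rules top to bottom and the allow rules stop processing, so the deny rule only sees what nothing above claimed. Matching is case-insensitive by default, which is why `owa*` also covers `/OWA/...`.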


30–34 [Diagrams: OWA, Outlook, ActiveSync and ECP clients; External User and Internal User access paths]


38 [Diagram: Web Application Proxy topology]
  Internet: Client (browser, Office client or modern app)
  -> Firewall -> Load Balancer -> DMZ: Web Application Proxy (AD FS Proxy) -> Firewall ->
  Corporate Network: Backend Server, AD FS with Config. Store, Active Directory Domain Controller
  Flows:
    Client -> WAP: HTTP/S
    WAP -> Backend Server: HTTP, with claims, IWA or pass-through AuthN
    WAP -> AD FS: AuthN; Config. API over HTTPS
    AD FS -> Client (via WAP): AuthN Web UI
    WAP -> Domain Controller: obtain KCD ticket for IWA AuthN


41–52 Pre-authenticated OWA logon through WAP, as seen in a browser trace (client, WAP publishing https://mail.fabrikam.com/owa, AD FS at https://sts.fabrikam.com):
  1. Client: GET https://mail.fabrikam.com/owa. WAP finds no EdgeAccessCookie and answers 307, redirecting to https://sts.fabrikam.com.
  2. Client: GET https://sts.fabrikam.com; AD FS (through the proxy) returns the logon page.
  3. Client: POST credentials to https://sts.fabrikam.com.
  4. AD FS: 302 Found, setting the MSISAuth session cookie.
  5. Client: GET https://sts.fabrikam.com with MSISAuth; AD FS answers 307, redirecting back to https://mail.fabrikam.com/owa with the AuthToken.
  6. Client: GET https://mail.fabrikam.com/owa with the AuthToken. WAP validates the token, answers 301 Moved Permanently and sets the EdgeAccessCookie session cookie. WAP then obtains a Kerberos constrained delegation (KCD) ticket for the user's principal name; the trace shows the ticket issued for the backend SPN.
  7. Client: GET https://mail.fabrikam.com/owa with EdgeAccessCookie; WAP forwards the request to the backend, holding the ticket issued for the SPN.
  8. Backend: 401 Unauthorized, the Integrated Windows Authentication challenge, which WAP answers with the delegated Kerberos ticket; only now does the actual OWA logon happen.
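The configuration that produces the flow above (slides 38–52), as an added example that is not part of the deck: constrained delegation for the WAP computer account, a non-claims-aware relying party in AD FS, Integrated Windows Authentication on the OWA virtual directory, and the publication on the proxy. The names WAP01, EXCH01, sts.fabrikam.com, the relying party name "OWA" and the certificate subject are assumptions.

```powershell
# Added example, not from the deck. Assumed names: WAP host WAP01, CAS EXCH01,
# AD FS at sts.fabrikam.com, published URL https://mail.fabrikam.com/owa/, relying party "OWA".

# --- Active Directory (AD module, domain admin) ------------------------------------------
# WAP only holds the AD FS token, never the user's password, so it needs protocol
# transition (TrustedToAuthForDelegation) plus constrained delegation to the Exchange HTTP SPN.
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/mail.fabrikam.com' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true
# The SPN must be registered on the account the CAS authenticates with (the CAS computer
# account, or the Alternate Service Account when several CAS sit behind a load balancer);
# otherwise no ticket for the SPN is issued and step 6 of the trace fails.
Get-ADComputer -Identity 'EXCH01' -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName |
    Where-Object { $_ -like 'HTTP/mail.fabrikam.com*' }

# --- AD FS server --------------------------------------------------------------------------
# OWA is not claims-aware, so WAP front-ends it as a non-claims-aware relying party.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'OWA' -Identifier 'https://mail.fabrikam.com/owa/' `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- Exchange (Exchange Management Shell) -------------------------------------------------
# The 401 in the trace is the backend's IWA challenge; OWA and ECP must offer IWA
# (and must use the same settings as each other) so WAP can answer with the KCD ticket.
# Note this also changes the logon experience for internal users of the same virtual directory.
Set-OwaVirtualDirectory -Identity 'EXCH01\owa (Default Web Site)' -WindowsAuthentication $true -FormsAuthentication $false
Set-EcpVirtualDirectory -Identity 'EXCH01\ecp (Default Web Site)' -WindowsAuthentication $true -FormsAuthentication $false

# --- WAP host -----------------------------------------------------------------------------
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=mail.fabrikam.com*' } | Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'OWA' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://mail.fabrikam.com/owa/' `
    -BackendServerUrl 'https://mail.fabrikam.com/owa/' `
    -ADFSRelyingPartyName 'OWA' `
    -BackendServerAuthenticationSPN 'HTTP/mail.fabrikam.com' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Verify the publication, and after a test logon list the delegated ticket the trace refers
# to ("ticket issued for SPN"). 0x3e4 is the NETWORK SERVICE logon session, assumed here to
# be the identity the WAP service runs under; adjust the LUID if it runs as something else.
Get-WebApplicationProxyApplication -Name 'OWA' |
    Format-List Name, ExternalUrl, BackendServerUrl, BackendServerAuthenticationSPN
klist -li 0x3e4
```

The security-relevant split is the delegation: WAP is only trusted to obtain tickets for HTTP/mail.fabrikam.com, so a compromised proxy cannot use protocol transition to reach other services, which is the reason to prefer constrained delegation with an explicit SPN list over unconstrained delegation.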


67 [Diagram: https://sts.fabrikam.com, https://mail.fabrikam.com/owa and https://sts.contoso.com]


70 … and after a while of not using it, it stops working. WAP uses a short-lived certificate (15 days) to authenticate to AD FS. If you don't use your WAP lab for 15 days, WAP is essentially stranded, because AD FS rejects the expired certificate. You can either re-install WAP (the configuration remains, as it is stored in AD FS) or rerun the configuration wizard via the Remote Access UI (preferred). To let the Remote Access UI run the wizard again, change HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning "not configured") instead of 2 ("configured") and reopen the UI. No reboot is required.
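The same recovery from PowerShell, as an added example that is not part of the deck: confirm the expired proxy-trust certificate, apply the registry switch the slide describes, then re-establish the trust with Install-WebApplicationProxy instead of clicking through the wizard. The federation service name sts.fabrikam.com and the proxy-trust certificate subject prefix "CN=ADFS ProxyTrust -" are assumptions.

```powershell
# Added example, not from the deck. Assumed: federation service sts.fabrikam.com and a
# proxy-trust certificate in the machine store whose subject starts with "CN=ADFS ProxyTrust -".

# 1. Confirm the symptom: the proxy-trust certificate has passed its NotAfter date.
$trust = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust -*' }
$trust | Select-Object Subject, NotAfter, @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }

# 2. The registry switch from the slide: 2 = configured, 1 = not configured. Setting it to 1
#    makes the Remote Access UI offer the configuration wizard again; no reboot is needed.
$key = 'HKLM:\SOFTWARE\Microsoft\ADFS'
Get-ItemProperty -Path $key -Name ProxyConfigurationStatus
Set-ItemProperty -Path $key -Name ProxyConfigurationStatus -Value 1 -Type DWord

# 3. Re-establish the trust from PowerShell, the equivalent of rerunning the wizard.
#    The published applications survive because they live in the AD FS configuration store,
#    not on the proxy; the credential is used once to enrol a fresh proxy-trust certificate.
$cred = Get-Credential -Message 'AD FS administrator'
$sts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sts.fabrikam.com*' } | Select-Object -First 1
Install-WebApplicationProxy -FederationServiceName 'sts.fabrikam.com' `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $sts.Thumbprint

# 4. Verify: the proxy can read its configuration from AD FS again and the applications are intact.
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, ExternalPreauthentication
```

In production the proxy renews this certificate on its own while it is talking to AD FS; the stranding only happens when the proxy is offline or unable to reach AD FS for longer than the certificate's lifetime, so an alert on the certificate's NotAfter is a cheap early warning.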
