top of page
calbacklasrabiho

WAP – Uninstalling a WAP Server from WAP clusters: Best Practices and Tips



The labiis server hosts a non-claims application which receives pre-authentication from labadfs using my AD DS account to log in. Requests pass through labwap and then to labadfs for authorization. The user receives the AD FS authentication page requesting their AD DS credentials which forwards them to the IIS server (labiis).


On the AD FS Proxy Certificate page, select a certificate, from the list of certificates installed on the WAP server, to be used for AD FS proxy functionality. The certificate selected here should be the one that whose subject match the Federation Service name, for example, fs.adatum.dk or *.adatum.dk.




WAP – How to remove a WAP Server from WAP clusters



During the upgrade process it is expected that there will be multiple versions of AD FS and WAP servers operating in a farm at a given time. This is actually a good option as it allows us to easily upgrade from AD FS 2012 R2 to a newer version such as 2016 or 2019. We can do this without having to build a brand new farm from scratch and then cutting over applications to the new farm with its new namespace and new certificate.


There are some caveats to running in a mixed farm, and the ability to edit published applications from an up-level WAP server is one of them. In the case below, the certificate for the published application has expired and we need to update the certificate. From the Internet, Edge shows a generic error message - ERR_CONNECTION_RESET.


Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNELOn the proxy server DisableRenegoOnClient = 0 (or remove entry)On the ADFS server DisableRenegoOnClient = 0 (or remove) and DisableRenegoOnServer = 0 (or remove)


I only have two WAPs so at this point both nodes are still servicing requests but only one node is left in the settings. You can now shutdown the node you removed and bring up a new 2019 server with the same name/IP and bind into the already existing AD Object.


NOTE** If you are locking down firewall rules, before configuration can run verify that Port 80 can be accessed on the primary node from this server. If you receive DNS errors here it could be Port 80, and not actually DNS.


If you still see failing authentications going over your farm, make sure they get migrated to Azure before you remove your ADFS servers. Also have a look into the Application and Services Log/ADFS/Admin. If all is clear, you can start decommissioning your farm.


If you have removed all ADFS Servers from your forest, you are now save to remove the ADSI entries under for the Certificate Sharing Container within ADSI edit: CN=Microsoft,CN=Default naming context, your domain partition, CN=Program Data, CN=Microsoft, CN=ADFS


For longer-lived client-side user data, you program your application to create and set its own cookies on the browser via the HTTP servlet API. The application should not attempt to use the cookies associated with the HTTP session. Your application might use cookies to auto-login a user from a particular machine, in which case you would set a new cookie to last for a long time. Remember that the cookie can only be sent from that particular client machine. Your application should store data on the server if it must be accessed by the user from multiple locations.


For non read-only requests, the Web application container updates the database for the changes to session state after every HTTP request. This is done so that any server in the cluster can handle requests upon failovers and retrieve the latest session state from the database.


Unlike the CGI approach, the HTTP servlet specification defines a solution that allows the server to store user details on the server beyond a single session, and protects your code from the complexities of tracking sessions. Your servlets can use an HttpSession object to track a user's input over the span of a single session and to share session details among multiple servlets. Session data can be persisted using a variety of methods available with WebLogic Service.


An HttpSession object is created if one does not already exist for that client when the request.getSession(true)method is called with the argument true. The session object lives on WebLogic Server for the lifetime of the session, during which the session object accumulates information related to that client. Your servlet adds or removes information from the session object as necessary. A session is associated with a particular client. Each time the client visits your servlet, the same associated HttpSession object is retrieved when the getSession() method is called.


After you obtain a session using the getSession(true) method, you can tell whether the session has just been created by calling the HttpSession.isNew() method. If this method returns true, then the client does not already have a valid session, and at this point it is unaware of the new session. The client does not become aware of the new session until a reply is posted back from the server.


If the server or virtual host is targeted by many Web applications, another means is required to log out a user from all Web applications. Because the servlet specification does not provide an API for logging out a user from all Web applications, the following methods are provided.


With other words, there is a steady HTTPS session for 15 minutes between the EAS device and the Exchange backend which must be supported by all components taking part in the HTTPS session build, usually firewalls, load balancers and (in our case) the WAP servers which proxy the HTTPS session coming from the LBs to the Exchange backend. The long lasting session request is finally terminated by the Exchange server by posting an HTTP 200 message.


Therefore, we should utilize the complete debugging capabilities of ADFS as preferred option. As long as there is a communication between device and WAP/ADFS servers, we fortunately receive a lot of information from the Trace logs of the backend servers.


However, before we open the firewall, an internal test should be executed to validate the SSL hardening. You can run the sslscan tool (you can download from here sslscan) from another computer in the DMZ or the WAP server itself. DNS resolving of the federation or application name must resolve to the external Load Balancer or interface of the WAP server. Example for SSL Server Ciphers before SSL Hardening (left side) and after SSL Hardening (right side):


Another aspect of ADFS technology can be found in providing external access from Internet connections to internal resources. In that case the ADFS server can provide an additional layer of security by offering various pre-authentication methods, while the second part of the ADFS technology, the Web Application Proxy server (WAP) acts as a Reverse Proxy by terminating the incoming SSL connections.


When acting as reverse proxy for client access using IWA (Integrated Windows Authentication) or when serving non claims aware application access based on Kerberos, the WAP servers must be able to perform Kerberos Constrained Delegation. The WAP server presents a Kerberos token on behalf of the accessing client or user, which in consequence requires the WAP server to be a member of an Active Directory domain. Unfortunately the domain membership of the WAP server means to open a lot more ports from the DMZ to the internal network, which is a disadvantage from network security perspective.


After installation, you must run the WAProxy initial setup script located in /opt/waproxy/bin/setup. The setup will ask you the FQDN of the proxy: this should be the name that clients will use to connect to the proxy from the Internet. The setup script will create an HTTPs X.509 certificate based on this information. It will also ask for the IP or hostname of one of the back-end WebADM servers. The WebADM CA certificate file will be fetched from the back-end server and stored in /opt/waproxy/conf/ca.crt. The CA certificate will be used to authenticate users with client certificates for any WebADM application supporting this feature.


If you are deploying the WAP ADFS Quick Start into an existing VPC, ensure that your Active Directory environment includes at least one certificate authority (CA). If you are using AWS Managed Microsoft Active Directory this will require you to have at least one domain-joined server that can be configured as the CA, since AWS Managed Microsoft Active Directory does not act natively as a CA. To promote a domain-joined server to a CA, run the following PowerShell code from an elevated command prompt:


An AD FS federation server farm uses a database to hold configuration data. For farms with five or fewer servers, you can use a Windows Internal Database (WID). The primary AD FS server will have a read/write copy of this database. The secondary AD FS servers in the farm receive updates from the primary server to a read-only copy of the WID. If the primary AD FS server fails, the secondary server can still process authentication requests, but you cannot make configuration changes until either the primary server is brought back online or the secondary server is converted to primary.


To take advantage of header inspection, it is recommended that Application Load Balancers (rather than Network Load Balancers or Classic Load Balancers) be deployed. You should configure the internet-facing load balancer for the WAP layer to accept HTTPS requests on port 443 and to forward requests to the WAP servers. You must assign a certificate obtained from a trusted third-party CA to the listener for the internet-facing load balancer. For listener of the internal load balancer, also configured to accept HTTPS requests on port 443, you can assign an internally-signed certificate.


Initiate a Remote Desktop Protocol (RDP) connection to one of the deployed RD Gateway instances. You can retrieve the Elastic IP address (EIP) of the RD Gateway servers from the Amazon EC2 console. Use RDP to connect to the first Exchange server (exch1). 2ff7e9595c


1 view0 comments

Recent Posts

See All

Comments


bottom of page