Publishing Remote Desktop Services With Web Application Gateway

KB ID 0001143 


Getting this article to completion has been a bit of a journey! This is the final post that will stitch together all the others I’ve posted over the last couple of weeks, that will enable you to publish your RemoteApps with  ‘Remote Desktop Web Access’, and have that service presented securely from your DMZ. I’ll be using Active Directory Federation Services, (you don’t have to, but it’s more secure than simply using ‘pass-though’ security).



Topology: Simply getting your ‘ducks in a row’ will take a lot longer than actually deploying the service. Here is the topology that I’m going to deploy;

Deploy Remote Desktop With Web Application Proxy

Firewall Rules: You will see I’ve labelled all the Certificate/CRL rules as optional, this is because you would only need them if you were using self signed certificates. In this example that’s what I am doing, this means that all my remote clients need the root certificate installing on them, so for production I suggest you purchase a publicly signed wildcard certificate for simplicity.

Firewall Ports for Publishing RDS with WAP

DNS Requirements: For your internal domain and the DMZ it’s simple enough but your external clients will need to be able to resolve your public URL (and the URL of your CRL is used).

DNS Settings RDWeb with Web Application Proxt

Certificate Services (Optional): If you want to deploy self signed wildcard certificates you will  need a PKI environment and a published CRL. See the following article;

Windows Certificate Services – Setting up a CRL

Once setup you will need to generate a self signed wildcard certificate. See the following article;

Certificate Services – Create a ‘Wildcard Certificate’

Active Directory Directory Services: You need to have your ADFS farm deployed and ready to add your relying trust to. See the following article;

Deploy Active Directory Federation Services

Web Application Proxy: The Role needs installing ready to have the publishing rule added for Remote Desktop Web Access. See the following article;

Deploying Windows ‘Web Application Proxy’

MAKE SURE: You have ran Windows updates on the WAP server, there are a number of bugs that have been fixed, ensure you have at least KB2975719, and in addition you need to have KB2983037 Hotfix installed.

Step 1: Add A Relying Trust To Active Directory Federation Services For Web Application Proxy

On your ADFS Server > Administrative Tools > AD FS Management > AD FS > Trust Relationships > Relying Party Trusts > Add Relying Party Trust.

Relying Trust Web Application Gateway


Configure Relying Trust

Enter data about relying party trust manually > Next.

Manual Relying Trust

Give the trust a name > Next.

Name ADFS Relying Trust

AD FS Profile  > Next.

ADFS Profile


Token Encryption Certificate



As an identifier, add in the UEL to access Remote Desktop Web Access > Next.

Relying Trust Identifier

I do not want to configure multi-factor authentication settings for this relying  party trust at this time > Next.

ADFS Multi-factor authentication

Permit all users to use this relying party > Next.

User Permissions ADFS


Create ADFS Trust

Untick “Open Edit Claim Rules dialog  for this relying party trust when the wizard closes’ > Close.

Claims Rules Dialog

You should see your relying part trust listed, take note of its name.

Find Relying Part Trust Name

Step 2: Configure Web Application Proxy To Publish Remote Desktop Web Access

On the WAP Server > Administrative Tools > Remote Access Management > Select the Server > Publish.

Publish WAP Application


Publish New Application Wizard

Select ‘Active Directory Federation Services (AD FS) > Next.

Note: As mentioned above, you can choose ‘pass-through’, then author authentication is done on the internal RD Web Access server (which is less secure).


Select the relying trust you created above > Next. (If it’s not there check https is open, and you can resolve the AD FS service name) > Next.

Application Proxy Relying Trust

Give the publishing rule a name, and enter the URL the service will be published on, (this is usually the same inside and outside but does not have to be) >  Select your wildcard certificate > Next.

Web Application Proxy Certificate


Publish WAP Application URL


Publish Remote Desktop with web application gateway

In PowerShell execute the following command;

Get-WebApplicationProxyApplication -Name “SmoggyNinja Remote Desktop Web Access” | Set-WebApplicationProxyApplication -DisableHttp

WAP disable http

Then the following command;

Get-WebApplicationProxyApplication -Name “SmoggyNinja Remote Desktop Web Access” | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true

Note: You only actually need this command if you’re  using different URLs but let’s stick with a script that works.

Web Application Gateway PowerShell

Step 3: Additional Works.

On the Remote Desktop Session Host Server run the following commands;

Import-Module Remote Desktop

Set-RDSessionCollectionConfiguration -CollectionName SN-RDS-COLLECTION -CustomRdpProperty “pre-authentication server address:s:`nrequire pre-authentication:i:1″

RD Host add RDWeb Authentication

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Hiya, great article thanks. What about WAP not supporting UDP though? I read that 2012 R2 RDS needs UDP and without it, there is a significant performance hit.

    Post a Reply
    • It’s still not supported in 2016 either, and no word from M$ on the subject 🙁


      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *