Transcript

Architecture diagram (slide): a client (browser, Office client or modern app) on the Internet reaches the DMZ over HTTP/S through a firewall and load balancer. The Web Application Proxy (WAP) in the DMZ acts as the AD FS proxy in front of AD FS and publishes backend servers on the corporate network. WAP pulls its settings from the AD FS configuration store over the Config API (HTTPS); AD FS performs authentication (AuthN) against the Active Directory domain controller. Published backends are reached with claims, KCD (WAP obtains a KCD ticket for IWA AuthN to the backend), OAuth, MSOFBA, or pass-through. Alongside WAP the diagram lists the other remote access paths: Desktop Virtualization, Conditional access, and DirectAccess & automatic VPN.
Web Application Proxy capabilities listed on the slide:
 Network Isolation
 Basic DoS (denial-of-service) protection
 Rich Policy
 MFA Options
 Multiple Authentication Methods
 URL Translation
 SSO
 Selective Publishing
 AD FS Proxy services
 Web Protocols Only (HTTP/S)

security token of AD FS
Web Application Proxy is a new Windows Server 2012 R2 role service under the Remote Access (RRAS) server role, integrated into Windows Server Manager and the RRAS admin experience (PowerShell + UI).

AD FS provides rich authentication and authorization capabilities, including multi-factor authentication and federation.

Published applications: users can register their devices to gain access to corporate data and apps, and get single sign-on through device authentication.

Conditional access with multi-factor preauthentication is provided on a per-application basis, leveraging user identity, device registration and network location.

Publish any standard Web/HTTP server. Single sign-on using Kerberos (KCD), claims, Office (MSOFBA) or OAuth.
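As an added example (this is not code from the session or from Microsoft's documentation), the per-application conditional access described above can be expressed on AD FS 2012 R2 in claim-rule language and attached to the relying party trust of the published application. The relying party name "LOB", the decision to key on network location and device registration, and the MFA provider are assumptions.

```powershell
# Added example, not from the original session. Assumes a relying party trust named "LOB"
# (the application published through WAP) and that Device Registration (DRS) is enabled,
# so the isregistereduser claim is available at sign-in.
Import-Module ADFS

$rpName = "LOB"   # assumed relying-party trust name

# WAP marks proxied requests with the X-MS-Proxy header; AD FS turns that into the
# insidecorporatenetwork claim (false = the request came in through WAP from outside).
$insideCorpNet = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$isRegistered  = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
$permit        = "http://schemas.microsoft.com/authorization/claims/permit"
$authnMethod   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$mfa           = "http://schemas.microsoft.com/claims/multipleauthn"

# Additional authentication rule: require MFA for external requests from devices that
# are not registered. Inside the network, or from a registered device, no MFA prompt.
$mfaRules = @"
c1:[Type == "$insideCorpNet", Value == "false"]
 && NOT EXISTS([Type == "$isRegistered", Value == "true"])
 => issue(Type = "$authnMethod", Value = "$mfa");
"@

# Issuance authorization rules (evaluated after the additional authentication step):
#  - inside the corporate network: permit
#  - outside, from a registered device: permit
#  - outside, from an unregistered device: permit only if MFA was actually performed
$authzRules = @"
c:[Type == "$insideCorpNet", Value == "true"]
 => issue(Type = "$permit", Value = "true");
c1:[Type == "$insideCorpNet", Value == "false"]
 && c2:[Type == "$isRegistered", Value == "true"]
 => issue(Type = "$permit", Value = "true");
c1:[Type == "$insideCorpNet", Value == "false"]
 && c2:[Type == "$authnMethod", Value == "$mfa"]
 => issue(Type = "$permit", Value = "true");
"@

# The MFA rule only has an effect if at least one additional authentication provider is
# enabled farm-wide; certificate authentication is the built-in one (assumed here).
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @("CertificateAuthentication")

# Attach both rule sets to this application only (global rules would apply to every RP).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AdditionalAuthenticationRules $mfaRules `
    -IssuanceAuthorizationRules $authzRules

# Check what is now in effect for the application.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

The network-location condition is only as trustworthy as the path into AD FS: the claim is set from a header that WAP adds, so a request that reaches the federation servers without going through WAP is treated as internal. Publishing AD FS to the Internet exclusively through WAP is what makes the insidecorporatenetwork claim meaningful.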
Sequence diagrams (slides, built up over several animation steps) with four parties: the client, WAP, the published LOB backend, and the STS at https://sts.fabrikam.com. Recoverable flows:

 AD FS preauthentication: the client requests https://lob.fabrikam.com on WAP. WAP answers 302 to https://sts.fabrikam.com, carrying the identity of the application that needs preauthentication. The client authenticates at the STS and is sent back to WAP with the token in the query string; once the token is validated, WAP forwards the request to http://lob.
 Edge Policies versus Application Policies: WAP enforces edge policies (preauthentication, conditional access) in the DMZ; the application keeps enforcing its own policies on the backend.
 KCD single sign-on: the backend answers 401 to the proxied request; WAP obtains a KCD ticket for the user and resends the request with AP_REQ(tckt), so the backend sees normal Integrated Windows Authentication.
 Device registration: the client registers with DRS at https://enterpriseenrollment.fabrikam.com through WAP, which enables device authentication in the preauthentication flow.
 Azure Active Directory is shown as an alternative STS in the same publishing pattern.
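As an added example (not code from the session), this is the WAP-side configuration that produces the exchanges in the diagrams above: publishing http://lob as https://lob.fabrikam.com with AD FS preauthentication and KCD single sign-on, next to a pass-through publication for contrast. The server names WAP01 and lob, the relying party name "LOB", the SPN, and the certificate thumbprint are assumptions.

```powershell
# Added example, not from the original session. Assumptions: WAP01 is a WAP server already
# installed against the sts.fabrikam.com farm; a relying party trust "LOB" exists on AD FS;
# the LOB site on host "lob" uses Integrated Windows Authentication (Negotiate) and the SPN
# HTTP/lob is registered on the account the site runs as; the thumbprint is a placeholder
# for a certificate that covers lob.fabrikam.com and lob2.fabrikam.com.
$extCertThumb = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumed

# --- KCD prerequisite (domain-joined admin box with the AD module) ---
Import-Module ActiveDirectory
# Let the WAP computer account obtain service tickets to HTTP/lob on behalf of users
# (constrained delegation with protocol transition: S4U2Self, then S4U2Proxy).
Set-ADComputer -Identity "WAP01" -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/lob' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# --- Publishing (run on the WAP server) ---
Import-Module WebApplicationProxy

# AD FS preauthentication plus KCD: unauthenticated clients get the 302 to the STS,
# return with a token in the query string, and the backend's 401 is answered by WAP
# with AP_REQ(tckt) for the user. The external and backend paths must match ("/").
Add-WebApplicationProxyApplication -Name "LOB" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "LOB" `
    -ExternalUrl "https://lob.fabrikam.com/" `
    -BackendServerUrl "http://lob/" `
    -ExternalCertificateThumbprint $extCertThumb `
    -BackendServerAuthenticationSPN "HTTP/lob"

# Pass-through for contrast: WAP does no preauthentication, so every request, authenticated
# or not, reaches the backend, which must do all authentication and authorization itself.
Add-WebApplicationProxyApplication -Name "LOB2-passthrough" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://lob2.fabrikam.com/" `
    -BackendServerUrl "http://lob2/" `
    -ExternalCertificateThumbprint $extCertThumb

# Check what WAP will actually do for each published application.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, BackendServerAuthenticationSPN -AutoSize
```

The delegation settings are the sensitive part of this configuration: the WAP computer account can now impersonate any user to HTTP/lob, so the msDS-AllowedToDelegateTo list should contain only the SPNs of services WAP genuinely publishes, and the DMZ host that holds that privilege should be treated as a high-value target.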
Azure AD Application Proxy (AAD-AP): connectors run on the corporate network, the AAD-AP cloud service (labelled "WAP service" on the slides) runs in Azure Active Directory, and no inbound connection is opened to the DMZ or corporate network.

 Once started, the connectors open HTTP requests to the cloud service. The requests remain waiting until a user request arrives or they time out.
 The user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.cwap.net/
 The cloud service selects one of the pending connector requests and sends the user request as its payload.
 The connector sends the user request to the backend application and, once there is a response, sends it back to the cloud service as a new request.
 The cloud service returns the response to the client request.

With preauthentication:

 The user sends a new, unauthenticated request to an application that is configured to require preauthentication.
 The cloud service redirects the user to the Azure AD STS address with information on the application that needs preauthentication. Nothing is sent to the backend.
 The user authenticates to the Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the cloud service with a token.
 The user request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn