During the migration to ADFS 2016/2019, the Web Application Proxy (WAP) must also be upgraded so that all components run the same version.
In an Office 365 environment, the WAP component is used to perform SSO outside the LAN.
Although the following procedure uses Windows Server 2016, the WAP upgrade procedure is the same for Windows Server 2019.
Install WAP on the new server
The first step of the procedure is to install the Web Application Proxy (WAP) service on the new Windows Server 2016. From Server Manager, click Manage at the top right of the screen and select Add Roles and Features.
Click Next to start the wizard.
Select Role-based or feature-based installation, then click Next.
Select the server to install and click Next.
Select Remote Access role and click Next.
No additional features are required here. Click Next.
Click Next.
Select Web Application Proxy role and click Add Features to include required features.
Make sure Web Application Proxy is selected then click Next.
Select Restart the destination server automatically if required and click Yes to confirm.
Click Install to proceed with WAP installation.
The selected role is being installed.
When the installation completes, click Close to exit the wizard.
Click the exclamation mark in the menu and click on the Open the Web Application Proxy Wizard link.
Click Next to continue.
Specify the Federation service name to use and the credentials of the local admin account on the federation servers.
Select from the drop-down menu the SSL certificate to be used by the ADFS Proxy.
Once the correct SSL certificate has been selected, click Next.
Click Configure to proceed with WAP configuration.
The AD FS proxy is being configured.
When the WAP role has been configured successfully, click Close to exit the wizard.
Check servers connection
From the new Windows Server 2016, run the following cmdlet to check which servers are currently connected to the cluster. You should see both the old (2012R2) and the new (2016) WAP servers connected. Note that the ConfigurationVersion is reported as Windows Server 2012 R2.
PS: C:\> Get-WebApplicationProxyConfiguration
Run the same command from the old WAP server as well:
PS: C:\> Get-WebApplicationProxyConfiguration
Remove old server
To remove the old server from the cluster, run the following cmdlet from the old (2012R2) server:
PS: C:\> Set-WebApplicationProxyConfiguration -ConnectedServersName <new-server>
Check the connected servers once again. This time ConnectedServersName reports only the newly configured Windows Server 2016.
PS: C:\> Get-WebApplicationProxyConfiguration
Perform the same check on the new Windows Server 2016 to get additional details.
PS: C:\> Get-WebApplicationProxyConfiguration
Decommission old server
If you don't need to keep the old server, you can safely remove it. From Server Manager select Manage > Remove Roles and Features.
Go through the wizard and remove the Remote Access role.
Click Remove to confirm role removal.
Upgrade the ConfigurationVersion
Because the current version is still configured as Windows Server 2012 R2, we need to upgrade it to 2016 to complete the upgrade procedure. From the Windows Server 2016, run the following cmdlet:
PS: C:\> Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
Check the configured version with the following cmdlet:
PS: C:\> Get-WebApplicationProxyConfiguration
The current ConfigurationVersion is now reported as Windows Server 2016.
The upgrade procedure of the WAP server has been completed successfully. If you haven't published any yet, you can now publish your web applications.
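The removal and version-upgrade steps above can be wrapped in a guard that refuses to overwrite ConnectedServersName with a mistyped name and only raises ConfigurationVersion once no old proxy is still listed. This is an added example, not part of the original article; the function name Update-WapCluster and its parameters are hypothetical, and `<new-server>` is the same placeholder used in the article.

```powershell
# Added example; Update-WapCluster, -KeepServers and -UpgradeVersion are hypothetical names.
function Update-WapCluster {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Servers that must remain in the cluster, spelled as Get-WebApplicationProxyConfiguration lists them.
        [Parameter(Mandatory)][string[]]$KeepServers,
        # Also raise ConfigurationVersion (the article runs this step on the new server).
        [switch]$UpgradeVersion
    )
    $ErrorActionPreference = 'Stop'

    $cfg     = Get-WebApplicationProxyConfiguration
    $current = @($cfg.ConnectedServersName)
    Write-Verbose "Version: $($cfg.ConfigurationVersion); connected: $($current -join ', ')"

    # A name that is not connected today is most likely a typo; stop before
    # the connected-server list is overwritten with it.
    $unknown = @($KeepServers | Where-Object { $current -notcontains $_ })
    if ($unknown) { throw "Not in ConnectedServersName: $($unknown -join ', ')" }

    # Everything connected but not on the keep list is treated as a server to remove.
    $stale = @($current | Where-Object { $KeepServers -notcontains $_ })
    if ($stale -and $PSCmdlet.ShouldProcess(($stale -join ', '), 'Remove from WAP cluster')) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $KeepServers
    }

    # Re-read the configuration instead of trusting the call above.
    $cfg  = Get-WebApplicationProxyConfiguration
    $left = @($cfg.ConnectedServersName | Where-Object { $KeepServers -notcontains $_ })
    if ($left) {
        Write-Warning "Still connected: $($left -join ', '). Version upgrade skipped."
        return ($cfg | Select-Object ConfigurationVersion, ConnectedServersName)
    }

    if ($UpgradeVersion -and $PSCmdlet.ShouldProcess('WAP configuration', 'Upgrade ConfigurationVersion')) {
        Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
        $cfg = Get-WebApplicationProxyConfiguration
    }
    $cfg | Select-Object ConfigurationVersion, ConnectedServersName
}

# Preview on the old server:   Update-WapCluster -KeepServers '<new-server>' -WhatIf
# Finish on the new server:    Update-WapCluster -KeepServers '<new-server>' -UpgradeVersion
```

With -WhatIf nothing is changed: the function reports which servers would be dropped and returns the current ConfigurationVersion and ConnectedServersName.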
Hi, is it mandatory to upgrade the WAP server if I upgrade my ADFS servers?
Best regards
Yes, AD FS 2016 requires Web Application Proxy servers on Windows Server 2016. A downlevel proxy cannot be configured for an AD FS 2016 farm running at the 2016 farm behavior level.
What's the timing on this? Do the WAP first or the ADFS piece first?
I have upgraded my WAP server to 2019, but it is still showing the web application configuration as 2016.
After also trying this command, Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion,
it is still showing 2016.