Summary: Guest blogger and security expert, Yuri Diogenes, continues his series about enabling BYOD.
Microsoft Scripting Guy, Ed Wilson, is here. Today’s guest blogger is Yuri Diogenes, who continues his security series about enabling BYOD. Yuri is a senior knowledge engineer, and he is a coauthor of the book Windows Server 2012 Security from End to Edge and Beyond. You can follow him on Twitter at @YuriDiogenes.
In the first part of this series, Security Series: Using PowerShell to Enable BYOD–Part 1, I explained how to enable device registration to allow IT to have awareness of the user’s device and have the capability of performing second factor authentication. If you recall, Contoso IT wanted to enable device registration only for devices that are connected through the corporate network (on-premises). Now that they fully understand the footprint of their user’s devices, they are moving to their second phase—they want enable this capability for users coming from the Internet.
This post will continue the Contoso IT story to embrace the "bring your own device" (BYOD) model. If you want to know more about BYOD, read the General Considerations Regarding BYOD section in the Bring Your Own Device (BYOD) Survival Guide for Microsoft Technologies.
Small, medium, and large corporations nowadays rely a lot on the power of the Internet. Most of the time users will be connected to the web and during that same time they will also demand access to corporate resources. Companies should include on their BYOD strategy the capability to enable users to access corporate resources using their own devices from any location.
By using a new capability in Windows Server 2012 R2 called Web Application Proxy, you can publish apps and internal resources to users who are coming from the Internet. The recommended infrastructure for this scenario is shown in the following image:
Notice that Web Application Proxy should be behind an edge firewall, and although the image shows Active Directory Federation Services (AD FS), Web Application Proxy can also use NTLM or basic authentication.
Contoso IT is moving to the second phase of their deployment, and now they need to allow users who are coming from outside of their internal network to register their devices and access resources. Another requirement is to customize the sign-in page to provide more detailed explanation for users who are trying to perform device registration from devices that are not Windows based.
The steps to enable Web Application Proxy by using Windows PowerShell are quite simple; however, there are some prerequisites that must be in place before enabling this capability. Follow the instructions in Configure the Infrastructure for Web Application Proxy to review the requirements that must be in place before you deploy this role.
When the core infrastructure it is in place, you should also obtain a certificate with a private key to install on the server that will host this role. The certificate should include a subject that covers the name of AD FS. For Workplace Join, the certificate must also contain the following subject alternative names (SANs): <federation service name>.<domain> and enterpriseregistration.<domain>.
Note The Web Application Proxy deployment requires certificates for the published web app and for the AD FS proxy if your deployment provides AD FS proxy functionality.
Now you can install Web Application Proxy by using the following Windows PowerShell command:
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
After you install the role, you can configure Web Application Proxy. However, first you should open the certificate and find the thumbprint of the certificate. You will need this information during the installation process using Windows PowerShell. The following image shows an example of where this information resides:
Note You can also use the Get-ChildItem cmdlet to obtain the thumbprint.
After you record this number, type the following Windows PowerShell command to configure Web Application Proxy:
Install-WebApplicationProxy –CertificateThumprint <TypetheCertificateThumbprintHere> -FederationServiceName <TypeTheServerFQDNHere)
The following image shows an example of this operation:
Note After you type the command, a dialog box will open and ask to you type your credentials.
The installation and configuration process of Web Application Proxy is complete at this point. Now you need to publish a means for device registration. For that, use the following Windows PowerShell command:
Add-WebApplicationProxyApplication -BackendServerURL <TypeTheURLHere> -ExternalCertificateThumbprint <TypeTheThumbprintHere> -ExternalURL <TypeTheExternalURLHere> -Name <TypeTheNameHere> ADFS -ADFSRelyingPartyName <TypeTheRelyingPartyHere>
Following is an example of this operation:
At this point, if you open the Remote Access Management Console, you should see the following publication of the Web Application Proxy configuration:
The second requirement for Contoso is to customize the sign-in page, and for that you can read Customizing the AD FS Sign-in Pages. The customization is all done via Windows PowerShell, and this topic provides a great explanation of all the components of the page and how to change them.
At this point, you should be able to perform device registration from devices that are coming from the Internet so that they can connect to internal resources. Remember that the device registration experience will vary according to the platform. For Windows 8.1, this process is natively available in the UI as shown in the following image:
For other platforms, the process happens via the web after the publication is completed. This process uses Web Application Proxy, with AD FS as the authentication method. The following image shows the first page that users will see when they try to sign in:
Notice that this page has been fully customized, and the iPad user will have to authenticate. However, the policy is that he needs to be registered to access company resources, so he will see the following screen, which explains that he is authenticated, but he is not authorized to access resources until he registers:
You can set up your own environment to test this functionality by following the instructions in Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy.
See you next time!
Thank you, Yuri. We are looking forward to your final post!
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy