Web Application Proxy: The external and backend server URLs are different and URL translation is disabled

 

Applies To: Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Web Application Proxy Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012 R2

Product/Feature

Web Application Proxy

Severity

Warning

Category

Configuration

Issue

The external and backend server URLs are different and URL translation is disabled.

Impact

The published application might reject requests from the client.

Resolution

Consider changing the application publishing settings.

By default, Web Application Proxy translates the host portion of requests to a backend server. For example, Web Application Proxy will translate the URLs successfully if the external URL is https://apps.contoso.com/ and the backend server URL is https://appsinternal.contoso.com/. However, URL translation is currently disabled, which might cause client requests to be rejected. You can manually enable the translation of host headers by using the DisableTranslateUrlInRequestHeaders parameter.

You may need to remove the published application and republish it to resolve this issue.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To remove a published application

  1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In the Remote Access Management console, in the navigation pane, click Web Application Proxy.

  3. In the details pane, select the application identified in the BPA, and then in the Tasks pane, click Remove.

  4. On the Remove Applications dialog box, click Yes.

After removing the application, you can republish it.

To publish an application

  1. In the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

  2. On the Publish New Application Wizard, on the Welcome page, click Next.

  3. On the Preauthentication page, select the required preauthentication, and then click Next.

  4. If you selected Active Directory Federation Services (AD FS), on the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

  5. On the Publishing Settings page, do the following, and then click Next:

    • In the Name box, enter a friendly name for the application.

    • In the External URL box, enter the external URL for this application; for example, https://apps.contoso.com/.

    • In the External certificate list, select a certificate whose subject covers the external URL.

    • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://apps/.

      Note

      Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.contoso.com/app1/ and a backend server URL of https://app-server/app1/. However, you cannot enter an external URL of https://apps.contoso.com/app1/ and a backend server URL of https://apps.contoso.com/internal-app1/.

    • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/apps.contoso.com.

  6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command set up additional published applications.

  7. On the Results page, make sure that the application published successfully, and then click Close.

You can view the settings of a published application and enable URL translation, if required.

To enable URL translation using PowerShell

  1. To obtain the application ID of an application, use the following PowerShell command to show the ID, name, and external URL of all applications published by Web Application Proxy, and locate the application ID of the required application in the command output:

    Get-WebApplicationProxyApplication | Format-Table ID, Name, ExternalURL
    
  2. Use the following PowerShell command to enable URL translation for a specific published application:

    Set-WebApplicationProxyApplication –ID <application_ID> -DisableTranslateUrlInRequestHeaders:$false