• File tested:Avast Viruses notfound
  
• This file You searched for: web application proxy server 2012 r2 step by step
  
• checked by moderators: Yes
  
• Rank: 8912
  
• Downloads: 2202
  

Watch a demo on how to install, deploy, and configure the Web Application Proxy. The Web Application Proxy (WAP) acts as the AD FS Proxy on Windows Server 2012 R2. Part of the AD FS How-To Video Series. One of the challenges of enabling work from anywhere is being able to make on-premises corporate IT resources accessible from the Internet while making sure that associated risk is controlled effectively.

The Web Application Proxy, a new role service in Windows Server 2012 R2, in conjunction with Active Directory Federation Services (AD FS), allows IT admins to enable secure access to web applications and services that sit on-premises from devices and clients outside the boundaries of the corporate network, which sometimes are not controlled by�or even belong to�corporate IT, and are not domain joined.

Learn about the Web Application Proxy including how internal web resources are made available to the Internet, how it relies on AD FS for edge pre-authentication and authorization and how different types of resources and clients (e.g., browser-based, rich clients-based, Office) operate with the Web Application Proxy for access control.

After this session you will know how it addresses your concerns of enabling productivity from anywhere in an easy and secure way. Setup of Web Application Proxy Server in Windows 2012 R2 When Microsoft discontinued ThreatManagement Gateway�(which once was Proxyand then ISA�server)I must admit I was disappointed; it was a relatively inexpensive authenticated�reverseproxy that worked with Exchange Server as well as many other complicatedproducts.

In the interim we were told that UnifiedAccess Gateway would be the replacement, but that product isn't aswell suited to the task.Several alternatives are out there, including: Kemp, F5, Nginx, and Squidbut either the price or the relative difficulty of setup isn't in line withTMG.

Fortunately starting in Windows 2012R2 Microsoft introduced WebApplication Proxy which largely fills the gap. Web Application Proxy/Server 2012r2 releaseparty.Trust me, I paid big bucks for this insider photo.What is Web Application Proxy?

Web Application Proxy(WAP from henceforth) is based on and replaces ActiveDirectory Federation Services Proxy 2.0. In addition to the ADFS Proxyfunctionality it also introduces the ability to expose internal resources toexternal users. These users can be pre-authenticated (and then impersonatedfor SSO) againstyour Active Directory infrastructure using ADFS prior to being allowedaccess to resources.Wait, This is ADFS Proxy 3.0?Yup!

That and more. Here's what you can do with it:� Authorize external users for access to other claims-aware external orinternal resources (Generally SaaS).� Allow access (by "reverse" proxy) to multiple internal applications onthe same port.� Pre-Authenticate users against Active Directory via Kerberosor NTLMto facilitate SSO and access to internal applications (if desired)� Expose multiple internal resources on a single IP address/port(generally 443) differentiated by hostname� Loadbalance using a session affinity based solution in front of WAP Let's Go!This article will cover the following:� WAP requirements� Set up� Forwarding a couple of sample applications� TroubleshootingSoftware RequirementsWeb application proxy is available on Windows Server 2012 R2 and higher,and it requiresADFS 3.0 to be available on the back end.

For assistance in settingup ADFS 3.0, see my article here.If you would like to proxy authentication for non-claims awareapplications, I.E. Exchange OWA pre-2013 SP1 ( SP1Claims) or Kerberos/NTLM apps, you will need to have the WAP serverjoined to your domain.Additionally, you'll need the certificate (private and public key) fromyour ADFS server and one certificate (again, private and public) for eachapplication you intend to proxy.

These certificates must be trusted byyour clients, so generally external globally trusted (Digicert forexample) certificate authorities are preferred.

The certificates need tobe installed under the "Personal" portion of the "Local Machine" store onthe machine you intend to use as your WAP proxy.

If you only intend tohost internal resources to domain-joined computers connecting remotely youcan use an internal PKI provided your clients trust your issuing CA(s).For information on how to setup an internal CA, see my article here.If you need help exporting your public and private key from your ADFSserver and other services, see thisarticle. Note that if these certificates are marked as non-exportable youwill need new certificates for those services, so make sure you planaccordingly. Connectivity and Hardware/VM RequirementsPreferably, your WAP server should be placed in a De- MilitarizedZone with a firewall on either side of it.

The machinecan operate with either one or two Network InterfaceCards, but for proper security I recommend two NICs; oneinternal and one external. Other connectivity options will work, includingbranching into your internal network on the inside interface, but I won'tbe covering those scenarios in detail. For all connectivity options seethe following diagram: As for the hardware you can use either real hardware or a VM assuming youhave a proper DMZ NIC setup on web application proxy server 2012 r2 step by step Hyper-V/ESX/Xen/whatever host(s).

WAPis not a particularly demanding application and uses very little I/O. Itis also horizontally scalable with a network level load balancer (f5) so Iwon't give direct guidance on specifications since it would likely havelittle relevance to your configuration. As in most cases, performanceevaluation and configuration change is the way to go.After deciding on your hardware and installing the OS, you'll need toconfigure the NICs. We'll cover that in the next section.

InstallationNow that the hardware and OS are ready to go, let's configure the NICs: Network Configuration� First open the "Network and Sharing Center" and click "Change AdapterSettings". Re-name the NICs "External" and "Internal" according to howthey are connected to avoid confusion during set up and troubleshooting. � Give each NIC appropriate IP address settings. The subnet for eachwill depend on your firewall/switch configuration.

Some firewallconfigurations may require communication stay on a single subnet but ifgiven a choice it iThis post is a companion to the earlier published part 2 of this hybrid configuration and deployment series.

In this post we will replace the reverse proxy from Threat Management Gateway (TMG) as used in the previous post for Microsoft Web Application Proxy (WAP). Windows Server 2012 R2 includes WAP as a component of its Remote Access feature set and is recommended as a reverse proxy solution for SharePoint 2013 Server and for inbound hybrid scenarios.At this point it is already assumed that the organization has completed a number of steps as defined in Part 1 of this hybrid series i.e.1.> Subscribe to an Office 365 Tenant2.> Configure Server to Server Trust with Windows Azure ACS3.> Completed the Directory Synchronization stepsAdditionally the organization should have deployed a SharePoint 2013 Server farm on premises and created a web application configured for Secure Sockets Layer (ssl) traffic using a Public Certificate Authority signed ssl certificate.

Information on configuring SharePoint 2013 Server web application using ssl can be found here https://technet.microsoft.com/en-us/Library/ee806885.aspx .Before we can configure SharePoint Online to display results from SharePoint Server 2013 on premises we must Install and Configure Microsoft Web Application Proxy server to accept incoming requests from SharePoint Online.Once WAP is ready we can configure SharePoint Online to display results from SharePoint 2013 Server on premises.

To do this we need to:1> Configure a Secure Store Target Application2> Create a Remote SharePoint Result Source3> Create a Query RuleIn this post we will be focusing on the WAP Configuration and Deployment steps.Microsoft Web Application Proxy Infrastructure DeploymentMicrosoft Web Application Proxy (WAP) is available as a new Remote Access Role of Windows Server 2012 R2. Before we can install WAP we need to deploy an Active Directory Federation Services (ADFS) 3.0 Service which will serve as the Configuration Store and could optionally be used to support end user federated authentication if desired by the organization.Deploy Active Directory Federation Services 3.0Active Directory Federation Services 3.0 like WAP is a role that can be deployed on a Windows Server 2012 R2 server.

ADFS requires a public ssl certificate to secure the Federation Services Public endpoint. In this case we have a certificate obtained from Digicert for the adfs.nellymo.com common name and have already loaded that into the local Computer Account Personal certificate store on the server where we will install ADFS.

We will need this certificate later when we configure the ADFS service.Install ADFSCarry out the following steps to deploy ADFS for use with WAP1> Add Windows Server 2012 R2 to the on premises domain.Complete this task using your standard Corporate Policy.2> Use server manager Add Roles and Features Wizard to install Active Directory Federation Services on the choose server roles selection page.3> Accept defaults on the Add Features page.4> On the ADFS install summary page review the provided information, specifically the information provided in the �things to note� section.

We need to be domain joined which we are but also that Web Application Proxy cannot be installed on the same machine as the ADFS role for use as a federation proxy. We want to use WAP as a server publishing proxy but will still follow this guidance and install WAP on a separate server.5> Click Next6> Select Auto Restart and acknowledge the popup then click Install7> Wait until installation is complete and machine reboots.8> After installation there are some post install setup tasks to complete.

Reload Server Manager and review the items presented on the notification flag.9> Select �Configure the federation services on this server�Default setting is to create the first federation server in a federation server farm. For the purpose of this installation this is going to be the first and only federation server but for production deployments we would recommend a minimum of two servers in the federation farm to support high availability.10> Click next11> Specify alternate credentials if necessary.

In this case NELLYMOspadmin is a domain admin and therefore has permission to perform federation services configuration.

Click Next12> Here we choose the SSL certificate uploaded earlier and provide a federation service display name. At this point you should also have the federation service name configured in your on premises DNS to provide name resolution to this federation server. If you are intending using this ADFS service as a federation service endpoint for federated authentication in Office 365 you should also ensure this endpoint is publically accessible and has a public DNS registration. Click Next13> Provide a domain user account credential or managed service account to act as the ADFS Service Account.

Click Next.14> Provide a location to store the ASDF configuration database. When creating the ADFS database we can either uTraining� Expert-led, virtual classes� Web application proxy server 2012 r2 step by step Catalog� Class Locator� Microsoft Virtual Academy� Free Windows Server 2012 courses� Free Windows 8 courses� SQL Server training� Microsoft Official Courses On-Demand This topic describes how to configure the infrastructure required for an Web Application Proxy deployment.

Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan the Web Application Proxy Infrastructure [WAP].TaskDescriptionConfigure server network settingsConfigure the server network settings on the Web Application Proxy server.Configure firewallsConfigure additional firewalls, if required.Configure DNSConfigure DNS settings for the Web Application Proxy deployment.Configure Active DirectoryJoin the Web Application Proxy server to the Active Directory domain, if required.Configure Active Directory Federation ServicesConfigure Active�Directory Federation Services (AD�FS) servers for authentication and authorization. Network interface settings on the Web Application Proxy server are configured by using Change adapter settings in the Windows Networking and Sharing Center.

Specific IP address requirements depend on the topology and any other organizational requirements. When the Web Application Proxy is separated from client devices or from the internal network by a firewall, you must configure the firewalls to allow traffic for the protocol and port number used by the published web applications.

You must also configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server.Configure the backend firewall to enable connectivity to backend servers, including:�A rule to allow connectivity to the AD FS on port 443�Open the port on which you are running your apps�Connectivity to Active DirectoryFor more information on backend server configuration, see Active Directory and Active Directory Domain Services Port Requirements. Configure DNS servers internally and externally as required by your published web applications.�Web Application Proxy requires internal name resolution to resolve the names of backend servers, and infrastructure servers such as the AD FS servers.�When publishing web applications via Web Application Proxy, every web application you publish requires an external URL.

For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the same IP address as the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server. If your deployment uses Integrated Windows authentication, the Web Application Proxy server must be joined to an AD�DS domain.

For information about domain and forest trusts when deploying Web Application Proxy, see 1.4. Plan Active Directory. In Computer Name, type the name of the computer if you are also changing the computer name when joining the server to the domain. Under Member of, click Domain, and then type the name of the domain to which you want to join the server; for example, corp.contoso.com, and then click OK.� When you are prompted to restart the computer, click Restart Now.Windows PowerShell equivalent commandsThe following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure.

Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.Note that you must supply domain credentials after entering the Add-Computer command below. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/EDGE1.contoso.com and click Add.

Then enter HTTP/EDGE1 and click Add.The Values list now contains two new entries; for example, HTTP/EDGE1.contoso.com and HTTP/EDGE1.� On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.� Configuring AD FS is described in detail in the Windows Server 2012 AD FS Deployment Guide.For all web applications that you intend to publish using AD FS preauthentication, you must configure a relying party trust for each application on the AD FS server.

See Create a Relying Party Trust Using Federation Metadata.For all AD FS endpoints that you require to be published by Web Application Proxy, in the AD FS Management console, you must set the endpoint to be Proxy Enabled. �Install and Configure the Web Application Proxy Server�Publish Applications through Web Application Proxy�Planning to Publish Applications Using Web Application Proxy�Web Application Proxy Walkthrough Guide Training� Expert-led, virtual classes� Training Catalog� Class Locator� Microsoft Virtual Academy� Free Windows Server 2012 courses� Free Windows 8 courses� SQL Server training� Microsoft Official Courses On-Demand The first step of planning for a Web Application Proxy deployment is to perform planning for the infrastructure required for the deployment.

This topic describes the infrastructure planning steps.TaskDescription1.1. Plan Network LocationDecide where to place the Web Application Proxy server and prepare your firewalls for an Web Application Proxy deployment.1.2. Plan DNSPlan DNS settings for the Web Application Proxy server, infrastructure servers, and application servers.1.3.

Plan Load BalancingDecide what type of load-balancing you require for the Web Application Proxy servers and the web application servers.1.4. Plan Active DirectoryPlan your Active Directory requirements, in particular the requirements if you plan to publish applications that use Integrated Windows authentication.1.5. Plan Active Directory Federation ServicesPlan your Active�Directory Federation Services (AD�FS) requirements.1.6. Plan PreauthenticationDecide what type of preauthentication you will use when publishing applications through Web Application Proxy. Web Application Proxy can be deployed in several topologies.

For example, you can deploy Web Application Proxy behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, a backend firewall to separate it from the corporate network. In both topologies, Web Application Proxy provides a protection layer against malicious HTTP requests that originate from the Internet through the following features:�Preauthentication�Make sure that only authenticated traffic can get into the corporate network.�Network Isolation�Incoming web traffic cannot directly access backend servers.�Selective Publishing�Only specific applications and paths within these applications are accessible.�DDoS Protection�Incoming traffic arrives at Web Application Proxy before entering the corporate network.

Because Web Application Proxy acts as a buffer, many DDoS attacks can be prevented from reaching the backend servers. Deploying Web Application Proxy behind a firewall adds network level protection and reduces the attack surface of the Web Application Proxy servers. If the Web Application Proxy server is located in front of a firewall that separates it from the corporate network, you must make sure that the firewall does not block traffic to URLs configured for the backend servers.

This could be over HTTP or HTTPS and on any specified port. Note that if you deploy Web Application Proxy on a domain-joined server, it must have connectivity to the domain controller, see 1.4. Plan Active Directory.All firewall servers must be configured to allow HTTPS traffic because the firewall servers must publish Web Application Proxy using port�443 so that Web Application Proxy in the perimeter network can access the federation server in the corporate network.

Port�443 is also required for device registration using Workplace Join. NoteAll federation server communications to and from client devices also occur over HTTPS.In the federated world of AD FS, client requests are typically made to a specific URL, for example, a federation server identifier URL such as https://fs.fabrikam.com.

Because these client requests originate from the Internet, the Internet-facing firewall server must be configured to publish the federation server identifier URL for each Web Application Proxy server that is deployed in the perimeter network.If you want to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443. DNS planning requirements include the following:�Web Application Proxy requires internal name resolution to resolve the names of backend servers, and of infrastructure servers such as the AD FS server.�When publishing web applications via Web Application Proxy, every web application you publish requires an external URL.

For clients to reach these web applications, a public DNS server must be able to resolve each external URL that you configure. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server. Web Application Proxy does not include integrated load-balancing functionality.

If you plan to deploy multiple Web Application Proxy servers, you should consider deploying a load-balancer to ensure that the external traffic is distributed evenly between Web Application Proxy servers.

You can use any hardware or software load-balancer that supports HTTP and HTTPS, including Windows Network Load Balancing.You can also configure a load-balancer for published web applications.

That is, you can deploy a load-balancer between the Web Application Proxy servers Training� Expert-led, virtual classes� Training Catalog� Class Locator� Microsoft Virtual Academy� Free Windows Server 2012 courses� Free Windows 8 courses� SQL Server training� Microsoft Official Courses On-Demand This topic describes how to install the Remote Access role with the Web Application Proxy role service and how to configure the Web Application Proxy server to connect to an Active�Directory Federation Services (AD�FS) server.

Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan the Web Web application proxy server 2012 r2 step by step Proxy Server. Web Application Proxy servers require the following certificates in the certificate store on each Web Application Proxy server:�A certificate whose subject covers the federation service name.

If you want to use Workplace Join, the certificate must also contain the following subject alternative names (SANs): . and enterpriseregistration..�A wildcard certificate, a subject alternative name (SAN) certificate, several SAN certificates, or several certificates whose subjects cover each web application.�A copy of the certificate issued to external servers when using client certificate preauthentication. In an Web Application Proxy deployment you require certificates for the published web applications, and for the AD FS proxy if your deployment provides AD FS proxy functionality.

For these required certificates, there are two options for the issuing CA:�Public�Supplied by a 3rd party.A website certificate used for server authentication. If the certificate subject is not a wildcard, it must be the externally resolvable fully qualified domain name (FQDN) URL that you configure on the Web Application Proxy web application proxy server 2012 r2 step by step for the application.�Private�The following are required, if they do not already exist:�A website certificate used for server authentication.

The certificate subject should be an externally resolvable FQDN that is reachable from the Internet. The certificate can be based on the certificate template created in Configure certificate templates.�A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable FQDN.Make sure that the website certificate used for server authentication meets the following requirements:�The common name of the certificate should match the name that you configure for the external URL of the published web application, or the federation service name.�For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).�For the CRL Distribution Points field, specify a CRL distribution point that is accessible by client devices that are connected to the Internet.�The certificate must have a private key.�The certificate must be imported directly into the personal store.�Certificates can have wildcards in the name.

A wildcard certificate with the subject name *.contoso.com can be used for web applications in the domain contoso.com, for example, sharepoint.contoso.com and owa.contoso.com.

This wildcard certificate cannot be used for the website sharepoint.internal.contoso.com.�Certificates can be subject alternative name (SAN) certificates. For example, a SAN certificate with the names owa.contoso.com and crm.contoso.com can be used for only those two websites. It cannot be used for sharepoint.contoso.com. NoteFor Workplace Join, a SAN certificate is required with the following SANs:�.For example, adfs1.contoso.com.�enterpriseregistration.For example, enterpriseregistration.contoso.com. To deploy Web Application Proxy, you must install the Remote Access role with the Web Application Proxy role service on a server that will act as the Web Application Proxy server.Repeat this procedure for all of the servers that you want to deploy as Web Application Proxy servers. On the Installation progress dialog, verify that the installation was successful, and then click Close.Windows PowerShell equivalent commandsThe following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure.

Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow.

On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.� On the Federation Server dialog, do the following, and then click Next:�In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com.�In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.� On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a cert� Home� VMware� vSphere 6� Upgrading Windows based vCenter 5.x to 6� VCSA 6.0 � Upgrade from 5.x� VCSA 6 � A Fresh Install� Updating vCenter Server Appliance 6.0 to Update 2� Deploying VMware Update Manager 6.0 Update 2� VSAN� VSAN 6 � Requirements [Part 1]� VSAN 6 � Setup and Configuration [Part 2]� vRealize� Deploying VMware vRealize Log Insight� Deployment of Operations Manager� vSphere 5.x� Installing vSphere 5.5� Microsoft� Server 2016� Server 2012� Setup Remote Desktop Services in Windows Server 2012 R2� How to setup Microsoft Active Directory Certificate Services [AD CS]� How to setup Microsoft Active Directory Federation Services [AD FS]� How to setup Microsoft Web Application Proxy� Deploy and Configure WSUS on Server 2012 R2� Deploying Microsoft SQL 2014 Standalone Server� Site Archives� About��� Search Microsoft Web Application Proxy [WAP] is a new service added in Windows Server 2012 R2 that allows you to�access�web applications from outside your network.�WAP functions�as a reverse proxy and an Active Directory Federation Services [AD FS] proxy to pre-authenticate user access.vBoring Blog Series:� How to setup�Microsoft Active Directory Federation Services [AD FS]� How to setup�Microsoft Web Application ProxyRequirements:� The only hard requirement of WAP is having an AD FS server.

Refer to step 1 for setting that up.� WAP cannot be installed on a server that AD FS is installed on. They must be separate servers.Installing the Web Application Proxy�Server Role:Open Server Manager and click Manage -> Add Roles and Features:Click Next:Role-based or feature-based installation should be selected then click Next:Select the server you want to install this role on to and then click Next:Note: Web Application Proxy role and AD FS cannot be installed on the same computer.Select Remote Access�then click Next:No additional Features are needed.

Click Next:Click Next:Select Web Application Proxy:On the pop up click Add Features:The Web Application Proxy�role does not required a reboot. Click Install:Once complete click Close:Web Application Proxy is now installed but you need the AD FS certificate to continue.

Export & Import the AD FS Certificate:You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:When you click OK you will get the following pop up.

Select Computer account then click Next:On AD FS Server: Drill down to Personal web application proxy server 2012 r2 step by step Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:This will bring up the Certificate Import Wizard.

Click Next:Browse to the certificate that you exported from your AD FS server and select it. Click Next:Enter the password for the private key and check the box to make the key exportable.

Click Next:Leave the default certificate store as Personal. Click Next:Click Finish:You should now see the certificate from your AD FS servers on your Web Application Proxy server.Now we are ready to perform the Post Configuration. Post-Deployment Configuration:Back on your Web Application Server open Server Manager�then click Notifications�then the message Open the Web Application Proxy Wizard:Click Next:Enter the FQDN of your AD FS name and the Service Account you created during AD FS setup.

Click Next:On the drop down menu select the certificate you imported from your AD FS server. Click Next:Click Configure:Once finished click Close:Remote Access Management Console�should open when you clicked Close. On Operations Status you should see all the objects as green.Publish Web Applications:Now we are finally ready for web application proxy server 2012 r2 step by step magic.

In the Remote Access Management Console click Web Application Proxy then Publish:Click Next:Pass-through will let WAP act like a reverse proxy. I will�have documentation on setting up AD FS link soon!Select Pass-through�and click Next:Name: Enter a display nameExternal URL: Enter the URL that will be coming in your the WAP server externallyExternal Certificate: The drop down menu will show certificates that are added on the WAP server.

Select the same certificate that you used while setting up�your application. In my case I used my wildcard certificate.Backend server URL: Enter the web URL of the server you want the external URL forwardedClick Next:Copy the�PowerShell command down and with some minor edits you can easily add additional PassThrough applications with ease.Click Publish:Click Close to finish:You will now see the published web application and ready for testing.You are ready to test the application!

Configure Firewall for 443�Port Forwarding:Before you can test you need to ensure you have port 443 (HTTPS) being sent to your WAP ser