How to Use Windows Application Proxy in a DMZ for IIS Hosted Web Apps with Hosts File Configuration

What is Windows Application Proxy?
Windows Application Proxy is a Windows Server feature used as a reverse proxy. It allows secure access to internal web applications from external networks.

This guide will walk you through the steps of setting up Windows Application Proxy as a reverse proxy in a DMZ for secure communication with IIS hosted web applications.

  1. DMZ Setup:
    The DMZ should be configured to allow communication on TCP port 443. Ensure that there are network routes from the DMZ to both the external and internal networks, where the IIS servers are located.
  2. Installing Windows Application Proxy:
    Install the Windows Application Proxy on a server within the DMZ. This server will relay requests from external users to the internal IIS web applications.
  3. Configuring Windows Application Proxy:
    Set up the proxy to listen on TCP port 443 and configure it to forward requests to the internal IIS servers.
  4. SSL Certificate Management:
    Obtain and install valid SSL certificates for the domain names of your web applications on the Windows Application Proxy server. Configure the proxy to use these certificates for securing communications.
  5. Hosts File Configuration:
    Because the DMZ has restricted access to the internal DNS, configure the hosts file on the Windows Application Proxy server. Add an entry for each IIS web application, mapping its domain name to its internal IP address. For example, the entry 192.168.0.20   mfa.domain.com tells the application proxy that mfa.domain.com resolves to 192.168.0.20, which is either the real address of the MFA server (if it is reachable directly) or the NAT'ed address that forwards to the MFA server.
  6. IIS Web Application Integration:
    Ensure your IIS web applications are configured to accept connections from the Windows Application Proxy server. Consider using SSL certificates on IIS to match those on the proxy server for end-to-end encryption.
  7. Testing and Validation:
    Test the setup by accessing the web applications from an external network. Ensure the SSL certificates are properly recognized and trusted by browsers, and verify that there are no security warnings.
  8. Monitoring and Maintenance:
    Regularly monitor the performance and security of the Application Proxy and IIS servers. Keep the SSL certificates updated to prevent security issues.
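
Steps 5 to 7 together, as an added PowerShell example that is not part of the original guide: it writes the hosts entries idempotently with a dated backup, then checks from the DMZ server that each name resolves to the intended internal IP and that the backend presents a certificate the proxy host trusts for that name. The hosts file path, the elevated session, the sample mappings and the intranet.domain.com entry are assumptions.

```powershell
# Added example, not part of the original guide. Assumes the standard Windows
# hosts file path, an elevated PowerShell session, and constructed sample mappings.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
# Constructed sample entries: public application name -> internal or NAT'ed IP.
$Mappings = @{
    'mfa.domain.com'      = '192.168.0.20'
    'intranet.domain.com' = '192.168.0.21'   # hypothetical second backend
}
function Set-ProxyHostsEntries {
    param([string]$Path, [hashtable]$Map)
    # Keep a dated backup: this file decides where the proxy sends every request.
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    $lines = @(Get-Content $Path)
    foreach ($name in $Map.Keys) {
        # Remove any existing line for this name so the file never holds two answers.
        $pattern = "^\s*\S+\s+$([regex]::Escape($name))(\s|$)"
        $lines = @($lines | Where-Object { $_ -notmatch $pattern })
        $lines += "$($Map[$name])`t$name"
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Test-ProxyBackend {
    param([string]$Name, [string]$ExpectedIp)
    # The OS resolver consults the hosts file first, so this proves the mapping took effect.
    $resolved = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    $result = [ordered]@{ Name = $Name; Expected = $ExpectedIp; Resolved = ($resolved -join ',')
                          ResolvesOk = ($resolved -contains $ExpectedIp); TlsOk = $false; Detail = '' }
    # Default SslStream validation enforces chain trust and a name match against $Name,
    # which is what the proxy itself needs from the backend (steps 6 and 7).
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Name, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk = $true
        $result.Detail = "$($cert.Subject) expires $($cert.NotAfter.ToShortDateString())"
    } catch {
        # Unreachable port, untrusted chain, or name mismatch all land here.
        $result.Detail = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }; if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$result
}

Set-ProxyHostsEntries -Path $HostsPath -Map $Mappings
$Mappings.GetEnumerator() | ForEach-Object { Test-ProxyBackend -Name $_.Key -ExpectedIp $_.Value } | Format-Table -AutoSize
```

A row with ResolvesOk true but TlsOk false usually means the backend certificate does not carry the public name or is not trusted by the proxy server, which is exactly the mismatch step 6 warns about.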

Setting up Windows Application Proxy in a DMZ with appropriate SSL and hosts file configurations ensures secure and efficient access to IIS web applications from external networks. This approach maintains high security standards while facilitating external access.

Note: Always follow your organization's security policies and best practices when configuring network components, especially in a DMZ environment. Regular updates and security checks are crucial for maintaining the integrity and security of the system.