KnowledgeBase: To manage non-domain-joined Web Application Proxies with Azure AD Connect you need additional configuration on both sides

Azure AD Connect

Azure AD Connect is Microsoft's free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

However, you can also use it to set up and manage your organization’s Active Directory Federation Services (AD FS) implementation. This works fine with domain-joined Web Application Proxies. For non-domain-joined Web Application Proxies, however, you need to perform a couple of additional actions.

Note:
On non-domain-joined Web Application Proxy servers, only the Passthrough pre-authentication method is available for publishing applications. Domain-joined Web Application Proxy servers offer both AD FS and Passthrough as pre-authentication methods for publishing applications.

 

The situation

As an organization, you use Active Directory, Azure Active Directory (Azure AD), Azure AD Connect and Active Directory Federation Services (AD FS).

You have one or more Web Application Proxy servers that are not domain-joined.

Note:
These servers may be on a perimeter network.

You use Azure AD Connect to manage AD FS. You want to update the TLS certificate. This requires changes on every AD FS server and every Web Application Proxy server in the AD FS farm, which Azure AD Connect performs remotely over Windows Remote Management (WinRM).

You start Azure AD Connect and start the workflow for updating the TLS certificate.

You successfully add the AD FS servers to the scope on the AD FS servers page of the wizard and then proceed to the Proxy servers page.

 

The issue

You want to add the Web Application Proxy server(s), but the wizard returns an error for one or more of the Web Application Proxy server(s) you try to add to the scope.

 

The cause

The error is caused by a failure to communicate with the Web Application Proxy server. Azure AD Connect needs to succeed at three things in turn, and the error surfaces when any one of them fails:

  • Find the Web Application Proxy server;
  • Connect to the Web Application Proxy server, or;
  • Authenticate to the Web Application Proxy server.

 

The solution

To be able to manage non-domain-joined Web Application Proxy servers with Azure AD Connect, add the following configuration:

 

Add the Web Application Proxy Server(s) to DNS

When Azure AD Connect is unable to locate the Web Application Proxy server, add it to DNS. Add an A record for each Web Application Proxy server to the applicable DNS zone that Azure AD Connect uses.

 

Allow Windows Remote Management traffic on the WAP(s)

When a firewall appliance sits between the Web Application Proxy server(s) and the Azure AD Connect server(s), configure it to allow inbound TCP 5985 (WinRM over HTTP) from the Azure AD Connect server(s) to the Web Application Proxy server(s). Azure AD Connect uses this traffic to communicate with the AD FS server(s) and Web Application Proxy server(s) in your AD FS farm. Allow it only from the Azure AD Connect server(s), not from the whole internal network.

 

Configure Windows Remote Management on the WAP(s)

Windows Remote Management may not (yet) be enabled on the Web Application Proxy server.

On each Web Application Proxy server, run the following command in an elevated Command Prompt (cmd.exe). It starts the WinRM service, sets it to start automatically, creates the HTTP listener on TCP 5985 and tries to enable the Windows Firewall exception:

winrm.exe quickconfig

 

Check the Windows Remote Management Service runs on the Web Application Proxy server(s)

Now, check that the Windows Remote Management Service is running on the Web Application Proxy server(s).

On each Web Application Proxy server, perform the following line of Windows PowerShell in an elevated Windows PowerShell window:

Get-Service -name WinRM

 

Allow Windows Remote Management (HTTP-In) on the WAP(s)

The built-in Windows Firewall on the Web Application Proxy server(s) may additionally block Windows Remote Management. This is common on non-domain-joined servers: when the network connection is classified as Public, winrm quickconfig refuses to create the firewall exception, so enable the associated Windows Firewall inbound rule explicitly. The display name below matches both the Domain/Private rule and the Public rule; by default the Public rule limits remote addresses to the local subnet, so when the Azure AD Connect server is on a different subnet, check the rule's remote address scope (Get-NetFirewallAddressFilter) and widen it to the Azure AD Connect server(s) only.

On each Web Application Proxy server, perform the following line of Windows PowerShell in an elevated Windows PowerShell window:

Enable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"

 

Add the Web Application Proxy Server(s) to TrustedHosts on the Azure AD Connect server(s)

A non-domain-joined Web Application Proxy server cannot be authenticated with Kerberos, so the WinRM client on the Azure AD Connect server falls back to NTLM. WinRM only sends credentials over NTLM to a remote host that is listed in the client's TrustedHosts. To allow your Azure AD Connect installation(s) to authenticate to your Web Application Proxy server(s), add each Web Application Proxy server to TrustedHosts on each Windows Server running Azure AD Connect. List the specific names only; a wildcard (*) would let the Azure AD Connect server send its credentials to any host.

On each Windows Server running Azure AD Connect, replace WAPServerName with the name of the Web Application Proxy server exactly as you enter it in the wizard (typically its FQDN) in the following lines of Windows PowerShell and run them in an elevated Windows PowerShell window:

$WapToAdd = "WAPServerName"

# TrustedHosts is a single comma-separated string; it may be empty
$Current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

if ([string]::IsNullOrEmpty($Current)) {
    $NewValue = $WapToAdd
}
else {
    $Hosts = $Current -split "," | ForEach-Object { $_.Trim() }
    if ($Hosts -contains $WapToAdd) {
        $NewValue = $Current   # already listed, leave the value unchanged
    }
    else {
        $NewValue = ($Hosts + $WapToAdd) -join ","
    }
}

# -Force suppresses the confirmation prompt Set-Item raises for TrustedHosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NewValue -Force
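To confirm that all of the above steps took effect before you re-run the wizard, the following script, added here as an example and not part of the original article, runs on the Azure AD Connect server and checks one Web Application Proxy server against the three causes listed earlier: name resolution, TCP 5985 reachability, and WinRM authentication via TrustedHosts. The server name wap01.perimeter.example.com and the use of a local administrator credential on the WAP are assumptions; replace them with your own.

```powershell
# Added example, not from the original article. Run on the Azure AD Connect
# server in an elevated PowerShell window. Placeholders: $Wap (assumed FQDN of
# the WAP, matching the name entered in the wizard) and a local admin credential.
$Wap        = "wap01.perimeter.example.com"
$Credential = Get-Credential -Message "Local administrator on $Wap"

# 1. Find: the name must resolve from this server (A record in the zone Azure AD Connect uses)
$dns = Resolve-DnsName -Name $Wap -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "Cannot resolve $Wap; add an A record for it to DNS."
}
else {
    Write-Host "$Wap resolves to $($dns.IPAddress -join ', ')"
}

# 2. Connect: WinRM over HTTP listens on TCP 5985; the firewall appliance and the
#    Windows Firewall on the WAP must both allow it from this server
$tcp = Test-NetConnection -ComputerName $Wap -Port 5985 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 5985 to $Wap is closed; check winrm quickconfig and the firewall rules on the WAP."
}

# 3. Authenticate: no Kerberos for a non-domain-joined host, so the exact name must be
#    in this server's TrustedHosts and the session negotiates down to NTLM
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split "," | ForEach-Object { $_.Trim() }
if ($trusted -notcontains $Wap) {
    Write-Warning "$Wap is not in TrustedHosts on this server; WinRM will refuse to send credentials to it."
}

try {
    $identity = Test-WSMan -ComputerName $Wap -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    Write-Host "WinRM answers on $Wap (stack version $($identity.ProductVersion))"

    # A remote session must also be able to run the Web Application Proxy cmdlets,
    # otherwise certificate management on the WAP will still fail
    $wapConfig = Invoke-Command -ComputerName $Wap -Credential $Credential -Authentication Negotiate `
                                -ScriptBlock { Get-WebApplicationProxyConfiguration }
    Write-Host "WAP on $Wap proxies the federation service at $($wapConfig.ADFSUrl)"
}
catch {
    Write-Warning "WinRM session to $Wap failed: $($_.Exception.Message)"
}
```

Each warning maps to one of the solution steps above: a resolution failure to the DNS step, a closed port to the two firewall steps and winrm quickconfig, and a TrustedHosts or session failure to the TrustedHosts step. Run it once per Web Application Proxy server; only when all three checks pass for every WAP will the Proxy servers page of the wizard accept them.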

 

Concluding

Domain-joining Web Application Proxy servers makes for a more streamlined management experience from Azure AD Connect, because Kerberos authentication then works without TrustedHosts entries. However, when Web Application Proxy servers are placed on a perimeter network, domain-joining them is often not acceptable, and you can still make the hosts manageable using the steps above.
