Application Proxy Blog

This blog provides additional information about the Application Proxy service of Windows Server and Azure Active Directory.

Web Application Proxy PowerShell Cheat Sheet

Web Application Proxy LOVES POWERSHELL

For us, PowerShell is the fundamental API to our system. This is how the UI works. This is how our remote management works. This is how we test the product. This is how we deploy it in our own labs.

As you probably noticed, the UI wizards always end by showing you the PowerShell command they send to apply the changes. This is a great way to learn the basics and start doing the regular stuff. But we have more for you. Here are some advanced commands, and how you can combine them with the PowerShell goodies to better manage your Web Application Proxy deployments.

To start, here are the command aliases that allow much shorter and more readable scripts:

cmdlet                                              alias
Add-WebApplicationProxyApplication                  awpa
Get-WebApplicationProxyApplication                  gwpa
Set-WebApplicationProxyApplication                  swpa
Remove-WebApplicationProxyApplication               rwpa
Get-WebApplicationProxyConfiguration                gwpc
Set-WebApplicationProxyConfiguration                swpc
Get-WebApplicationProxyAvailableADFSRelyingParty    gwpr
Get-WebApplicationProxyHealth                       gwph


Now let’s see the most common PowerShell tricks using the standard cmdlets:

Show published applications that have ADFS as their preauthentication method
    Get-WebApplicationProxyApplication | ? {$_.ExternalPreauthentication -eq 'ADFS'}

Export all published applications to a file
    Get-WebApplicationProxyApplication | Export-Clixml "ExportedApps"

Import published applications from a file
    Import-Clixml "ExportedApps" | Add-WebApplicationProxyApplication

Getting full help on the set command
    Get-Help -Full Set-WebApplicationProxyApplication

List all the details on all the certificates that are used by published apps.
Note: the cert: provider does not support filter
    $WAP_Certs = (gwpa).ExternalCertificateThumbprint | sort -Unique ;
    dir Cert:\LocalMachine\my | ? {$WAP_Certs -contains $_.Thumbprint} | fl -Property *

Add a machine to the Web Application Proxy connected servers list
    swpc -ConnectedServersName ((gwpc).ConnectedServersName + 'ServerToAdd')

Remove a machine from the Web Application Proxy connected servers list
    swpc -ConnectedServersName ((gwpc).ConnectedServersName -ne 'ServerToRemove')
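
The preauthentication filter and the certificate listing above can be combined into one review of what is published. The following is an added example, not part of the original post: Get-WapPublishedAppFinding is a hypothetical helper name (not a Web Application Proxy cmdlet), and the sample applications, thumbprints and dates are constructed so the block runs on any machine.

```powershell
function Get-WapPublishedAppFinding {   # hypothetical helper, not a WAP cmdlet
    param(
        [Parameter(Mandatory)] [object[]] $Application,   # as returned by gwpa
        [Parameter(Mandatory)] [object[]] $Certificate,   # as returned by dir Cert:\LocalMachine\My
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # Index the store certificates by thumbprint so each app is a single lookup.
    $byThumb = @{}
    foreach ($c in $Certificate) { $byThumb[$c.Thumbprint] = $c }

    foreach ($app in $Application) {
        $issues = @()
        if ($app.ExternalPreauthentication -eq 'PassThrough') {
            $issues += 'PassThrough: no preauthentication at the proxy'
        }
        # Skip the lookup when an app has no thumbprint (a hashtable cannot be indexed with $null).
        $thumb = $app.ExternalCertificateThumbprint
        $cert  = if ($thumb) { $byThumb[$thumb] } else { $null }
        if (-not $cert) {
            $issues += 'certificate not found in the supplied store listing'
        } elseif ($cert.NotAfter -lt $Now) {
            $issues += 'certificate expired'
        } elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $issues += "certificate expires within $WarnDays days"
        }
        [pscustomobject]@{
            Name     = $app.Name
            Preauth  = $app.ExternalPreauthentication
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Issues   = $issues -join '; '
        }
    }
}

# Constructed sample data: names, thumbprints and dates are made up for illustration.
$refDate = Get-Date '2024-01-01'
$apps = @(
    [pscustomobject]@{ Name='Intranet'; ExternalPreauthentication='ADFS';        ExternalCertificateThumbprint='AA11' }
    [pscustomobject]@{ Name='Legacy';   ExternalPreauthentication='PassThrough'; ExternalCertificateThumbprint='BB22' }
    [pscustomobject]@{ Name='Portal';   ExternalPreauthentication='ADFS';        ExternalCertificateThumbprint='CC33' }
)
$certs = @(
    [pscustomobject]@{ Thumbprint='AA11'; NotAfter=$refDate.AddDays(200) }
    [pscustomobject]@{ Thumbprint='BB22'; NotAfter=$refDate.AddDays(10) }
)
Get-WapPublishedAppFinding -Application $apps -Certificate $certs -Now $refDate | ft -AutoSize
# On a Web Application Proxy server, feed it the live data instead:
# Get-WapPublishedAppFinding -Application (gwpa) -Certificate (dir Cert:\LocalMachine\My)
```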

As Web Application Proxy is a standard Windows Server role service, you can use many Windows Server PowerShell tools to control Web Application Proxy:

Shows Web Application Proxy Windows services status
    Get-Service 'appproxysvc','appproxyctrl','adfssrv' | fl -property *

Shows the configuration of Web Application Proxy Windows service
    Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='appproxysvc'"

Get Best Practices Analyzer (BPA) results for the Remote Access role
    Invoke-BpaModel Microsoft/Windows/RemoteAccessServer ;
    Get-BpaResult Microsoft/Windows/RemoteAccessServer

List all the events that Web Application Proxy had in the last 24 hours with their ID, Level and Message.
    $yesterday = (Get-Date) - (New-TimeSpan -Day 1) ;
    Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; StartTime=$yesterday} | group -Property ID,LevelDisplayName,Message -NoElement | sort Count, Name -Descending | ft -AutoSize

Read Web Application Proxy registry keys
    Get-ItemProperty hklm:\software\microsoft\appproxy

Read Web Application Proxy performance counters at current point
    Get-Counter '\Web Application Proxy\*'

Return the number of currently active requests
    (Get-Counter '\Web Application Proxy\active requests').CounterSamples.CookedValue


And finally, here are some tricks for managing Web Application Proxy multi-machine deployments:

Show the status of Web Application Proxy related services on all the connected servers grouped by their status.
Note: Same syntax would work with any command that supports the ComputerName parameter. E.g. set-service, get-process
    Get-Service 'appproxysvc','appproxyctrl','adfssrv' -ComputerName ((gwpc).ConnectedServersName) | sort Status,MachineName,Name | ft MachineName, Name -AutoSize -GroupBy Status

Restart the Web Application Proxy service on all the connected servers and print the name of the machines
    Invoke-Command -ScriptBlock {Restart-Service 'appproxysvc'; (Get-WmiObject -Class Win32_ComputerSystem).Name} -ComputerName ((gwpc).ConnectedServersName)

Show the names of all the connected servers that had event 12000 in the last 10 hours
    Foreach ($Server in (gwpc).ConnectedServersName){Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; ID=12000; StartTime=(Get-Date) - (New-TimeSpan -hour 10)} -ComputerName $Server -ErrorAction SilentlyContinue | group MachineName -NoElement | ft Name -HideTableHeaders}

Show all IP addresses of all servers in the cluster.
1. This will work only if remote management is enabled on all servers using Kerberos
2. Same syntax would work with any command that supports the CimSession parameter
3. New-CimSession can accept admin credentials.
    Get-NetIPAddress -CimSession (New-CimSession -ComputerName ((gwpc).ConnectedServersName)) | ft IPAddress


$Author.Name = “Meir Mendelovich”

$Author.Role = Microsoft.ProductGroupTitles.SeniorProgramManager

