Installing WAP

The next step of the configuration is to install WAP. This doesn't need to be a domain-joined server and should be placed on the perimeter network. Before the installation process, install the required SSL certificates. In my demo, it is for *.rebeladmin.com. We can verify this using the following command:

dir Cert:\LocalMachine\My

Before proceeding, we also need to check whether the server can resolve adfs.rebeladmin.com, as WAP needs to connect to AD FS.
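
Both prerequisite checks can be scripted and run on the WAP server before installing the role. The following is an added example, not code from the original text: it confirms that the certificate is present with its private key, is within its validity period, and covers the federation service name, and that the name resolves and is reachable. Assumptions: the function name Test-WapPrerequisite is hypothetical, AD FS is assumed to listen on the default HTTPS port 443, and the service name and thumbprint are the demo values used in this section.

```powershell
# Added example: pre-flight checks for the WAP server (not from the original text).
# Test-WapPrerequisite is a hypothetical helper; defaults are this section's demo values.
function Test-WapPrerequisite {
    param(
        [string]$FederationServiceName = 'adfs.rebeladmin.com',
        [string]$CertificateThumbprint = '3E0ED21E43BEB1E44AD9C252A92AD5AFB8E5722E'
    )
    $problems = @()

    # 1. The certificate must be in the computer's Personal store with its private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
    if (-not $cert) {
        $problems += "Certificate $CertificateThumbprint not found in Cert:\LocalMachine\My"
    } else {
        if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Certificate is outside its validity period (NotAfter: $($cert.NotAfter))"
        }
        # -like lets a wildcard name such as *.rebeladmin.com match the service name.
        # Note: -like also matches across dots, so it is slightly looser than TLS matching.
        $covered = $cert.DnsNameList.Unicode | Where-Object { $FederationServiceName -like $_ }
        if (-not $covered) { $problems += "Certificate does not cover $FederationServiceName" }
    }

    # 2. The WAP server must resolve the federation service name...
    try {
        Resolve-DnsName -Name $FederationServiceName -ErrorAction Stop | Out-Null
        # 3. ...and reach AD FS over HTTPS (port 443 is an assumption, see above).
        $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 `
            -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { $problems += "TCP 443 to $FederationServiceName failed" }
    } catch {
        $problems += "Cannot resolve $FederationServiceName"
    }

    # Ready is $true only when every check passed.
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

Test-WapPrerequisite | Format-List
```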

Once everything is confirmed, we can install the WAP role:

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

Once it's completed, we can proceed with configuration using the following:

$credentials = Get-Credential
Install-WebApplicationProxy `
    -FederationServiceName "adfs.rebeladmin.com" `
    -FederationServiceTrustCredential $credentials `
    -CertificateThumbprint "3E0ED21E43BEB1E44AD9C252A92AD5AFB8E5722E"

In the preceding commands, FederationServiceName is used to define the AD FS service name, and it needs to match the name provided during the AD FS setup. FederationServiceTrustCredential is used to provide an account that is authorized to register a new proxy server with AD FS. The account used here should have permissions to manage AD FS. The CertificateThumbprint parameter is used to define the certificate for WAP. In our demo, it's the *.rebeladmin.com certificate. At the end, restart the system to apply the changes.

Once the reboot is completed, we can confirm the health of the configuration by checking the following event log on the AD FS server:

Get-WinEvent "AD FS/Admin" | Where-Object {$_.ID -eq "396"} | fl