OT: WAP to replace ISA

  • Last Post 18 April 2016
jpe posted this 13 April 2016

This might be a bit OT so apologies in advance. Has anyone deployed WAP (Web Application Proxy) to replace an ISA or TMG installation? If so, how does this compare?

Currently we use ISA 2004 Enterprise with Windows NLB for publishing websites such as OWA with RSA authentication (which might change when we are fully O365), but a majority of the websites published are just standard websites with authentication handled by the website vendors (such as access to the Pension, HR, Project management websites), and other hosted websites are pages required by our planning website, internet facing website (ourdomain.org) with no authentication, i.e. publicly accessible ones.

Most of my reading appears to suggest the uses for WAP are for publishing the likes of Lync, OWA, SharePoint, RDS etc. which require authentication rather than standard websites that are unauthenticated access. On ISA we have around 40 publishing/Listening rules.

Wildcard SSL certificates. (*.ourdomain.org)

HTTP > HTTPS redirection rules.

Rules to redirect traffic from port 443 to custom ports, i.e. 50600, for DMZ based web servers.

Rule to allow HTTPS traffic to pass thru for servers that have their own SSL certificates installed directly.

Forwarding of Host Headers – for multiple sites that are hosted on one server but accessed via a single IP address

Publishing of OWA

Publishing of OMA

The two ISA servers have two NICs, one in one DMZ and one on another network.

Just wondering from a real-world view how does WAP compare? 

Parzival posted this 15 April 2016


I tried to replace it with it, but WAP does about 20% of what ISA/TMG could do.

If you are just publishing unauthenticated or Kerberos/SAML integrated websites you are fine, but as soon as you want specific rules you are out of luck.

Publishing non-HTTP/HTTPS traffic is also not really easy, if at all possible.

If you publish a lot of different stuff, you might want to take a look at a 3rd party as they often provide better capabilities (such as basic authentication passthrough, header replacements, non-HTTP publishing, backend farms, real load balancing etc.)



jpe posted this 18 April 2016

Thanks R. We do have rules that forward, say, 443 to ports, i.e. 50000, for some apps, and other servers have their own SSL certs so we just pass 443 straight through to those servers. Another bit: I can't see any reference to HTTP/HTTPS scanning either, which ISA performs now. Thanks for the reply and information.

Cheers,
John