I LOVE POWERSHELL
Web Application Proxy LOVES POWERSHELL
For us, PowerShell is the fundamental API to our system. This is how the UI works. This is how our remote management works. This is how we test the product. This is how we deploy it in our own labs.
As you probably noticed, the UI wizards always end by showing you the PowerShell command they send to apply the changes. This is a great way for you to learn the basics and how to start doing the regular stuff. But we have more for you. Here are some advanced commands and how you can use them with the PowerShell goodies to better manage your Web Application Proxy deployments.
To start, here are the command aliases that allow much shorter and more readable scripts:
cmdlet | alias |
Add-WebApplicationProxyApplication | awpa |
Get-WebApplicationProxyApplication | gwpa |
Set-WebApplicationProxyApplication | swpa |
Remove-WebApplicationProxyApplication | rwpa |
Get-WebApplicationProxyConfiguration | gwpc |
Set-WebApplicationProxyConfiguration | swpc |
Get-WebApplicationProxyAvailableADFSRelyingParty | gwpr |
Get-WebApplicationProxyHealth | gwph |
Now let’s see the most common PowerShell tricks using the standard cmdlets:
Show published applications that have ADFS as their preauthentication method | Get-WebApplicationProxyApplication | ? {$_.ExternalPreauthentication -eq 'ADFS'} |
Export all published applications to a file | Get-WebApplicationProxyApplication | Export-Clixml "ExportedApps" |
Import published applications from a file | Import-Clixml "ExportedApps" | Add-WebApplicationProxyApplication |
Getting full help on the set command | Get-Help -Full Set-WebApplicationProxyApplication |
List all the details on all the certificates that are used by published apps. Note: the cert: provider does not support filter | $WAP_Certs = (gwpa).ExternalCertificateThumbprint | sort -Unique ; dir Cert:\LocalMachine\my | ? {$WAP_Certs -contains $_.Thumbprint} | fl -Property * |
Add a machine to the Web Application Proxy connected servers list | swpc -ConnectedServersName ((gwpc).ConnectedServersName + 'ServerToAdd') |
Remove a machine from the Web Application Proxy connected servers list | swpc -ConnectedServersName ((gwpc).ConnectedServersName -ne 'ServerToRemove') |
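The preauthentication filter and the certificate listing above can be combined into one audit of what is published and how. The following is an added example, not code from the original post: the function name, finding labels, 30-day threshold and sample objects are assumptions, and the sample data is constructed so the block runs without a Web Application Proxy server.

```powershell
# Added example. Get-WapPublishingAudit and its finding labels are hypothetical names.
function Get-WapPublishingAudit {
    param(
        [Parameter(Mandatory)] [object[]] $Application,   # from Get-WebApplicationProxyApplication
        [Parameter(Mandatory)] [object[]] $Certificate,   # from dir Cert:\LocalMachine\My
        [int] $WarnDays = 30,                             # assumed warning threshold
        [datetime] $Now = (Get-Date)
    )
    # Index the store by thumbprint so each application needs one lookup.
    $byThumb = @{}
    foreach ($c in $Certificate) { $byThumb[$c.Thumbprint.ToUpper()] = $c }

    foreach ($app in $Application) {
        $findings = @()
        $daysLeft = $null
        # Pass-through publishing forwards requests without preauthentication at the proxy.
        if ($app.ExternalPreauthentication -eq 'PassThrough') { $findings += 'NoPreauthentication' }
        $thumb = $app.ExternalCertificateThumbprint
        if ($thumb) {
            $cert = $byThumb[$thumb.ToUpper()]
            if (-not $cert) {
                $findings += 'CertificateNotInStore'
            } else {
                $daysLeft = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
                if ($daysLeft -lt 0) { $findings += 'CertificateExpired' }
                elseif ($daysLeft -le $WarnDays) { $findings += 'CertificateExpiringSoon' }
            }
        }
        [pscustomobject]@{
            Name              = $app.Name
            ExternalUrl       = $app.ExternalUrl
            Preauthentication = $app.ExternalPreauthentication
            DaysLeft          = $daysLeft
            Findings          = $findings -join ','
        }
    }
}

# Constructed sample data standing in for the cmdlet and certificate store output.
$now  = Get-Date '2024-01-01'
$apps = @(
    [pscustomobject]@{ Name='Portal'; ExternalUrl='https://portal.example.test/'; ExternalPreauthentication='ADFS'; ExternalCertificateThumbprint=('AA' * 20) }
    [pscustomobject]@{ Name='Legacy'; ExternalUrl='https://legacy.example.test/'; ExternalPreauthentication='PassThrough'; ExternalCertificateThumbprint=('BB' * 20) }
    [pscustomobject]@{ Name='Orphan'; ExternalUrl='https://orphan.example.test/'; ExternalPreauthentication='ADFS'; ExternalCertificateThumbprint=('CC' * 20) }
)
$certs = @(
    [pscustomobject]@{ Thumbprint=('AA' * 20); NotAfter=$now.AddDays(200) }
    [pscustomobject]@{ Thumbprint=('BB' * 20); NotAfter=$now.AddDays(10) }
)
Get-WapPublishingAudit -Application $apps -Certificate $certs -Now $now | ft -AutoSize
```

On a Web Application Proxy server, pass the live data instead: `Get-WapPublishingAudit -Application (gwpa) -Certificate (dir Cert:\LocalMachine\My)`.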
As Web Application Proxy is a standard Windows Server role service, you can use many Windows Server PowerShell tools to control Web Application Proxy:
Shows Web Application Proxy Windows services status | Get-Service 'appproxysvc','appproxyctrl','adfssrv' | fl -Property * |
Shows the configuration of Web Application Proxy Windows service | Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='appproxysvc'" |
Get Best Practices Analyzer (BPA) results for the Remote Access role | Invoke-BpaModel Microsoft/Windows/RemoteAccessServer ; Get-BpaResult Microsoft/Windows/RemoteAccessServer |
List all the events that Web Application Proxy had in the last 24 hours with their ID, Level and Message. | $yesterday = (Get-Date) - (New-TimeSpan -Day 1) ; Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; StartTime=$yesterday} | group -Property ID,LevelDisplayName,Message -NoElement | sort Count,Name -Descending | ft -AutoSize |
Read Web Application Proxy registry keys | Get-ItemProperty hklm:\software\microsoft\appproxy |
Read Web Application Proxy performance counters at current point | Get-Counter '\Web Application Proxy\*' |
Return the number of currently active requests | (Get-Counter '\Web Application Proxy\active requests').CounterSamples.CookedValue |
And finally, here are some tricks for managing Web Application Proxy multi-machine deployments:
Show the status of Web Application Proxy related services on all the connected servers grouped by their status. Note: Same syntax would work with any command that supports the ComputerName parameter. E.g. set-service, get-process | Get-Service 'appproxysvc','appproxyctrl','adfssrv' -ComputerName ((gwpc).ConnectedServersName) | sort Status,MachineName,Name | ft MachineName,Name -AutoSize -GroupBy Status |
Restart the Web Application Proxy service on all the connected servers and print the name of the machines | Invoke-Command -ScriptBlock {Restart-Service 'appproxysvc'; (Get-WmiObject -Class Win32_ComputerSystem).Name} -ComputerName ((gwpc).ConnectedServersName) |
Show the names of all the connected servers that had event 12000 in the last 10 hours | Foreach ($Server in (gwpc).ConnectedServersName) {Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-WebApplicationProxy/Admin'; ID=12000; StartTime=(Get-Date) - (New-TimeSpan -Hour 10)} -ComputerName $Server -ErrorAction SilentlyContinue | group MachineName -NoElement | ft Name -HideTableHeaders } |
Show all IP addresses of all servers in the cluster. Note: 1. This will work only if remote management is enabled on all servers using Kerberos 2. Same syntax would work with any command that supports the CimSession parameter 3. New-CimSession can accept admin credentials. | Get-NetIPAddress -CimSession (New-CimSession -ComputerName ((gwpc).ConnectedServersName)) | ft IPAddress |
$Author.Name =“Meir Mendelovich”
$Author.Role =Microsoft.ProductGroupTitles.SeniorProgramManager
CLS