Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server3. The network contains a standalone server named Server2.
All servers run Windows Server 2012 R2. The servers are configured as shown in the following table.
Server3 hosts an application named Appl. App1 is accessible internally by using the URL https://
appl.contoso.com. App1 only supports Integrated Windows authentication. You need to ensure that all users
from the Internet are pre-authenticated before they can access Appl.
What should you do?
To answer, drag the appropriate servers to the correct actions. Each server may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Answer: 
“publish new Application Wizard” is stated as to be run on the WAP in this article:
https://technet.microsoft.com/en-us/library/dn383640(v=ws.11).aspx
(which was btw also my first thought)
but I’m no expert with these topics 🙁
maybe somebody could explain…thanks!
I’m no expert either, but this link:
https://technet.microsoft.com/en-us/library/dn280943(v=ws.11)#BKMK_3
contained in your page, explains it further. The certificate would be needed to verify the app1 server.
The answer seems correct.
I’m a bit confused about this setup as well. According to the link provided by Den:
“You must join the Web Application Proxy server to the Active Directory® Domain Services domain before you can publish applications that use Integrated Windows authentication.”
Only if you use single signon you need the WAP domain joined, it says ‘App1 only supports Integrated Windows authentication’ so WAP can be standalone.
Answers are correct.