BrianG_11931 (Nimbostratus), Dec 05, 2011
ADFS 2.0 Client Access Redirect iRule
Hello,
I'm setting up Microsoft ADFS 2.0 in our environment and one requirement is to 1) handle load balancing for federation servers (inside our network) as well as 2) handle load balancing for federation "proxy" servers (edge of our network). I'm pretty sure I can use 1 BIG-IP LTM v11.0 to accomplish this and continue to use 1 DNS server for the Federation Service name (ADFS.domain.com), but I've just started using the BIG-IP and haven't created any iRules before.
So far I've created the following configs, but 1) I'm unable to ping the Virtual Server and 2) I'm "unable to establish a trust between the federation server proxy and the Federation Service."
ADFS.domain.com & Public IP - Assigned a public IP address (reachable from inside and outside our network) in DNS that matches a BIG-IP Virtual Server IP address.
Virtual Server - Enabled communication over port 443 using "http" HTTP Profile and SSL Certificate for Client and Server.
iRule:
when HTTP_REQUEST {
    # Only steer requests for the Federation Service name
    if { [string tolower [HTTP::host]] eq "adfs.domain.com" } {
        # Private (RFC 1918) sources and the proxies' own public range go to the
        # internal federation servers; everything else goes to the proxies.
        if { [IP::remote_addr] starts_with "10." } { pool Internal_Pool }
        elseif { [IP::remote_addr] starts_with "Public IP Range Matching Virtual Server IP." } { pool Internal_Pool }
        elseif { [IP::remote_addr] starts_with "192.168." } { pool Internal_Pool }
        # 172.16.0.0/12 is not a clean string prefix, so match it as a CIDR block
        elseif { [IP::addr [IP::remote_addr] equals 172.16.0.0/12] } { pool Internal_Pool }
        else { pool External_Pool }
    }
}
Note: Replace "Public IP Range Matching Virtual Server IP." with the beginning part of our public IP address.
Pools:
External_Pool - 2 pool members running federation "proxy" servers.
Internal_Pool - 2 pool members running federation servers.
I'd at least like to know if this all looks correct and if anyone has experience setting up ADFS 2.0 like this with a single DNS and single load balancer, I'd appreciate the feedback!
Thanks
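The same source-based pool selection written against an address data group, as an added example that is not part of the original post: the ranges live in one object instead of a chain of string-prefix tests, so a change to the proxies' public range does not require editing the iRule. The data group name adfs_internal_nets and the 203.0.113.0/24 placeholder for the proxies' public range are assumptions.

```tcl
# Added example, not the poster's iRule. Assumes an address data group named
# "adfs_internal_nets" (hypothetical) defined in tmsh as:
#
#   ltm data-group internal adfs_internal_nets {
#       type ip
#       records {
#           10.0.0.0/8 { }
#           172.16.0.0/12 { }
#           192.168.0.0/16 { }
#           203.0.113.0/24 { }
#       }
#   }
#
# 203.0.113.0/24 is a placeholder for the public range the federation proxies
# connect from; replace it with the real range when deploying.
when HTTP_REQUEST {
    # Only steer requests for the Federation Service name; any other Host
    # header falls through to the virtual server's default pool.
    if { [string tolower [HTTP::host]] eq "adfs.domain.com" } {
        # IP::client_addr is the address the connection actually arrived from.
        # If a SNAT or an upstream device sits in front of this virtual server,
        # every request will carry that device's address and land in the
        # Internal_Pool branch, so the ranges below must describe what the
        # BIG-IP itself sees, not what the end user has.
        if { [class match [IP::client_addr] equals adfs_internal_nets] } {
            pool Internal_Pool
        } else {
            pool External_Pool
        }
    }
}
```

Internal clients and the proxies themselves reach the federation servers directly; every other source is handed to the proxy pool, which then re-enters the same virtual server from an address inside the data group.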