
Forum Discussion

AlanMoen
Mar 10, 2015

ADFS iApp SSL Question

I've got the latest version of the iApp (f5.microsoft_adfs.v1.0.0rc3.zip) but I have a question about the SSL section. I've terminated SSL connections on the F5 before but have never done a pass through, so forgive me if it's a dumb question, but I'm confused.


As I mention above, our intent is to use the SSL pass through instead of decrypting and then re-encrypting the traffic. My understanding for this is that we wouldn't use an SSL profile (client or server) on the LTM at all, but that doesn't seem to be an option in the iApp.


I'm setting up the ADFS (internal) servers, not the proxies and we're using ADFS 3.0. My LTM is BIG-IP 11.4.1 HF6.


Anyone know what I should do? I'm short on time, so I'll probably have to skip the iApp and do it all manually, but would still like to know for future installs.


6 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Alan, if you aren't using APM, you can deploy using the template, disable strictness in the iApp properties, and then remove the http and ssl profiles from the virtual server. You could even switch the virtual server type to Fast L4 for better performance.

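The steps in this reply, expressed as tmsh commands (an added example, not from the thread or from F5's iApp). The application-service, virtual-server and profile names are placeholders; the real names are generated by the iApp under /Common/<service>.app/.

```tmsh
# Added example: tmsh equivalents of the steps in the reply above.
# Object names are placeholders; the iApp generates the real names.

# 1. Disable strict updates so manual changes to iApp-created objects are kept
#    instead of being reverted by the template.
modify sys application service adfs_iapp.app/adfs_iapp strict-updates disabled

# 2. Inspect the profiles the template attached to the virtual server.
list ltm virtual adfs_iapp.app/adfs_iapp_vs profiles

# 3a. Pass-through on a standard virtual server: drop the HTTP and SSL profiles
#     so the BIG-IP no longer terminates (or inspects) TLS for this service.
#     Profile names are placeholders for whatever step 2 listed.
modify ltm virtual adfs_iapp.app/adfs_iapp_vs profiles delete { adfs_iapp_http adfs_iapp_clientssl adfs_iapp_serverssl }

# 3b. Or switch the virtual server to Fast L4 outright: fastL4 replaces the
#     TCP/HTTP/SSL profile stack, leaving pool and persistence settings untouched.
modify ltm virtual adfs_iapp.app/adfs_iapp_vs profiles replace-all-with { fastL4 }

# 4. Verify: the list should now show only fastL4, with no clientssl, serverssl or http.
list ltm virtual adfs_iapp.app/adfs_iapp_vs profiles
save sys config
```

After either change the BIG-IP forwards the TLS session as opaque TCP, so any HTTP-layer processing the template configured on this virtual server (HTTP profile settings, iRules that inspect requests) no longer applies to it.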

  • You really should be using Fast L4 for ADFS 3.0 on Server 2012 R2. ADFS on 2012 doesn't use IIS anymore, so having an HTTP profile on an L4 rule will actually stop it from working. We have this deployed and I'd be happy to explain further if needed.


    • Joseph_Johnson_
      I was getting an authentication loop when logging into my ADFS 3.0 sign-in page; I changed to Fast L4 and now I am able to sign in. Thanks!
  • Mikeshimkus - thanks for the very quick response; I'll give it a shot.


    Jeff - I went through the iApp and it uses a standard virtual server with 443 as the service port. Mikeshimkus says I can modify the virtual server to a Fast L4 (which supports HTTPS but looks like it removes the http and ssl profiles); I have done this and am now waiting for my server team to install the servers. Is this what you're saying?


    Thanks for the responses!!


  • I've got the internal piece running, using the iApp with strictness disabled and setting the VS to Fast L4. It appears to be working; I'll know for sure once we get the proxy servers/LTMs up in the DMZ.


    Thanks again for the assistance!