Forum Discussion

raydakis
Apr 14, 2023

ADFS WAP servers failed to establish trust with ADFS 2019 servers using internal vip

Hello guys,

We are in an ADFS 2019 environment.
I have 2 ADFS servers internally and 2 WAP servers in the DMZ.
I have 1 VS (SSL bridging on the DMZ F5) to load balance the WAP servers for external users
and another VS (SSL bridging on the internal F5) to load balance the ADFS servers for internal users.
The WAPs go through the internal VIP, which load balances the internal ADFS servers.
The problem seems to be with the trust with the primary ADFS server (using the PowerShell command "Install-WebApplicationProxy").
The WAP servers are not able to re-establish the trust.
But the trust works when the WAP servers point directly to an internal ADFS server.

Please advise how I can fix this.

Thanks,

  • Is it possible to try the following:

    VS #1 (traffic between external users and WAP servers) - Configure SSL bridging
    VS #2 (traffic between WAP servers and ADFS servers) - Configure SSL pass-through

    I believe the reason for the trust failing is due to there being SSL client authentication between the WAP servers and ADFS servers. So therefore on VS #2, you can only have SSL pass-through, otherwise it will break this client authentication.
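    The check a practitioner would run before re-establishing the trust, as an added example that is not part of the thread: from a WAP server, retrieve the certificate presented by the internal VIP and by each ADFS node directly and compare thumbprints. If the VIP presents a different certificate than the nodes, the F5 is terminating TLS on that virtual server (SSL bridging), so the WAP's TLS client-certificate authentication toward ADFS never reaches the ADFS servers. On the F5 side, pass-through for VS #2 simply means the virtual server carries no client SSL or server SSL profile. The hostnames, the credential prompt and the thumbprint choice below are assumptions; `Install-WebApplicationProxy` and its parameters are the real cmdlet from the Web Application Proxy module.

    ```powershell
    # Added diagnostic, not code from the forum thread.
    # Hostnames are placeholders (assumptions); replace them with your own.
    $FederationServiceName = 'sts.example.com'                  # assumed federation service name
    $InternalVip           = 'adfs-vip.internal.example.com'    # assumed internal F5 VIP (VS #2)
    $AdfsNodes             = @('adfs01.internal.example.com',
                               'adfs02.internal.example.com')   # assumed ADFS node names

    function Get-TlsServerCertificate {
        # Opens a TLS session to $Target with SNI $Sni and returns the server certificate.
        param(
            [Parameter(Mandatory)] [string] $Target,   # host or IP to connect to
            [Parameter(Mandatory)] [string] $Sni,      # name sent in SNI (the federation service name)
            [int] $Port = 443
        )
        $client = [System.Net.Sockets.TcpClient]::new($Target, $Port)
        try {
            # Accept any server certificate: this is a diagnostic probe, not a trust decision.
            $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noCheck)
            try {
                $ssl.AuthenticateAsClient($Sni)
                return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            } finally { $ssl.Dispose() }
        } finally { $client.Dispose() }
    }

    $vipCert = Get-TlsServerCertificate -Target $InternalVip -Sni $FederationServiceName
    'VIP  {0}: {1} ({2})' -f $InternalVip, $vipCert.Subject, $vipCert.Thumbprint

    $mismatch = $false
    foreach ($node in $AdfsNodes) {
        $nodeCert = Get-TlsServerCertificate -Target $node -Sni $FederationServiceName
        'Node {0}: {1} ({2})' -f $node, $nodeCert.Subject, $nodeCert.Thumbprint
        if ($nodeCert.Thumbprint -ne $vipCert.Thumbprint) { $mismatch = $true }
    }

    if ($mismatch) {
        # The F5 is terminating TLS (bridging): the WAP's client certificate is consumed by
        # the F5 and ADFS never sees it, so the trust cannot be established through the VIP.
        Write-Warning ('{0} presents a different certificate than the ADFS nodes. ' +
                       'Switch VS #2 to SSL pass-through (no client/server SSL profile) ' +
                       'before re-establishing the WAP trust.') -f $InternalVip
    } else {
        # Same certificate end to end: TLS is passed through to ADFS. Re-establish the trust
        # against the VIP. -CertificateThumbprint must be the federation service SSL
        # certificate already installed in the WAP's local machine store (assumed here to be
        # the same certificate the VIP just presented); the credential is a local
        # administrator on the primary ADFS server.
        $cred = Get-Credential -Message 'Local administrator on the primary ADFS server'
        Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
            -FederationServiceTrustCredential $cred `
            -CertificateThumbprint $vipCert.Thumbprint
    }
    ```

    Run it from the WAP server itself so the path tested is the one `Install-WebApplicationProxy` will use. Once VS #2 is pass-through, the F5 can no longer read HTTP on that virtual server, so any HTTP-based persistence or header insertion configured there stops applying; persistence for the WAP-to-ADFS path has to be source-address based if it is needed at all.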

    • raydakis

      Hello Michael,

      I'll try it.

      Many thanks,