Forum Discussion
F5 Deployment Options for Microsoft AD FS
Hello everyone,
I have read over the F5 iApp/Microsoft AD FS Deployment Guide and have done my DD by researching online, however it seems all my researching and reading so far has proven to be fruitless. So here I am, hoping someone on DevCentral can help or place me in the right direction!
I am currently in the process of deploying AD FS on two MS 2012 R2 servers internally, with the need for external access. I would really much rather prefer NOT having to deploy the additional Proxy servers, but unfortunately our LTMs do not have the required fully licensed and provisioned APM module; we have 2 LTMs (running 11.4.1 HF4) in an HA pair. That being said, it looks like we will end up having 2 internal AD FS servers and 2 external AD FS Proxy servers. We are in the process of obtaining a quote for the addition of the APM module, as it seems this would be the most cost-effective, scalable, and administratively easy decision to go with. In the meantime, I am visiting the only other option: the "Load Balancing the AD FS Proxy server" deployment model.
This is where I have some questions, if anyone could assist, it would be greatly appreciated:
- When reading the deployment guide for the "LB the AD FS Proxy servers" model, if I am understanding this correctly, F5 recommends two LTMs in front of the actual AD FS farm (corporate) and then an additional two LTMs in front of the AD FS Proxy servers (DMZ)?
- If the above is correct, then I understand that at the moment the known and available deployment options are:
  - Have the required LTMs in front of the AD FS farm and in front of the AD FS Proxy, as specified in the documentation/deployment guide.
  - Obtain a fully licensed and provisioned APM module, which I can then use to deploy for AD FS (external access). By obtaining and deploying the APM module, this would remove the need for the two additional Microsoft AD FS Proxy servers.
- Are there any other deployment options besides the two listed above? Given that I only have 2 LTMs, and that is almost guaranteed not to change.
- Would there be any way for me to configure the LTMs in front of both the AD FS farm AND in front of the AD FS Proxy servers at the same time, with just the 2 LTMs?
- If it came down to it and I did have to deploy the two additional Microsoft AD FS Proxy servers, couldn't I get away with ONLY deploying the F5 LTMs in front of the AD FS farm? Or would this be pointless or not recommended? And why? Besides the lack of load-balancing the AD FS Proxy servers...
1 Reply
- mikeshimkus_111 (Historic F5 Account)
Hi,
Load balancing the AD FS Proxy servers isn't required; the diagram is displaying that option. You can deploy AD FS Proxy behind LTM, or on its own. Both would forward traffic to an LTM fronting the AD FS servers.
If you just have AD FS servers, you can secure them with APM doing pre-auth and SSO; no AD FS Proxy required in that scenario.
You could do 4 by deploying the iApp twice on the same pair of LTMs, with the AD FS Proxy VS listening only on the DMZ VLAN(s) and the Proxy server pointing to the AD FS VS, which would be listening on the internal VLAN. The AD FS VS would need to be Fast L4 (no SSL decryption).
Does that help?
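The "deploy the iApp twice on the same pair" layout from the reply above, sketched as an added tmsh configuration that is not from the post, the deployment guide or the iApp itself. VLAN names, addresses, object names, the HTTPS monitor and SSL passthrough on the DMZ-facing virtual server are assumptions; the iApp may generate different profiles and monitors.

```tmsh
# Added example (hypothetical names and RFC 5737 / private addresses).
# Deployment 1: external entry point for the AD FS Proxy servers.
# The virtual server is bound only to the DMZ VLAN, so internal hosts
# cannot reach it even though both VSs live on the same LTM pair.
create ltm pool adfs_proxy_pool members add { 10.1.20.11:443 10.1.20.12:443 } monitor https
create ltm virtual adfs_proxy_vs destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp } pool adfs_proxy_pool persist replace-all-with { source_addr } source-address-translation { type automap } vlans-enabled vlans add { dmz_vlan }

# Deployment 2: the AD FS farm itself, bound only to the internal VLAN.
# Fast L4 means the LTM never terminates TLS here; the Proxy servers and
# internal clients keep end-to-end TLS with the AD FS servers.
# The Proxy servers must resolve the federation service name to
# 10.1.10.10 (DNS or hosts file), as the reply describes.
create ltm pool adfs_farm_pool members add { 10.1.10.11:443 10.1.10.12:443 } monitor https
create ltm virtual adfs_farm_vs destination 10.1.10.10:443 ip-protocol tcp profiles add { fastL4 } pool adfs_farm_pool persist replace-all-with { source_addr } source-address-translation { type automap } vlans-enabled vlans add { internal_vlan }

# Check that each VS shows "vlans-enabled" with only its intended VLAN
# before saving; a VS left at the default (vlans-disabled) listens on all VLANs.
list ltm virtual adfs_proxy_vs
list ltm virtual adfs_farm_vs
save sys config
```

SNAT automap is included so the pool members return traffic through the LTM even when their default gateway is elsewhere; drop it if the Proxy or AD FS servers route back through the BIG-IP and you need the original client IP in the AD FS logs.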