ADFS Proxy Replacement on F5 BIG-IP
BIG-IP Access Policy Manager can now replace the need for Web Application Proxy servers providing security for your modern AD FS deployment with MS-ADFSPIP support released in BIG-IP v13.1. This article will provide a one stop shop for you to gather information on the solution and leverage it in your environment.
What is an AD FS Proxy?
AD FS proxies are Windows servers that give external users access to the AD FS farm on the internal network. This role runs on a server called a Web Application Proxy (WAP). More recent versions of Active Directory Federation Services require the proxy to support MS-ADFSPIP (the AD FS Proxy Integration Protocol), which involves client certificate authentication between the proxy and AD FS, trust establishment, header injection, and more. As noted above, BIG-IP APM v13.1 supports MS-ADFSPIP. You can see Microsoft's notes on this and the supported third-party proxies here; note that F5 is on the list.
Here’s a typical ADFS deployment:
So what does BIG-IP do for me?
Glad you asked! Here’s an example of the single tier deployment architecture. You can also split these roles into a two tier architecture.
As you can see, BIG-IP is taking the roles of both load balancer and the web application proxies protecting AD FS. In this diagram we’re adding additional security with Advanced WAF, DDoS, and Network Firewall services. You can see the F5/Microsoft announcement at Ignite here about this new feature.
If you want to understand more about the architecture, check out John Wagnon’s awesome lightboard lesson here.
How do I deploy it?
There are a few ways to do it. The simplest is with the latest iApp template to help you deploy everything, available from https://downloads.f5.com. Make sure you’re using at least v1.2.0rc6. You can also get the related deployment guide here.
If you want to deploy manually, there are instructions in the deployment guide. The support article here also covers basic deployment and how the pieces work. Who doesn’t love reading support articles?
For the admin, the new feature comes down to this amazingly simple checkbox:
Checking a box and entering credentials is WAY easier than deploying multiple Windows servers, configuring them as WAPs, establishing trust, then maintaining and securing them going forward. Access Policy Manager will maintain that trust, exchanging certificates automatically before they expire with AD FS.
Note that no access profile is assigned above. If you want one for more security flexibility, an access profile is supported as well; check the deployment guide for its requirements. If you don't use one, no access sessions are used.
Here’s a quick video explaining the solution and demoing deployment using the iApp.
What else can I do?
You can add more security using access profiles to add preauthentication, multifactor authentication, etc. A basic access policy (with Azure MFA optional) is included in the iApp. Also included in the iApp is network firewall policy deployment. You can add Advanced WAF features like brute force, credential stuffing, and bot protection if desired.
- Graham_Alderso1 (Employee)
You'll implement changes to the logon page object similar to this: https://devcentral.f5.com/s/articles/office-365-logon-enhancement-username-capture-27497
That article is using APM as SAML IdP instead of ADFS, but in both SAML and WS-Fed (ADFS) cases the username is sent along and you can extract it to insert into the APM logon page.
- Karthik_Krishn1 (Cirrostratus)
Thanks Graham. I used the information from your link and from another to configure pre-population for when F5 was the SAML IdP; however, it's not working for the ADFS implementation. The branch rule "expr { [mcget {session.logon.last.username}] ne "" }" fails; however, it goes further when I use "expr { [mcget {session.logon.last.username}] }" but then fails the AD query ('no matching user found with filter userPrincipalName='). I even tried changing it to sAMAccountName but no luck. I got rid of the AD query and the logon page shows up with the username field blanked out.
I have this working for the F5 as SAML iDP and my thought was the same as what you suggested but I think there is some subtle change that is affecting the behaviour in this case.
- Karthik_Krishn1 (Cirrostratus)
I was able to solve this issue and am able to pre-populate the user name.
- raZorTT (Cirrostratus)
Hi,
Wondering if anyone has had an issue when selecting an existing Access Profile? We are running v11.4.1 (soon to be upgraded) but when we select an existing profile the F5 never returns the HTTP response to the client.
Looking in the logs, we can see the access policy completing, but the client just gets a connection error.
If we select do not provide secure authentication using APM, and then disable strict updates and manually assign our existing access profile it works.
Nothing obvious stands out in the LTM logs.
Cheers, Simon
- Graham_Alderso1 (Employee)
Hello Simon,
I have not seen this issue but recommend upgrading to 13.1 before spending any more time troubleshooting this use case since 13.1 is required for MS-ADFSPIP support, which is required by Microsoft to act as an ADFS Proxy.
- raZorTT (Cirrostratus)
Thanks Graham,
12.1.3 is as high as we can go in the short term due to hardware.
Is MS-ADFSPIP required for ADFS 4.0? We currently only run ADFS 3.0, but handy to know the requirements when we look to update.
Cheers, Simon
- Graham_Alderso1 (Employee)
Yes, unfortunately MS-ADFSPIP is required for full MS support from ADFS 3 (Windows 2012) on.
- a_basharat (Nimbostratus)
Hi Graham, I understand from the article and the users' comments that any F5 image version above "v13.1" (i.e. v14) will work. Can you confirm? Is there any field or visible option on the APM that corroborates the support for MS-ADFSPIP?
- Graham_Alderso1 (Employee)
a.basharat you are correct regarding versions. Support for this feature can be verified on your BIG-IP by checking for the ADFS Proxy section shown in the screenshot under the "How do I deploy it" heading above.
- NPolitis_234832 (Nimbostratus)
Hi,
Is there any easy way (meaning not deploying a second virtual server) to differentiate "inside" users from "outside" users when using the APM ADFS Proxy feature?
Regards,
NPO