ADFS Proxy Replacement on F5 BIG-IP
BIG-IP Access Policy Manager can now replace the need for Web Application Proxy servers providing security for your modern AD FS deployment with MS-ADFSPIP support released in BIG-IP v13.1. This article will provide a one stop shop for you to gather information on the solution and leverage it in your environment.
What is an AD FS Proxy?
AD FS proxies are Windows servers that give external users access to the AD FS farm on the internal network. This is done on a server called a Web Application Proxy (WAP). More recent versions of Active Directory Federation Services require the proxy to support MS-ADFSPIP (AD FS Proxy Integration Protocol), which involves client certificate authentication between the proxy and AD FS, trust establishment, header injection, and more. As noted above, BIG-IP APM v13.1 supports MS-ADFSPIP. You can see Microsoft’s notes on this and on supported third-party proxies here, noting that F5 is on the list.
Here’s a typical ADFS deployment:
So what does BIG-IP do for me?
Glad you asked! Here’s an example of the single-tier deployment architecture. You can also split these roles into a two-tier architecture.
As you can see, BIG-IP is taking the roles of both load balancer and the web application proxies protecting AD FS. In this diagram we’re adding additional security with Advanced WAF, DDoS, and Network Firewall services. You can see the F5/Microsoft announcement at Ignite here about this new feature.
If you want to understand more about the architecture, check out John Wagnon’s awesome lightboard lesson here.
How do I deploy it?
There are a few ways to do it. The simplest is with the latest iApp template to help you deploy everything, available from https://downloads.f5.com. Make sure you’re using at least v1.2.0rc6. You can also get the related deployment guide here.
If you want to deploy manually, there are instructions in the deployment guide. The support article here also covers basic deployment and how the pieces work. Who doesn’t love reading support articles?
For the admin, the new feature comes down to this amazingly simple checkbox:
Checking a box and entering credentials is WAY easier than deploying multiple Windows servers, configuring them as WAPs, establishing trust, then maintaining and securing them going forward. Access Policy Manager will maintain that trust, automatically exchanging certificates with AD FS before they expire.
Note that no access profile is assigned above. If you want one for more security flexibility, an access profile is supported as well. Check the deployment guide for requirements. If you don’t use one, no access sessions are used.
Here’s a quick video explaining the solution and demoing deployment using the iApp.
What else can I do?
You can add more security using access profiles to add preauthentication, multifactor, etc. A basic access policy (with Azure MFA optional) is included in the iApp. Also included in the iApp is network firewall policy deployment. You can add Advanced WAF features like brute force, credential stuffing, bot protection, and more if desired too.
- Graham_Alderso1 (Employee)
NPolitis, no, not a simple way. It may be possible with some iRules but the official supported method would continue to be two virtual servers. This also provides you with troubleshooting flexibility you probably don't want to lose.
You can deploy them at the same destination IP address, however, and use the source IP constraint on the VS page for the internal load-balancing-only virtual server. You'd constrain it to your internal network, e.g. 10.0.0.0/8 instead of the default 0.0.0.0/0. You would need to make this source address adjustment manually, outside the iApp with strictness disabled.
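As an added illustration of the two-virtual-server layout described in the reply above (this is not code from the article, the iApp, or F5), here is what the pair looks like in tmsh/bigip.conf syntax; the IP address, object names and pool are constructed placeholders, and the ADFS Proxy, SSL and HTTP settings on the external virtual server are left to the deployment guide rather than guessed:

```tmsh
# Constructed example, not from the article or the iApp. Two virtual servers
# share one destination (192.0.2.10:443, placeholder). BIG-IP hands a connection
# to the virtual server with the most specific matching source, so internal
# clients land on the load-balancing-only VS and everyone else on the proxy VS.

# Internal load-balancing-only virtual server: source constrained to the
# internal network (10.0.0.0/8, as in the reply) instead of 0.0.0.0/0.
# This is the field the iApp does not manage, so strictness must be off.
ltm virtual /Common/adfs_internal_lb_vs {
    destination /Common/192.0.2.10:443
    source 10.0.0.0/8
    ip-protocol tcp
    pool /Common/adfs_farm_pool
    profiles {
        /Common/tcp { }
    }
    source-address-translation {
        type automap
    }
}

# External ADFS proxy virtual server: default source, so it answers every
# client the internal VS does not claim. Attach the client-ssl, server-ssl,
# http and ADFS Proxy configuration exactly as the deployment guide describes.
ltm virtual /Common/adfs_proxy_vs {
    destination /Common/192.0.2.10:443
    source 0.0.0.0/0
    ip-protocol tcp
    pool /Common/adfs_farm_pool
    profiles {
        /Common/tcp { }
    }
    source-address-translation {
        type automap
    }
}
```

After editing, `tmsh list ltm virtual adfs_internal_lb_vs source` confirms the constraint took effect, and a connection from outside 10.0.0.0/8 should show up in the proxy VS statistics rather than the internal one.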
- Marvin (Cirrocumulus)
Hi Graham, I am looking into a similar implementation of F5 as ADFS proxy using Azure MFA. The first time I deploy the iApp using v1.2.0r8 I get the following message: "ADFS Trust Establishment Failed: Failed to establish ADFS trust relationship on the virtual server /UAT/testADFS.app/testADFS_adfs_vs_443: Can't connect to ADFS." What does it exactly need to do? Connect to the ADFS server, authenticate and establish a secure connection?
- Graham_Alderso1 (Employee)
Marvin, the primary ADFS server must be online and reachable to establish trust from the BIG-IP.
- CEMIT2 (Nimbostratus)
Hi Graham, we also are having Marvin's issue, both with RC8 via the official deployment instructions and with manual implementation via this article (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-13-1-0/12.html). We are on 13.1.1. We validated that communication is occurring between the VIP and the ADFS server, but it still fails to establish trust. Validated no drops on the firewall. We also went through Microsoft's Analyzer tool to validate our ADFS configuration. All pass. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-diagnostics-analyzer
Are there any other troubleshooting steps you can provide? Are there any non-OOB configuration steps taken on the ADFS server itself?
- Graham_Alderso1 (Employee)
No changes needed at the ADFS server. Are you entering your username in the correct format and is it an admin? It should be entered as: mydomain\myadminuser
- CEMIT2 (Nimbostratus)
Graham, thanks for the feedback. Yep, validated this again. We decrypted the traffic between the VIP's VLAN self-IP and our ADFS server, and the only traffic we see is the health checks.
Any more information you can provide on how the Virtual Server builds trust would be helpful.
Is there any reason why building trust wouldn't work on a standby node?
Also, maybe you can suggest for future release candidates of this iApp template that they include an error for incorrect credentials, apart from the connectivity one; I'm sure what you just mentioned has gotten others before.
Thanks again.
- Marvin (Cirrocumulus)
Ok Graham, I was just looking into the contents and how it is deployed, and I currently don't have any connection to the ADFS server, so that is normal. Is the iApp compatible with BIG-IP 14.1, and are there improvements to the ADFS integration with this new version, or is version 13.1 still the recommended version?
- Graham_Alderso1 (Employee)
CEMIT2, I'd suggest that you check the APM logs under /var/log/apm to see what the error message is. As far as building from a standby node, I haven't tried that. If you're trying that today, perhaps try from the active node. For more recent development of the template we've moved to the new Guided Configuration, which you'll see on your box under Access once upgraded to the latest release of 13.1 or later.
- Graham_Alderso1 (Employee)
Marvin,
Yes, the iApp is compatible and you can continue using it. However, as noted in the comment directly above, new development is now focused on enhancing the Guided Configuration process for deploying ADFS Proxy instead of the iApp. You'll find that it asks similar questions, but in a more "guided" fashion.
As far as which version, you'll have the same set of capabilities for ADFS Proxy specifically on 13.1 or 14.1, but obviously many other features have advanced significantly in 14.1 and I'd highly recommend checking it out.
- Micha (Nimbostratus)
Hi Graham, I have a question about the "these are your claims" page: is this a default page on the ADFS server, or how can I create it?