Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI”
Can you believe it? It’s true, it’s true! There’s a part 5. What can I say? Times change; people change; software changes. Active Directory Federation Services (ADFS) is no exception. While the BIG-IP with SAML 2.0 can alleviate the need for an ADFS infrastructure in many use cases, there are still organizations that need or want to continue utilizing ADFS. Fortunately, regardless of which way you go, F5 can help. So, in the spirit of free will, collaboration, and serving the greater good (too much?), let’s talk about load balancing ADFS 3.0 with the BIG-IP.
As you may or may not recall, the previous posts around BIG-IP and ADFS revolved around load balancing ADFS 2.0 and the ADFS Proxy, replacing the ADFS Proxy with Access Policy Manager (APM), and replacing the entire ADFS infrastructure with APM and SAML. The good news is that these posts are still relevant with regard to ADFS 3.0 and its proxy replacement, the Web Application Proxy (WAP); well, for the most part anyway.
ADFS and SNI
While there are numerous differences between ADFS 3.0 and previous versions, the most significant change with respect to providing HA and scalability for the ADFS 3.0 infrastructure is its use of Server Name Indication (SNI). ADFS 3.0 no longer sits behind IIS; its HTTP.sys listener binds the service certificate to the federation service hostname, so a TLS client that does not send that name in its ClientHello does not get a usable handshake. To successfully integrate a load balancing solution (including a full reverse proxy) into the ADFS environment, the device must therefore support SNI: it must present the server name to the backend host as part of the initial ClientHello. Fortunately, the BIG-IP (version 11.1.0 and later) supports this TLS protocol extension.
The rest of this post will provide guidance on enabling SNI support for ADFS 3.0 integration. For overall guidance refer to parts one through three of this series as well as the recently published ADFS 2.0 Deployment Guide.
SNI and the Server Profile
The BIG-IP provides a virtual server (listener) that receives client SSL connections and subsequently intelligently passes traffic into a pool of ADFS/WAP servers. Depending upon the organization’s infrastructure and security requirements, the BIG-IP can simply receive encrypted client connections and pass them through to the backend ADFS farm (SSL passthrough, sometimes called SSL tunneling). In that mode the client’s own ClientHello, SNI included, reaches the ADFS server unchanged. However, the preferred method, SSL bridging, terminates and decrypts the client connection on the BIG-IP; the traffic is then re-encrypted and sent to the backend application servers over a TLS session that the BIG-IP itself opens. This method adds a layer of security, since external traffic never connects directly to the internal, domain-joined machines, and it affords the ability to perform additional deep packet inspection on the decrypted traffic. It also means the BIG-IP, not the client, has to supply the server name on the backend connection.
SSL bridging back to the ADFS farm requires associating a server SSL profile with the virtual server. Enabling SNI is simply a matter of specifying the server name on that server SSL profile (see below).
1. Navigate to the appropriate server SSL profile (‘Local Traffic’ -> ‘Profiles’ -> ‘SSL’ -> ‘Server’);
2. Select the ‘Advanced’ configuration and enter the FQDN of the backend ADFS service in the ‘Server Name’ field. Use the federation service name (the hostname the ADFS servers have their certificate bound to), not an individual server’s machine name. The hostname will now be sent during the TLS negotiation. In the example below, the server name is ‘fs.f5demo.net’ (refer to the highlighted field). Like I said, simple!
Health Monitoring and SNI
Effectively monitoring the backend ADFS/WAP farm members is a little trickier, but very doable. Since the built-in HTTPS monitors do not send the server name as part of the TLS negotiation, using them will result in the backend servers being incorrectly marked down (not good).
You could simply use a non-HTTP monitor (ICMP being the most common), but that doesn’t provide a reasonable guarantee that the actual ADFS service is functioning. Better than that, we can create a custom, SNI-enabled external monitor that fetches the federation metadata over TLS and associate it with the pool. It’s as easy as 1, 2, 3... um... 4, 5, 6.
1. Download the script: http://www.f5.com/pdf/deployment-guides/sni-eav.zip
2. Extract the script from the zip and upload it to the BIG-IP via the web interface. Navigate to ‘System’ -> ‘File Management’ -> ‘External Monitor Program File List’ -> ‘Import’;
IMPORTANT!!!
If the ADFS proxy server is configured to accept SSL/TLS connections only using TLSv1.1 or better, the curl-based check in the script will not work.
I have come up with this one-liner to replace the “curl” based command in the script. Thanks to Jerry Tower for helping fix the actual HTTP request as well as testing the script.
(echo -e "GET $URI HTTP/1.1\r\nHost: $HOST\r\nConnection: Close\r\n\r\n"; sleep 2) | openssl s_client -quiet -servername "$HOST" -connect "$NODE:$PORT" 2> /dev/null | grep -i "$RECV" > /dev/null 2>&1
Note the single hyphens on ‘-quiet’ and ‘-servername’ (the options do not take a double dash). The ‘-servername’ option places $HOST in the ClientHello, the ‘sleep 2’ keeps the pipe open long enough for the response to come back, and because all output is discarded it is the exit status of grep that tells the script whether to report the member up.
The script line that this one-liner should replace is the following:
curl-apd -k -v -i --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" 2>&1 > /dev/null
3. Browse to and select the file. Provide a name for the file and select ‘Import’;
4. Create a new external monitor that uses the imported program file. Navigate to ‘Local Traffic’ -> ‘Monitors’ -> ‘+’ sign;
5. Provide a name and select ‘External’ for the type. Select the previously imported external program. The script requires three (3) variables, entered as name/value pairs. The variables are listed below. Select ‘Finished’;
Name | Value
RECV | HTTP/1.1 200
URI | /FederationMetadata/2007-06/FederationMetadata.xml
HOST | the federation service FQDN that is sent as the SNI name (fs.f5demo.net in this example)
6. Associate the newly created monitor with the ADFS pool and/or the WAP pool. Select ‘Local Traffic’ -> ‘Pools’ -> ‘Pool List’, open the pool, move the monitor into the ‘Active’ pane, and select ‘Update’.
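To make steps 1 through 6 concrete, here is a complete external monitor script of the kind the procedure describes. It is an added example written for this post; it is not the sni-eav.zip script from F5 and was not taken from it. It follows the BIG-IP external monitor contract (bigd runs the script with the node address and port as its two arguments, the RECV, URI and HOST name/value pairs arrive as environment variables, and any output on stdout marks the member up) and uses the openssl s_client probe from above so that the server name goes into the ClientHello. The default values, the pid file path and the decision to inspect only the HTTP status line are assumptions made for this example.

```bash
#!/bin/bash
# adfs_sni_monitor.sh: BIG-IP external (EAV) monitor that sends the TLS
# Server Name Indication extension when probing an ADFS 3.0 / WAP member.
# Added example for this post, not F5's sni-eav script.
#
# bigd invokes the script as:  <script> <node address> <node port>
# and treats ANY output on stdout as "member UP"; silence means DOWN.
# RECV, URI and HOST come from the monitor's name/value pairs (exported
# as environment variables). The defaults below are constructed for the
# example and are only used when the monitor does not set them.
RECV="${RECV:-HTTP/1.1 200}"
URI="${URI:-/FederationMetadata/2007-06/FederationMetadata.xml}"
HOST="${HOST:-fs.f5demo.net}"

# bigd hands over IPv4 members in IPv6-mapped form (::ffff:10.1.1.10);
# openssl wants the plain address.
node_address() {
    printf '%s' "$1" | sed 's/^::ffff://'
}

# Build the HTTP/1.1 request. The Host header must carry the same
# federation service name as the SNI extension, because ADFS 3.0's
# HTTP.sys binding is keyed on that hostname.
build_request() {
    # $1 = URI, $2 = hostname
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2"
}

# UP/DOWN decision. Only the status line is examined, so a 503 from a WAP
# whose trust with the farm is broken counts as DOWN even if the error
# page happens to mention the expected string somewhere in its body.
response_is_up() {
    # $1 = raw response text, $2 = expected status-line substring
    printf '%s' "$1" | head -n 1 | grep -qi -- "$2"
}

# TLS probe. openssl s_client negotiates the highest protocol version both
# sides support, so it keeps working where the curl-based check fails
# against a TLS 1.1+ only WAP. -servername puts $HOST in the ClientHello;
# the sleep keeps stdin open while the response is read.
probe() {
    # $1 = node IP, $2 = port
    { build_request "$URI" "$HOST"; sleep 2; } \
        | openssl s_client -quiet -servername "$HOST" -connect "$1:$2" 2>/dev/null
}

monitor() {
    local node port pidfile response
    node=$(node_address "$1")
    port="$2"
    # bigd may fire the next probe before the previous one has finished;
    # the conventional EAV pid file lets us kill the stale instance.
    pidfile="/var/run/$(basename "$0").$node.$port.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1
    fi
    echo $$ > "$pidfile"

    response=$(probe "$node" "$port")
    rm -f "$pidfile"

    if response_is_up "$response" "$RECV"; then
        echo "UP"          # any stdout output marks the member UP
    fi
    # no output: bigd marks the member DOWN when the monitor times out
}

# bigd always supplies address and port; guarding on them lets the helper
# functions be sourced and exercised by hand without opening a connection.
if [ "$#" -ge 2 ]; then
    monitor "$@"
fi
```

The probe function doubles as a quick manual check from the BIG-IP shell: run it once with and once without the -servername option against an ADFS 3.0 member and the second attempt will not return the metadata, which is exactly the behaviour that breaks the built-in HTTPS monitor. Keep the monitor’s own Timeout setting comfortably above the two-second sleep, since the script relies on bigd rather than on an internal timer to reap a hung probe.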
Additional Links:
Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”
Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”
Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”
Big-IP and ADFS Part 4 – “What about Single Sign-Out?”
BIG-IP Access Policy Manager (APM) Wiki Home - DevCentral Wiki
- Loren_Hudson_14 (Nimbostratus): Well, I tried to follow this very simple recipe and failed. I have even added the 3 corrections listed in the comments above. I am very surprised that the original page has not been fixed. I am confused about which FQDN I should add as an SSL profile and for the SNI. I have tried the FQDN of the ADFS server and the FQDN of my external presence. In both cases it fails anyway. Does anyone have a more inclusive set of directions, starting with settings for creating the external VS and the ADFS pool?
- Dragan_24408 (Nimbostratus): Also, one more adjustment. There should be a space in the script line: curl-apd -k -v --resolve $SNI:$PORT:$NODE https://$SNI$URI 2>&1 > /dev/null | grep -i "${RECV}" should have been, with a space after "curl": curl -apd -k -v --resolve $SNI:$PORT:$NODE https://$SNI$URI 2>&1 > /dev/null | grep -i "${RECV}" :)
- Damien_Solodow_ (Nimbostratus): Two items to adjust: The first character in line 4 of the script should be instead of s. The correct value for the RECV variable should be HTTP/1.1 200; there shouldn't be a period after the second 1. Once I made those adjustments it worked correctly. :)
- WK_98444 (Nimbostratus): In the last image of your example, shouldn't the monitor name be "ADFS3.0_Monitor", not SNI_EAV?