Forum Discussion

wlopez
Feb 24, 2023

ADFS Proxy balancing with LTM and Advanced WAF, without APM

Looking to do a new F5 configuration to load balance and protect with Advanced WAF a pair of existing Office 365 ADFS Proxy servers running the 2019 version.

I see that F5 is no longer supporting iApps for Office 365.

The new supported configuration seems to be using Guided Configuration.

All articles I've found so far require using APM.

The F5 appliances we can use are running version 15.1.x and don't have APM, only LTM and Advanced WAF.

Is there an officially supported solution to do ADFS Proxy (version 2019 or later) load balancing with Advanced WAF protections?

If there isn't, should we still use the last version of the iApp Templates instead?

5 Replies

  • Hi mate,

    You're right, the iApp for o365 is no longer supported. Microsoft changed its ADFS proxy requirements and certification. This means that, to sit in front of an ADFS server farm and proxy the ADFS authentication workflow, the vendor (F5) must be ADFSPIP compliant. Lucky for us, F5 is.

    But this certification requires additional steps, such as MTLS between BIGIP and the ADFS farm servers. And F5 integrated this development in APM only.

    Without APM, you can still load-balance ADFS farms with LTM + AWAF (traditional L3 or L7 load balancing), but your deployment will not be ADFSPIP compliant. The ADFS farm will be load balanced like any other web server.

    Hope this helps.

    • wlopez

      Matthieu,

      Thanks for the detailed response.

      Does this apply to all Office 365 versions?

      The client I'm analyzing will do a deployment of Office 365 version 2019 and is asking for WAF protections for the internet facing ADFS servers.

      • Matt_Dierick (Employee)

        I think you are referring to the Office 365 Applications version 2019. Office 365 (the cloud service) does not have any version.

        Yes, it applies to all ADFS and client versions.