adfs
18 Topics

ADFS load balancing using CNAME record but against MS guidelines?
We would like to load balance our ADFS using our BigIP load balancer. I'm not a networking guy or expert on BigIP so forgive me for any omissions/inaccuracies. The standard practice to load balance any Windows based service is to:
Create a subzone of your DNS domain zone in question, e.g. lb.contoso.com
Make the LBs authoritative for this zone (i.e. they become the name servers)
Within your contoso.com DNS zone, create a CNAME record of adfs.contoso.com mapping it to adfs.lb.contoso.com
And finally configure your nodes inside BigIP
However, MS explicitly state not to create a CNAME record for ADFS (and some other services too). Here is the snippet from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements (AD FS 2016 Requirements). It says (see line in bold):
DNS Requirements
For intranet access, all clients accessing AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name to the load balancer for the AD FS servers or the AD FS server. For extranet access, all clients accessing AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web Application Proxy servers or the Web Application Proxy server. Each Web Application Proxy server in the DMZ must be able to resolve AD FS service name to the load balancer for the AD FS servers or the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file. For Windows Integrated authentication, you must use a DNS A record (not CNAME) for the federation service name. For user certificate authentication on port 443, "certauth.<federation service name>" must be configured in DNS to resolve to the federation server or web application proxy. For device registration or for modern authentication to on premises resources using pre-Windows 10 clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be configured to resolve to the federation server or web application proxy.
ADFS seems to be a popular and common service that is load balanced by BigIP appliances, but doesn't the method we have to use in BigIP contradict the above MS recommendation? Or is there something happening behind the scene which is transforming the request or performing some other magic to essentially make it look like a non CNAME based request? I would be extremely grateful for any input, thoughts or ideas. Thank you
2K views, 0 likes, 0 comments

ADFS Proxy balancing with LTM and Advanced WAF, without APM
Looking to do a new F5 configuration to load balance and protect with Advanced WAF a pair of existing Office 365 ADFS Proxy servers running the 2019 version. I see that F5 is no longer supporting iApps for Office 365. The new supported configuration seems to be using Guided Configuration. All articles I've found so far require using APM. The F5 appliances we can use are running version 15.1.x and don't have APM, only LTM and Advanced WAF. Is there an official supported solution to do ADFS Proxy (version 2019 or later) load balancing with Advanced WAF protections? If there isn't, should we still use the last version of the iApp Templates instead?
1.6K views, 0 likes, 5 comments

SSL Bridging and X fwd for ADFS
We currently have a VIP configured for external ADFS that is doing SSL passthrough. We are trying to utilize the X-Forwarded-For header with SSL bridging; however, during our change neither the SSL bridging nor the X-Forwarded-For option was successful. When applying either or both configs the traffic would fail and the web page would show page unreachable. Does anyone have any experience with this type of change?
1.5K views, 0 likes, 6 comments

Office 365's new "Modern Auth"
Hi All, We've just heard a rumor that Microsoft have released a new authentication model for Office 365 which they are using with Exchange Online and Skype for Business to start with. Now we have been told that with this new authentication model, ADFS being fronted by APM for authentication/acting as an ADFS proxy is not and will not be supported due to the change in the way authentication works. From what we can tell, it will only break application clients (ActiveSync/Office/Skype) that aren't just a web page, but we really don't have much detail. Does anyone have any experience with Office 365 off-prem setups and the new Modern Authentication model? Can anyone confirm that it doesn't in fact work? Is there anyone from F5 who has advice on if it's on the road map for being fixed/addressed/investigated? Thanks in advance.
833 views, 0 likes, 4 comments

Anyone tested F5 as an ADFS proxy?
Hey, Currently we have deployed ADFS using the iApp template on our F5. Here F5 is just acting as a reverse proxy and load balancing traffic between two of our ADFS servers. Now we want to explore the F5 as ADFS proxy option. Has anyone worked on this or tested it in a lab setup? Need your suggestions on this. I am very clear about the configuration part, but need a few more pieces of information, like pros/cons of this deployment, or whether anyone faced any kind of issues under this setup?
798 views, 0 likes, 5 comments

Authenticate APM Network Access Policy with ADFS
I am struggling to understand the instructions to configure the authentication method for an APM VPN Network Access Policy and ADFS. We have an HA pair that is not licensed for LTM so I cannot use the iApp. I just upgraded the pair to 14.1.2 and am looking at this guide: https://techdocs.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__Authentication_and_Single_Sign-On.pdf Instead of pointing to our internal AD servers I would like to point to our public ADFS domain. Is this possible?
572 views, 0 likes, 3 comments

Do ADFS Certs and F5 Certs Need to Be Upgraded Simultaneously
We have an F5 which load balances external traffic through our ADFS 2016 proxies, pointing to the default proxy URL, sts.'ourorg'.com. We need to replace the expiring ADFS certificates. Does the certificate upgrade need to happen simultaneously on both the ADFS servers and the F5, or if both have a valid certificate, whether the soon-to-expire or the new one, will communication still be secure? Thank you.
539 views, 0 likes, 3 comments

Use APM to access a web server (SP) requiring SAML by using an ADFS server (IdP)
Hi, At the moment I have a web server (Service Provider) and a Windows ADFS server (Identity Provider) which allows users on the main network to visit. (Work PC > Webserver > IdP > Webserver > now authenticated) I am now trying to set this up so users can access the web server remotely by using the F5 APM module. One option is that I set the F5 up as an IdP and connect to the SP. However, the web server is a SaaS and cannot be easily changed. For example I cannot change the SP to accept tokens from the F5. So my question is, can I somehow get the F5 to use the Windows ADFS server to assert the tokens on its behalf? And how can I do this? Thanks for your time.
473 views, 0 likes, 4 comments

How to create an APM policy for on-prem application that uses SAML
Hello, I would like some guidance on how to configure an APM policy and SSO. Basically, present a portal to force authentication when accessing https://mysite.example.com for example. https://mysite.example.com is an on-prem application which is configured for ADFS SAML authentication on an external IdP.
Before putting an APM policy in place the traffic flow goes as follows:
User accesses https://mysite.example.com (this app is behind F5 LTM)
mysite.example.com redirects the user to authenticate to myadfs.example.com and they get prompted by ADFS for username and password.
myadfs.example.com authenticates and redirects back to mysite.example.com
User is able to access mysite.example.com.
After adding the APM policy the traffic flow goes as follows:
User accesses https://mysite.example.com (this app is behind F5 LTM)
F5 presents a prompt for username and password (AD authentication)
User is successfully authenticated.
Access is granted to https://mysite.example.com
mysite.example.com redirects the user to authenticate to myadfs.example.com ("AGAIN", can this be prevented since they already authenticated?) and they get prompted by ADFS for username and password.
myadfs.example.com authenticates and redirects back to mysite.example.com
User is able to access mysite.example.com.
Any advice really appreciated.
433 views, 0 likes, 1 comment

ADFS Proxy - first time setup
Very new to ADFS and SAML, especially with dealing with the F5. I have a business case to add ADFS to one of my current setups. My organization has ADFS set up and I have a few questions for the community. Do I first connect and test the application with our current ADFS setup to make sure it can work? Once the ADFS has been tested and working, do I then try to do ADFS proxy with the setup? Or do I skip step 1 and just start with the ADFS proxy first and try to get that to work with the application? I have seen a few online labs for ADFS proxy etc... but just wondering what the community thinks? Looking to have it set up like this: User -> F5 (VIP with login portal) -> sends info to ADFS -> ADFS sends token to F5 -> traffic goes to VPN tunnel to actual portal -> accepts the ADFS token -> User is logged into the service. Trying to keep the initial traffic going down the tunnel first and getting redirected back to the F5 for authentication.
408 views, 0 likes, 0 comments