Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

AD FS 4.0 source ip address

Hi Guys,

We are implementing AD FS 4.0 with (server based, not APM) WAP, and would like to be able to see who is using the service by means of source ip address. Now, as stated by MS the requirements are as follows:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq

AD FS is a stateless system. Hence, load balancing is fairly simple for logins. The following are key recommendations for load balancing systems.

  1. Load balancers SHOULD not be configured with IP affinity. This may put undue load on a subset of your servers in certain Exchange Online scenarios.
  2. Load balancers MUST not terminate the HTTPS connections and reinitiate a new connection to the ADFS server.
  3. Load balancers SHOULD ensure that the connecting IP address should be translated as the source IP in the HTTP packet when being sent to ADFS. In the event that a load balancer cannot send the source IP in the HTTP packet, the load balancer MUST add (or append in case of existing) the IP address to the x-forwarded-for header. This is required for the correct handling of certain IP related features (Banned IP, Extranet Smart Lockout,…) and could lead to reduced security if improperly configured.
  4. Load balancers SHOULD support SNI. In the event it does not, ensure that AD FS is configured to create HTTPS bindings to handle non SNI capable clients.
  5. Load balancers SHOULD use the AD FS HTTP health probe endpoint to detect if the AD FS or WAP servers are up and running and exclude them if a 200 OK Is not returned.

The first thing that popped up in my mind was to insert the xff header, but that would require SSL offloading, breaking the ADFSPIP trust relationship between WAP and AD FS, as per AD FS 4.0. So that means rule 2 and 3 are in contradiction to each other and therefor an impossible combination. (tried it - not working ofcourse)

Would using APM as WAP - instead of using servers - do any good? Or something else i overlooked?

There must be more people using this setup that stumbled on this same problem.

Thanks,

Erik

0
Rate this Question

Answers to this Question