Forum Discussion

denux_194002
Nimbostratus
Mar 25, 2015

ADFS 3.0, connecting MS Web Application Proxys to Load-Balanced ADFS 3.0 Servers

Hello everyone,

I am completely stuck on figuring this one out. As we all know, ADFS 3.0 uses SNI; for testing I am using the basic TCP monitor to bring my nodes up on the pool. My nodes are two ADFS 3.0 servers, tstadfs1/2. I also have two proxies, tstpx1/2. I have followed the instructions (parts 1 and 5) here: https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni with no luck.

When I try to connect the proxy to my ADFS farm, it sits there and spins, and I only get this in Event Viewer:

Unable to retrieve proxy configuration data from the Federation Service.

Additional Data

Trust Certificate Thumbprint: 25CC757E17BABF671434D5276AE5BEF6471C9180

Status Code: Unauthorized

Exception details: System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

I have configured the Server SSL Profile in the Advanced settings to have the FQDN of my Federation Service Name, which in this case is "tstadfs.test.domain.com". I am able to connect the proxies to the ADFS nodes directly, bypassing the pool, so ADFS is set up properly. I can't possibly see where I'm going wrong here.

The ADFS VS is only doing Auto Map for source address translation. I'm using the SSL tunneling method from part 1 in the link above. Can anyone send me screenshots of their VS + Server SSL Profile configuration that has this working? Any advice is appreciated.

 

4 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi denux, I'm confused. You say you are using the SSL tunneling (aka pass-through) method; however, that method doesn't require any SSL profiles. What SSL profiles do you have assigned to the ADFS VS?

    Mike

    • denux_194002
      Nimbostratus
      Hey Mike, I just realized that a few minutes ago, before I saw this. I had SSL profiles configured on the Virtual Server configuration. I removed these from the VS config and everything now works. I was under the impression that you needed an SSL profile configured no matter what (I'm still a little new to F5). Just so I understand completely: without any SSL profiles configured, from end to end the SSL traffic is staying the same and not being altered in any fashion?
  • mikeshimkus_111
    Historic F5 Account

    That is correct. The only SNI consideration left is related to monitoring, which can be achieved using the EAV script. The one included in the iApp/deployment guide has a couple of corrections (we're in the process of adding the SSL pass-through option to the iApp as well).
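With SSL pass-through the BIG-IP never terminates TLS, so the health monitor is the one component that still has to speak SNI: the plain TCP monitor from the original question marks an ADFS node up as long as port 443 accepts a connection, even when the HTTPS listener would by default refuse a client that sends no server name. The external (EAV) monitor below is an added example written for this thread, not the script shipped with the F5 iApp or deployment guide. It assumes the usual BIG-IP external-monitor conventions (node address as $1, possibly IPv4-mapped as ::ffff:a.b.c.d, port as $2, extra settings passed as environment variables, and printing UP to mark the node up), uses the Federation Service name from the question as the default SNI value, and probes the standard federation metadata path; the SNI_HOST, PROBE_PATH and TIMEOUT variable names are this example's own.

```shell
#!/bin/sh
# Constructed example of an SNI-aware external (EAV) health monitor for an
# SSL pass-through ADFS pool. Not the F5 deployment guide's script.
# Assumed BIG-IP conventions: node address in $1 (IPv4 nodes arrive as
# ::ffff:a.b.c.d), port in $2, monitor variables as environment variables,
# and printing "UP" marks the node up (printing nothing marks it down).

# Hostname sent in the TLS SNI extension. Default taken from the thread;
# override it in the monitor's variables for a real deployment.
SNI_HOST="${SNI_HOST:-tstadfs.test.domain.com}"
# Path requested after the handshake. The federation metadata document is
# an assumed default that should answer 200 on a healthy farm.
PROBE_PATH="${PROBE_PATH:-/FederationMetadata/2007-06/FederationMetadata.xml}"
# Seconds allowed for handshake plus request (coreutils timeout assumed).
TIMEOUT="${TIMEOUT:-5}"

# BIG-IP hands IPv4 nodes to EAV scripts as IPv4-mapped IPv6 addresses;
# strip the ::ffff: prefix so openssl gets a plain dotted quad.
strip_v4mapped() {
    printf '%s\n' "${1#::ffff:}"
}

# Extract the numeric code from the first HTTP status line in a response,
# e.g. "HTTP/1.1 200 OK" -> 200. Prints nothing if no status line is found.
http_status_of() {
    printf '%s\n' "$1" | awk '/^HTTP\/[0-9.]* [0-9][0-9][0-9]/ { print $2; exit }'
}

# Handshake with SNI, send one request, and print the HTTP status code.
# A failed TLS handshake (for example, no SNI match on the HTTP.SYS binding)
# yields an empty response and therefore an empty status.
probe_status() {
    ip="$(strip_v4mapped "$1")"
    port="$2"
    response="$(printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$PROBE_PATH" "$SNI_HOST" |
        timeout "$TIMEOUT" openssl s_client -connect "$ip:$port" \
            -servername "$SNI_HOST" -quiet 2>/dev/null)"
    http_status_of "$response"
}

# Only probe when BIG-IP invokes the script with node arguments; this keeps
# the functions above usable stand-alone.
if [ "$#" -ge 2 ]; then
    status="$(probe_status "$1" "$2")"
    if [ "$status" = "200" ]; then
        echo "UP"
    fi
fi
```

Because the probe performs its own full TLS handshake with the server name set, it fails exactly where a browser or the Web Application Proxy would fail, while a TCP monitor would keep the node in the pool. Only a completed handshake followed by a 200 reply produces UP, so a node with a wrong or missing SNI certificate binding is taken out of rotation instead of silently receiving traffic.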