THi_89722
Oct 12, 2015

BIG-IP with APM federation to O365 / Azure AD Connect requiring Web Application Proxy - can we do without WAP?

Hi

A customer has new AD/ADFS 3.0 infra and wants federation to Office 365. This can be done with BIG-IP LTM+APM replacing the ADFS proxies. There is a deployment guide and iApp for ADFS supporting ADFS 3.0, but there is no mention of directory synchronization, which is needed between O365 and on-premises AD.

Traditionally the synchronization has been implemented with Microsoft's DirSync tool. This summer Microsoft released a replacement for the DirSync tool called Azure AD Connect. So it will be used.

Now it seems to be that the new Azure AD Connect wizard (GUI) requires the installation of the Web Application Proxy (WAP) roles before it can complete. We would like to avoid the WAP servers as it is counterintuitive to replacing them with LTM+APM.

Are there any guidelines/instructions/know-how on how to use/configure the new Azure AD Connect tool properly for synchronization without WAP, in a case where BIG-IPs will replace them on the ADFS federation side? Also, when running the Azure AD Connect wizard, what issues might we face when having F5 instead of WAP, if it can be configured so?

11 Replies

  • I am not sure I follow you - Azure AD Connect is just a synchronization tool - I have installed/used it, and do not recall it asking for WAP role installation. So you should not see any issues.

  • I just dug into it further. I think I see what is going on - AD Azure Connect now allows users to both set up AD user replication to Azure AD and set up federated domain status with ADFS at the same time. Proxy is not a required field to be filled out in the process, as far as I can tell - so I suggest just skipping it altogether when going through the wizard.

    • THi
      Thanks Michael. I think the WAP role installation is required on the Federation setup side of the wizard. Have to check if and how it can be skipped. However, as the federation to O365 is one of the use scenarios in the newest F5 deployment guide, the steps which need to be done on the ADFS side, especially with Azure AD Connect, should be in the guide, too. Either as wizard steps or as PowerShell commands, something similar to what was provided earlier for the DirSync tool.
  • I know this is a year-old article, but I was curious if you ever figured this out. We are looking at using APM instead of ADFS Proxy servers, but our Windows admin says the WAP role is required. Is this something that APM can also replace?

    • houstonrob_1173

      Just ADFS proxy. I took your advice and just started putting it in, and it seems to be working, except I don't want users to get an actual login page. When we go straight to the ADFS farm, they're logged in with their computer credentials; is this supposed to do the same?

    • Michael_Koyfma1

      I am confused - if you are setting up an ADFS proxy, then I presume it is for external/remote users, correct? If so, why would you want them to be logged in automatically? Are you saying that you only allow remote access from domain-joined machines? You can try to set up NTLM authentication in the APM policy to avoid the login page, but then you also need to have a login page for non-domain-joined devices, right?

      Check out this article and let me know if it makes sense.

      https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication