
We are deploying ADFS on server 2012 R2. Microsoft recommends a minimum of 2 ADFS servers, and 2 servers running the web application proxy role in the DMZ.

My question is: We already have in place 2 Apache reverse proxy servers in the DMZ running mod_balancer. Besides losing the ability to do pre-authentication, is there any reason to use Microsoft web application proxy servers vs Apache? We do not have a hardware load-balancer.

Thanks!

EDIT:

In other words, what are the implications of using redundant Apache reverse_proxies (VRRP) + mod_reverse_balancer to load balance the ADFS farm vs. Windows Application Proxies using NLB and ADFS farm using NLB?

Brandon
    Web application proxy won't give you load balancing functionality, it will give you AD FS proxy functionality. Load balancing can be achieved with Microsoft NLB though hardware load balancing is usually preferred. Also usually you use 2 AD FS proxies in the DMZ and 2 AD FS servers in the corporate network and both need to be load balanced. – Chris Mar 19 '15 at 08:45

1 Answer


In my opinion, there are no big reasons to use Windows WAP instead of your Apache servers. If you use WAP, then you have better integration with ADFS of course; you can use the built-in two-factor authentication. But you need additional servers, which is not great if you already have reverse proxies/load balancers in your environment.

Be careful with one thing: ADFS is using Windows authentication. When accessing your servers from the web, you need some mechanism on your reverse proxies to "translate" the forms-authentication of your proxy to NTLM/Kerberos-authentication used by ADFS (well unless it's ok for you to just show the default "login prompt" of your browser).

In my company, we have ADFS 3.0 servers behind F5 reverse proxies and everything is working correctly. No WAP.

Matthieu
  • Does the F5 pass through NTLM/Kerberos traffic? – Brandon Mar 20 '15 at 16:16
  • Yes if you configure it that way. Note: you are outside the network of your company, so you will not have SSO. But the HTTP-401 Unauthorized answer of ADFS will pass through. – Matthieu Mar 20 '15 at 16:23
  • Ah sorry, if you mean "does it pass through the traffic in my environment", the answer is no. We do forms authentication on the F5, and then the F5 does Kerberos delegation to the backend ADFS server. – Matthieu Mar 20 '15 at 16:25
  • @Brandon were you able to set up the reverse proxy in front of your AD FS? We are attempting to use Nginx instead of Apache, but we are getting a handshake error, most likely because the requested URL from the proxy is the IP, not the AD FS DNS. Any insights from your Apache usage would be appreciated. Thanks. – CppLearner Apr 06 '16 at 04:33
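An added example (not from the question or the answer above) of the Apache side of the setup discussed in this thread: an Apache 2.4 virtual host using mod_proxy_balancer to spread load across two AD FS farm members. It assumes hypothetical hostnames (adfs.example.com as the federation service name, adfs-node1/2 as the farm members) and that the farm members present the federation service certificate issued by an internal CA; the Host/SNI handling is the part that addresses the handshake error described in the last comment.

```apache
# Added example, not the poster's configuration. Requires mod_ssl, mod_proxy,
# mod_proxy_http and mod_proxy_balancer. Hostnames and paths are hypothetical.
<VirtualHost *:443>
    # Federation service name: this must be the name clients use and the name
    # on the AD FS certificate; AD FS 2012 R2 binds its certificate to it in HTTP.sys.
    ServerName adfs.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/adfs.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/adfs.example.com.key

    # Re-encrypt towards the farm and verify the members' certificate chain.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerName on

    # Forward the client's Host header unchanged. With ProxyPreserveHost On,
    # mod_proxy also uses that name as the TLS SNI for the backend connection,
    # so the AD FS node sees "adfs.example.com" instead of its own address.
    # Connecting to a node by IP or by an unbound name gives exactly the
    # TLS handshake failure mentioned in the last comment.
    ProxyPreserveHost On

    # Two farm members; failed members are retried after the default interval.
    <Proxy "balancer://adfs">
        BalancerMember "https://adfs-node1.corp.example.com:443" retry=30
        BalancerMember "https://adfs-node2.corp.example.com:443" retry=30
        ProxySet lbmethod=byrequests
    </Proxy>

    ProxyPass        "/" "balancer://adfs/"
    ProxyPassReverse "/" "balancer://adfs/"
</VirtualHost>
```

Because no Web Application Proxy is involved, AD FS treats requests arriving this way as intranet requests, which is why the answer's point about Windows authentication (NTLM/Kerberos, or a forms-to-Kerberos translation on the proxy) applies.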