Should the custom health probe (/adfs/probe) on the Azure Application Gateway be configured to use HTTP or HTTPS?

pavan b a 0 Reputation points
2024-07-26T14:50:45.8933333+00:00

We are hosting an ADFS farm on Azure, including an external Application Gateway configured with two WAP servers in its backend pool. Currently, the health probe uses the HTTP protocol with the path /adfs/probe, as recommended by Microsoft. However, we are unable to associate the health probe with the backend setting, which is configured to use the HTTPS protocol. Should we change the health probe to use the HTTPS protocol to resolve this issue, and is this configuration supported by the Application Gateway?

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

1 answer

  1. Sina Salam 7,441 Reputation points
    2024-07-27T16:26:53.6733333+00:00

    Hello pavan b a,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are contemplating whether the custom health probe /adfs/probe on the Azure Application Gateway should be configured to use HTTP or HTTPS, given the Microsoft recommendation and the backend settings.

    Solution

    In your scenario, the issue arises because your Azure Application Gateway's backend settings are configured to use HTTPS, while the health probe is configured to use HTTP. The Application Gateway expects the health probe and backend settings to match in terms of the protocol being used.

    To resolve this issue, by system architecture design, you should indeed change the health probe to use the HTTPS protocol. This will ensure that the health probe checks are consistent with the backend's configuration, allowing the Application Gateway to correctly determine the health of your Web Application Proxy (WAP) servers.

    Find the health probe associated with your WAP servers, which will typically be under the "Health Probes" section, and edit it:

    • Change the protocol from HTTP to HTTPS.
    • Ensure the path remains /adfs/probe, as recommended by Microsoft.
    • If necessary, update the port to match the HTTPS port being used by your WAP servers (usually port 443).


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    **Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

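The protocol mismatch discussed in this thread can be checked offline against an exported gateway configuration. The following is an added example, not code from the question or the answer: it assumes JSON shaped like the output of `az network application-gateway show`, and the sample data, resource names and both function names are constructed for illustration.

```python
import copy
import json

# Constructed sample, shaped like `az network application-gateway show`
# output; resource names and shortened ids are hypothetical.
SAMPLE_GATEWAY = json.loads("""
{
  "probes": [
    {"id": "/gw/probes/adfs-probe", "name": "adfs-probe",
     "protocol": "Http", "path": "/adfs/probe", "port": null}
  ],
  "backendHttpSettingsCollection": [
    {"name": "wap-https", "protocol": "Https", "port": 443,
     "probe": {"id": "/gw/probes/adfs-probe"}},
    {"name": "no-probe", "protocol": "Https", "port": 443, "probe": null}
  ]
}
""")


def find_probe_mismatches(gateway):
    """Return (setting, probe, reason) tuples for inconsistent probe bindings."""
    probes = {p["id"].lower(): p for p in gateway.get("probes", [])}
    findings = []
    for setting in gateway.get("backendHttpSettingsCollection", []):
        ref = setting.get("probe") or {}
        probe = probes.get(ref.get("id", "").lower())
        if probe is None:
            findings.append((setting["name"], None, "no custom probe attached"))
            continue
        if probe["protocol"].lower() != setting["protocol"].lower():
            findings.append((setting["name"], probe["name"],
                             f"probe is {probe['protocol']}, setting is {setting['protocol']}"))
        # Only an explicitly set probe port is compared with the setting's port.
        if probe.get("port") and probe["port"] != setting["port"]:
            findings.append((setting["name"], probe["name"],
                             f"probe port {probe['port']} != setting port {setting['port']}"))
    return findings


def with_https_probe(gateway, probe_name, port=443):
    """Copy of the config with the answer's change applied: Https, same path."""
    fixed = copy.deepcopy(gateway)
    for probe in fixed["probes"]:
        if probe["name"] == probe_name:
            probe["protocol"], probe["port"] = "Https", port
    return fixed
```

Running `find_probe_mismatches` on the export before and after a change shows whether every HTTPS backend setting still has a matching probe attached.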