This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 19%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETK%3C/text%3E%3C/svg%3E)
Hi,
We want our domain users to authenticate to 3rd party websites we will create a ADFS federation with.
When they launch the website from our own domain SSO should be used, when they launch the site from the internet MFA should be included as well.
Now ALL best practice topologies I find on the internet include a Web Application Proxy in the DMZ, like this one over here : https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/media/best-practices-securing-ad-fs/adfssec1.png
Am I missing something here ? I dont think we need WAP for our scenario, we will use our own loadbalancer (Netscaler) just as a reverse proxy to hide the adfs address.
Shortly said, I leave ADFS in our INTRANET close to the domain controller and our LB has a virtual ip which points to the adfs server. Is this correct ?
thanks all
Couple of things.
The WAP is useful as soon as you want the ADFS farm to be used externally. Users who are trying to reach the FQDN of your ADFS farm while connected to the Internet will resolve to the IP address of the WAP or the load-balancer in front of the WAP servers. Whereas internal users will reach the FQDN of your ADFS farm using the the IP address of the ADFS server or the load-balancer in front of the ADFS servers. There is a split-brain DNS configuration to make it work (see section DNS requirement here).
When a user goes through a WAP server to reach ADFS, the user's request will be tagged and the ADFS servers will be able to use that information to:
None of these aforementioned features require to have your WAP domain joined. As a matter of fact, if you are using WAP only to publish your ADFS, you do not need to domain-join it. However, if you want to use your WAP to also publish Kerberos-based application externally (using protocol transition) then the WAP has to be domain-joined (basically to be able to do Kerberos).
You cannot replace the WAP with a NetScaler. It is not a supported replacement (to be a supported replacement the solution has to implement the following: MS-ADFSPIP: Active Directory Federation Services and Proxy Integration Protocol and as of today, I am just aware that F5 BigIP did it). Unsupported solutions will not enable ADFS to detect the query is coming from outside and the features mentioned will no longer work. It might also break some authentication method depending on how they are implemented (such as certificate based authentication or device authentication for Windows Hello for Business with certificate trust). But you can use Netscaler to load balance the traffic to your WAP servers and to your ADFS servers (there would be two different virtual IP one for the external WAP and one for the internal ADFS).
Regarding your specific scenario, I am assuming this 3rd party applications are trusted (federated) with your ADFS farm (they are relying party trusts in your farm). Then if your users are expected to access these applications solely when they are connected on the corporate network (or when they are connected via VPN), then you might not need a WAP at all. But often users also need to access the apps when they are not connected on-premises. And it seems to be your case as you would like to trigger MFA when these users are externally connected. So in that case you would deploy a WAP that you can publish with Netscaler. And then configure Access Policy to trigger MFA when the condition you pick are met (and it could be a combination of conditions such as user is connected externally and member of a specific group).
thanks a lot for the very great and detailed explanation !
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 14.000000000000002%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Just as a follow up, Citrix NetScaler ADC v13.0 and above are MS-ADFSPIP protocol compliant, so the answer is yes this is now possible.
