Should the custom health probe (/adfs/probe) on the Azure Application Gateway be configured to use HTTP or HTTPS?

Question

Should the custom health probe (/adfs/probe) on the Azure Application Gateway be configured to use HTTP or HTTPS?

pavan b a 0

We are hosting an ADFS farm on Azure, including an external Application Gateway configured with two WAP servers in its backend pool. Currently, the health probe uses the HTTP protocol with the path /adfs/probe, as recommended by Microsoft. However, we are unable to associate the health probe with the backend setting, which is configured to use the HTTPS protocol. Should we change the health probe to use the HTTPS protocol to resolve this issue, and is this configuration supported by the Application Gateway?

Sina Salam 22,031 Reputation points Volunteer Moderator

2024-07-27T16:26:53.6733333+00:00
Hello pavan b a,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you are contemplating whether you should use the custom health probe /adfs/probe on the Azure Application Gateway to be configured to use HTTP or HTTPS due to Microsoft recommendation and backend settings.

Solution

In your scenario, the issue arises because your Azure Application Gateway's backend settings are configured to use HTTPS, while the health probe is configured to use HTTP. The Application Gateway expects the health probe and backend settings to match in terms of the protocol being used.

To resolve this issue, by system architecture design, you should indeed change the health probe to use the HTTPS protocol. This will ensure that the health probe checks are consistent with the backend's configuration, allowing the Application Gateway to correctly determine the health of your Web Application Proxy (WAP) servers.

Ensure you find the health probe associated with your WAP servers. This will typically be under the "Health Probes" section and edit the Health Probe:

Change the protocol from HTTP to HTTPS.

Ensure the path remains /adfs/probe, as recommended by Microsoft.

If necessary, update the port to match the HTTPS port being used by your WAP servers (usually port 443).

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
pavan b a 0 Reputation points

2024-08-01T13:05:21.4733333+00:00
Thank you for your response. We attempted to set the custom health probe rule (/adfs/probe) to HTTPS and associated it with the existing backend setting, which is also configured for HTTPS. Unfortunately, the backend WAP servers are still showing as unhealthy.

To investigate further, we ran the following PowerShell command on the backend WAP server for both HTTP and HTTPS. We found that the command succeeds only when using HTTP.

So can you please advise on how to make sure that the health probe(\adfs\probe) on WAP server also works with HTTPS

*PS C:\Windows\system32> Invoke-WebRequest -Uri http://XXXXXXXXXXXXXX.XXXdev.com/adfs/probe | select statuscode

StatusCode

200

PS C:\Windows\system32> Invoke-WebRequest -Uri https://XXXXXXXXXXXXXX.XXXdev.com/adfs/probe | select statuscode

Invoke-WebRequest : Service Unavailable

HTTP Error 503. The service is unavailable.

At line:1 char:1

Invoke-WebRequest -Uri https://XXXXXXXXXXXXXX.XXXdev.com//adfs/pr ...

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand*

1 answer

Your answer

Sina Salam 22,031 Reputation points Volunteer Moderator

2024-07-27T16:26:53.6733333+00:00

Hello pavan b a,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you are contemplating whether you should use the custom health probe /adfs/probe on the Azure Application Gateway to be configured to use HTTP or HTTPS due to Microsoft recommendation and backend settings.

Solution

In your scenario, the issue arises because your Azure Application Gateway's backend settings are configured to use HTTPS, while the health probe is configured to use HTTP. The Application Gateway expects the health probe and backend settings to match in terms of the protocol being used.

To resolve this issue, by system architecture design, you should indeed change the health probe to use the HTTPS protocol. This will ensure that the health probe checks are consistent with the backend's configuration, allowing the Application Gateway to correctly determine the health of your Web Application Proxy (WAP) servers.

Ensure you find the health probe associated with your WAP servers. This will typically be under the "Health Probes" section and edit the Health Probe:

Change the protocol from HTTP to HTTPS.

Ensure the path remains /adfs/probe, as recommended by Microsoft.

If necessary, update the port to match the HTTPS port being used by your WAP servers (usually port 443).

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
pavan b a 0 Reputation points

2024-08-01T13:05:21.4733333+00:00

Thank you for your response. We attempted to set the custom health probe rule (/adfs/probe) to HTTPS and associated it with the existing backend setting, which is also configured for HTTPS. Unfortunately, the backend WAP servers are still showing as unhealthy.

To investigate further, we ran the following PowerShell command on the backend WAP server for both HTTP and HTTPS. We found that the command succeeds only when using HTTP.

So can you please advise on how to make sure that the health probe(\adfs\probe) on WAP server also works with HTTPS

*PS C:\Windows\system32> Invoke-WebRequest -Uri http://XXXXXXXXXXXXXX.XXXdev.com/adfs/probe | select statuscode

StatusCode

200

PS C:\Windows\system32> Invoke-WebRequest -Uri https://XXXXXXXXXXXXXX.XXXdev.com/adfs/probe | select statuscode

Invoke-WebRequest : Service Unavailable

HTTP Error 503. The service is unavailable.

At line:1 char:1

Invoke-WebRequest -Uri https://XXXXXXXXXXXXXX.XXXdev.com//adfs/pr ...

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand*

Answer 1

KapilAnanth-MSFT 49,616 Microsoft Employee Moderator

@pavan b a ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your comment,

It is evident that that the backend's health page(/adfs/probe) is not responding to HTTPS (Port 443)
However, may I ask if the backend service as a whole is capable of responding over HTTPS
If not,
- Then there is no point is using a HTTPS BackendSettings
- You can simply use a HTTP BackendSettings
If yes,
- Then can you share the document where Microsoft recommends the use of HTTP Protocol for health check up with Application Gateway?
- Or is this a POC design

Cheers,

Kapil

pavan b a 0 Reputation points

2024-08-02T12:06:40.06+00:00

Hi Kapil,

Thank you for the response

This is a not a POC design . We are deploying a multi region ADFS farm by making use of Traffic manger ->external Application gateways -WAP servers - Internal Load Balancer-ADFS Servers

We are aware of the Microsoft recommendation to use HTTP for the ADFS/WAP health probe. However, we encountered an issue when configuring the custom health probe on the external Application Gateway. When we set the custom health probe to HTTP, the system forces us to configure the backend settings to run on the same protocol, which is HTTP. However, we would prefer to use HTTPS in the backend setting to ensure end-to-end TLS encryption to the backend targets.

We are currently uncertain whether the backend WAP servers' health probe (/adfs/probe) works with HTTPS, so we are continuing to investigate this issue.

The only guidance from Microsoft recommends using HTTP with an external load balancer, but there is no specific documentation regarding the use of HTTPS with an Application Gateway.

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs#create-and-deploy-the-internet-facing-public-load-balancer

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#load-balancer-requirements
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-08-02T12:59:03.9+00:00
@pavan b a ,

Thanks for sharing the documents and your architecture.

Your observation is correct, Azure Load Balancer is different from Azure App gateway.

App gateway requires that the health probe and the backend http settings have the same protocol.

From the Load Balancer requirements doc, it appears you must use HTTP (not HTTPS) health probe endpoints

Also from ADFS FAQ : What are load-balancing requirements for AD FS and WAPs

Since you are hitting a design requirement, I would suggest you

Consider using Azure Load Balancer

or Consider using HTTP BackendSettings. (TLS Offload)

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil
pavan b a 0 Reputation points

2024-08-05T14:03:39.9366667+00:00

Thanks Kapil for the response

Unfortunately we will have to use Application gateway only for ADFS as it has WAF capabilities . Whereas it is not available with Load balancer. Also as per our security guidelines we are expected to enforce end to end encryption by making use of HTTPS in the backend setting.

So Is there any workaround for Application gateway that can help configure the backend settings on HTTPS while keeping the health probe on HTTP ?

Thanks,

Pavan
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-08-06T10:46:53.1+00:00
Hi @pavan b a ,

Unfortunately, I don't think there are any workarounds other than TLS Offload.

The BackendSettings and Probe should have the same Protocol.

Maybe you can consider using AFD which also supports WAF Capabilities.

See : Health probes Supported protocols

The architecture would change as you would not require a Traffic Manager

However, this requires that the "WAP servers" are publicly available

I am not sure if ADFS/your security guidelines supports this (having WAP publicly available)

Cheers,

Kapil
pavan b a 0 Reputation points

2024-08-07T13:37:53.02+00:00

Hi Kapil,

We reached out to Microsoft support, and they suggested using the metadata path along with the HTTP protocol for the health probe:

/XXXXXXXXXXX.com/FederationMetadata/2007-06/FederationMetadata.xml

After implementing this, we found that the backend WAP servers are now showing as healthy. The support team mentioned that this endpoint allows the Application Gateway to download the federation metadata XML file, which is approximately 70KB.

However, I have concerns that since the health probe is sent every 30 seconds, this might place an undue load on the Application Gateway.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-08-08T08:47:52.1266667+00:00
Hi @pavan b a ,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

From the Custom health probe docs, I don't see any mention of load on Application Gateway because of health probes.

Do you see any deterioration in App gateway performance post implementing this?

Also, I see you can use "Matching criteria" as "HTTP response status code match" which will only consider the http response code

The thing you should consider is the "Time-out" value, i.e., there should be response before the time out value expires for a health probe

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Should the custom health probe (/adfs/probe) on the Azure Application Gateway be configured to use HTTP or HTTPS?

Problem

Solution

Accept Answer

StatusCode

1 answer

Your answer