Adfs internet / intranet

Question

Adfs internet / intranet

Ralph Knoche 1

Hi we are using adfs with WAP. Internal and external Users are always connecting via WAP Top the adfs, so we can’t use Intranet ( that means a web application proxy is not present in front of AD FS) and "Extranet" in the Access rules to divide between incoming Users. Intranet/Extranet does not refer to internal or external subnets in adfs Access rules from my understanding.

What we want to achieve is that Users with a specific external IP dont need to do MFA, but for the rest of the Users with various ips it is needed.
Tried a lot of different configuraion today with specific Networks in Access rules. Mayen it is Not possible bedaure the Src ip is always the wap on adfs ?

Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2020-08-11T23:02:16.667+00:00

First of, the design seems off. Why wouldn't you be able to use the Internal ADFS directly? Is that a DNS issue? Split brain DNS can be super easy to deploy if you have Window 8 clients or higher (as they can use Name Resolution Policy Tables) or/and Windows Server 2016 (or higher) domain controllers/DNS servers (as they can use DNS policies, which makes it super easy to do a split-brain DNS).

Then, when using WAPs, you are supposed to have the actual IP of the client at the ADFS level. If not, you might have another element in the mix that you are not mentioning (such as a load balancer or a reverse proxy on the front).

1 answer

Your answer

Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2020-08-11T23:02:16.667+00:00

First of, the design seems off. Why wouldn't you be able to use the Internal ADFS directly? Is that a DNS issue? Split brain DNS can be super easy to deploy if you have Window 8 clients or higher (as they can use Name Resolution Policy Tables) or/and Windows Server 2016 (or higher) domain controllers/DNS servers (as they can use DNS policies, which makes it super easy to do a split-brain DNS).

Then, when using WAPs, you are supposed to have the actual IP of the client at the ADFS level. If not, you might have another element in the mix that you are not mentioning (such as a load balancer or a reverse proxy on the front).

Answer 1

Mark Morowczynski 252 Microsoft Employee

You shouldn't be exposing ADFS directly to the internet but you can do some of this you want to require MFA by location in Azure AD. We have workshops to help move off ADFS https://techcommunity.microsoft.com/t5/community-events-list/microsoft-workshops-how-to-successfully-migrate-away-from-ad-fs/m-p/3668480 & https://www.microsoft.com/en-us/security/business/identity-access/upgrade-adfs

Share via

Adfs internet / intranet

1 answer

Your answer