F5 with MS-ADFSPIP Support Going to WAP

Geller, Brian 21 Reputation points
2022-01-11T05:21:04.017+00:00

Hi! An organization designed AD FS to have external traffic flow to an MS-ADFSPIP-aware F5 proxy, then to an AD FS WAP, then to the internal AD FS farm.

Is this supported by Microsoft? I could not find anything definitive in the documentation. All the examples in the docs are for F5 to send the traffic directly to the internal AD FS servers.

Looking at the logon audit logs I see that the "X-MS-Forwarded-Client-IP" value has a value of "<Real Client IP>, <F5 IP>". Will this cause issues with Extranet Smart Lockout thinking that the F5 IP is a client IP as well?

Traffic Flow:
[Client] -> [F5 Proxy] -> [WAP] -> [AD FS]

Thanks! @Pierre Audonnet - MSFT

Microsoft Security | Active Directory Federation Services

Accepted answer
  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-01-11T13:16:05.52+00:00

    As long as the vendor implements all the specs from [MS-ADFSPIP], then yes, this is a supported configuration, and AD FS features that usually depend on the WAP should work as expected.

    My understanding of the process is the following (and you can verify it in your environment - I don't have a lab at the moment).

    For a request, we consider all IP addresses (as per https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection#how-it-works).
    During a failed logon attempt, if we have all IPs in the familiar list for the user, then we increment the Familiar IPs counter. If at least one IP is unknown, then we increment the Unknown IPs counter.

    So multiple proxies should not affect your protection.

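The classification rule described in the accepted answer, and the two-IP header value quoted in the question, as an added model (example code written for this page, not AD FS code and not from either poster). All addresses are constructed documentation addresses, the threshold values are assumptions, and the "successful logon clears the counters" behaviour is an assumption of this model; the real knobs it stands in for are the AD FS properties ExtranetLockoutThreshold and ExtranetLockoutThresholdFamiliarLocation.

```python
"""Model of how Extranet Smart Lockout treats a request whose
X-MS-Forwarded-Client-IP carries several addresses ("<client>, <proxy>").
Constructed example for this thread; not AD FS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def parse_forwarded_client_ips(header: str) -> List[str]:
    """Split "client, proxy1, proxy2" into stripped, non-empty addresses.
    With [Client] -> [F5] -> [WAP] -> [AD FS] the question reports the value
    seen at AD FS as "<Real Client IP>, <F5 IP>"."""
    return [ip.strip() for ip in header.split(",") if ip.strip()]


@dataclass
class AccountState:
    familiar_ips: Set[str] = field(default_factory=set)
    familiar_bad_count: int = 0   # failures where EVERY IP in the header was familiar
    unknown_bad_count: int = 0    # failures where at least one IP was unknown


class SmartLockoutModel:
    def __init__(self, unknown_threshold: int = 5, familiar_threshold: int = 5):
        # Assumed values; they stand in for ExtranetLockoutThreshold and
        # ExtranetLockoutThresholdFamiliarLocation but are just for the demo.
        self.unknown_threshold = unknown_threshold
        self.familiar_threshold = familiar_threshold
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def classify(self, user: str, header: str) -> str:
        """'familiar' only if all IPs in the header are in the familiar list."""
        ips = parse_forwarded_client_ips(header)
        state = self._state(user)
        if ips and all(ip in state.familiar_ips for ip in ips):
            return "familiar"
        return "unknown"

    def record_failure(self, user: str, header: str) -> str:
        location = self.classify(user, header)
        state = self._state(user)
        if location == "familiar":
            state.familiar_bad_count += 1
        else:
            state.unknown_bad_count += 1
        return location

    def record_success(self, user: str, header: str) -> None:
        state = self._state(user)
        state.familiar_ips.update(parse_forwarded_client_ips(header))
        # Assumption of this model: a successful logon clears both counters.
        state.familiar_bad_count = 0
        state.unknown_bad_count = 0

    def is_locked(self, user: str, header: str) -> bool:
        state = self._state(user)
        if self.classify(user, header) == "familiar":
            return state.familiar_bad_count >= self.familiar_threshold
        return state.unknown_bad_count >= self.unknown_threshold


F5_IP = "198.51.100.5"       # constructed: the proxy hop present in every request
USER_IP = "203.0.113.10"     # constructed: the user's real address
ATTACKER_IP = "192.0.2.77"   # constructed: a password-spray source


def run_scenario() -> dict:
    model = SmartLockoutModel(unknown_threshold=5)
    user = "alice@contoso.example"   # constructed account
    # 1. Legitimate logon through the F5: both the user IP and the F5 IP become familiar.
    model.record_success(user, f"{USER_IP}, {F5_IP}")
    # 2. Spray from elsewhere, also via the F5. The F5 IP is familiar but the
    #    attacker IP is not, so the whole request counts as unknown.
    attacker = [model.record_failure(user, f"{ATTACKER_IP}, {F5_IP}") for _ in range(5)]
    # 3. Alice mistypes her password once from her usual address.
    own = model.record_failure(user, f"{USER_IP}, {F5_IP}")
    st = model.accounts[user]
    return {
        "attacker_classified": attacker,
        "own_classified": own,
        "unknown_bad_count": st.unknown_bad_count,
        "familiar_bad_count": st.familiar_bad_count,
        "attacker_locked": model.is_locked(user, f"{ATTACKER_IP}, {F5_IP}"),
        "user_locked": model.is_locked(user, f"{USER_IP}, {F5_IP}"),
        # Caveat: a header carrying ONLY the proxy IP would look familiar.
        "proxy_ip_alone": model.classify(user, F5_IP),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The last key is the check worth running against a real deployment: if the F5 ever forwards a request without the real client address, every request arrives as just the proxy IP, which is already on each user's familiar list after one successful logon, and the unknown-location counter never moves. Verify that the client address is always first in X-MS-Forwarded-Client-IP in the audit events before relying on the protection.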

1 additional answer

  1. Limitless Technology 39,931 Reputation points
    2022-01-11T14:23:52.033+00:00

    Hello,

    A third-party AD FS proxy can be supported as long as it sticks to the following specifications:

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adfspip/76deccb1-1429-4c80-8349-d38e61da5cbb
    [MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol

    As F5 is a third-party vendor, you should also check with them (F5 forum) whether this is supported by them.

    Also, here is some compatibility information:

    Frequently asked questions (FAQ) about AD FS
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#are-third-party-proxies-supported-with-ad-fs

