F5 with MS-ADFSPIP Support Going to WAP

Geller, Brian 21 Reputation points
2022-01-11T05:21:04.017+00:00

Hi! An organization configured AD FS to have external traffic flow to an MS-ADFSPIP-aware F5 proxy, then to an AD FS WAP, then to the internal AD FS farm.

Is this supported by Microsoft? I could not find anything definitive in the documentation. All the examples in the docs are for F5 to send the traffic directly to the internal AD FS servers.

Looking at logon audit logs I see that the "X-MS-Forwarded-Client-IP" value is "<Real Client IP>, <F5 IP>". Will this cause issues with Extranet Smart Lockout thinking that the F5 IP is a client IP as well?

Traffic Flow:
[Client] -> [F5 Proxy] -> [WAP] -> [AD FS]

Thanks! @Pierre Audonnet - MSFT


Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-01-11T13:16:05.52+00:00

    As long as the vendor implements all the specs from [MS-ADFSPIP], then yes, this is a supported configuration, and AD FS features that usually depend on the WAP should work as expected.

    My understanding of the process is the following (and you can verify it in your environment - I don't have a lab at the moment).

    For a request, we consider all IP addresses (as per https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection#how-it-works).
    During a failed logon attempt, if we have all IPs in the familiar list for the user, then we increment the Familiar IPs counter. If at least one IP is unknown, then we increment the Unknown IPs counter.

    So multiple proxies should not affect your protection.

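An added example, not code from the thread or from Microsoft, that models the counting rule described in the accepted answer: every address in the `X-MS-Forwarded-Client-IP` value is considered, a failed logon increments the familiar counter only when all of them are already familiar, and otherwise increments the unknown counter. The IP addresses and the user's familiar list are constructed for the demonstration; real ESL additionally applies lockout thresholds and an observation window, which are not modelled here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class EslUserState:
    """Per-user Extranet Smart Lockout counters (simplified model, assumption)."""
    familiar_ips: set = field(default_factory=set)
    familiar_bad_pwd_count: int = 0
    unknown_bad_pwd_count: int = 0


def parse_forwarded_client_ip(header: str) -> list:
    """Split the comma-separated X-MS-Forwarded-Client-IP value into addresses.

    Each entry is validated with ipaddress so a malformed header raises
    ValueError instead of being silently treated as 'familiar'.
    """
    ips = [str(ip_address(part.strip())) for part in header.split(",") if part.strip()]
    if not ips:
        raise ValueError("X-MS-Forwarded-Client-IP carried no addresses")
    return ips


def record_failed_logon(state: EslUserState, header: str) -> str:
    """Apply the rule from the answer: all IPs familiar -> familiar counter,
    at least one unknown IP -> unknown counter. Returns which counter moved."""
    ips = parse_forwarded_client_ip(header)
    if all(ip in state.familiar_ips for ip in ips):
        state.familiar_bad_pwd_count += 1
        return "familiar"
    state.unknown_bad_pwd_count += 1
    return "unknown"


def run_demo() -> dict:
    # Constructed sample: the user's familiar list already contains the real
    # client IP and the F5 proxy IP learned from earlier successful logons.
    state = EslUserState(familiar_ips={"203.0.113.10", "198.51.100.5"})
    outcomes = [
        # same client behind the F5: both IPs familiar
        record_failed_logon(state, "203.0.113.10, 198.51.100.5"),
        # new client behind the same F5: F5 IP familiar, client IP unknown
        record_failed_logon(state, "192.0.2.77, 198.51.100.5"),
        # client reaching AD FS by a path that does not add the F5 address
        record_failed_logon(state, "203.0.113.10"),
    ]
    return {"outcomes": outcomes,
            "familiar": state.familiar_bad_pwd_count,
            "unknown": state.unknown_bad_pwd_count}
```

The second case is the one the question worries about: a familiar proxy address does not make an unfamiliar client look familiar, because one unknown address is enough to move the unknown counter.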

1 additional answer

  1. Limitless Technology 39,391 Reputation points
    2022-01-11T14:23:52.033+00:00

    Hello,

    A third-party AD FS proxy can be supported as long as it sticks to the following specifications:

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adfspip/76deccb1-1429-4c80-8349-d38e61da5cbb
    [MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol

    As F5 is a third-party vendor, you should also check with them (F5 forum) whether this is supported by them.

    Also, here is some compatibility information:

    Frequently asked questions (FAQ) about AD FS
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#are-third-party-proxies-supported-with-ad-fs


    --If the reply is helpful, please Upvote and Accept as answer--
