High level request:
The client is looking to implement an SSO solution called ServiceNow [see link below for system requirements], and is planning on setting up a federated server farm (2 servers) behind a hardware load balancer.
Customers accessing the application
Work computer, roaming: Users who are logged on to domain-joined computers with their corporate credentials, but who are not connected to the corporate network (for example, a work computer at home or at a hotel), can access the cloud service.
Home or public computer: When the user is using a computer that is not joined to the corporate domain, the user must sign in with their corporate credentials to access the cloud service.
Smart phone: On a smart phone, to access the cloud service such as Microsoft Exchange Online using Microsoft Exchange ActiveSync, the user must sign in with their corporate credentials.
Microsoft Outlook or other email clients: The user must sign in with their corporate credentials to access their Office 365 email if they are using Outlook or an email client that is not part of Office; for example, an IMAP or POP client.
Federation server farm with WID and WAP [ADFS servers will be deployed on the internal network; the OS installed will be Windows Server 2012 R2]
The diagram below was taken from MS; please see the section at the end of the document for a recap and for the number of ADFS servers and components in the final design for both sites [primary and DR]. See attached image file.
Is an ADFS proxy or WAP necessary if we put the federated server farm behind the hardware load balancer? I need the solution to be redundant; however, it would seem unnecessary for us to build out 4 servers (2 for ADFS, 2 for proxy and/or WAP [Windows 2012 R2]).
My understanding is that the WAP will be used to present ADFS to the internet, so that we can allow external users to access the SSO internal application, and also that we can use any kind of reverse proxy to do this, such as TMG or F5. Is that correct?
Should I follow the same Microsoft procedure to set up a farm of ADFS servers with NLB, even if we use a hardware load balancer [F5]?
2 ADFS 2012 R2 servers deployed on the internal network where the DCD/DNS/Exchange servers are hosted
2 WAP servers deployed in a DMZ network
2 F5 HLB between internal network and DMZ
2 F5 HLB between DMZ and Internet
Secondary site or DR location
Same as above
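As an added example (not part of the original request or of any Microsoft guidance), the following PowerShell checks are what an engineer would run to confirm the design above actually behaves redundantly once the F5 pools are in place: every ADFS and WAP node answers the plain-HTTP /adfs/probe endpoint that ADFS 2012 R2 provides for load balancer health monitors, the WID farm has one primary and the secondaries are syncing from it, and each WAP node's proxy trust to the farm is healthy. The host names are assumed placeholders, and Invoke-Command requires WinRM access to the nodes.

```powershell
# Added example: readiness checks for an ADFS 2012 R2 WID farm behind an HLB plus a WAP tier.
# Host names are placeholders (assumption); replace them with the real node names.
$adfsNodes = @('adfs01.corp.example', 'adfs02.corp.example')   # internal farm
$wapNodes  = @('wap01.dmz.example',  'wap02.dmz.example')      # DMZ proxies

function Test-AdfsProbe {
    param([Parameter(Mandatory)][string]$ComputerName)
    # ADFS 2012 R2 and WAP answer GET /adfs/probe on HTTP port 80 with 200 OK.
    # Point the F5 health monitor at this path rather than at a bare TCP/443 check:
    # it reflects whether the federation service itself is up, and it needs no SNI.
    try {
        $r = Invoke-WebRequest -Uri "http://$ComputerName/adfs/probe" -UseBasicParsing -TimeoutSec 5
        [pscustomobject]@{ Node = $ComputerName; Probe = $r.StatusCode }
    } catch {
        [pscustomobject]@{ Node = $ComputerName; Probe = "FAIL: $($_.Exception.Message)" }
    }
}

# WID farm state: exactly one node should report Role = PrimaryComputer. Secondaries keep
# issuing tokens if the primary is down, but configuration changes stop until it returns,
# and LastSyncStatus on the secondaries will start reporting errors.
$syncState = Invoke-Command -ComputerName $adfsNodes -ScriptBlock {
    Get-AdfsSyncProperties
} | Select-Object PSComputerName, Role, PrimaryComputerName, LastSyncStatus, PollDuration

# WAP tier: confirm which federation service each proxy trusts and that the trust is healthy.
$wapState = Invoke-Command -ComputerName $wapNodes -ScriptBlock {
    $cfg = Get-WebApplicationProxyConfiguration
    [pscustomobject]@{
        AdfsUrl = $cfg.ADFSUrl
        Health  = (Get-WebApplicationProxyHealth | Out-String).Trim()
    }
} | Select-Object PSComputerName, AdfsUrl, Health

($adfsNodes + $wapNodes) | ForEach-Object { Test-AdfsProbe -ComputerName $_ } | Format-Table -AutoSize
$syncState | Format-Table -AutoSize
$wapState  | Format-List
```

Run the probe section a second time with one ADFS node stopped to confirm the F5 pool drops that member and the remaining node still returns 200.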