ADFS 2.0 and 3.0 with Dell F5 design and implementation questions

Hello Experts

High level request:

Client is looking to implement an SSO solution for ServiceNow [see link below for system requirements], and is planning on setting up a federated server farm (2 servers) behind a hardware load balancer.
http://wiki.servicenow.com/index.php?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0

Customers accessing the application

Work computer, roaming: Users who are logged on to domain-joined computers with their corporate credentials, but who are not connected to the corporate network (for example, a work computer at home or at a hotel), can access the cloud service.

Home or public computer: When the user is using a computer that is not joined to the corporate domain, the user must sign in with their corporate credentials to access the cloud service.

Smart phone: On a smart phone, to access the cloud service such as Microsoft Exchange Online using Microsoft Exchange ActiveSync, the user must sign in with their corporate credentials.

Microsoft Outlook or other email clients: The user must sign in with their corporate credentials to access their Office 365 email if they are using Outlook or an email client that is not part of Office; for example, an IMAP or POP client.

Solution Proposed:

Recommended Topology:

Federation server farm with WID and WAP [ADFS servers will be deployed on the internal network; the OS installed will be Windows Server 2012 R2].

The diagram below was taken from MS; please see the recap section at the end of this document for the number of ADFS servers and components in the final design for both sites [primary and DR]. See attached image file.

Questions:

Is an ADFS proxy or WAP necessary if we put the federated server farm behind the hardware load balancer? I need the solution to be redundant; however, it would seem unnecessary for us to build out 4 servers (2 for ADFS, 2 for proxy and/or WAP [Windows 2012 R2]).

My understanding is that the WAP will be used to present ADFS to the internet, so that we can allow external users to access the SSO internal application, and also that we can use any kind of reverse proxy to do this, such as TMG or F5. Is that correct?

Should I follow the same Microsoft procedure to set up a farm of ADFS servers with NLB, even if we use a hardware load balancer [F5]?

To recap

Primary Site
2 ADFS 2012 R2 servers deployed on the internal network where the DC/DNS/Exchange servers are hosted
2 WAP servers deployed in a DMZ network
2 F5 HLB between internal network and DMZ
2 F5 HLB between DMZ and Internet

Secondary site or DR location
Same as above
ProposedADFS.jpg
Jerry Seinfield asked:
Kyle Abrahams (Senior .Net Developer) commented:
The proxy servers provide a nice form for users to login to when challenged.

If you don't use the proxy servers you're given the default basic login and you have to type the domain\username and password combination.

Basically you want the forms authentication for the outside and you want windows authentication for the inside.

Having the proxy servers allows for this (proxy servers use forms authentication, internal ADFS servers use Windows authentication), and having 2 of each allows for high availability / redundancy.
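As an added example (not Kyle's code, and not from the thread), this is how the forms-outside / Windows-inside split above is expressed on the ADFS 3.0 (Windows Server 2012 R2) farm the asker is deploying. ADFS 3.0 treats a request as "extranet" when it arrives through a registered Web Application Proxy and as "intranet" otherwise, so a single global authentication policy covers both zones. Run it in an elevated PowerShell session on the primary federation server of the WID farm; nothing here assumes any hostnames.

```powershell
# Added example: show and set the ADFS 3.0 global authentication policy so that
# intranet (non-proxied) requests use Windows Integrated auth and extranet
# (WAP-proxied) requests use forms-based auth. Run on the PRIMARY WID farm node.
Import-Module ADFS

function Get-AuthProviderSummary {
    # Returns the currently configured primary providers for each zone.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        Intranet = ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
        Extranet = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
    }
}

function Set-SplitAuthPolicy {
    # Windows Integrated for domain-joined clients on the LAN,
    # forms login page for everyone who reaches ADFS through a WAP.
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication') `
        -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')
}

Write-Host 'Policy before:'
Get-AuthProviderSummary | Format-List

Set-SplitAuthPolicy

Write-Host 'Policy after:'
Get-AuthProviderSummary | Format-List
```

The caveat this illustrates: if the F5 were to publish the internal ADFS nodes straight to the internet with no WAP in between, ADFS would classify those external requests as intranet and apply Windows authentication, which is exactly the basic domain\username prompt Kyle describes. The WAP is what makes the extranet provider apply.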
Jerry Seinfield (Author) commented:
Thanks Kyle,

Going back to my original question, let's assume that I install proxy servers [Windows 2008] or WAP servers [2012 R2] on a DMZ network, and there is an F5 hardware load balancer between the DMZ and the internet. Is this still a good design? Are the proxy and WAP servers required even if I have a hardware load balancer?

My plan is:

Install ADFS servers in the internal network [Each site or location will have 2 ADFS servers]

Each location will have 2 PROXY servers or WAP servers [depending on the OS selected]

Each site or location has an F5 HLB between the DMZ and the external world

My understanding is that to set up a farm of ADFS servers you have to deploy Windows Network Load Balancing, and the same for proxy servers or WAP servers. Should I install NLB for the internal farm of ADFS servers and also for the proxy or WAP servers, or must the load balancing be configured at the hardware load balancer?
Kyle Abrahams (Senior .Net Developer) commented:
This diagram may help:
https://devcentral.f5.com/articles/big-ip-and-adfs-part-1-ndash-ldquoload-balancing-the-adfs-farm-rdquo

I don't believe you need both the Windows NLB and a hardware one.

Basically you have an NLB to create the network cluster, giving you the high availability. So for every pair of servers you're going to want some kind of NLB. Note that ADFS (at least 2.0) acts in an active/passive way. In 2.0 (I haven't gone to 3.0 yet) you need to run a PowerShell command to actually kick over the farm to the other server. The passive servers can still be hit read-only, but to make modifications you need to be the primary.

In short, for every 2 servers you want some kind of NLB to create the single clustered address. Whether that's hardware (better, as it's isolated) or software shouldn't make a difference.

Hope that helps.
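An added example (my own, not Kyle's or from the F5 article) of the two operational pieces behind this answer on an ADFS 3.0 / Windows Server 2012 R2 WID farm: the primary/secondary role that Kyle describes having to "kick over" by PowerShell, and a health check that an F5 can use against each node behind the VIP. The hostnames and the federation service name are assumptions; WinRM must be enabled on the farm nodes for the remote calls, and the /adfs/probe endpoint is the unauthenticated HTTP (port 80) probe that ADFS 3.0 and WAP expose for exactly this purpose.

```powershell
# Added example: inspect WID farm roles, promote a secondary to primary when
# needed, and probe every node (and the F5 VIP) the way a hardware LB monitor would.
# Hostnames below are assumptions for illustration, not names from the thread.
$FarmNodes             = @('adfs01.corp.example.com', 'adfs02.corp.example.com')
$FederationServiceName = 'sts.example.com'   # DNS name that resolves to the F5 VIP

function Get-FarmRoles {
    # One row per node: which node is PrimaryComputer and where secondaries sync from.
    foreach ($node in $FarmNodes) {
        $sync = Invoke-Command -ComputerName $node -ScriptBlock {
            Import-Module ADFS
            Get-AdfsSyncProperties
        }
        [pscustomobject]@{
            Node       = $node
            Role       = $sync.Role                  # PrimaryComputer / SecondaryComputer
            SyncsFrom  = $sync.PrimaryComputerName   # set on secondaries only
            LastStatus = $sync.LastSyncStatus        # 0 = last WID sync succeeded
        }
    }
}

function Set-FarmPrimary {
    # Promote $NewPrimary and re-point every other node at it. This is the
    # "kick over" step; it is needed only for config changes, not for token issuance.
    param([Parameter(Mandatory)][string]$NewPrimary)

    Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
        Import-Module ADFS
        Set-AdfsSyncProperties -Role PrimaryComputer
    }
    foreach ($node in ($FarmNodes | Where-Object { $_ -ne $NewPrimary })) {
        Invoke-Command -ComputerName $node -ArgumentList $NewPrimary -ScriptBlock {
            param($Primary)
            Import-Module ADFS
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $Primary
        }
    }
}

function Test-AdfsProbe {
    # HTTP 200 from http://<host>/adfs/probe means the federation service (or WAP)
    # is up. Probing port 80 sidesteps the SNI requirement of the HTTPS listener,
    # which is why this is the recommended monitor for hardware load balancers.
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        try {
            $r = Invoke-WebRequest -Uri "http://$t/adfs/probe" -UseBasicParsing -TimeoutSec 5
            [pscustomobject]@{ Target = $t; Status = $r.StatusCode }
        } catch {
            [pscustomobject]@{ Target = $t; Status = "FAIL: $($_.Exception.Message)" }
        }
    }
}

# Usage: show the roles, probe each node directly and then through the VIP.
Get-FarmRoles | Format-Table -AutoSize
Test-AdfsProbe -Targets ($FarmNodes + $FederationServiceName) | Format-Table -AutoSize

# Only when the current primary is lost and you need to change farm config:
# Set-FarmPrimary -NewPrimary 'adfs02.corp.example.com'
```

Two points worth keeping in mind with this design: the F5 monitor should target each node's own address on /adfs/probe rather than the federation service name, so a dead node is pulled from the pool rather than masked by its partner; and promoting a secondary is a configuration-plane action only, so the VIP keeps issuing tokens from either node regardless of which one holds the primary role.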

Jerry Seinfield (Author) commented:
Thanks Kyle. So, assuming that I do not need to install NLB, the procedure to deploy the ADFS servers and proxy involves only the deployment of ADFS, configuring certs, relying party claims, and so on, and then setting up the load balancer rules in the F5 appliance?

Is that assumption correct?
Kyle Abrahams (Senior .Net Developer) commented:
I would agree with that assumption.
Question has a verified solution.