ADFS, AD, OFFICE 365

pramod1 (United States) asked:

We have one internal ADFS server in our primary data center and a secondary ADFS server in our secondary data center, and traffic is redirected from Office 365 to our internal ADFS server through a Netscaler which is acting as a reverse proxy.

In order to protect our internal ADFS server from any sporadic outside attack, we need to set up an external ADFS proxy server.

Can you define the steps needed to streamline traffic from the external ADFS proxy server to our internal ADFS server,

regarding setting up relying party trusts etc.?
Jeff Glover:

What version of ADFS are you using?
pramod1 (asker):

Windows Server 2012, ADFS 3.0.

Jeff Glover:

You should be able to easily stand up an ADFS proxy server in a DMZ. The steps are pretty simple. No new relying party trusts, just setting up a new server with 2 NICs and installing Web Application Proxy. The configuration wizard for WAP is set up for ADFS already. If you need more specific steps and how to set up DNS correctly, let me know.
pramod1 (asker):

Thanks, I would appreciate it if you can provide more specific steps.
Jeff Glover:

OK, this is making the assumption that your current ADFS is internal and working.
First, stand up another 2012 server, same version as your ADFS server. It really needs only one NIC unless you expect to have lots of traffic. In most cases, no. For security, this should be in a DMZ and your ADFS server internal, but that is not a hard and fast rule. The proxy simply needs to be able to talk to the ADFS server over 443. The proxy needs to be a domain member.
Export the communications certificate from your ADFS server with the private key. This is the main one for the ADFS site (like sts.domain.com). Using the Certificates MMC snap-in, import the certificate into the computer certificate store of the proxy. It will need it later.
On the proxy server, install the Remote Access role. Select Web Application Proxy from the features and let it install.
For configuration, you will need the Federation Service name and the service account/password. Running the configuration wizard will prompt you.
  If you want a single proxy for both servers, you will need to put it outside the Netscalers. For DNS, external DNS should resolve to an address that is NATted to the federation proxy server. Internal DNS should resolve to your Netscaler VIP.
  The last thing I would do is add the address into the Intranet zone so your internal users use WIA to authenticate (when using IE or Chrome). External users will go through the proxy, which defaults to forms-based authentication.
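Editor's note: the build steps in the answer above, expressed as PowerShell rather than the MMC and wizard clicks. This is an added example and not code posted in the thread. The federation service name `sts.domain.com`, the export path `C:\Temp\sts.pfx` and the service account `DOMAIN\svc_adfs` are assumptions standing in for whatever your environment uses; the cmdlets themselves (`Get-AdfsCertificate`, `Export-PfxCertificate`, `Import-PfxCertificate`, `Install-WindowsFeature`, `Install-WebApplicationProxy`) ship with Windows Server 2012 R2. The cmdlet asks for the credential of an account that is allowed to establish the proxy trust with the federation server; the answer refers to the ADFS service account, and the Microsoft documentation for the parameter describes an account with administrator rights on the ADFS server, so use whichever your environment has set up for that purpose.

```powershell
# Added example: build an ADFS 3.0 (Windows Server 2012 R2) Web Application Proxy.
# Assumptions (not from the thread): sts.domain.com, C:\Temp\sts.pfx, DOMAIN\svc_adfs.

# ---- Part 1: run on the INTERNAL ADFS server (as an ADFS administrator) ----
$fsName  = 'sts.domain.com'                       # assumed federation service name
$pfxPath = 'C:\Temp\sts.pfx'                      # assumed export location
$pfxPass = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'

# Take the certificate that ADFS actually has bound as its service communications
# certificate instead of picking one by subject name; its private key must be exportable.
$commCert = Get-AdfsCertificate -CertificateType Service-Communications
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($commCert.Thumbprint)" `
                      -FilePath $pfxPath -Password $pfxPass | Out-Null
Write-Host "Exported $($commCert.Thumbprint) to $pfxPath; copy it to the proxy over a trusted channel"
Remove-Item $pfxPath   # the ADFS server does not need a second copy of its own private key on disk

# ---- Part 2: run on the PROXY (DMZ, domain-joined, TCP 443 and 49443 open to the ADFS server) ----
$fsName  = 'sts.domain.com'
$pfxPath = 'C:\Temp\sts.pfx'                      # where the PFX was copied to
$pfxPass = Read-Host -AsSecureString -Prompt 'Password of the copied PFX'

# Equivalent of importing into the Computer store with the Certificates MMC snap-in.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass
Remove-Item $pfxPath   # do not leave the private key file on a DMZ host

# Remote Access role with the Web Application Proxy role service (the GUI's "Remote Access" + "Web Application Proxy").
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Equivalent of the WAP configuration wizard: federation service name, trust credential, certificate.
$trustCred = Get-Credential -Message 'Account used to establish the proxy trust (assumed: DOMAIN\svc_adfs)'
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint

# Sanity check: the proxy now knows the federation server it fronts. No relying party
# trusts or claim rules exist here; those live only on the internal ADFS server.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ConfigurationChangesPollingIntervalSec
```

The two halves are separated on purpose: the private key is exported once, moved once, and the PFX file is deleted on both ends, because a PFX of the federation service certificate on a DMZ host is exactly the artifact an attacker who gets onto the proxy would take. Anything still stored in the thread's later questions (token signing certificate, relying party trusts) is not needed on the proxy, which matches the answer further down.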
pramod1 (asker):

I am compiling it into a document shortly, please review.
pramod1 (asker):

I am compiling.
pramod1 (asker):
•      Building ADFS Proxy server

•      First, stand up another 2012 server, same version as your ADFS server. It really needs only one NIC unless you expect to have lots of traffic. The proxy simply needs to be able to talk to the ADFS server over 443. The proxy needs to be a domain member.

•      Export the communications certificate from our ADFS server with the private key. This is the main one for the ADFS site (like sts.domain.com). Using the Certificates MMC snap-in, import the certificate into the computer certificate store of the proxy. It will be needed later.

•      On the proxy server, install the Remote Access role. Select Web Application Proxy from the features and let it install.

•      For configuration, one will need the Federation Service name and the service account/password. Running the configuration wizard will prompt for them.

•      If you want a single proxy for both servers, you will need to put it outside the Netscalers. For DNS, external DNS should resolve to an address that is NATted to the federation proxy server. Internal DNS should resolve to your Netscaler VIP.

(I didn't get this point clearly. We have one internal ADFS server and we want one external ADFS proxy server. Right now traffic is getting redirected from Office 365 to the Netscaler to the internal ADFS server. Can you please clarify the external and internal DNS configuration?)
•      The last thing I would do is add the address into the Intranet zone so your internal users use WIA to authenticate (when using IE or Chrome). External users will go through the proxy, which defaults to forms-based authentication.

Jeff Glover:

Do you want the Netscaler still in the mix at all? If you only have one ADFS server, it is a waste of a resource to have it, but some companies are like that.
pramod1 (asker):

Yes, we want the Netscaler. We need to set up a proxy server because we had an attack on the internal ADFS server.
Jeff Glover:

So you want a proxy server along with a Netscaler acting as a reverse proxy? Seems redundant. I guess I would say your external DNS needs to point to an address that translates to your new proxy server. Your internal DNS needs to point the same address (ADFS farm name) to the Netscaler VIP.
  And... are you using AADConnect at all? If so, ADFS is pretty much redundant for Office 365 anyway.
pramod1 (asker):

How will the data flow be controlled from the proxy to the internal ADFS server?
pramod1 (asker):

Our Netscaler is already acting as a reverse proxy. We had a brute force attack on the internal ADFS server; we could not find the external source IP from the Netscaler. That is the reason we are trying to put a proxy server in between the Netscaler and the internal ADFS server.
pramod1 (asker):

I need to know the steps of traffic to the internal ADFS and the DNS setup; I have to send a proposal.
Jeff Glover:

So, point the Netscaler targets to the ADFS proxy server. Simple enough. Then make sure internal DNS points to the ADFS server itself (if you are using WIA internally). People externally using Office 365 will contact the portal and be redirected to the external address of your ADFS farm. They will contact it through the Netscaler to the proxy server. The proxy server does just that: it reverse proxies ADFS but provides forms-based authentication. Given your explanation, I don't think you will gain anything except complexity. If the attack comes in to the Netscaler and you already cannot find the IP, putting a reverse proxy in the middle won't help you find it.
pramod1 (asker):

So where should I put the reverse proxy, or what best can be done here to mitigate the issue?
pramod1 (asker):

I thought the ADFS proxy can detect the source IP.
Jeff Glover (accepted solution):

Well, if the traffic comes in to your Netscaler first and then is sent to the ADFS proxy, if you can't detect the source now, you won't then. You need to figure out if you can find the IP from the Netscaler.
pramod1 (asker):

So this will work to get the traffic? So do I need to put the proxy server in between the Netscaler and the internal ADFS server?
Jeff Glover:

Please state exactly what you are trying to accomplish here. Putting a proxy in between the Netscaler and the internal ADFS server will get you no more than what you have now (but will give you one more point of failure).
pramod1 (asker):

We have an internal ADFS server. We suffered a brute force attack; we could not find the (external) source IP from the Netscaler, as traffic was redirected from Office 365. We also didn't get any sign-in failure report from Azure AD. So we were thinking of setting up an ADFS proxy server to get one extra layer of security. We don't know where to put it, so that next time an attack happens the proxy server could detect the external source IP, as the internal ADFS server just gave logs with the IP of the Netscaler only.
Jeff Glover:

Then your best bet is to put it between the firewall and the Netscaler. If you put it between the Netscaler and the ADFS server, you will get exactly the same results you are getting from your ADFS server logs.
  I disagree that you will get one extra layer of security; you will get one extra layer of complexity. You would be better off replacing the Netscaler with an ADFS proxy.
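Editor's note: the exchange above is about a brute force attack whose source the internal ADFS server could not record because it only ever saw the Netscaler. Two things on the ADFS 3.0 side are worth checking regardless of where the proxy ends up, and the thread does not mention either: failed logons reach the Security log only if ADFS auditing and the Windows audit policy both allow it, and extranet lockout, which ADFS 3.0 gained with the August 2014 update rollup, applies only to requests that arrive through a Web Application Proxy. The script below is an added example, not code from the thread. It is meant to be run on the internal federation server as an ADFS administrator; the thresholds are illustrative, and the exact wording of the "Client IP" field in event 411 depends on the patch level, so check one event on your own servers before trusting the tally. As Jeff says, if the Netscaler still sits in front of the proxy, the address in that field will be the Netscaler's, not the attacker's.

```powershell
# Added example: make ADFS 3.0 record failed logons, throttle brute force arriving via WAP,
# and tally event 411 by the address ADFS recorded. Not from the original thread.
# Assumes Windows Server 2012 R2 ADFS with the August 2014 update rollup or later.

Import-Module ADFS
Import-Module ActiveDirectory

# ---- 1. Failure audits must be enabled in two places or event 411 is never written ----
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'FailureAudits', 'SuccessAudits')
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# ---- 2. Extranet lockout: soft-locks the account in ADFS (not in AD) for requests coming
#         through the proxy once the threshold is hit inside the observation window. Intranet
#         (WIA) logons are unaffected, so a spray through the proxy cannot lock users out of AD.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)   # illustrative values

# The ADFS threshold must stay below the AD lockout threshold, otherwise the attacker still
# locks the real AD account before ADFS starts rejecting the attempts.
$adThreshold   = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
$adfsThreshold = (Get-AdfsProperties).ExtranetLockoutThreshold
if ($adThreshold -ne 0 -and $adfsThreshold -ge $adThreshold) {
    Write-Warning "ExtranetLockoutThreshold ($adfsThreshold) must be lower than the AD lockout threshold ($adThreshold)"
}

# ---- 3. Tally failed token validations (Security log, event 411) by recorded client address ----
function Get-AdfsFailedLogonsByIp {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 411; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field label varies by patch level; fall back to the first IPv4 literal in the message.
        $ip = if     ($e.Message -match 'Client IP:\s*([0-9\.]+)')       { $Matches[1] }
              elseif ($e.Message -match '(\d{1,3}(?:\.\d{1,3}){3})')      { $Matches[1] }
              else                                                         { 'unknown' }
        [pscustomobject]@{ Time = $e.TimeCreated; ClientIp = $ip; Summary = ($e.Message -split "`n")[0] }
    }
}

# One row per source address, busiest first. A single address with hundreds of rows is a
# brute force; if that address is your Netscaler VIP, the proxy is not where the IP is lost.
Get-AdfsFailedLogonsByIp | Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ClientIp'; e = { $_.Name } }
```

The point of step 2 is that it works even when the source address is useless: it rate-limits by account rather than by IP, which is what actually stops a password spray through the proxy, and it does so without turning the attack into a denial of service against your own AD accounts.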
pramod1 (asker):

Thanks for the suggestion. I am not the person to decide to remove the Netscaler, but yes, I can put it between the firewall and the Netscaler. One last question:

So now external clients will be redirected to the IP address I have published for ADFS externally. From your explanation, I will be redirected to the external address, NATted to your Netscaler VIP?
pramod1 (asker):

What about persistent load balancing and no SSL offload to F5?
pramod1 (asker):

Need to have a VIP on 443; how will it redirect traffic to the Netscaler?
Jeff Glover:

I imagine as of now that is how it is working, since you are using the Netscaler as a reverse proxy. Your external DNS will have a record for your ADFS farm name like sts.domain.com or similar. This will point to an IP assigned to your external firewall. Your firewall should have a NATted mapping redirecting traffic to that IP over to your Netscaler VIP. Your Netscaler VIP will have a target that points to your internal ADFS server IP.
  If you put a proxy in between the firewall and the Netscaler, then your firewall will have to be changed to redirect traffic to the ADFS proxy server. Also, unless you already have this, your internal DNS record for your ADFS farm will have to point to the VIP of your Netscaler, or you will have to rely on a hosts file entry to get your proxy server to function correctly.
pramod1 (asker):

Do we need to export the token signing cert from the internal ADFS as well? Also, no relying party trust or claim rules on the proxy server?

I need to know how the external proxy will talk to the Netscaler.
Jeff Glover:

OK, you are posting questions so fast, I cannot keep up. You have an F5 and a Netscaler? Or was that just a typo? And I don't even understand your question about a VIP on 443. I can't tell you how to set up a Netscaler off hand. Or an F5. And SSL offload? Not to my knowledge.
pramod1 (asker):

No problem.
Jeff Glover:

A proxy server has no relying party trusts. It is simply a Web Application Proxy with special rules for ADFS. You import the certificate into the proxy server and it will ask for it during setup of the proxy.
 The proxy talks to the ADFS server on 443 and 49443, so that is what the Netscaler would have to forward.
And in my experience, 49443 is usually not needed (but Microsoft said to do it before, so I normally do).
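Editor's note: the DNS/NAT layout described a few posts up (external name resolving to the firewall, internal name resolving to the Netscaler VIP or to the ADFS server, hosts file entry on the proxy if needed) and the two ports just mentioned are the things that silently break a proxy deployment. The script below, an added example rather than anything posted in the thread, checks them from the proxy. All addresses are assumptions: federation service name `sts.domain.com`, internal ADFS server `10.0.0.10`, Netscaler VIP `10.0.0.20`, internal DNS server `10.0.0.1`, and a public resolver `8.8.8.8` to see the external answer. Port 49443 is the certificate authentication endpoint, which is why Jeff notes it is often unused; it is still worth knowing whether it is open before a smart card user reports a failure.

```powershell
# Added example: verify split DNS and proxy-to-ADFS reachability for an ADFS 3.0 WAP.
# Not from the original thread. All names and addresses below are assumed placeholders.
$fsName      = 'sts.domain.com'   # federation service name (assumed)
$adfsIp      = '10.0.0.10'        # internal ADFS server (assumed)
$vip         = '10.0.0.20'        # Netscaler VIP that targets the ADFS server (assumed)
$internalDns = '10.0.0.1'         # internal DNS server (assumed)
$externalDns = '8.8.8.8'          # any public resolver, to see what the internet sees

function Test-AdfsProxyPath {
    # 1. Split DNS: inside and outside must answer differently for the same name.
    $inside  = (Resolve-DnsName $fsName -Type A -Server $internalDns -ErrorAction Stop).IPAddress
    $outside = (Resolve-DnsName $fsName -Type A -Server $externalDns -ErrorAction Stop).IPAddress
    Write-Host "$fsName -> internal DNS: $inside | external DNS: $outside"
    if (@($inside) -contains $outside) {
        Write-Warning 'Internal and external answers match: split DNS is not in place'
    }

    # 2. The proxy's own view of the name must land on the ADFS server or the VIP that fronts it,
    #    never on the proxy itself (that loops). If internal DNS cannot give that answer, the
    #    hosts file entry Jeff mentions does it:   10.0.0.10   sts.domain.com
    $proxyView = (Resolve-DnsName $fsName -Type A -ErrorAction Stop).IPAddress
    $myAddrs   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    if (@($proxyView) | Where-Object { $myAddrs -contains $_ }) {
        Write-Warning "$fsName resolves to this proxy's own address; fix DNS or add a hosts entry"
    } elseif (-not (@($proxyView) | Where-Object { $_ -in $adfsIp, $vip })) {
        Write-Warning "$fsName resolves to $proxyView, which is neither the ADFS server nor the VIP"
    }

    # 3. Ports the proxy needs towards the federation server: 443 always, 49443 for certificate auth.
    foreach ($port in 443, 49443) {
        $r = Test-NetConnection -ComputerName $adfsIp -Port $port -WarningAction SilentlyContinue
        Write-Host ("{0}:{1} reachable from proxy: {2}" -f $adfsIp, $port, $r.TcpTestSucceeded)
    }

    # 4. End-to-end: fetch federation metadata by name. A TLS name mismatch here means the
    #    wrong certificate was imported, or the name resolved to the wrong host.
    $uri = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        Write-Host ("metadata: HTTP {0}, entityID present: {1}" -f $resp.StatusCode, ($resp.Content -match 'entityID='))
    } catch {
        Write-Warning "metadata fetch failed: $($_.Exception.Message)"
    }
}

Test-AdfsProxyPath
```

Run it once on the proxy and once on an internal workstation: the workstation should resolve the name to the Netscaler VIP (or the ADFS server) and get WIA, the proxy should resolve it to the federation server it fronts, and only the external resolver should hand out the firewall's public address.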
pramod1 (asker):

OK, I am compiling it in one document. Please go through it once and kindly let me know if everything is OK; I will upload it in half an hour.
Thanks a lot, sir.
pramod1 (asker):

Hi Jeff,

If you get a chance, can you review or add anything I may have missed, like VIP or DNS stuff?

(attachment: Building-ADFS-Proxy-server.docx)
Jeff Glover:

Looks OK to the best of my knowledge.
  I get it that you are working with what you can here, but understand, Microsoft does not recommend ADFS as the authentication provider for Office 365 anymore. It works of course, but they recommend installing AADConnect and doing password sync. They have come a long way with that lately. But what you wrote seems OK.
pramod1 (asker):

Thanks Jeff, I will close the ticket tomorrow; I am sending this to my manager.