ADFS, AD, OFFICE 365

We have one internal ADFS server in our primary data center and a secondary ADFS server in our secondary data center, and traffic is redirected from Office 365 to our internal ADFS server through a NetScaler that is acting as a reverse proxy.

In order to protect our internal ADFS server from any sporadic outside attack, we need to set up an external ADFS proxy server.

Can you define the steps needed to streamline traffic from the external ADFS proxy server to our internal ADFS server,

regarding setting up the relying party trust etc.?
Asked by pramod1

Jeff Glover (Sr. Systems Administrator) commented:
What version of ADFS are you using?
pramod1 (Author) commented:
Windows Server 2012, ADFS 3.0
Jeff Glover (Sr. Systems Administrator) commented:
You should be able to easily stand up an ADFS proxy server in a DMZ. The steps are pretty simple. No new relying party trusts, just setting up a new server with 2 NICs and installing Web Application Proxy. The configuration wizard for WAP is set up for ADFS already. If you need more specific steps and how to set up DNS correctly, let me know.
pramod1 (Author) commented:
Thanks, I would appreciate it if you can provide more specific steps.
Jeff Glover (Sr. Systems Administrator) commented:
OK, this is making an assumption that your current ADFS is internal and working.
First, stand up another 2012 server, same version as your ADFS server. It really needs only one NIC unless you expect to have lots of traffic. In most cases, no. For security, this should be in a DMZ and your ADFS server internal, but that is not a hard and fast rule. The proxy simply needs to be able to talk to the ADFS server over 443. The proxy needs to be a domain member.
Export the communications certificate from your ADFS server with the private key. This is the main one for the ADFS site (like sts.domain.com). Using the Certificates MMC snap-in, import the certificate into the computer certificate store of the proxy. It will need it later.
On the proxy server, install the Remote Access role. Select Web Application Proxy from the features and let it install.
For configuration, you will need the Federation Service name and the service account/password. Running the configuration wizard will prompt you.
If you want a single proxy for both servers, you will need to put it outside the Netscalers. For DNS, external DNS should resolve to an address that is NATed to the Federation Proxy server. Internal DNS should resolve to your Netscaler VIP.
The last thing I would do is add the address into the Intranet zone so your internal users use WIA to authenticate (when using IE or Chrome). External users will go through the proxy, which defaults to Forms Based Authentication.
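The steps above, scripted end to end as an added example (this is not code from the thread or from Microsoft; every host name, path and address is a placeholder, and the hosts-file entry is only needed when internal DNS does not already resolve the farm name to the internal side). The first part runs on the existing ADFS server, the middle part on the new proxy, and the last part on internal clients, normally pushed by Group Policy:

```powershell
# Added example, not from the thread. All names, paths and addresses are placeholders.
$FederationServiceName = 'sts.domain.com'               # farm name (example name used in the thread)
$PfxPath               = 'C:\certs\sts.domain.com.pfx'  # assumed export location
$InternalTarget        = '10.0.0.50'                    # assumed: NetScaler VIP or internal ADFS address

# ---- On the internal ADFS server: export the service communications certificate with its private key
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $FederationServiceName was found" }
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# ---- On the new proxy server (DMZ) ----
# The proxy must resolve the farm name to the internal side, never to itself.
# Skip this line if internal DNS already points the farm name at the NetScaler VIP / ADFS.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "$InternalTarget`t$FederationServiceName"

# Confirm the ports to ADFS are open before installing anything (49443 is only needed for
# certificate authentication; 443 is the one that must succeed).
foreach ($port in 443, 49443) {
    $probe = Test-NetConnection -ComputerName $FederationServiceName -Port $port -WarningAction SilentlyContinue
    Write-Host ("Port {0}: {1}" -f $port, $(if ($probe.TcpTestSucceeded) { 'open' } else { 'closed' }))
}

# Import the exported certificate into the computer store; WAP setup asks for its thumbprint.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Install the Remote Access role with the Web Application Proxy role service.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Establish the proxy trust. The credential is an account that is a local administrator on the
# ADFS server (what the thread calls the service account/password). No relying party trust is created.
$trustCred = Get-Credential -Message 'Local administrator on the ADFS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $imported.Thumbprint

# Check that the proxy trust is healthy and see which ADFS URL the proxy is fronting.
Get-WebApplicationProxyHealth
Get-WebApplicationProxyConfiguration

# ---- On internal clients (normally via Group Policy): put the farm name in the Local intranet zone
# so IE and Chrome use Windows Integrated Authentication instead of the forms logon page.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\sts'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null   # zone 1 = Local intranet
```

Run the export section with an account that can read the private key, and run the proxy section in an elevated PowerShell session on the new server. The health check at the end is the quickest way to tell whether the trust was established; if it reports an error, the usual cause is the farm name resolving to the proxy itself rather than to the internal ADFS side.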
pramod1 (Author) commented:
I am compiling it into a document shortly, please review.
pramod1 (Author) commented:
I am compiling.
pramod1 (Author) commented:
•      Building ADFS Proxy server

•      First, stand up another 2012 server, same version as your ADFS server. It really needs only one NIC unless you expect to have lots of traffic. The proxy simply needs to be able to talk to the ADFS server over 443. The proxy needs to be a domain member.

•      Export the communications certificate from our ADFS server with the private key. This is the main one for the ADFS site (like sts.domain.com). Using the Certificates MMC snap-in, import the certificate into the computer certificate store of the proxy. It will be needed later.

•      On the proxy server, install the Remote Access role. Select Web Application Proxy from the features and let it install.

•      For configuration, one will need the Federation Service name and the service account/password. Running the configuration wizard will prompt for them.

•      If you want a single proxy for both servers, you will need to put it outside the Netscalers. For DNS, external DNS should resolve to an address that is NATed to the Federation Proxy server. Internal DNS should resolve to your Netscaler VIP.

(I didn't get this point clearly: we have one internal ADFS server and we want one external ADFS proxy server. Right now traffic is redirected from Office 365 to the NetScaler to the internal ADFS server. Can you please clarify the external and internal DNS configuration?)
•      The last thing I would do is add the address into the Intranet zone so your internal users use WIA to authenticate (when using IE or Chrome). External users will go through the proxy, which defaults to Forms Based Authentication.
Jeff Glover (Sr. Systems Administrator) commented:
Do you want the Netscaler still in the mix at all? If you only have one ADFS server, it is a waste of a resource to have it, but some companies are like that.
pramod1 (Author) commented:
Yes, we want the NetScaler. We need to set up a proxy server because we had an attack on the internal ADFS server.
Jeff Glover (Sr. Systems Administrator) commented:
So you want a proxy server along with a Netscaler acting as a reverse proxy? Seems redundant. I guess I would say your external DNS needs to point to an address that translates to your new proxy server. Your internal DNS needs to point the same address (ADFS farm name) to the Netscaler VIP.
And... are you using AADConnect at all? If so, ADFS is pretty much redundant for Office 365 anyway.
pramod1 (Author) commented:
How will the data flow be controlled from the proxy to the internal ADFS server?
pramod1 (Author) commented:
Our NetScaler is already acting as a reverse proxy. We had a brute force attack on the internal ADFS server and we could not find the external source IP from the NetScaler. That is the reason we are trying to put a proxy server between the NetScaler and the internal ADFS server.
pramod1 (Author) commented:
I need to know the steps of traffic to the internal ADFS and the DNS setup; I have to send a proposal.
Jeff Glover (Sr. Systems Administrator) commented:
So, point the Netscaler targets to the ADFS proxy server. Simple enough. Then make sure internal DNS points to the ADFS server itself (if you are using WIA internally). People externally using Office 365 will contact the portal and be redirected to the external address of your ADFS farm. They will contact it through the Netscaler to the proxy server. The proxy server does just that: it reverse proxies ADFS but provides Forms Based Authentication. Given your explanation, I don't think you will gain anything except complexity. If the attack comes in to the Netscaler and you already cannot find the IP, putting a reverse proxy in the middle won't help you find it.
pramod1 (Author) commented:
So where should I put the reverse proxy, or what best can be done here to mitigate the issue?
pramod1 (Author) commented:
I thought the ADFS proxy can detect the source IP.
Jeff Glover (Sr. Systems Administrator) commented:
But, if you are looking for traffic:

Internally: the user contacts the O365 portal and enters an email or UPN (whichever you are using). They are redirected to the internal ADFS server (whatever your internal DNS has as an A record for the farm name). You authenticate and are sent back to Office 365.
The only difference with external clients is that you will be redirected to the IP address you have published for ADFS externally. From your explanation, you will be redirected to the external address, NATed to your Netscaler VIP. This will reverse proxy you to the ADFS proxy server, which acts as a reverse proxy for the ADFS server, sending you there to log on with Forms Based Authentication. You authenticate and are sent back to O365.

Jeff Glover (Sr. Systems Administrator) commented:
Well, if the traffic comes in to your Netscaler first and then is sent to the ADFS proxy, if you can't detect the source now, you won't then. You need to figure out if you can find the IP from the Netscaler.
pramod1 (Author) commented:
So this will work to get the traffic; so do I need to put the proxy server in between the NetScaler and the internal ADFS server?
Jeff Glover (Sr. Systems Administrator) commented:
Please state exactly what you are trying to accomplish here. Putting a proxy in between the Netscaler and the internal ADFS server will get you no more than what you have now (but will give you one more point of failure).
pramod1 (Author) commented:
We have an internal ADFS server. We suffered a brute force attack and we could not find the (external) source IP from the NetScaler, as traffic was redirected from Office 365; we also didn't get any sign-in failure report from Azure AD. So we were thinking of setting up an ADFS proxy server to get one extra layer of security. We don't know where to put it so that, the next time an attack happens, the proxy server could detect the external source IP, as the internal ADFS server just gave logs with the IP of the NetScaler only.
Jeff Glover (Sr. Systems Administrator) commented:
Then your best bet is to put it between the firewall and the Netscaler. If you put it between the Netscaler and the ADFS server, you will get exactly the same results you are getting from your ADFS server logs.
I disagree that you will get one extra layer of security; you will get one extra layer of complexity. You would be better off replacing the Netscaler with an ADFS proxy.
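The placement question above comes down to which address the ADFS logs record for a failed logon. The following added example (not from the thread, and not a Microsoft sample) shows how to tally failure sources from the ADFS admin log and what each placement would yield. It assumes ADFS 3.0 writes failed token validation as event 411 in the AD FS/Admin log with a "Client IP:" field, and that a Web Application Proxy in front adds the address it forwarded (the x-ms-forwarded-client-ip header) to that field; the exact message text varies by update level, so the regex is an assumption to adjust. The sample messages are constructed, and the extranet lockout setting at the end is an added mitigation that only works when the proxy actually sees the external client:

```powershell
# Added example, not from the thread. Event format and addresses are assumptions / constructed data.
function Get-FailedLogonSources {
    param([string[]]$Messages)
    $Messages |
        ForEach-Object {
            # Assumed format: "... Client IP: <addr>[,<forwarded addr>]"
            if ($_ -match 'Client IP:\s*(?<ips>[0-9a-fA-F.:]+(?:\s*,\s*[0-9a-fA-F.:]+)*)') {
                # Report every listed address; with a WAP in front, the forwarded (real client) address follows the proxy's.
                ($Matches['ips'] -split '\s*,\s*') | ForEach-Object { $_.Trim() }
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

# Constructed sample messages for the two placements discussed in the thread.
$sample = @(
    # Proxy (or no proxy) behind the NetScaler: every failure shows only the NetScaler's internal address.
    'Token validation failed. Additional Data: Client IP: 10.0.0.50',
    'Token validation failed. Additional Data: Client IP: 10.0.0.50',
    'Token validation failed. Additional Data: Client IP: 10.0.0.50',
    # Proxy between the firewall and the NetScaler: the forwarded external address becomes visible.
    'Token validation failed. Additional Data: Client IP: 192.0.2.10,203.0.113.44',
    'Token validation failed. Additional Data: Client IP: 192.0.2.10,203.0.113.44'
)
Get-FailedLogonSources -Messages $sample | Format-Table -AutoSize

# Against the live log on the ADFS server (uncomment there):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 411 } -MaxEvents 5000
# Get-FailedLogonSources -Messages $events.Message | Format-Table -AutoSize

# Added mitigation, only meaningful once the proxy sees real client addresses: ADFS extranet soft lockout
# (ADFS 3.0 with the update that introduced it). It counts bad passwords arriving through the Web Application
# Proxy and pauses that account for the observation window. Keep the threshold below the AD account lockout
# threshold so an attacker cannot lock the account out for internal users.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Run against the sample data, the first three messages collapse to a single NetScaler address with a count of 3, which is exactly the log result the thread describes; the last two produce both the proxy and the forwarded client address. If the live log only ever shows one internal address, the fix is upstream of ADFS (proxy placement or NetScaler client-IP handling), not another hop behind the NetScaler.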
pramod1 (Author) commented:
Thanks for the suggestion. I am not the person to decide to remove the NetScaler, but yes, I can put it between the firewall and the NetScaler. One last question:

So now
external clients will be redirected to the IP address I have published for ADFS externally. From your explanation, I will be redirected to the external address, NATed to your NetScaler VIP.
pramod1 (Author) commented:
What about persistent load balancing and no SSL offload to F5?
pramod1 (Author) commented:
Need to have the VIP on 443; how will it redirect traffic to the NetScaler?
Jeff Glover (Sr. Systems Administrator) commented:
I imagine as of now that is how it is working, since you are using the Netscaler as a reverse proxy. Your external DNS will have a record for your ADFS farm name like sts.domain.com or similar. This will point to an IP assigned to your external firewall. Your firewall should have a NAT mapping redirecting traffic to that IP over to your Netscaler VIP. Your Netscaler VIP will have a target that points to your internal ADFS server IP.
If you put a proxy in between the firewall and the Netscaler, then your firewall will have to be changed to redirect traffic to the ADFS proxy server. Also, unless you already have this, your internal DNS record for your ADFS farm will have to point to the VIP of your Netscaler, or you will have to rely on a hosts file entry to get your proxy server to function correctly.
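The split DNS layout just described (public resolvers answering with the firewall's NAT address, internal DNS answering with the NetScaler VIP, and the proxy itself never resolving the farm name to its own address) is easy to get wrong and easy to check. The script below is an added example, not from the thread; the resolver addresses and expected answers are placeholders for the reader's environment, and the last section is meant to be run on the proxy server:

```powershell
# Added example, not from the thread. Resolvers and expected addresses are placeholders.
$FarmName = 'sts.domain.com'
$Expected = @(
    @{ Label = 'external (public resolver)'; Resolver = '8.8.8.8';  Address = '198.51.100.10' }  # firewall NAT address for the proxy (assumed)
    @{ Label = 'internal DNS';               Resolver = '10.0.0.2'; Address = '10.0.0.50'      }  # NetScaler VIP (assumed)
)

function Test-FarmDns {
    param([string]$Name, [hashtable[]]$Checks)
    foreach ($c in $Checks) {
        try {
            # Ask the named resolver directly so the local cache and search order do not mask the answer.
            $answers = Resolve-DnsName -Name $Name -Type A -Server $c.Resolver -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } |
                       Select-Object -ExpandProperty IPAddress
        } catch {
            $answers = @()   # resolver unreachable or name not found from that view
        }
        [pscustomobject]@{
            View     = $c.Label
            Resolver = $c.Resolver
            Answer   = ($answers -join ', ')
            Expected = $c.Address
            Ok       = [bool]($answers -contains $c.Address)
        }
    }
}

Test-FarmDns -Name $FarmName -Checks $Expected | Format-Table -AutoSize

# Run this part on the proxy itself: the farm name must not resolve to one of the proxy's own
# addresses, otherwise the proxy sends ADFS traffic back to itself instead of to ADFS.
$ownIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$seenAs = (Resolve-DnsName -Name $FarmName -Type A | Where-Object { $_.Type -eq 'A' }).IPAddress
$loop   = $seenAs | Where-Object { $ownIps -contains $_ }
if ($loop) {
    Write-Warning "$FarmName resolves to this proxy ($($loop -join ', ')); point internal DNS or the hosts file at the NetScaler VIP / ADFS"
} else {
    Write-Host "$FarmName resolves to $($seenAs -join ', ') from the proxy"
}
```

Each row of the table shows one DNS view with an Ok column; both rows must be true before the proxy is installed, and the self-check at the end should print the NetScaler VIP or ADFS address rather than a warning.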
pramod1 (Author) commented:
Do we need to export the token signing cert from the internal ADFS as well? Also, no relying party trust or claim rules on the proxy server?

I need to know how the external proxy will talk to the NetScaler.
Jeff Glover (Sr. Systems Administrator) commented:
OK, you are posting questions so fast, I cannot keep up. You have an F5 and a Netscaler? Or was that just a typo? And I don't even understand your question about the VIP on 443. I can't tell you how to set up a Netscaler offhand. Or an F5. And SSL offload? Not to my knowledge.
pramod1 (Author) commented:
np
Jeff Glover (Sr. Systems Administrator) commented:
A proxy server has no relying party trusts. It is simply a Web Application Proxy with special rules for ADFS. You import the certificate into the proxy server and it will ask for it during setup of the proxy.
The proxy talks to the ADFS server on 443 and 49443, so that is what the Netscaler would have to forward.
Jeff Glover (Sr. Systems Administrator) commented:
And in my experience, 49443 is usually not needed (but Microsoft said to do it before, so I normally do).
pramod1 (Author) commented:
OK, I am compiling it in one document. Please go through it once and kindly let me know if everything is OK; I will upload it in half an hour.
Thanks a lot, sir.
pramod1 (Author) commented:
Hi Jeff,

If you get a chance, can you review or add anything if I have missed something, like VIP or DNS stuff?
Building-ADFS-Proxy-server.docx
Jeff Glover (Sr. Systems Administrator) commented:
Looks OK to the best of my knowledge.
I get it that you are working with what you can here, but understand, Microsoft does not recommend ADFS as the authentication provider for Office 365 anymore. It works, of course, but they recommend installing AADConnect and doing password sync. They have come a long way with that lately. But what you wrote seems OK.
pramod1 (Author) commented:
Thanks Jeff, I will close the ticket tomorrow; I am sending this to my manager.