philb19
asked on
ADFS server internal on different network than client wifi network
Hi - we use ASA 9.1 IOS. We have a wifi network that terminates on the ASA.
The wifi clients are therefore on a different interface network than the ADFS server, which is on the inside interface of the ASA.
The internal ADFS server is reached by the Web Application Proxy in the DMZ.
Now when the wifi mobile users go to the O365 site (SharePoint) to log in, they hit the Microsoft site OK, but then MS can't reach back to the ADFS server to present our login page. When on the inside interface of the ASA, or external to our LAN, the ADFS web proxy and ADFS all work fine for those clients. As the internal ADFS server is on a different internal network to the internal wifi users, I think the ASA is having trouble. I have tried ACL entries etc. + DNS but am not sure how to resolve. Thanks.
What DNS is the Wi-Fi network using?
I mean, is it resolving to the ADFS internal IP or external IP?
You need to open 443 outbound from Wi-Fi to the ADFS public IP or private IP, depending on the configured DNS, so that the Wi-Fi client can reach ADFS.
ASKER
No, that's open, thanks - ACL out 443 to the ADFS Web App Proxy.
I'm pretty sure it's something to do with hairpinning or U-turn traffic through the ASA.
ASKER
Hi, I solved it myself. What was going on was that the HTTPS traffic was going outbound to a cloud proxy and then couldn't U-turn back to find our internal ADFS server. The internal ADFS server is on a different interface than the mobile wifi; it's on the inside interface of the ASA.
The solution is to stop the internal ADFS server's HTTPS traffic from going to the cloud proxy.
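One way to implement that bypass on the client side is a proxy auto-configuration (PAC) script that returns DIRECT for the federation-service host names so the cloud proxy never carries, or re-signs, that TLS session. This is an added example, not configuration from the thread; every host name and proxy address in it is a placeholder, and it also sends RFC 1918 destinations DIRECT, which goes beyond what the post describes.

```javascript
// PAC script: send the ADFS federation service (and the Web Application Proxy
// that publishes it) DIRECT instead of through the cloud proxy, so the ASA can
// forward it from the wifi interface to the inside interface as ordinary HTTPS.
// Written in ES3-style JavaScript because Windows PAC engines (WinHTTP/JScript)
// reject newer syntax. All host names and addresses below are placeholders.

var ADFS_HOSTS = ["adfs.example.com", "wap.example.com"];   // placeholder FQDNs
var CLOUD_PROXY = "PROXY proxy.example.net:8080";           // placeholder cloud proxy

// Exact, case-insensitive match against the bypass list.
function isAdfsHost(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < ADFS_HOSTS.length; i++) {
    if (h === ADFS_HOSTS[i]) { return true; }
  }
  return false;
}

// True for single-label internal names and RFC 1918 addresses; the thread does
// not name the inside network, so treating all private ranges as local is an assumption.
function isInternal(host) {
  if (host.indexOf(".") === -1) { return true; }
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) { return false; }
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point the browser or WinHTTP calls for every request.
function FindProxyForURL(url, host) {
  if (isAdfsHost(host) || isInternal(host)) {
    return "DIRECT";
  }
  return CLOUD_PROXY;   // everything else (e.g. SharePoint Online) still uses the cloud proxy
}
```

Because the federation-service session now goes DIRECT, the client also sees the ADFS server's own certificate rather than one re-issued by an intercepting proxy.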
It's standard practice to route all ADFS traffic to the external proxy interface.
This is true especially when you have ADFS servers located in Azure connected with a VPN tunnel.
Your problem is that ADFS traffic, once going through the proxy, is getting disconnected for some reason.
Maybe because the SSL decryption or insertion feature is on with the firewall / proxy filtering device for internal clients while accessing external content. When that happens the actual web site's SSL cert is getting replaced with the proxy server's certificate.
The ADFS connection should work with its own certificate only.
When the client accesses ADFS with the internal IP, the SSL decryption feature is getting bypassed.