pramod1
asked on
ACTIVE DIRECTORY, EXCHANGE, office 365, citrix
Until now we have had traffic flowing firewall - Citrix NetScaler - ASA firewall - internal network. When we had a spray attack we could not find the original source IP hitting the ADFS server, as the messages were redirected from 365 and not authenticated, as the 365 experts say.

1) We did enable the extranet lockout policy on the ADFS 2012 R2 server, but that didn't work. Any reason? Just because we didn't have a WAP server?
On the other hand, when I read various articles I see that extranet lockout was introduced in ADFS 2016. Is that correct, or did it come with some new features?
Do WAP servers document the original IP in spray attacks?
2) Will the WAP servers also have to be 2016 when I upgrade the ADFS server to 2016? I believe we are talking about two different servers.
3) I read: "Load balancers SHOULD ensure that the connecting IP address should be translated as the source IP in the HTTP packet when being sent to ADFS. In the event that a load balancer cannot send the source IP in the HTTP packet, the load balancer MUST add (or append in case of existing) the IP address to the x-forwarded-for header." Is this to be done on the WAP proxy server?
4) If WAP is placed between the firewall and the Citrix NetScaler, should SSL termination not be done at the firewall level?
5) We don't have a conditional access policy defined in Azure AD; will this help, apart from the above ADFS proxy installation?
6) If we install ADFS 2016, do all users have to be on Outlook 2013 or above? Is MFA enabled by default in ADFS 2016?
7) "Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018—look for this ability to come via Windows Update." So what is different from the Windows Server 2012 ADFS server?
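Added example (not from the asker or from any answer on this page): a PowerShell script that inspects and enables the AD FS extranet lockout settings the question is about. It is run in an elevated session on the primary AD FS server. The threshold and observation window are illustrative values chosen here, not a recommendation from the thread, and the `-ExtranetLockoutMode` branch assumes a Windows Server 2016 farm with the extranet smart lockout update installed (the parameter does not exist on 2012 R2, so the branch is skipped there). These settings only act on requests that arrive through a Web Application Proxy; traffic that reaches AD FS from the internal network without a WAP in the path is not counted.

```powershell
# Added example: check and enable AD FS extranet lockout.
# Run elevated on the primary AD FS server; the settings live in the AD FS
# configuration database and apply to every node in the farm.
Import-Module ADFS

$props = Get-AdfsProperties

# Current state of the extranet lockout feature (2012 R2 and later).
$props | Select-Object EnableExtranetLockout,
                      ExtranetLockoutThreshold,
                      ExtranetObservationWindow | Format-List

if (-not $props.EnableExtranetLockout) {
    # Illustrative values: lock out at the AD FS layer after 10 bad passwords
    # seen through the proxy, counted over a 30-minute window.
    # The AD account lockout threshold (see Get-ADDefaultDomainPasswordPolicy
    # from the ActiveDirectory module) must be HIGHER than this value; otherwise
    # AD locks the account first and the extranet lockout never protects it.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold 10 `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
}

# Windows Server 2016 with the extranet smart lockout update exposes
# -ExtranetLockoutMode. Start in log-only mode to observe the effect before
# switching to ADFSSmartLockoutEnforce. Skipped on 2012 R2.
$setCmd = Get-Command Set-AdfsProperties
if ($setCmd.Parameters.ContainsKey('ExtranetLockoutMode')) {
    Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly
    # A mode change takes effect after the AD FS service is restarted
    # (repeat on each farm node).
    Restart-Service adfssrv
}

# Re-read to confirm what is now in effect.
Get-AdfsProperties | Select-Object EnableExtranetLockout,
                                   ExtranetLockoutThreshold,
                                   ExtranetObservationWindow | Format-List
```

Whether the lockout is actually counting depends on the request path: AD FS marks a request as extranet only when it comes in through a WAP, so a farm with no proxy in front of it will show the feature enabled and still never trigger it.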