Load Balancing AD FS Proxy (WAP) Servers
- Last Updated: May 14, 2025
An AD FS proxy server (WAP) protects the AD FS server from internet-based threats. The WAP server also authenticates users from the internet.
In our example deployment, “Kemp Demo” has deployed AD FS 3.0 in their environment to facilitate claims-based authentication for their Microsoft Exchange 2013 infrastructure and allow for SSO capabilities across applications. A pair of AD FS Proxy (WAP) servers is added in the DMZ to provide additional protection and security for clients accessing the application from the internet. External clients connect to the AD FS Proxy (WAP) servers, and the AD FS Proxy (WAP) servers proxy that connection through the internal LoadMaster to a healthy AD FS server. The deployment contains the following:
- Two AD FS 3.0 servers
- Two AD FS 3.0 Proxy servers (WAP)
- Two Microsoft Exchange 2013 Multi-Role servers
- LoadMaster HA cluster on the internal LAN
- LoadMaster HA cluster in the DMZ
A name space of owa.Kempdemo.com is used for access to the Microsoft Exchange environment. A name space of adfs.Kempdemo.com is used for access to the AD FS and the AD FS Proxy (WAP) farms. Split Domain Name System (DNS) is implemented, which allows these name spaces to be used both internally and externally in the environment.
The connection flow for an external client is as follows:
- The client accesses the workload at https://owa.kempdemo.com/owa.
- The client is directed to the AD FS URL, https://adfs.kempdemo.com, which is a Virtual Service on the DMZ LoadMasters for AD FS Proxies (WAP).
- The LoadMaster sends traffic to a healthy AD FS Proxy (WAP) server based on the scheduling method.
- The AD FS Proxy (WAP) server proxies the connection to the AD FS servers published through the internal LoadMasters.
- The LoadMaster sends traffic to the healthy AD FS server based on the scheduling method.
- The AD FS server authenticates the user against Active Directory.
- The AD FS server returns a SAML token to the AD FS Proxy (WAP).
- The AD FS Proxy (WAP) returns a SAML token to the client for authentication.
- The client connects to Microsoft Exchange 2013 with a SAML token for authentication and accesses the workload.
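The split DNS and the two proxy hops above only work if each vantage point resolves adfs.kempdemo.com to the right Virtual Service. The following check is an added example, not part of the Kemp documentation; the function name, the view names and all IP addresses are constructed, and it assumes that the WAP servers and internal clients should reach the internal LoadMaster Virtual Service while internet clients reach the DMZ one.

```python
import ipaddress

# Constructed sample data: all addresses below are placeholders, not values from the page.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: which Virtual Service each vantage point should reach for the federation name.
EXPECTED_TARGET = {
    "external": "dmz_vs",       # internet clients -> DMZ LoadMaster VS for the WAP farm
    "wap": "internal_vs",       # WAP servers -> internal LoadMaster VS for the AD FS farm
    "internal": "internal_vs",  # LAN clients -> internal LoadMaster VS
}

def audit_split_dns(name, views, vips):
    """Return sorted findings for one name across the DNS views.

    views: {vantage: {hostname: ip}}; vips: {"dmz_vs": ip, "internal_vs": ip}.
    """
    findings = []
    name = name.lower()  # DNS names are case-insensitive
    for vantage, target in EXPECTED_TARGET.items():
        zone = {h.lower(): ip for h, ip in views.get(vantage, {}).items()}
        answer = zone.get(name)
        if answer is None:
            findings.append(f"{vantage}: {name} does not resolve")
            continue
        addr = ipaddress.ip_address(answer)
        # An RFC 1918 answer in the public zone discloses internal addressing.
        if vantage == "external" and any(addr in net for net in RFC1918):
            findings.append(f"external: {name} exposes private address {addr}")
        if addr != ipaddress.ip_address(vips[target]):
            findings.append(f"{vantage}: {name} -> {addr}, expected {target} {vips[target]}")
    return sorted(findings)

VIPS = {"dmz_vs": "203.0.113.10", "internal_vs": "10.0.10.20"}
GOOD = {
    "external": {"adfs.kempdemo.com": "203.0.113.10"},
    "wap": {"adfs.kempdemo.com": "10.0.10.20"},
    "internal": {"adfs.Kempdemo.com": "10.0.10.20"},
}
# Misconfigured: the external zone publishes the internal VIP, and the WAP
# servers resolve the name to their own DMZ VS, so requests would loop.
BAD = {
    "external": {"adfs.kempdemo.com": "10.0.10.20"},
    "wap": {"adfs.kempdemo.com": "203.0.113.10"},
    "internal": {"adfs.kempdemo.com": "10.0.10.20"},
}

if __name__ == "__main__":
    for label, views in (("good", GOOD), ("bad", BAD)):
        print(label, audit_split_dns("adfs.kempdemo.com", views, VIPS))
```

In practice the `views` dictionaries would be filled from lookups made on an internet host, on a WAP server and on an internal client.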