In deployments that do not rely on advanced claim rules, for example rules keyed on the client's IP network or trust level, LoadMaster devices can be placed in the DMZ and proxy authentication requests to the internal AD FS servers without additional AD FS proxy (Web Application Proxy, WAP) servers. This saves the hardware, software, and management cost of maintaining a separate AD FS proxy farm. The reason for the restriction is that those rules depend on claims AD FS derives from headers the WAP inserts on each forwarded request (such as the insidecorporatenetwork claim and the forwarded client IP); a LoadMaster forwarding the HTTPS request does not supply them, so policies built on them will not behave as expected.

Note: If the AD FS infrastructure uses advanced claim rules, the LoadMaster can be deployed in front of the AD FS proxy farm but cannot replace it.

In our example deployment, "Kemp Demo" has deployed AD FS 3.0 to provide claims-based authentication for its Microsoft Exchange 2013 infrastructure and SSO across applications. A pair of LoadMasters is added in the DMZ to provide additional protection for clients accessing the application from the internet. External clients connect to the LoadMasters, which proxy each connection directly to a healthy AD FS server. The deployment contains the following:

  • Two AD FS 3.0 servers
  • Two Exchange 2013 Multi-Role servers
  • LoadMaster HA cluster “acting” as the AD FS Proxy (WAP)
  • LoadMaster HA cluster for internal traffic (optional)

The namespace owa.kempdemo.com is used for access to the Microsoft Exchange environment, and the namespace adfs.kempdemo.com for access to the AD FS environment. Split DNS is implemented, so the same names are usable both internally and externally: from the internet they resolve to the DMZ LoadMaster virtual services, and from inside the network to internal addresses.

  1. The external client accesses the workload at https://owa.kempdemo.com/owa.
  2. The client is redirected to the AD FS URL, https://adfs.kempdemo.com, which is a Virtual Service (VS) on the DMZ LoadMasters "acting" as the AD FS Proxy (WAP).
  3. The LoadMaster sends the request to a healthy AD FS server, chosen according to the scheduling method configured on the VS.
  4. The AD FS server authenticates the user against Active Directory.
  5. The AD FS server returns a SAML token to the LoadMaster "acting" as the AD FS Proxy (WAP).
  6. The LoadMaster returns the response carrying the SAML token to the client.
  7. The client presents the SAML token to Microsoft Exchange 2013, which validates it and grants access to the workload.
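The following is an added example, not code from Kemp or from the original page, that models steps 2 and 3 as the DMZ LoadMaster sees them: validating the WS-Federation sign-in redirect that Exchange hands the client, resolving adfs.kempdemo.com through the split-DNS views, and picking the next healthy AD FS server with round-robin scheduling. The VIP addresses, the AD FS server names and the probe results are constructed for the example; the realm value https://owa.kempdemo.com/owa/ is an assumed relying-party identifier. The /adfs/probe path on TCP 80 is the health endpoint AD FS on Windows Server 2012 R2 exposes for proxies, but the responses below are hard-coded rather than fetched.

```python
from urllib.parse import urlparse, parse_qs

# Constructed split-DNS views. Addresses are illustrative (RFC 5737 / RFC 1918 ranges),
# not the deployment's real VIPs.
SPLIT_DNS = {
    "external": {"owa.kempdemo.com": "203.0.113.10", "adfs.kempdemo.com": "203.0.113.11"},
    "internal": {"owa.kempdemo.com": "10.10.0.10", "adfs.kempdemo.com": "10.10.0.11"},
}

# Constructed AD FS farm: server name -> HTTP status a GET to http://<server>/adfs/probe
# would return. AD FS 3.0 answers this on TCP 80; 200 means the service is up.
ADFS_PROBE = {"adfs01.kempdemo.int": 200, "adfs02.kempdemo.int": 503}

ADFS_VS_HOST = "adfs.kempdemo.com"          # the VS on the DMZ LoadMasters (step 2)
ALLOWED_REALM_HOSTS = {"owa.kempdemo.com"}  # where an issued token may be sent back


def resolve(name: str, view: str) -> str:
    """Return the address a client in the given DNS view (internal/external) gets."""
    return SPLIT_DNS[view][name]


def parse_signin_redirect(location: str) -> dict:
    """Validate the WS-Federation sign-in redirect Exchange issues in step 2.

    Anything that is not HTTPS to the AD FS virtual service is rejected, as is a
    wtrealm/wreply outside the OWA namespace: otherwise a crafted link could have the
    token from step 6 posted to a host the attacker controls.
    """
    u = urlparse(location)
    if u.scheme != "https" or u.hostname != ADFS_VS_HOST or u.path != "/adfs/ls/":
        raise ValueError(f"unexpected sign-in endpoint: {location}")
    q = parse_qs(u.query)
    if q.get("wa") != ["wsignin1.0"] or "wtrealm" not in q:
        raise ValueError("not a wsignin1.0 request with a realm")
    realm = q["wtrealm"][0]
    reply = q.get("wreply", [realm])[0]
    for target in (realm, reply):
        t = urlparse(target)
        if t.scheme != "https" or t.hostname not in ALLOWED_REALM_HOSTS:
            raise ValueError(f"realm/reply outside allowed namespace: {target}")
    return {"wtrealm": realm, "wreply": reply, "wctx": q.get("wctx", [""])[0]}


def is_safe_signin_redirect(location: str) -> bool:
    """Boolean wrapper around parse_signin_redirect for quick checks."""
    try:
        parse_signin_redirect(location)
        return True
    except ValueError:
        return False


class RoundRobin:
    """Step 3: pick the next healthy AD FS server (round-robin scheduling on the VS)."""

    def __init__(self, probe_results: dict):
        self.servers = list(probe_results)
        self.probe_results = probe_results
        self._next = 0

    def healthy(self) -> list:
        return [s for s in self.servers if self.probe_results[s] == 200]

    def choose(self) -> str:
        live = self.healthy()
        if not live:
            # Fail closed: never forward a sign-in to a server that failed its probe.
            raise RuntimeError("no healthy AD FS server available")
        server = live[self._next % len(live)]
        self._next += 1
        return server


def proxy_signin(view: str, location: str, scheduler: RoundRobin) -> dict:
    """Steps 2-3 from the DMZ LoadMaster's point of view for one client redirect."""
    req = parse_signin_redirect(location)
    return {"vip": resolve(ADFS_VS_HOST, view), "backend": scheduler.choose(), **req}


if __name__ == "__main__":
    # Constructed redirect as Exchange would issue it for the assumed OWA realm.
    redirect = ("https://adfs.kempdemo.com/adfs/ls/?wa=wsignin1.0"
                "&wtrealm=https%3A%2F%2Fowa.kempdemo.com%2Fowa%2F&wctx=rm%3D0")
    print(proxy_signin("external", redirect, RoundRobin(ADFS_PROBE)))
```

With adfs02 returning 503, every sign-in lands on adfs01; when both probe 200 the scheduler alternates between them. The realm/reply check is the part worth carrying into a real deployment: the LoadMaster does not inspect WS-Federation parameters on its own, so the relying-party trust in AD FS must restrict the reply endpoints to the OWA namespace.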