The LoadMaster family of products provides high availability for AD FS and AD FS proxy (WAP) farms. AD FS proxy servers (Web Application Proxy, or WAP) terminate external traffic in the DMZ and provide an additional layer of protection against external threats. AD FS proxy servers also help internal AD FS servers clearly identify which authentication attempts are external. They do this by inserting x-ms-proxy claims into AD FS requests.

AD FS administrators can configure advanced claim rules that allow granular control over user authentication restrictions, such as requiring users to be part of a certain group or requiring users to authenticate from certain IP networks. When such claim rules are configured on AD FS servers, it becomes critical to identify whether the user is trying to authenticate from an external or internal location.

In deployments where select advanced claim rules, such as those based on IP network and trust levels, are not in use, LoadMaster devices can be placed in the DMZ and can proxy authentication requests to internal AD FS servers without requiring additional AD FS proxy (WAP) servers. This can help customers save on the hardware, software, and management costs associated with maintaining additional AD FS proxy servers.
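
The following is an added example, not code from the product documentation or from AD FS itself. It is a simplified Python model of a location-based claim rule, showing why the design without WAP servers is limited to deployments where such rules are not in use. The rule logic, network range, host name and sample requests are constructed assumptions; only the x-ms-proxy claim name comes from the text above.

```python
import ipaddress

# Short names for AD FS request-context claims (full claim-type URIs omitted).
X_MS_PROXY = "x-ms-proxy"                 # named on the page; added by a WAP
X_MS_FWD_IP = "x-ms-forwarded-client-ip"  # client address reported by the WAP

# Constructed policy: external sign-ins are allowed only from this network.
ALLOWED_EXTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_external(claims):
    """Simplified model: a request counts as external if a WAP tagged it."""
    return X_MS_PROXY in claims


def evaluate(claims):
    """Apply a hypothetical 'external IP allow-list' rule: 'permit' or 'deny'."""
    if not is_external(claims):
        return "permit"  # the rule restricts external requests only
    raw = claims.get(X_MS_FWD_IP)
    if raw is None:
        return "deny"  # external but no client address: fail closed
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "deny"  # unparseable address: fail closed
    allowed = any(addr in net for net in ALLOWED_EXTERNAL_NETS)
    return "permit" if allowed else "deny"


# Constructed requests, as the claims an internal AD FS server would see.
VIA_WAP_ALLOWED = {X_MS_PROXY: "wap01", X_MS_FWD_IP: "203.0.113.25"}
VIA_WAP_BLOCKED = {X_MS_PROXY: "wap01", X_MS_FWD_IP: "198.51.100.7"}
INTERNAL_USER = {}
# The 198.51.100.7 client again, relayed by a DMZ reverse proxy that is not a
# WAP (assumption: it adds no x-ms-proxy claim), so it matches INTERNAL_USER.
NO_WAP_EXTERNAL = {}

if __name__ == "__main__":
    cases = {"via WAP, allowed net": VIA_WAP_ALLOWED,
             "via WAP, other net": VIA_WAP_BLOCKED,
             "internal user": INTERNAL_USER,
             "external, no WAP": NO_WAP_EXTERNAL}
    for name, claims in cases.items():
        print(f"{name:22} external={is_external(claims)!s:5} -> {evaluate(claims)}")
```
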