Application Note. Active Directory Federation Services deployment guide



Similar documents
ALOHA Load-Balancer. Microsoft Exchange 2010 deployment guide. Document version: v1.4. ALOHA version concerned: v4.2 and above

Application Note. Lync 2010 deployment guide. Document version: v1.2 Last update: 12th December 2013 Lync server: 2010 ALOHA version: 5.

Exchange 2013 deployment guide

HAProxy. Ryan O'Hara Principal Software Engineer, Red Hat September 17, HAProxy

ALOHA LOAD BALANCER MANAGING SSL ON THE BACKEND & FRONTEND

Load Balancing Microsoft AD FS. Deployment Guide

How To Use Netscaler As An Afs Proxy

Secure Web Appliance. Reverse Proxy

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure

Deployment Guide AX Series with Active Directory Federation Services 2.0 and Office 365

OVERVIEW. DIGIPASS Authentication for Office 365

TESTING & INTEGRATION GROUP SOLUTION GUIDE

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Remote Desktop Services Overview. Prerequisites. Additional References

CNS-200-1I Basic Administration for Citrix NetScaler 9.0

Deploying F5 with Microsoft Remote Desktop Services

Load Balancing VMware Horizon View. Deployment Guide

Implementing Microsoft Office Communications Server 2007 With Coyote Point Systems Equalizer Load Balancing

Ignify ecommerce. Item Requirements Notes

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

Basic Administration for Citrix NetScaler 9.0

Guide to Deploying Microsoft Exchange 2013 with Citrix NetScaler

Microsoft Lync 2010 Deployment Guide

SSL Inspection Step-by-Step Guide. June 6, 2016

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Load Balancing Trend Micro InterScan Web Gateway

Oracle Collaboration Suite

Load Balancing VMware Horizon View. Deployment Guide

Deploying Microsoft SharePoint Services with Stingray Traffic Manager DEPLOYMENT GUIDE

Introduction to the EIS Guide

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH MICROSOFT WINDOWS SERVER 2008 TERMINAL SERVICES

Background. Industry: Challenges: Solution: Benefits: APV SERIES CASE STUDY Fuel Card Web Portal

Load Balancing Microsoft Lync 2010 Load Balancing Microsoft Lync Deployment Guide

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide

Networking and High Availability

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Server configuration for layer 4 DSR mode

SharePoint 2013 Logical Architecture

DEPLOYMENT GUIDE. Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services

Microsoft Lync Server Overview

Flexible Identity Federation

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Microsoft Windows Server 2008 R2 Remote Desktop Services

Deploying F5 with Microsoft Active Directory Federation Services

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer

VERITAS Cluster Server Traffic Director Option. Product Overview

Application Delivery Controller (ADC) Implementation Load Balancing Microsoft SharePoint Servers Solution Guide

Microsoft SharePoint 2013 with Citrix NetScaler

Networking and High Availability

Load Balancing McAfee Web Gateway. Deployment Guide

CNS-208 Citrix NetScaler 10 Essentials for ACE Migration

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Deployment Guide Microsoft IIS 7.0

Configuration Guide BES12. Version 12.1

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Load balancing MySQL with HaProxy. Peter Boros Percona 4/23/13 Santa Clara, CA

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

NEFSIS DEDICATED SERVER

Deployment Guide July-2015 rev. A. Deploying Array Networks APV Series Application Delivery Controllers with VMware Horizon View

CS312 Solutions #6. March 13, 2015

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Deployment Guide Sept-2014 rev. a. Load Balancing Windows Terminal Server with Session Directory Using Array APV Series ADCs

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Microsoft Exchange Server 2007

Deploying F5 to Replace Microsoft TMG or ISA Server

Strategies for Getting Started with IPv6

1. Barracuda Load Balancer - Overview What's New in the Barracuda Load Balancer Barracuda Load Balancer Release Notes

Brocade Virtual Traffic Manager and Microsoft Skype for Business 2015 Deployment Guide

Strategies for Getting Started with IPv6

EE Easy CramBible Lab DEMO ONLY VERSION EE F5 Big-Ip v9 Local Traffic Management

Load Balancing Bloxx Web Filter. Deployment Guide

Availability Digest. Redundant Load Balancing for High Availability July 2013

Deploying the BIG-IP System for Microsoft Application Virtualization

Introductions. Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP

Load Balancing Microsoft Remote Desktop Services. Deployment Guide

Configuration Guide BES12. Version 12.3

Native SSL support was implemented in HAProxy 1.5.x, which was released as a stable version in June 2014.

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

Deployment Guide May-2015 rev. a. APV Oracle PeopleSoft Enterprise 9 Deployment Guide

Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers

Load Balancing Microsoft Lync Deployment Guide

NetScaler: A comprehensive replacement for Microsoft Forefront Threat Management Gateway

KEMP LoadMaster Support for Windows Terminal Services

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Deploying the BIG-IP System v10 with Oracle Application Server 10g R2

Configuration Guide BES12. Version 12.2

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

Deployment Guide AX Series with Citrix XenApp 6.5

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

FortiOS Handbook - Load Balancing VERSION 5.2.2

Deployment Guide MobileIron Sentry

White Paper. ThinRDP Load Balancing

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

Deploying F5 for Microsoft Office Web Apps Server 2013

Application Note. Onsight Connect Network Requirements v6.3

WHITE PAPER Citrix Secure Gateway Startup Guide

Transcription:

Application Note Active Directory Federation Services deployment guide Document version: v1.1 Last update: 20th January 2014

Purpose ALOHA Load-Balancer deployment guide for Microsoft ADFS and ADFS proxy services. Complexity ALOHA Versions concerned Aloha 4.2 and above Changelog 2014-01-20: improved health checks 2013-11-05: Initial Version Page 2 of 9

Introduction About Exceliance Exceliance is a software company, editing the Application Delivery Controller named ALOHA LoadBalancer. Headquartered in Jouy-en-Josas (Yvelines), Exceliance teams (including R&D and technical support) are based in France. Exceliance has currently around 100 customers in the banking, retail groups, energy and e-commerce industries and the public sector. Exceliance solutions are also used by many hosting providers. The ALOHA Load-balancer is designed to improve performance, guarantee quality of service and ensure the availability of critical business applications, by dynamically balancing flows and queries on the company s various servers. About ALOHA Application Delivery Controller The ALOHA Load-Balancer is designed to load-balance at layer 4 and control application delivery at layer 7. It is designed to integrate simply and quickly into any environment or architecture. The main ALOHA benefits: 1. Guarantee high availability of your applications and services as well as improve web application performance 2. Makes infrastructures scalable and reliable 3. Simplifies architecture: IPv6 frontend, SSL offloading, layer 7 routing Developed using HAProxy open source load balancing software, Exceliance solutions are known for their processing performance, reliability and wealth of features. Offered at more affordable price than other commercial solutions, they are easy to deploy and administer. ALOHA Load-balancer is available either as a physical appliance or as a Virtual Appliance. The Virtual appliance can run on top of the most popular hypervisors available on the market. About this guide This guide first explains in the main lines how Microsoft ADFS services is designed and what benefits an ADC can bring. The guide also provides with configuration templates to setup the ALOHA Load-Balancer for Microsoft ADFS and ADFS proxy for the two most common architectures. The lastest version of this guide can be downloaded from Exceliance website: http://www.exceliance. fr/en/. Appliance supported All ALOHA Load-Balancers appliances, both physical and virtual, can be used with Microsoft ADFS and ADFS proxy. Page 3 of 9

Microsoft ADFS version supported ALOHA load-balancer can be used with the following versions of Microsoft ADFS protocol: ADFS v2.1 (windows 2012) ADFS v2.0 (windows 2008r2) Disclaimer The ADFS configuration tips provided in this guide are purely informational. For more information about Microsoft ADFS tools and how to use them, please refer to Microsoft web site which is fully and properly documented. This guide does not provide information on how to install and setup an ADFS services. Page 4 of 9

Introduction to Microsoft Active Directory Federation Service ADFS is Microsoft solution to provide simplified, secured identity federation and Web Single Sign-On (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. It is a software component that can be installed on Microsoft Windows Server operating system. It provides the following accesses: Company s employees or customers with a web-based SSO when accessing internal applications Company s employees or customers with a web-based SSO when accessing resources in any federation partner organization Company s employees or customers with a Web-based SSO when accessing internal applications from remote locations Company s employees or customers with a web-based SSO when accessing resources or services in the cloud ADFS server roles There are two types of server roles in an ADFS architecture: 1. ADFS server 2. ADFS proxy server ADFS server role This is the main component and it is mandatory. It is responsible for delivering user authentication. It must be part of the domain and able to connect to the Domain Controller. It authenticates users from multiple domains via Windows Trust. ADFS proxy server role It brokers a connection between external users and internal ADFS servers. It acts as a reverse proxy and resides in organization s perimeter network (aka DMZ) and does not need to be a member of the domain. This role is optional but recommended when opening the ADFS infrastructure to users based outside organization s trusted network: it improve security. Page 5 of 9

ADFS infrastructure The picture below shows where the different ADFS server roles are installed and how they interract together. Flow for Internal users When an internal user wants to access a claims aware application, the following flow happens: 1. The internal user accesses the claims aware application 2. The application redirects the user to the LAN ADFS server 3. The ADFS server authenticates the internal user 4. The ADFS server performs an HTTP post to the application where the user gains access The redirects and posts are performed using a standard HTTP 302 Redirect and HTTP POST respectively. Flow for External users When an external user wants to access a claims aware application, the following flow happens: 1. The external user accesses the claims aware application 2. The application redirects the external user to the ADFS proxy server 3. The ADFS proxy server connects to the LAN ADFS server and forwards it the authentication request 4. The LAN ADFS server authenticates the user and forward the response to the ADFS proxy server 5. The ADFS proxy server performs an HTTP post to the application where the user gains access Page 6 of 9

ADFS ports and protocols The table below summarizes the ports and protocol involved in an ADFS infrastructure: Role Port Protocol ADFS server TCP/443 HTTPS ADFS proxy TCP/443 HTTPS Server affinity ADFS is a web service and does not require server affinity! Why using a load-balancer with ADFS services First of all, even if ADFS provides service arrays, to ensure high-availability, it does not provide any load balancing mechanism. This means we need a third party appliance to balance traffic amongst ADFS Servers and Proxies. A hardware load-balancer brings the following benefits to Microsoft ADFS infrastructure: Fast Transparent failover Nobody will notice a server has failed since the Load-Balancer is able to quickly and transparently redirect users to a healthy server. Application aware health checking A load-balancer provides application layer health check which provides the status of the service itself and are more efficient than a simple ping. SSL bridging A load-balancer can inspect ciphered traffic between a client and an ADFS server or Proxy to improve protection, reporting servers and URLs response time, etc... Scale up Building an architecture with a load-balancer allows scale up: adding new servers can be done easily without production outage. Page 7 of 9

Load-Balancing ADFS servers The configuration template provided below below is the simplest way to load-balance ADFS servers. For more complex scenarios, such as brute force protection, please contact Exceliance team. This configuration is to be deployed on an ALOHA Load-Balancer deployed in the LAN zone. frontend ft_adfs bind 10.0.0.90:443 name adfs mode tcp log global option tcplog maxconn 1000 default_backend bk_adfs backend bk_adfs balance roundrobin mode tcp log global option tcplog default-server inter 3s rise 2 fall 3 option httpchk GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.0\r\nHost:\ adfs.domain.com http-check expect string Sign-In\ Page server adfs1 10.0.0.101:443 maxconn 1000 weight 10 check check-ssl server adfs2 10.0.0.102:443 maxconn 1000 weight 10 check check-ssl Don t forget to update the following information: bind s IP address servers IP addresses adfs host name for health check Page 8 of 9

Load-Balancing ADFS proxy servers The configuration template provided below below is the simplest way to load-balance ADFS proxy servers. For more complex scenarios, such as brute force protection, please contact Exceliance team. This configuration is to be deployed on an ALOHA Load-Balancer deployed in the DMZ zone. frontend ft_adfs_proxy bind 192.168.100.90:443 name adfs_proxy mode tcp log global option tcplog maxconn 1000 default_backend bk_adfs_proxy backend bk_adfs_proxy balance roundrobin mode tcp log global option tcplog default-server inter 3s rise 2 fall 3 option httpchk GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.0\r\nHost:\ adfs.domain.com http-check expect string Sign-In\ Page server adfs_proxy1 192.168.100.101:443 maxconn 1000 weight 10 check check-ssl server adfs_proxy2 192.168.100.102:443 maxconn 1000 weight 10 check check-ssl Don t forget to update the following information: bind s IP address servers IP addresses Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information