AD FS WAP Proxy

  • Question

  • Topology - 1DC  - 1ADFS Server Joined to the Domain - 1 WAP - Workgroup in DMZ

    The DNS server points to adfs.mydomain.com  and is resolvable from both the internal and DMZ.

    There is also a DNS record pointing to wap.mydomain.com and is resolvable from both the internal and DMZ.

    I am able to ping and have tested both ports 80 & 443.

    WAP has successfully retrieved its configuration from the Federation Service.

    I am able to reach adfs.mydomain.com/adfs/ls/idpinitiatedsignon.aspx and everything works correctly. 

    I am unable to reach wap.mydomain.com/adfs/ls/idpinitiatedsignon.aspx.

    I am able to reach adfs.mydomain. 

    The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching  endpoint registered at the proxy. 

    I have the endpoint /adfs/ls enabled and proxy enabled.

    The Remote Access Manager on WAP reports everything is working properly.

    For the Published Web Applications my external URL  is wap.mydomain.com - backend server adfs.mydomain.com - pre-auth Pass-through.

    Any thoughts on why I cannot access wap.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?

    thx.

    /j.>

    Tuesday, February 16, 2016 10:06 PM

All replies

  • The WAP url should be the same as the URL of your ADFS farm.

    The trick is to use a split brain DNS to make sure external clients are resolving the URL of your ADFS to the public IP address of the WAP and internal clients to the private IP of your ADFS server. On the WAP server, if it is using an external DNS you can create a hosts file to make sure it still resolves the FQDN of the ADFS farm to the internal IP address of your ADFS server. Please refer to the section Configuring DNS in the following article:  https://technet.microsoft.com/en-US/library/dn554247.aspx


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, February 17, 2016 12:30 AM
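    The hosts-file pinning described in the reply above, written out as an added PowerShell example (this is not code from the thread or from Microsoft; it assumes the names and addresses the poster gives elsewhere in this thread, adfs.mydomain.com and 192.168.1.7, and that it is run elevated on the WAP server in the DMZ). It shows what the WAP currently resolves the farm name to, pins that name to the internal AD FS address only if it is not already pinned, and then confirms the proxy trust is pointed at the farm name rather than at wap.mydomain.com.

    ```powershell
    # Added example, not from the thread. Run as Administrator on the WAP server (DMZ).
    # Values below are the ones used in this thread; change them for your environment.
    $FederationFqdn = 'adfs.mydomain.com'   # farm name: the same name internal and external clients use
    $InternalAdfsIp = '192.168.1.7'         # private IP of the AD FS server, from the thread
    $HostsFile      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # 1. What does the WAP resolve the farm name to right now? If the DMZ uses external DNS this
    #    is usually the public IP (the WAP itself), so the proxy would forward requests to itself.
    $resolved = [System.Net.Dns]::GetHostAddresses($FederationFqdn) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
    Write-Host "$FederationFqdn currently resolves to: $($resolved -join ', ')"

    # 2. Pin the farm name to the internal AD FS address on this server only.
    #    Only the federation service name belongs here; wap.mydomain.com stays on public DNS.
    $pattern = "^\s*$([regex]::Escape($InternalAdfsIp))\s+$([regex]::Escape($FederationFqdn))\b"
    $pinned  = Select-String -Path $HostsFile -Pattern $pattern -Quiet
    if (-not $pinned) {
        Add-Content -Path $HostsFile -Value "$InternalAdfsIp`t$FederationFqdn"
        Write-Host "Added hosts entry: $InternalAdfsIp $FederationFqdn"
    } else {
        Write-Host "Hosts entry for $FederationFqdn already present"
    }

    # 3. Confirm the WAP can reach AD FS on 443 through the pinned name (RemoteAddress should be
    #    the internal IP and TcpTestSucceeded should be True).
    Test-NetConnection -ComputerName $FederationFqdn -Port 443 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

    # 4. Confirm the proxy trust points at the farm name, not at the WAP's own external name.
    Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ADFSSignOutURL
    ```

    If step 1 already prints the internal address (because the WAP uses the internal DNS), the hosts entry is unnecessary and step 2 is skipped. On the AD FS server side, the endpoint the poster mentions can be checked with `Get-AdfsEndpoint -AddressPath '/adfs/ls/' | Select-Object FullUrl, Enabled, Proxy`; both Enabled and Proxy must be True for the proxy to serve it.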
  • Let me see if I can restate so I grasp the concept. 

    Internal server 1st in the farm adsf1.mydomain.com  192.168.1.7

    DMZ server 1st WAP  wap.mydomain.com 10.1.1.7

    Create a DNS A record pointing to the farm (FederationName) adfs.mydomain.com  192.168.1.7

    Create an /etc/host entry for wap.mydomain.com 10.1.1.7 pointed to adfs.mydomain.com 192.168.1.7

    The WAP Server (Published Web Applications) should have the same external and back-end server URL.

    Internal users adfs.mydomain.com

    External users wap.mydomain.com

    Correct?

    thx.

    /j.>

    Wednesday, February 17, 2016 12:44 PM
  • For anyone else - 

    I finally got the proxy working by having the same internal and external links in the 'Publishing Settings'. I could not have a different External URL / Backend Server URL.

    Even though I enabled the Translation via PowerShell. https://technet.microsoft.com/library/dn383995.aspx

    /j.>

    Wednesday, February 17, 2016 9:31 PM
  • The translation is for publication of apps. You don't need to publish the ADFS servers on your WAP, the ADFS pages are available by default (this is why you need ADFS when you deploy WAP).

    So yes, the URL has to be the same internally and externally.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 18, 2016 4:44 PM