F5 as WAP server

  • Question

  • Hi Team,

    In our design, we have 4 ADFS servers in 2 different GEOs. They are load balanced by 2 F5s, and 1 F5 in the DMZ load balances the other 2 F5s in each GEO. What I want to know is what the disadvantage is of eliminating the WAP server and introducing the F5 to perform the proxy role.


    Thursday, August 4, 2016 7:02 PM

Answers

  • Regardless of the third-party device you want to replace WAP with, it needs to stick to the following specs:

    If it doesn't, you are losing functionality. For example, the possibility to use authentication policies based on the location of the user (extranet/intranet). Using a third-party device in front of ADFS, ADFS will see all authentication as internal and try to play SSO. Because it comes from outside, it will not work. So you will eventually have to enable forms-based authentication to fit those external clients. But then you are losing SSO for internal clients. The extranet lockout feature is also based on connections coming from the WAP; if you don't have WAP, you won't have this either. Some conditional access scenarios are based on the assumption that you have a WAP server; without a WAP server, it might just not be possible to apply some of these documented scenarios.

    Note that nothing prevents you from using WAP between the F5 (as load balancer) and the internal ADFS servers.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 5, 2016 1:40 PM
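As an added illustration (not part of the original post and not Microsoft's own sample), the following PowerShell, run on an ADFS server (2012 R2 or later), shows the three WAP-dependent settings the answer refers to: the intranet/extranet authentication policy, extranet lockout, and an authorization rule keyed on the insidecorporatenetwork claim. ADFS derives intranet vs. extranet from the x-ms-proxy header that only WAP inserts, so behind a generic reverse proxy every request is classified as intranet and none of these settings behaves as intended. The relying party name "Claims App" and the lockout values are placeholders.

```powershell
# Added example, not from the original thread. Run as an ADFS administrator on an
# ADFS server. "Claims App" and the lockout numbers are placeholders for this
# illustration; substitute your own relying party trust and thresholds.

Import-Module ADFS

# 1. Location-aware authentication policy.
#    ADFS selects the extranet provider only when the request carries the
#    x-ms-proxy header added by WAP. Behind a non-WAP proxy (e.g. an F5 in the
#    DMZ) every request looks "intranet", so external users hit Windows
#    authentication and the forms-based extranet provider is never used.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider WindowsAuthentication `
    -PrimaryExtranetAuthenticationProvider FormsAuthentication

# 2. Extranet lockout: failed logons are counted only for requests that came
#    through WAP, so without WAP the counter never increments.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 3. Issuance authorization rule on the insidecorporatenetwork claim, which
#    ADFS sets from the same x-ms-proxy header: permit this relying party only
#    for requests that did NOT arrive via WAP (i.e. from inside the network).
#    With a third-party proxy the claim is always "true", so external users
#    would be permitted as well.
$rules = @'
@RuleName = "Permit only intranet users"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -IssuanceAuthorizationRules $rules

# 4. Check what ADFS is currently configured to do.
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
(Get-AdfsGlobalAuthenticationPolicy).PrimaryExtranetAuthenticationProvider
```

Keeping WAP between the F5 and the internal ADFS servers, as the answer suggests, preserves the x-ms-proxy header and therefore keeps all three of these settings working; replacing WAP with the F5 alone silently turns every external sign-in into an "intranet" one.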