ADFS WAP - TLS Termination before WAP and http 80

  • Question

  • We have an ADFS service and newly installed WAP servers.

    We wish to terminate TLS on the F5 load balancer before the WAP server. The reason is to X-Forwarded-For the client IPs to the ADFS, or to keep logs on the load balancer, etc.

    But terminating TLS on the load balancer means that the traffic gets sent to the ADFS http url (via WAP).

    Our ADFS is listening on HTTPS 443 and the WAP server gets its config from the ADFS service. 

    So do we need to get our ADFS listening on http 80? Is this even possible?

    Or is there a way to get the client IP without doing this TLS termination and still using the F5 load balancer?

    Thanks for any input anyone can offer here.

    Friday, March 8, 2019 2:19 PM

All replies

  • Hello,

    F5 have configuration guides for ADFS. I have done this with multiple clients.

    https://www.f5.com/services/resources/deployment-guides/microsoft-active-directory-federation-services-big-ip-v11-ltm-apm

    https://devcentral.f5.com/articles/ad-fs-proxy-replacement-on-f5-big-ip-30191


    Isaac Oben MCITP:EA, MCSE, MCC

    Friday, March 8, 2019 5:31 PM
  • Thanks for your reply, I took a look at the docs but am unsure of something:

    Is it possible to SSL terminate on the F5, insert the header for XFF and then re-encrypt it, so the F5 forwards the traffic to the HTTPS 443 service on the WAP?

    Saturday, March 9, 2019 3:54 PM
  • You can decrypt the traffic on F5, inject whatever you want and re-encrypt it before sending it back to the WAP.

    However, this will break TLS authentication. So if you are expecting to use certificate-based authentication (for users or devices), this scenario won't be possible.

    You cannot do that between the WAP and the ADFS farm, because the WAP authenticates against its ADFS farm using TLS.

    Ideally, you configure your F5 in such a manner that it shows the actual source IP when it hits the WAP servers. All HLBs have their own way to do it. I have helped customers with NetScaler HLBs a couple of times to do so.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, March 13, 2019 4:21 PM
  • Thanks for your reply, it is helpful.

    I need further assistance:

    If we re-encrypt on the F5, how do we do it? Do we use the same cert as for decrypting?

    I don't want to break the comms between the F5 and WAP, and we are using SNAT, so I'm not sure how to get the request forwarded to the WAP on https 443.

    Wednesday, April 3, 2019 1:02 PM
  • You do not need a certificate to encrypt. The server (here WAP) is sending the public key of its cert during the TLS Hello handshake.

    There is not a lot of value in decrypting the traffic, really... What are you expecting?


    Wednesday, April 3, 2019 9:29 PM
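As an added example (not from this thread and not from F5's or Microsoft's guides), the following Python sketch shows the two points made in the replies above: the "decrypt, inject, re-encrypt" leg is just an HTTP rewrite plus an ordinary outbound TLS client that needs no certificate of its own, and the X-Forwarded-For header must be overwritten for untrusted peers rather than blindly appended, otherwise a client can spoof the IP that ends up in the ADFS-side logs. The function and header names, the `trusted_proxies` parameter and the sample request are assumptions for illustration; the request bytes are constructed, not captured.

```python
"""TLS-bridging proxy pieces: X-Forwarded-For handling and the backend TLS context.

Added example for illustration; not code from the thread. Names and the
sample request are constructed assumptions.
"""
import ssl
from ipaddress import ip_address

XFF = b"x-forwarded-for"


def inject_forwarded_headers(raw_request: bytes, peer_ip: str, trusted_proxies=()) -> bytes:
    """Rewrite the decrypted request before it is re-encrypted toward the WAP.

    peer_ip is the TCP source address the load balancer actually saw.
    If that peer is a trusted upstream proxy, its X-Forwarded-For chain is
    kept and the peer is appended; otherwise any client-supplied header is
    discarded so a client cannot forge the address ADFS will log.
    """
    ip_address(peer_ip)  # raises ValueError on anything that is not an IP
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")

    kept, existing_xff = [], None
    for header in headers:
        name, _, value = header.partition(b":")
        if name.strip().lower() == XFF:
            existing_xff = value.strip()
            continue
        kept.append(header)

    if existing_xff is not None and peer_ip in trusted_proxies:
        new_xff = existing_xff + b", " + peer_ip.encode()
    else:
        new_xff = peer_ip.encode()

    kept.append(b"X-Forwarded-For: " + new_xff)
    kept.append(b"X-Forwarded-Proto: https")  # the front leg was TLS
    return b"\r\n".join([request_line, *kept]) + b"\r\n\r\n" + body


def client_ip_from_xff(xff_value: str, trusted_proxies) -> str:
    """Backend-side reading of the chain: skip trusted hops from the right.

    The rightmost address not belonging to one of our own proxies is the
    best available client address; everything left of it is client-controlled.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return hops[0] if hops else ""


def build_backend_tls_context(backend_ca_file=None, client_cert=None, client_key=None):
    """Context used when the proxy re-encrypts toward the WAP on 443.

    On this leg the proxy is the TLS client: the WAP presents its certificate
    in the handshake, so the proxy only needs a trust store to verify it.
    A client certificate is loaded only if the backend itself demands mutual
    TLS. Note that a certificate the end user presented on the front leg is
    not carried over: the backend sees the proxy's identity, which is why
    bridging breaks certificate-based user or device authentication.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=backend_ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


if __name__ == "__main__":
    # Constructed request with a spoofed X-Forwarded-For from an untrusted client.
    req = (b"GET /adfs/ls/ HTTP/1.1\r\n"
           b"Host: sts.example.com\r\n"
           b"X-Forwarded-For: 1.2.3.4\r\n\r\n")
    print(inject_forwarded_headers(req, "203.0.113.7").decode())
    print(inject_forwarded_headers(req, "10.0.0.5", trusted_proxies={"10.0.0.5"}).decode())
    print(client_ip_from_xff("1.2.3.4, 10.0.0.5, 10.0.0.9", {"10.0.0.5", "10.0.0.9"}))
```

The same logic applies whether the rewrite is done in an F5 iRule or elsewhere: the set of trusted proxy addresses must be the load balancer's own SNAT range, and the backend must only honour the header when the request arrived from one of those addresses.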