configure Netscaler load-balancers for ADFS

  • Question

  • We are planning to implement Netscaler load-balancers for ADFS & proxy servers, so we are looking for some guidance before we plan.

    Current Setup:

    2 ADFS servers on the internal network, 1 primary & 1 secondary, on Windows 2012, ADFS version 2.1

    2 ADFS proxy servers in the DMZ, both having a second IP in multicast which is NATed to a public-facing IP

    1. Does the Netscaler support the requirement?

    2. Any known issues with the implementation?

    3. Any other advice or documents for referral?

    We are planning to implement the change tomorrow night, so we would be utterly grateful if we can get a response sooner.

    Tuesday, December 12, 2017 10:29 AM

Answers

  • 1. Yes.

    2. Yes. I am pretty sure that Netscaler still does not support SNI for health probing, so you might have to use a different endpoint to probe the ADFS nodes. It is explained here: https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-ad-fs-2012-r2/

    3. As tempting as it could be after reading some blogs, do not replace the WAP with Netscaler; load-balance the WAP with Netscaler instead. Netscaler is not a supported replacement for WAPs, but it is perfectly fine to load-balance them. Also, do you terminate the TLS tunnel in front of the Netscaler if you want to use certificate-based authentication? (Terminating the tunnel before the WAP will break TLS authentication.) If you have a load-balancer between the WAPs and the ADFS nodes, do not terminate the TLS tunnel between them (the WAP uses TLS authentication to authenticate against the ADFS servers, so it will break your WAP).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 12, 2017 3:17 PM
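    As an added example (not from this thread, Microsoft or Citrix), a NetScaler CLI sketch of the design Pierre describes: SSL_BRIDGE (TLS passthrough) virtual servers so certificate-based authentication at the WAP and the WAP-to-ADFS TLS authentication are not broken, plus an HTTP monitor on a plain-HTTP endpoint so the health probe does not depend on SNI. Object names and the 192.0.2.x / 203.0.113.x addresses are placeholders; the /adfs/probe endpoint on port 80 is the one the linked blog describes for WAP / AD FS 2012 R2 and is assumed here, so on the asker's AD FS 2.1 nodes it may need to be swapped for another endpoint that answers without SNI.

    ```text
    # Added example: NetScaler CLI for load-balancing WAP (DMZ) and AD FS (internal)
    # with TLS passthrough. All names and addresses below are placeholders.

    # --- Health monitor: plain HTTP on port 80, no TLS, so no SNI is needed.
    # /adfs/probe is the WAP / AD FS 2012 R2 probe endpoint from the linked blog
    # (assumed); if a node does not expose it, use another non-SNI HTTP endpoint.
    add lb monitor mon_adfs_probe HTTP -httpRequest "GET /adfs/probe" -respCode 200 -destPort 80 -LRTM DISABLED

    # --- External tier: NetScaler in front of the two WAP servers in the DMZ.
    add server wap01 192.0.2.21
    add server wap02 192.0.2.22
    # SSL_BRIDGE passes TLS through untouched: the client-certificate handshake
    # terminates on the WAP, not on the NetScaler.
    add service svc_wap01 wap01 SSL_BRIDGE 443
    add service svc_wap02 wap02 SSL_BRIDGE 443
    bind service svc_wap01 -monitorName mon_adfs_probe
    bind service svc_wap02 -monitorName mon_adfs_probe
    add lb vserver vs_adfs_external SSL_BRIDGE 203.0.113.10 443 -persistenceType SOURCEIP -timeout 30
    bind lb vserver vs_adfs_external svc_wap01
    bind lb vserver vs_adfs_external svc_wap02

    # --- Internal tier: NetScaler between the WAPs and the two AD FS nodes.
    add server adfs01 192.0.2.11
    add server adfs02 192.0.2.12
    # Again SSL_BRIDGE: the WAP authenticates to AD FS with its own certificate,
    # so the TLS session must reach the AD FS node end-to-end.
    add service svc_adfs01 adfs01 SSL_BRIDGE 443
    add service svc_adfs02 adfs02 SSL_BRIDGE 443
    bind service svc_adfs01 -monitorName mon_adfs_probe
    bind service svc_adfs02 -monitorName mon_adfs_probe
    add lb vserver vs_adfs_internal SSL_BRIDGE 192.0.2.100 443 -persistenceType SOURCEIP -timeout 30
    bind lb vserver vs_adfs_internal svc_adfs01
    bind lb vserver vs_adfs_internal svc_adfs02

    # Confirm every service shows UP from the monitor before the cutover.
    show service svc_wap01
    show lb vserver vs_adfs_external
    show lb vserver vs_adfs_internal
    ```

    If a service stays DOWN while the node itself is healthy, the probe endpoint is the first thing to check, since an HTTPS probe without SNI is exactly the failure the linked post describes.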

All replies

  • Hi Pierre,

    Thanks a lot for the advice on this.

    Much appreciated.

    Thanks & Regards

    Surya Mohanty

    Thursday, December 21, 2017 7:31 AM