Hello all! We have a multi-server ADFS deployment with WAP nodes distributed globally for Geo load balancing purposes via AWS and Route53. We also have two firewall NLB clusters at HQ for internal and external operations. We are looking to upgrade from 2012R2 to 2016 to take advantage of some of the new features. The problem is that the Web Application Proxy starts with all 2016 nodes having the IDP page disabled and there does not seem to be a way to enable it from 2012R2. Our Geo load balance monitors work off of this as do certain legacy SSO sites.

It seems that moving all 12 nodes into production, retiring the old nodes, upgrading the farm to ADFS 4, and then enabling IDP is the only way to move forward. This seems like a large amount of risk to assume in one change mgmt. Is there any better approach for this?
Total side question on ADFS but it has always bothered me - So we have our two internal ADFS servers set up as an NLB. Our previous CIO stood up several nodes in other geographic regions, but with DNS always pointing to the nodes at HQ, do these nodes actually do anything? Or is there magic sauce going on in the background I'm unaware of? (yeah too lazy to wireshark)
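For reference, the post-cutover steps described in the question (raise the farm behavior level, then turn the IdP-initiated sign-on page back on and confirm the monitors can see it) as an added PowerShell example; this is not from the original post, and it assumes it is run on the primary ADFS 2016 node with a placeholder federation service name of fs.example.com.

```powershell
# Added example: verify farm state, raise the behavior level to 2016 (ADFS 4),
# re-enable the IdP-initiated sign-on page, and check the page the
# Geo load balance monitors and legacy SSO sites depend on.
# Assumption: run as an ADFS admin on the primary node; all farm nodes already 2016.

$FederationServiceName = 'fs.example.com'   # placeholder, replace with the real FSN

# 1. Confirm every node is at the 2016 level before raising the farm behavior level.
$farm = Get-AdfsFarmInformation
Write-Host "Current farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table -AutoSize

# 2. Raise the farm behavior level (irreversible; only once all 2012R2 nodes are retired).
if ($farm.CurrentFarmBehavior -lt 3) {
    Invoke-AdfsFarmBehaviorLevelRaise -Confirm:$false
}

# 3. The IdP-initiated sign-on page is off by default on 2016; turn it on.
if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
}

# 4. Verify what the load balancer health probes and legacy SSO sites will see.
$uri = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
    Write-Host "$uri returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "$uri is still not reachable: $($_.Exception.Message)"
}
```

Step 2 cannot be undone, so it belongs in its own change window after the old nodes are out; step 3 is the piece the WAP nodes start without.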