If you read the earlier posts in this series, you will have noted that there are two methods to deploy AD FS server load balancing. Because I am in an all-Azure environment, I chose to deploy with method 2, using Azure load balancing on port 443 for AD FS. The following post details how to set up Azure ACLs to allow communication from the DMZ network to the production network and then deny all others.
This post needs the cloud service for the WAP servers created, along with at least one WAP server deployed to the cloud service, so that we can get the Public Virtual IP (VIP). This needs to be completed before we can add the WAP servers as proxies for the AD FS servers. There is no really clean way to blog this, so you will have to jump back and forth between this post and Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On to complete the task.
- Azure account is set up
- Directory Sync is activated, set up and running
- VPN connection set up from Azure to your on-premises network
- Primary and Secondary AD FS servers are setup (see previous posts in this series)
- The cloud service for the WAP servers is created.
The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.
Change ACLs to allow WAP access
Navigate to the Primary AD FS Server
Select HTTPS (or whatever you called the endpoint for AD FS)
Click Manage ACL
You will notice that the ACL list is not populated, which means the endpoint is wide open to the internet: with no ACL on an endpoint, Azure accepts connections to it from any source address. We need to secure the AD FS load-balanced set while still giving the WAP servers access, so that the WAP servers can talk to the AD FS servers. We are going to create two rules: one permit and one deny. Rules are evaluated in order, first match wins, so the permit rule must sit above the deny rule.
The first rule will grant access from the WAP servers to the AD FS servers
Enter a description of the rule
Enter the public VIP of the WAP cloud service in CIDR format. You will notice the /32 at the end, which limits the rule to that one IP address. Keep in mind that on classic Azure a cloud service's public VIP is released when every VM in the service is stopped (deallocated), unless the IP has been reserved; if the WAP VIP ever changes, this /32 rule must be updated or the WAP servers will be locked out of AD FS.
Now that we have granted access on port 443 to the WAP servers, we need to deny all others. Keep in mind that this ACL applies only to external traffic arriving at the public load-balanced endpoint, the VIP that Azure NATs to the AD FS servers. Internal users will still be able to reach the AD FS servers on the domain network, over the VPN and on the servers' private addresses, because the ACL does not filter that path.
Enter a description of the rule
Enter 0.0.0.0/0 as the remote subnet
This will deny all traffic not already matched by the permit rule above
Click the complete checkmark
Azure will update the rule. There is no need to repeat this on the other AD FS server, as the ACL is attached to the load-balanced endpoint and so applies to every server in the set.
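The same change, scripted end to end with the classic Azure Service Management PowerShell cmdlets (the module of the portal generation this post uses). This is an added example, not code from the original post; it assumes the classic module is loaded and Add-AzureAccount has already been run, and the cloud service, load-balanced set and endpoint names (contoso-wap, contoso-adfs, LB-HTTPS, HTTPS) are placeholders you must replace with your own. Beyond the portal steps above, it reads the ACL back from each AD FS VM and fails if the rules are not "permit WAP VIP, then deny all" in that order, and it ends with a port check you can run from a WAP server (expected open) and from any other internet host (expected blocked).

```powershell
# Added example (not from the original post). Uses the classic Azure Service Management
# cmdlets; service, load-balanced set and endpoint names below are assumptions.
$wapServiceName  = "contoso-wap"    # cloud service holding the WAP servers (assumed)
$adfsServiceName = "contoso-adfs"   # cloud service holding the AD FS servers (assumed)
$adfsLbSetName   = "LB-HTTPS"       # load-balanced set name of the 443 endpoint (assumed)
$adfsEndpoint    = "HTTPS"          # endpoint name on each AD FS VM (assumed)

# 1. Gather the public VIP of the WAP cloud service (Production deployment slot).
#    On classic Azure this VIP is released when every VM in the service is deallocated
#    unless a reserved IP is used, so the /32 rule below must be revisited if it changes.
$wapVip = (Get-AzureDeployment -ServiceName $wapServiceName).VirtualIPs |
          Select-Object -First 1 -ExpandProperty Address
if (-not $wapVip) { throw "No VIP found for $wapServiceName; deploy at least one WAP VM first." }

# 2. Build the ACL: permit the WAP VIP, then deny everything else.
#    Rules are evaluated lowest Order first, first match wins, so the permit must sort
#    before the deny; the explicit 0.0.0.0/0 deny makes the intent obvious on review.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet "$wapVip/32" -Order 100 `
    -Description "Permit WAP cloud service VIP to AD FS on 443"
Set-AzureAclConfig -AddRule -ACL $acl -Action Deny -RemoteSubnet "0.0.0.0/0" -Order 200 `
    -Description "Deny all other public sources"

# 3. Apply the ACL to the load-balanced set once. It covers every VM in the set,
#    so nothing has to be repeated on the secondary AD FS server.
Set-AzureLoadBalancedEndpoint -ServiceName $adfsServiceName -LBSetName $adfsLbSetName -ACL $acl

# 4. Verify from the VM side: read the ACL back on each AD FS VM's endpoint and fail
#    loudly if the WAP permit is missing, the deny-all is missing, or the order is wrong.
foreach ($vm in Get-AzureVM -ServiceName $adfsServiceName) {
    $rules  = @($vm | Get-AzureAclConfig -EndpointName $adfsEndpoint | Sort-Object Order)
    $permit = $rules | Where-Object { $_.Action -eq "Permit" -and $_.RemoteSubnet -eq "$wapVip/32" }
    $deny   = $rules | Where-Object { $_.Action -eq "Deny"   -and $_.RemoteSubnet -eq "0.0.0.0/0" }
    if (-not $permit -or -not $deny -or $permit.Order -ge $deny.Order) {
        throw "ACL on $($vm.Name)/$adfsEndpoint is not 'permit WAP VIP, then deny all'; check rule order."
    }
    "$($vm.Name): ACL OK ($($rules.Count) rules; permit $wapVip/32 sorts before deny 0.0.0.0/0)"
}

# 5. Functional check. Run this from a WAP server and the port should be open; run it from
#    any other internet-connected host and the TCP connect should fail (blocked by the ACL).
#    Internal clients on the domain network are unaffected because they use the private IPs.
$adfsVip = (Get-AzureDeployment -ServiceName $adfsServiceName).VirtualIPs |
           Select-Object -First 1 -ExpandProperty Address
$tcp = Test-NetConnection -ComputerName $adfsVip -Port 443 -WarningAction SilentlyContinue
"TCP 443 to AD FS VIP $adfsVip from $env:COMPUTERNAME : $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked' })"
```

Step 4 is the part worth keeping around: rerun it after any change to the WAP cloud service, because a new WAP VIP silently turns the permit rule into a dead entry and the deny-all then blocks the proxies.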
My BLOG Series
- Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
- Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
- Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
- Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
- Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
- Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Kelsey Epps Office365 MVP