Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

If you read the earlier posts in the series, you will have noted that there are two methods to deploy AD FS server load balancing. Because I am in an all-Azure environment, I chose to deploy with method 2, using Azure load balancing on port 443 for AD FS. The following post details how to set up Azure ACLs to allow communication from the DMZ network to the production network and then deny all others.

This post needs the cloud service for the WAP servers created, along with at least one WAP server deployed to that cloud service, so that we can get the Public Virtual IP. This needs to be completed before we can add the WAP servers as proxies for the AD FS servers. There is no really clean way to blog this, so you will have to jump back and forth between this post and Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On to complete the task.

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • VPN connection is set up from Azure to your on-premises network
  • Primary and Secondary AD FS servers are set up (see previous posts in this series)
  • The cloud service for the WAP servers is created

The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.

Change ACLs to allow WAP access

Navigate to the Primary AD FS Server

Select Endpoints

Select HTTPS (or whatever you called the endpoint for AD FS)

Click Manage ACL

You will notice that the ACL list is not populated, which means that it’s wide open to the internet. We need to secure the AD FS load balanced set, while still giving the WAP servers access. This will allow the WAP servers to talk to the AD FS servers. We are going to create two rules; one permit and one deny.

The first rule will grant access from the WAP servers to the AD FS servers

Enter a description of the rule

Select Permit

Enter the IP address of the WAP cloud service in CIDR format. You will notice the /32 at the end, which will limit the rule to that one IP address.

Now that we have granted access on port 443 to the WAP servers, we need to deny all others. Keep in mind that this is for external traffic only. Internal users will still be able to access the AD FS servers on the domain network. This only affects traffic arriving at the public (NAT) address of the load-balanced endpoint in Azure.

Enter a description of the rule

Select Deny

Enter 0.0.0.0/0

This will deny all traffic

Click the complete checkmark

Azure will update the rule. There is no need to complete this on the other servers as the rule will apply to the load balanced endpoint.
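The same two rules applied with the classic Azure (Service Management) PowerShell cmdlets, as an added example that is not part of the original post; the cloud service names, the AD FS VM name, and the endpoint/load-balanced set name HTTPS are assumptions. Rules are evaluated lowest Order first, so the permit must sit above the deny, and the script reads the ACL back to confirm the catch-all deny actually landed.

```powershell
# Added example: classic Azure Service Management PowerShell equivalent of the
# portal steps above. Service names, VM name and the endpoint name are assumptions.
Add-AzureAccount                                              # sign in to the classic API
Select-AzureSubscription -SubscriptionName "My Subscription"  # assumption

$wapService  = "wap-cloudservice"    # cloud service hosting the WAP servers (assumed)
$adfsService = "adfs-cloudservice"   # cloud service hosting the AD FS servers (assumed)
$adfsVmName  = "ADFS01"              # any one VM in the load-balanced set (assumed)
$lbSetName   = "HTTPS"               # load-balanced set / endpoint name for AD FS (assumed)

# 1. Gather the Public Virtual IP of the WAP cloud service (assumed property path;
#    you can also paste the VIP read from the portal here).
$wapVip = (Get-AzureDeployment -ServiceName $wapService -Slot Production).VirtualIPs[0].Address

# 2. Build the ACL. Order 0 (permit the WAP VIP, /32 = exactly one address) is
#    evaluated before Order 1 (deny everything else).
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 0 -Action Permit `
    -RemoteSubnet "$wapVip/32" -Description "Permit WAP cloud service VIP"
Set-AzureAclConfig -AddRule -ACL $acl -Order 1 -Action Deny `
    -RemoteSubnet "0.0.0.0/0" -Description "Deny all other external traffic"

# 3. Apply once to the load-balanced set; it covers every VM in the set, so the
#    other AD FS servers need no separate change.
Set-AzureLoadBalancedEndpoint -ServiceName $adfsService -LBSetName $lbSetName -ACL $acl

# 4. Read the ACL back from one AD FS VM and fail loudly if the catch-all deny
#    is missing: an empty or permit-only list leaves the endpoint open.
$applied = Get-AzureVM -ServiceName $adfsService -Name $adfsVmName |
           Get-AzureAclConfig -EndpointName $lbSetName
$applied | Sort-Object Order | Format-Table Order, Action, RemoteSubnet, Description -AutoSize

$denyAll = $applied | Where-Object { $_.Action -eq "Deny" -and $_.RemoteSubnet -eq "0.0.0.0/0" }
if (-not $denyAll) {
    throw "No catch-all deny rule on endpoint '$lbSetName'; it is still open to the internet."
}
```

Run the permit and deny rules together in one ACL object: applying a deny 0.0.0.0/0 on its own first would cut the WAP servers off from AD FS until the permit is added.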

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


3 thoughts on “Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications”

  1. John Howell

    Kelsey, these blogs on ADFS 3.0 are really great – they have helped me out a great deal, thank you for your efforts. Very clear, concise and accurate.

  2. win2000b

    Thanks for these guides. They are great. With the ACLs they seem to have removed the load balancers from appearing in the GUI in Azure Classic. You can see them on the VMs in the portal but you cannot edit them. Is there any way to do these in the GUI or is PowerShell the only way now?
