As we started building out our infrastructure to allow authentication for 3rd party external apps such as Box.com and Office365 the dependency on ADFS became much greater. The original single server/single site setup that we had built out originally was not enough to support the uptime requirements any longer. So we started by building redundancy into our Primary ADFS site in New Jersey (NJ). This article will guide you thru our implementation.
Step 1 -Adding additional ADFS Proxy servers to our NJ Primary site
I generally like to work from the outside in, or external facing to internal facing, so we started with the proxy servers. Our NJ site originally consisted of a single ADFS Proxy server named ADFSNJProxy1 (10.10.50.51). We added in a second ADFS proxy named ADFSNJProxy2 (10.10.50.52) and created a load balancer profile on our F5 systems (VIF=10.10.50.50) that pointed to both private addresses on the 2 Proxy servers (10.10.50.51/52). Then we changed the nat’d public address to point to (for this blog we’ll use 22.214.171.124 as the example IP) to the VIF on the F5 (10.10.50.50) instead of the IP address on ADFSNJProxy1. Now all external traffic to the proxies flows thru the F5 load balancer to either of the 2 ADFS Proxies. Port 443 had to be opened on the firewall as well. The Public FQDN for this example is adfs.pipe2textcom and it points to 126.96.36.199
For details on how to add additional ADFS Proxies to your environment use the following link:
So now our ADFS proxies in the NJ site are HA. See the example below.
Step 2 -Adding additional ADFS servers to our NJ Primary site
Now we had to make the ADFS servers in this site HA. To do this we added a second ADFS server named ADFSNJSrv2 to the NJ site and created a load balancer profile on our F5 systems (VIF-10.10.50.60) that pointed to both private addresses on the 2 ADFS servers (10.10.50.61/62). The internal FQDN we used for this was also adfs.pipe2text.com. All the certificates are the same; we simply exported them from the existing servers and imported them to the new ones.
We changed our internal DNS entry to point to the load balancer address (VIF-10.10.50.60) instead of ADFSNJSrv1 (10.10.50.61). We then added the following entry to the host files on both the NJ Proxy Servers so they could perform DNS lookups independent of what we configure in internal DNS when we eventually build out the DR site in NY.
For details on how to add additional ADFS Servers to your environment use the following link:
So now our ADFS servers in our NJ site are HA. See the example below.
The overall NJ ADFS Infrastructure now looks like the following:
Below is an additional resource for using an F5 Load Balancer for ADFS and ADFS Proxies. The article from F5 goes also goes into the details of the F5 Load Balancer config.
Other ADFS related articles you may be interested in