Load Balance ADFS and ADFS Proxy in Windows Azure with KEMP


This article will show you how to load balance ADFS and ADFS proxy servers in Windows Azure using my favourite Load Balancer “KEMP”.

KEMP are one of the first vendors to release a layer 7 load balancer on the Windows Azure Platform. You can check out the Azure VLM Specs at http://kemptechnologies.com/uk/load-balancer-for-azure

At the time of writing, the Azure VLM is free and comes with free email support.

My Lab consists of:

2x ADFS Servers
2x ADFS Proxy Servers
1x DC
1x DirSync
2x Azure VLMs

[Diagram: Office 365 VLM]

Before I go into the configuration side of things, I wanted to explain the diagram.

I have a site-to-site VPN linking my Windows Azure platform to my on-premise datacentre, and a DC in Windows Azure which replicates to and from the on-premise DC. The big question: why deploy Office 365 federation services to Windows Azure? There are pros and cons to deploying ADFS in Windows Azure. A popular answer: if you have an on-premise outage, your external users will not be able to sign in to Office 365 because the federation service is unreachable. Windows Azure gives users the ability to keep signing in during an on-premise outage.

DirSync has been configured and is a crucial part of the setup: all user accounts need to be synced to Windows Azure Active Directory for ADFS to work.

I have used two KEMP Azure VLMs because you can only have one IP address per Azure VLM. Only one HTTPS 443 endpoint per cloud service is possible, so I had to create a separate cloud service for the internal Azure VLM. This allows you to load balance both the ADFS and the ADFS proxy services.

The ADFS Proxy servers are not domain joined and are public facing.

The configuration:

  • Deploy two Azure VLMs, one in the Office 365 cloud service and one in a separate cloud service, and ensure both VLMs have HTTPS endpoints configured. I configured the internal VLM in a separate cloud service. For details on how to deploy the Azure VLMs please see https://ryanmangansitblog.wordpress.com/2013/08/24/kemp-loadmaster-in-windows-azure/
  • Import the ADFS certificate to both VLMs.
  • Once you have created the VLMs, add the internal VLM’s IP address to the hosts file on both ADFS proxy servers.

[Screenshot: hosts file]

  • My DNS is a split-brain configuration, so I added the internal ADFS farm IP to the systechitdemo.info zone.
  • Copy the ADFS proxy cloud service DNS name and create a CNAME for sts.domain.com on your external DNS pointing to it.

[Screenshot: VLM external DNS name]

The DNS name is located in the virtual machine’s dashboard under Quick Glance.

Configuring the ADFS VLM

Create a new Virtual Service:

[Screenshot: ADFSVLM1]

Basic properties:

Give it a service name: “ADFS Internal”

Enable SSL

Standard options:

Persistence options:

Mode: Super HTTP

Timeout: 1 hour

Scheduling method: least connection

SSL Properties:

SSL Acceleration: Reencrypt

Add the certificate to the service

Real Servers:

[Screenshot: ADFSVLM2]

Under Real Server Check Parameters:

Add the following URL and click Set URL: /federationmetadata/2007-06/federationmetadata.xml

Tick Use HTTP/1.1

and change the HTTP Method to GET.

Then add the ADFS server IP addresses.

[Screenshot: ADFS Service]

Test access to the AD FS internal farm by navigating to https://sts.domain.com/adfs/ls/idpInitiatedSignon.aspx and following the instructions to log in.

Configuring the ADFS Proxy farm:

The ADFS proxy configuration is the same as ADFS but with a few differences.

[Screenshot: ADFS proxy settings]

Enable Caching and set the usage to 25%

Enable Compression

[Screenshot: ADFS proxy settings 2]

Set the URL to /adfs/ls/idpInitiatedSignon.aspx and click set URL.

Set the HTTP Method to GET.
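As an added check (my own code, not from the article or from KEMP), the Python below reproduces the two Real Server Check Parameters configured above: a GET of /federationmetadata/2007-06/federationmetadata.xml for the internal ADFS farm and of /adfs/ls/idpInitiatedSignon.aspx for the proxies, sent straight at each real server so a back-end fault can be told apart from a VIP or DNS fault before you look at the LoadMaster. The farm name sts.domain.com is the article's placeholder; the entityID value is an assumption.

```python
import http.client
import socket
import ssl
import xml.etree.ElementTree as ET

# Values from the article's lab; sts.domain.com is the placeholder farm name it uses.
FARM_HOST = "sts.domain.com"
EXPECTED_ENTITY_ID = "http://sts.domain.com/adfs/services/trust"  # assumed ADFS entityID form
ADFS_METADATA_PATH = "/federationmetadata/2007-06/federationmetadata.xml"  # internal check
PROXY_SIGNON_PATH = "/adfs/ls/idpInitiatedSignon.aspx"                     # proxy check

def probe_real_server(ip, host, path, timeout=5):
    """Send the same HTTP/1.1 GET the LoadMaster check sends, straight at one real server.
    The TCP socket goes to the server's IP but presents the farm name for SNI and
    certificate validation, so the probe sees what the VLM sees when it re-encrypts."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(ip, 443, timeout=timeout, context=ctx)
    conn.sock = ctx.wrap_socket(socket.create_connection((ip, 443), timeout=timeout),
                                server_hostname=host)
    conn.request("GET", path, headers={"Host": host, "Connection": "close"})
    resp = conn.getresponse()
    body = resp.read()  # http.client strips any chunked framing IIS adds
    conn.close()
    return resp.status, body

def metadata_is_healthy(status, body, expected_entity_id=EXPECTED_ENTITY_ID):
    """Internal ADFS verdict: HTTP 200 and SAML metadata whose entityID is our farm.
    A 200 carrying another federation service's metadata counts as down."""
    if status != 200:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag.endswith("}EntityDescriptor") and root.get("entityID") == expected_entity_id

def signon_page_is_healthy(status, body):
    """ADFS proxy verdict: the IdP-initiated sign-on page must render (200 with a form);
    a 503 or a redirect means the proxy cannot reach the farm."""
    return status == 200 and b"<form" in body.lower()

def check_farm(ips, path, verdict, host=FARM_HOST):
    """Probe every real server behind one virtual service; returns {ip: healthy}."""
    results = {}
    for ip in ips:
        try:
            results[ip] = verdict(*probe_real_server(ip, host, path))
        except (OSError, http.client.HTTPException):
            results[ip] = False  # unreachable, bad TLS or no HTTP answer is unhealthy
    return results
```

Run `check_farm(["10.0.0.11", "10.0.0.12"], ADFS_METADATA_PATH, metadata_is_healthy)` with your own real server IPs; a server that is green on the LoadMaster but False here is answering with the wrong metadata or a certificate the farm name does not match.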

Final test:

[Screenshots: final test]

17 thoughts on “Load Balance ADFS and ADFS Proxy in Windows Azure with KEMP”

  1. Hello Ryan,

    I have a couple of questions actually.

    I would like to deploy LoadMaster as an internal load balancer solution. We also have a Site-to-Site VPN connection between Azure and on-premises and we have set our DNS records to point directly to the ADFS servers over the VPN connection. We don’t have a split-brain DNS configuration. We don’t like the additional log in when we are using the corporate network. Because of that we are using just DNS round robin and I am not happy with that. But till now I have understood that there is no way to use LoadMaster to balance the traffic from the internal side over VPN, because it always uses the cloud service DNS and endpoint to listen for the traffic. Have you got an idea about that? How can we configure it?

    And also, as a security issue, I am not a fan of creating an endpoint on the ADFS servers.

    1. Dear Can,

      Just so I can build a picture of what you are trying to achieve.

      You have an on-premise and an Azure site connected via VPN. You are using your domain DNS records for on-prem and the Azure cloud. What servers are running in Windows Azure? Can you expand on the comment “We don’t like the additional Log In when we are using the Corporate Network.” Are you referring to the Office 365 federated login? I will need to check with KEMP but you may be able to use the GEO LoadMaster features http://kemptechnologies.com/server-load-balancing-appliances/geo-loadmaster. Do you host your own external DNS?

      I can see problems with trying to load balance cloud servers using an on-prem load balancer.

      “also as a security issue, am not a fan to create an endpoint on ADFS Servers.”
      Create the endpoints on the Azure KEMP LoadMasters; if you want to tie down security, only create an internal endpoint on your cloud subnet. This way only the ADFS proxy servers will be exposed.

      Can you provide a more in-depth overview so I can fully understand what you want to achieve.

      Best regards


      1. Hello Ryan,

        I will try to help you build a picture of our environment.

        We have the following servers in Windows Azure as a Single Sign-On solution for O365:

        – 2 x ADFS
        – 2 x ADFS Proxy
        – Domain Controller
        – DirSync Server

        The additional login means: we are using our domain DNS records in the internal network to point directly to our ADFS servers. This way the connection takes place over the site-to-site VPN and the O365 login happens without an additional password prompt (directly with saved domain credentials). But we have set our external DNS records to point to the ADFS Proxy servers, and if anyone connects externally then the ADFS server asks for the credentials. Actually MS recommends routing all the authentication requests directly to the Proxy servers, otherwise the VPN connection would be a single point of failure, but right now we are routing our internal users over VPN directly to ADFS, because it is more comfortable 🙂

        I would like to set up a KEMP load balancer for Azure for our ADFS servers. For the proxy servers we are using the Windows Azure Load Balancer feature; it is OK actually, but I realized that in Windows Azure there is no way to set a load balancer just for the internal endpoints or for the internal resources at all. Because of that I wanted to set up KEMP LoadMaster first for the internal ADFS servers. I configured it just as you explained in your article but sadly I could not bring it to a working state. I also have no idea how to set the domain DNS records to point to the load balancer and then over the load balancer to the ADFS servers for the authentication. It is normally not domain joined; I tried to give its IP as a domain DNS record for the ADFS service name etc. No way. After the KEMP installation and configuration I also started to get error codes in the event viewer on the ADFS server that say: The /federationmetadata/2007-06/federationmetadata.xml is not available and reachable, and the SSO stopped functioning. That happened after I added the 2 ADFS servers on the KEMP virtual service as you explained in your article. And it started working after I removed the servers from the virtual service on KEMP LoadMaster.

        Do you have any idea how I can make it work?

      2. Hi Can,

        Firstly, you can set up access control lists in Windows Azure to isolate traffic. I would recommend you configure ACLs to prevent external traffic on the ADFS public endpoint.

        Please see the attached link: http://www.windowsazure.com/en-us/manage/windows/how-to-guides/setup-endpoints/

        Internal users directly connecting to ADFS is fine and I have seen many installations where the ADFS proxy is only used for external access. I used the cloud service IP address in a CNAME on the external DNS. This allowed me to use STS.company.co.uk on Windows Azure.

        Are you using two KEMP Azure LoadMasters, one for ADFS and one for Proxy? Are they in separate cloud services? If you have configured everything correctly, you will most likely have a DNS issue. Can you ping the public IP addresses? I would check that you can ping the VIPs and ensure that you can communicate with both Azure VLMs first to establish where the problem lies.

        I recall you mentioning that you do not have a split-brain DNS; how are your internal and external DNS configured? You may need a SAN cert as you will be using different names for internal and external access.
        Both cloud services will need to use the same cloud subnet so they can communicate (internally).
        A DNS record (CNAME) will need to be created for the ADFS proxy cloud service Azure public IP.

        Best Regards,

  2. Hi Ryan,

    ACL is a good idea, I will have a look at that.

    I also used the cloud service IP address in an A record that points to sts.company.com

    I want to use KEMP Azure LoadMaster just for the ADFS servers, not for the proxy. 80% of our users connect from the internal/corporate network, so for the external users the Windows Azure Load Balancer is enough.

    Internal and external access have the same domain name, and I also installed the SSL certificate. My problem was not with the networking: after the installation I could ping (internal/external IPs), I added the servers, and I have seen that they communicated (they were green on the Real Servers tab on the VLM). But the DNS side of the problem and the authentication problem I could not solve.

    Is the thing I have tried actually possible? Could you help me with the configuration, or should I contact KEMP directly?

    Thank you and best regards.

    1. Hi Can,

      I can help you; it has nothing to do with the configuration of KEMP. If you followed my instructions, then you will be following KEMP’s best practices. Have you tried to remove the Azure load balancer and tested the KEMP Azure VLM on the proxies? I would recommend using the VLM as it has health checks (layer 7 support).

      The issue is around DNS, which is causing authentication issues. Can you confirm that the ADFS and ADFS proxies are in separate cloud services? I would use CNAMEs and use the cloud service DNS name rather than A records.

      Best regards,

      1. Hello Ryan,

        I have followed your instructions step by step, but it didn’t work actually. We are using ADFS and Proxy naturally on different cloud services, otherwise it would be senseless 🙂

      2. What errors are shown? Can you ping the KEMP VLMs and the ADFS servers? Make sure your real servers are using HTTPS (443) as this is a common mistake.

  3. Ryan

    We currently operate Office 365 and host our ADFS/ADFS Proxy/DirSync on-premise. We are looking at moving this infrastructure over to Azure. Our IT folks spoke with some MS consultants who recommend that this infrastructure be hosted both on-premise and on Azure simultaneously while using round robin DNS to direct traffic, so that if either site went down you would not lose connectivity to your Office 365 accounts. I was wanting to know if this is a standard practice that anyone has heard of?

  4. Ryan,

    It would seem to me that Traffic Manager can provide load balancing for the Proxies, so I’m trying to understand the need for two load balancers as you have suggested. However, on the ADFS Farm for the internal ADFS Servers, I see the KEMP as a single point of failure. Are you somehow using one load balancer as a failover for the other? Or is there an HA Active/Passive option for the KEMP that you aren’t showing?

    Thanks,

    Jonathan

    1. Are you referring to the number of load balancers or the reasoning around using KEMP? This post was created before the time of Traffic Manager, and this separates ADFS and ADFS proxy services. It is also important to note that you can only have one virtual service IP address per Azure LoadMaster. The use of KEMP allows layer 7 functionality.

      1. Ah! I didn’t realize that Traffic Master was that recent of a development – my question was actually both, but you cleared it up. Thanks for the clarification.

        So, now my question about the KEMP being a single point of failure. Microsoft recommends a best practice of having two ADFS servers and two ADFS proxies. Let’s focus on the ADFS servers: this isn’t possible in Azure unless you expose your ADFS servers to the Internet, which is not a best practice, so that knocks you down to one ADFS server unless you can utilize a third-party load balancer such as KEMP. So, if you implement a KEMP in front of your two ADFS servers, that’s great, but unless there is a way to have active/passive failover with a second KEMP, then you still have a single point of failure, right? Is it possible to have a second KEMP tied to the primary in an active/passive configuration, or are we still restricted by Azure’s limitation of not being able to load balance on the private network?

        Thanks!

      2. Yes, I do agree with what you are saying. The likelihood of an Azure outage is low. What you can do is take config backups of the Azure LoadMasters, which will allow you to spin a new one up via a script. KEMP also have PowerShell support now, so you can minimise risk as it were.

      3. For anyone who is interested: Microsoft now supports Internal Load Balancing inside of Azure. I just set it up to front-end my ADFS servers. It requires your network to be the new Regional Virtual Network, but it does work. If you created your virtual network a while back, you’ll have to rip it up and rebuild it. If you have not built your virtual network yet, then any new network you build will be regional. The ILB is not in the GUI yet, but that functionality is coming. You have to build everything inside of PowerShell.

        http://msdn.microsoft.com/en-us/library/azure/dn690121.aspx

        http://azure.microsoft.com/blog/2014/05/14/regional-virtual-networks/

        Hope you find this helpful.

        Jonathan

      4. KEMP’s VLM for Azure offers GEO load balancing and Layer 7 health checks. Microsoft cannot offer this in their solution, so I would recommend you look at KEMP’s Azure VLM.

  5. Great article. Thanks Ryan.
    Have you ever come across a problem with this whereby Chrome gives me the ADFS login page, and IE gives me a Windows log in page when accessing the same SP site using ADFS? Very strange.
