
ADFS 3.0 and WAF? Is it even possible?

Hi Guys,

Just curious as to whether anyone has had any experience with publishing the ADFS Login page (either directly or from an ADFS Proxy)?

I have ADFS 3.0 on 2012 R2 and I have tried publishing the ADFS Server directly, but when I browse to the site, all I get is:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /adfs/ls/.

Reason: Error reading from remote server


I get the following in the Live Log:

2014:05:20-16:56:51 portal reverseproxy: [Tue May 20 16:56:51.365610 2014] [proxy_http:error] [pid 7074:tid 4080589680] (103)Software caused connection abort: [client EXT CLIENT IP:28898] AH01102: error reading status line from remote server INT IP:443

2014:05:20-16:56:51 portal reverseproxy: [Tue May 20 16:56:51.365639 2014] [proxy:error] [pid 7074:tid 4080589680] [client EXT CLIENT IP:28898] AH00898: Error reading from remote server returned by /adfs/ls/

2014:05:20-16:56:51 portal reverseproxy: srcip="EXT CLIENT IP" localip="EXT SERVER IP" size="395" user="-" host="EXT CLIENT IP" method="GET" statuscode="502" reason="-" extra="-" exceptions="-" time="3077" url="/adfs/ls/" server="EXT FS URL" referer="-" cookie="-" set-cookie="-"


I would really like to prove that ADFS can be published via the UTM WAF feature.

Thanks in advance

Adam


  • Hi Tim,

    I am having almost the same problem. ADFS 3.0 works ok inside the corporate network but I need to make it work from outside too. Same thing for the Work Folders. Any advice?

    many thanks,

    Ste
  • Let me share what I have configured. I'm using Sophos version 9.203-3 and 2012 R2 for my ADFS server. If we get this working, we can collaborate on a doc and post it up.

    --------------
    Virtual Server:
    Interface: External WAN
    Type: Encrypted (HTTPS)
    Port: 443
    Certificate: (My ADFS cert)
    Firewall Profile: STS
    Advanced: Pass Host Header

    Real Web Server:
    Host: (ADFS Server)
    Type: Encrypted
    Port: 443
    Advanced: Enable HTTP Keepalives

    Firewall Profile:
    Name: STS
    Mode: Monitor
    URL Hardening (Checked)
    - Specified Manually
    - /adfs
    Block clients with bad reputation (Checked)

    Exceptions
    Name: Exc_STS
    Skip These Checks:
    - Cookie Signing
    - URL Hardening
    - Form Hardening
    Skip These Categories
    - SQL Injection Attacks
    - XSS Attacks

    For All Requests:
    Web Requests Matching This Path:
    - /adfs/*
    - /FederationMetadata/*

    ------------------------------------

    That's how mine is configured and it's working well. Going to enable O365 federation during my next ASI.
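  • A check worth running alongside the configuration above, as an added example that is not part of the thread: AD FS 3.0 on Windows Server 2012 R2 listens through http.sys rather than IIS, and its certificate binding is keyed on the federation service name, so a reverse proxy that opens the backend TLS connection without sending that name in SNI can be cut off before any HTTP status line comes back (the "error reading status line from remote server" in the original post is consistent with that, though the log alone does not prove it). The script below probes the AD FS server with and without SNI and then shows the http.sys bindings. The names fs.example.com and 10.0.0.10 are placeholders for the federation service name and the AD FS server's internal IP; the function name is this example's own.

```powershell
# Added example, not from the thread. Probes an AD FS 3.0 (2012 R2) server with and
# without SNI from any host that can reach it, then lists the http.sys SSL bindings.
# Assumed placeholders: fs.example.com (federation service name), 10.0.0.10 (AD FS IP).

$FederationServiceName = 'fs.example.com'
$AdfsServerIp          = '10.0.0.10'

function Test-AdfsTlsHandshake {
    param(
        [Parameter(Mandatory)] [string] $ConnectTo,   # IP or host the TCP connection goes to
        [Parameter(Mandatory)] [string] $TargetHost   # name handed to the TLS layer
    )
    # SslStream puts TargetHost into the SNI extension only when it is a DNS name; an
    # IP-address literal sends no SNI, which mimics a proxy without SNI support.
    $client = New-Object System.Net.Sockets.TcpClient
    # Accept any server certificate: this probe tests the handshake, not trust.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    try {
        $client.Connect($ConnectTo, 443)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($TargetHost)
        [pscustomobject]@{
            TargetHost = $TargetHost
            Handshake  = 'OK'
            ServerCert = $ssl.RemoteCertificate.Subject
        }
    } catch {
        [pscustomobject]@{
            TargetHost = $TargetHost
            Handshake  = 'FAILED: ' + $_.Exception.Message
            ServerCert = $null
        }
    } finally {
        $client.Close()
    }
}

# With SNI (what a browser sends) and without SNI (what a proxy that does not send
# the host name to the backend does). If only the first succeeds, either the proxy
# must send SNI or AD FS needs a fallback binding on 0.0.0.0:443.
Test-AdfsTlsHandshake -ConnectTo $AdfsServerIp -TargetHost $FederationServiceName
Test-AdfsTlsHandshake -ConnectTo $AdfsServerIp -TargetHost $AdfsServerIp

# On the AD FS server itself: a binding on fs.example.com:443 answers only clients
# that send that name in SNI; a binding on 0.0.0.0:443 (fallback) answers clients
# that send no SNI at all. The Application ID shown here is the AD FS app ID.
netsh http show sslcert
```

    If the second probe fails while the first succeeds and the WAF cannot be made to send SNI, Microsoft's documented fix is a fallback binding on the AD FS server: `netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY`, using the same certificate hash and Application ID that `netsh http show sslcert` already reports for the federation service name binding (confirm both there before adding it). Also note that a profile in Monitor mode, as in the configuration above, only logs; the SQL injection and XSS exceptions on /adfs/* remove inspection from the sign-in path, so keep that exception list as narrow as the endpoints you actually publish.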
  • Thanks so much for your help! It works now! My mistake was to set "drop" instead of "monitor" on the firewall mode.
  • Good deal!

    See if you can nail down the warning events in your WAF log. You might be able to tighten down your rule a bit to be able to set it to drop vs. warn.
  • Hi Tim,

    here I am again...

    I installed the 9.2 version and restored the settings from the 9.111 machine.
    Everything is working fine except ADFS and OWA. Rules have been imported correctly.

    Any suggestions?

    many thanks,

    Ste
  • Thank you for sharing this configuration. :-)

    It helped me a lot and saved me a lot of time figuring it out.

    Everything is working now as expected - configured on UTM 9.405

  • Hi, Christian, and welcome to the UTM Community!

    Good job of finding this information and of leaving a kind word for Tim.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, I have just tried this and cannot get it working. I have configured the settings as you have, except that I have an "in error" with the virtual web server.

    Then, while I was trying to find out what the root cause was, I left it all in place overnight and found I had 15 emails stating the following:

    ---------

    Web Application Firewall not running - restarted

    System Uptime      : 4 days 16 hours 36 minutes

    System Load        : 0.25

    System Version     : Sophos UTM 9.408-4

    Please refer to the manual for detailed instructions

    ---------

    I am thinking that this is to do with the fact that IIS is no longer required to install and run ADFS, and although it uses the services, it does not use IIS for serving HTTPS web pages; instead it uses the internal http.sys (is this a service?).

    As a fact-finding exercise, I did install IIS to run alongside ADFS, which all the guides say is possible. I have configured another virtual web server on the UTM, with just HTTP (non-encrypted), and this works fine.

    any help with this would be very appreciated.

    Version of UTM: 9.408-4

    Jason

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • I figured out what was wrong; it does work as expected, and full marks to steska77, who provided the required info, as it is now working.

    What I forgot about was the User Portal listening address; once I changed that, all is working as expected.

    Thanks again.

  • Hi There,

    Has anyone had issues with publishing ADFS when the server is in Azure?

    I've followed the suggestion here but no dice.

    Regards

  • Big thanks!!! for posting this.

    I was able to get the Firewall Profile to reject as opposed to monitor.

    I added the following paths to Exc_sts to make this work:

    /adfs/ls/*
    /adfs/services/trust/2005/usernamemixed/*

    I discovered later on that Office installs would not activate and added the following path as well:

    /adfs/services/trust/mex

    Not ideal, but it seems to function.

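  • The post above found the exception paths one failing client at a time (sign-in first, then Office activation needing MEX). As an added example that is not from the thread, the script below builds that list from what AD FS itself says it publishes: Get-AdfsEndpoint marks each endpoint as Enabled and as Proxy (intended to be reachable through a proxy), and the rest should not be exposed at all. It assumes the ADFS PowerShell module on a 2012 R2 AD FS server; the two function names are this example's own.

```powershell
# Added example, not from the thread. Derives WAF exception / URL-hardening path
# patterns from AD FS's own endpoint table. Run on an AD FS 3.0 server; Get-AdfsEndpoint
# is in the ADFS module. Function names below are this example's own.
Import-Module ADFS

function Get-AdfsPublishedPaths {
    # Proxy = $true marks endpoints AD FS expects to be reachable through a proxy
    # (sign-in pages, MEX, the username/password WS-Trust endpoint, federation metadata).
    Get-AdfsEndpoint |
        Where-Object { $_.Enabled -and $_.Proxy } |
        Select-Object -ExpandProperty AddressPath |
        Sort-Object -Unique
}

function ConvertTo-WafPathPattern {
    # Directory-style paths get a trailing wildcard, as in the post's "/adfs/ls/*";
    # paths that end in a file name (FederationMetadata.xml) are matched exactly.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $AddressPath)
    process {
        $trimmed = $AddressPath.TrimEnd('/')
        $last    = $trimmed.Split('/')[-1]
        if ($last -like '*.*') { $trimmed } else { "$trimmed/*" }
    }
}

# Paths to put in the WAF exception (or as URL-hardening entry points).
$published = Get-AdfsPublishedPaths | ConvertTo-WafPathPattern
$published

# Enabled but not proxy-enabled endpoints should not be reachable through the WAF;
# review this list before widening a rule to a blanket "/adfs/*".
Get-AdfsEndpoint |
    Where-Object { $_.Enabled -and -not $_.Proxy } |
    Select-Object AddressPath, Protocol, SecurityMode |
    Format-Table -AutoSize
```

    The trade-off the post calls "not ideal" is real: every path added to an exception that skips the SQL injection and XSS categories is a path the WAF no longer inspects. Listing only the proxy-enabled endpoints, and disabling in AD FS any of them you do not need (for example a WS-Trust endpoint no client uses), keeps that surface as small as the deployment allows.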