This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ADFS 3.0 and WAF? Is it even possible?

Hi Guys,

Just curious as to whether anyone has had any experience with publishing the ADFS Login page (either directly or from an ADFS Proxy)?

I have ADFS 3.0 on 2012 R2 and I have tried publishing the ADFS Server directly, but when I browse to the site, all I get is:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /adfs/ls/.

Reason: Error reading from remote server


I get the following in the Live Log:

2014:05:20-16:56:51 portal reverseproxy: [Tue May 20 16:56:51.365610 2014] [proxy_http:error] [pid 7074:tid 4080589680] (103)Software caused connection abort: [client EXT CLIENT IP:28898] AH01102: error reading status line from remote server INT IP:443

2014:05:20-16:56:51 portal reverseproxy: [Tue May 20 16:56:51.365639 2014] [proxy:error] [pid 7074:tid 4080589680] [client EXT CLIENT IP:28898] AH00898: Error reading from remote server returned by /adfs/ls/

2014:05:20-16:56:51 portal reverseproxy: srcip="EXT CLIENT IP" localip="EXT SERVER IP" size="395" user="-" host="EXT CLIENT IP" method="GET" statuscode="502" reason="-" extra="-" exceptions="-" time="3077" url="/adfs/ls/" server="EXT FS URL" referer="-" cookie="-" set-cookie="-"


I would really like to prove that ADFS can be published via the UTM WAF feature.

Thanks in advance

Adam


  • Hi Tim,

    I am having almost the same problem. ADFS 3.0 works ok inside the corporate network but I need to make it work from outside too. Same thing for the Work Folders. Any advice?

    Many thanks,

    Ste
  • Let me share what I have configured. I'm using Sophos version 9.203-3 and 2012 R2 for my ADFS server. If we get this working, we can collaborate on a doc and post it up.

    --------------
    Virtual Server:
    Interface: External WAN
    Type: Encrypted (HTTPS)
    Port: 443
    Certificate: (My ADFS cert)
    Firewall Profile: STS
    Advanced: Pass Host Header

    Real Web Server:
    Host: (ADFS Server)
    Type: Encrypted
    Port: 443
    Advanced: Enable HTTP Keepalives

    Firewall Profile:
    Name: STS
    Mode: Monitor
    URL Hardening (Checked)
    - Specified Manually
    - /adfs
    Block clients with bad reputation (Checked)

    Exceptions
    Name: Exc_STS
    Skip These Checks:
    - Cookie Signing
    - URL Hardening
    - Form Hardening
    Skip These Categories
    - SQL Injection Attacks
    - XSS Attacks

    For All Requests:
    Web Requests Matching This Path:
    - /adfs/*
    - /FederationMetadata/*

    ------------------------------------

    That's how mine is configured and it's working well. Going to enable O365 federation during my next ASI.
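To see how a deployment like the one above behaves once it is live, the UTM reverseproxy access lines quoted in the question can be read back against the exception path list from this reply. The following is an added example, not code from the thread or from Sophos: the sample log text is constructed from the lines in the question, and matching the path list as a shell-style glob is an assumption rather than UTM's documented matching rule.

```python
import re
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Constructed sample in the UTM reverseproxy access-log format quoted in the
# question; the placeholder IPs/hosts are kept as in the original post.
SAMPLE_LOG = """\
2014:05:20-16:56:51 portal reverseproxy: srcip="EXT CLIENT IP" localip="EXT SERVER IP" size="395" user="-" method="GET" statuscode="502" reason="-" extra="-" exceptions="-" time="3077" url="/adfs/ls/" server="EXT FS URL" referer="-" cookie="-" set-cookie="-"
2014:05:20-16:57:02 portal reverseproxy: srcip="EXT CLIENT IP" localip="EXT SERVER IP" size="1201" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="Exc_STS" time="120" url="/FederationMetadata/2007-06/FederationMetadata.xml" server="EXT FS URL" referer="-" cookie="-" set-cookie="-"
2014:05:20-16:56:51 portal reverseproxy: [Tue May 20 16:56:51.365639 2014] [proxy:error] [pid 7074:tid 4080589680] [client EXT CLIENT IP:28898] AH00898: Error reading from remote server returned by /adfs/ls/
"""

# Exception paths from the working configuration in the reply above.
EXCEPTION_PATHS = ["/adfs/*", "/FederationMetadata/*"]

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" fields of an access line


def parse_line(line):
    """Fields of one access-log line, or None for the Apache-style
    [proxy:error] lines, which carry no key="value" fields."""
    fields = dict(KV.findall(line))
    return fields if "url" in fields and "statuscode" in fields else None


def covering_exception(url, patterns):
    """First exception path covering url, or None. Assumption: the path
    list is matched as a shell-style glob (fnmatch); a simplification."""
    return next((p for p in patterns if fnmatchcase(url, p)), None)


def summarize(log_text, patterns=EXCEPTION_PATHS):
    """Per URL: status-code histogram and the exception path covering it."""
    summary = defaultdict(lambda: {"status": Counter(), "exception": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["url"]]
        entry["status"][rec["statuscode"]] += 1
        entry["exception"] = covering_exception(rec["url"], patterns)
    return dict(summary)


def upstream_failures(log_text, patterns=EXCEPTION_PATHS):
    """URLs with any 5xx answer, e.g. the 502 'Error reading from remote
    server' in the question; sorted for stable output."""
    return sorted(url for url, entry in summarize(log_text, patterns).items()
                  if any(code.startswith("5") for code in entry["status"]))
```

A 502 on a URL that is already covered by an exception path points at the real web server side of the configuration rather than at the WAF checks, which is where the question's "Error reading from remote server" sits.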
  • Thanks so much for your help! It works now! My mistake was to set "drop" instead of "monitor" on the firewall mode.
  • Good deal!

    See if you can nail down the warning events in your WAF log. You might be able to tighten down your rule a bit to be able to set it to drop vs. warn.
  • Hi Tim,

    here I am again...

    I installed the 9.2 version and restored the settings from the 9.111 machine.
    Everything is working fine but ADFS and OWA. Rules have been imported correctly.

    Any suggestions?

    Many thanks,

    Ste
  • Big thanks for posting this!!!

    I was able to get the Firewall Profile to reject as opposed to monitor.

    I added the following paths to Exc_STS to make this work:

    /adfs/ls/*
    /adfs/services/trust/2005/usernamemixed/*

    I discovered later on that Office installs would not activate and added the following path as well:

    /adfs/services/trust/mex

    Not ideal, but it seems to function.