I thought I would fill in some information the F5 deployment guide
(microsoft-adfs-dg.pdf) leaves out. That guide covers deploying ADFS 2.0
on Windows Server 2012 together with the ADFS proxy role.
In Windows Server 2012 R2 ADFS, the ADFS proxy role no longer exists;
you use the Web Application Proxy (WAP) role service, a component of
the Remote Access role, instead.
If you follow the F5 guide with Windows Server 2012 R2,
your ADFS and WAP pools will fail their health checks (monitors)
and the virtual server will not be brought online because the F5
will mistakenly believe that your pool servers are down.
In Windows Server 2012 R2, IIS and the Web server engine have a new
architecture that supports the SNI extension to TLS.
The connecting machine tells the server which host name it is trying to
reach as part of the HTTPS session setup, so that one IP address
can be used to host multiple HTTPS sites with different certificates.
The fact that Windows 2012 R2 uses SNI gets in the way of the HTTPS
health checks that the F5 ADFS 2.0 deployment guide has you configure.
1. You can work around it by replacing the HTTPS health checks with TCP Half Open checks, which send a SYN to the pool servers on the target TCP port and wait for the SYN/ACK. If they receive it, the server is marked up.
2. For long-term use, the HTTPS health checks are better; they allow
you to configure the health check to probe a specific URL and require
a specific response back before it declares a server in the pool
healthy. This is better than ICMP or TCP checks, which only confirm a
ping response or an open TCP port. It is entirely possible for a
machine to be up on the network with IIS accepting connections while
something is misconfigured in WAP or ADFS, so it is not actually a
viable service. Good health checks save debugging time.
The Best Way:
3. The right way is to read and follow this F5 DevCentral blog post
(https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni) to configure your BIG-IP device with a new SNI-aware monitor; you are going to want it for all of the Windows Server 2012 R2 Web servers you deploy over the next several years.
This process is a little convoluted – you have to upload a script to the F5 and pass in custom parameters. At the end of the day, you will have a properly configured monitor that not only supports SNI connections to the correct hostname, but uses the specific URI to ensure that the ADFS federation XML is returned by your servers.
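To make the difference between the three monitor styles concrete, here is an added Python example (not from the original post or from F5's script) that implements the checks from the pool's point of view: a TCP half-open probe, and an SNI-aware HTTPS probe that connects to the member by IP, presents the federation service host name in the TLS ClientHello and Host header, and only reports healthy when the metadata XML comes back. The metadata path and the sample responses are assumptions, not values from the post.

```python
import socket
import ssl

# Assumptions not taken from the original post: the well-known AD FS metadata
# path, and any sample responses fed to parse_http_response() for testing.
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"


def tcp_half_open(ip, port, timeout=3.0):
    """What the interim TCP monitor proves: the port completes a handshake."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, body_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, body
    return int(parts[1]), body


def is_healthy(status, body):
    """Receive-string logic: HTTP 200 plus the SAML metadata root element.
    A 200 from the wrong IIS binding (default site, an error page) fails."""
    return status == 200 and b"<EntityDescriptor" in body


def sni_https_check(ip, port, host, path=METADATA_PATH, cafile=None, timeout=5.0):
    """Connect to the pool member by IP, but send `host` as the TLS SNI name
    and Host header so IIS on 2012 R2 selects the AD FS binding/certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: private CA, if any
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                chunks = []
                while chunk := tls.recv(65536):
                    chunks.append(chunk)
    except (OSError, ssl.SSLError):
        return False  # TLS or transport failure counts as down
    return is_healthy(*parse_http_response(b"".join(chunks)))
```

Running `sni_https_check("10.0.0.11", 443, "fs.example.com")` against a member that answers with the default IIS site returns False even though `tcp_half_open` would have marked it up.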
As a side note, almost everyone seems to be calling the ADFS flavor on Windows Server 2012 R2 “ADFS 3.0.” Everyone, that is, except for Microsoft. It’s not a 3.0; as I understand it the biggest differences have to do with the underlying server architecture, not the ADFS functionality on top of it per se. So don’t call it that, but recognize most other people will. It’s just AD FS 2012 R2.