Recently I set up a Load Balanced AD FS 3.0 for a customer. Below I will try to outline the steps needed to accomplish this.
Prerequisites
- Citrix Netscaler with basic configuration (connected to DMZ and and Server Network)
- Two domain joined servers with Windows Server 2012 R2 in server network for AD FS Role
- Two workgroup servers with Windows Server 2012 R2 in DMZ for WAP Role
- Active Directory Domain
High level steps
- Install and configure two AD FS Servers
- Load Balance AD FS Servers with Netscaler
- Install and configure two WAP Servers
- Load Balance WAP Servers with Netscaler
Install and configure two AD FS Servers
I will not cover installation and configuration of the AD FS service in this post. There are several posts on other blogs and on Microsoft pages, covering this procedure.
The one thing I want to mention for AD FS configuration, is that you must be aware of the SNI-functionality. I did not get this to work on Netscaler, and the AD FS service was already in production, so I had to work around the problem. This post covers adding a listener for 0.0.0.0:443. Before I did this, I could not get the proxy trust to work (successful config WAP, unauthorized in event log).
Load Balance AD FS Servers with Netscaler
Add two servers under Load Balance -> Servers (SRV_ADFS1:443 & SRV:_ADFS2:443)
Add service group under Load Balance -> Service Groups (SSL_Bridge)
Add load balance virtual server under Load Balance -> Virtual Servers (SSL_Bridge)
Install and configure two WAP Servers
I will not cover installation and configuration of the WAP servers. There are several other sources for this information.
Load Balance WAP Servers with Netscaler
Add two servers under Load Balance -> Servers (DMZ_INT_WAP1:443 & DMZ_INT_WAP2:443)
Add service group under Load Balance -> Service Groups (SSL_Bridge)
Add load balance virtual server under Load Balance -> Virtual Servers (SSL_Bridge).
DNS
You have to point the public DNS A-Record to the IP you dedicated for load balancing WAP servers.
You have to point the internal DNS A-Record to the IP you dedicated for load balancing AD FS servers.
Internal clients will contact AD FS directly; external clients will contact AD FS via Web Application Proxy.