Use your F5 BIG-IP Appliance as Full-Fledged AD FS Web Application Proxy

56b6582066d71

With the release of version 13.1 of its BIG-IP software, F5 Networks enables you to make your F5 BIG-IP series appliances and F5 Virtual Edition (VE) appliances to act as ful-fledged Web Application Proxies in combination with Windows Server 2012 R2 and/or Windows Server 2016-based Active Directory Federation Services (AD FS) Servers using MS-ADFSPIP.

About MS-ADFSPIP

The Microsoft Active Directory Federation Services and Proxy Integration Protocol (MS-ADFSPIP) integrates Active Directory Federation Services (AD FS) with an authentication and application proxy to enable access to services located inside the boundaries of the corporate network for clients that are located outside of that boundary.

Version 6.0 of MS-ADFSPIP’s documentation, as defined on December 1, 2017, details the protocol documentation in terms of transport, data types, messages, events, and the conceptual data organization. This way, it describes the intended functionality of the system and how the protocols in this system interact.

Using this documentation, any organization that would like to upgrade their appliances to full-fledged AD FS Web Application Proxies, can do so.

About F5 Networks’ BIG-IP

F5 Networks help connect organizations to their customers and/or apps in a secure, always-on way. While F5 Networks offers a portfolio of products, including its BIG-IQ and Herculon products, its BIG-IP appliances, are the best-known products, available both as on-premises physical and virtual appliances, as well as cloud appliances.

BIG-IP appliances are port-based, multilayer switches that supports virtual local area network (VLAN) technology. The BIG-IP appliances’ multilayer capabilities enable them to process traffic at other OSI layers. BIG-IPs can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7.

Version 13.1 of the BIG-IP software, released on December 19, 2017, adds support for MS-ADFSPIP to F5’s Access Policy Manager (APM), as announced by Microsoft and F5 Networks during Microsoft Ignite 2017 in Orlando, Florida.

Version 13.1 of the BIG-IP software can be used to transform the following F5 appliances to full-fledged Web Application Proxies:

  • BIG-IP 6900 FIPS, 6900-NEBS (D104)
  • BIG-IP 11000 (E101)
  • BIG-IP 11050, 11050 NEBS (E102)
  • BIG-IP 2000 Series (C112)
  • BIG-IP 4000 Series (C113)
  • BIG-IP 5000 Series (C109)
  • BIG-IP 7000 Series (D110)
  • BIG-IP 10050 Series (D112)
  • BIG-IP 10000 Series (D113)
  • BIG-IP 12000 Series (D111)
  • BIG-IP i2000 Series (C117)
  • BIG-IP i4000 Series (C115)
  • BIG-IP i5000 Series (C119)
  • BIG-IP i7000 Series (C118)
  • BIG-IP i10000 Series (C116)
  • VIPRION B2100 Blade (A109)
  • VIPRION B2150 Blade (A113)
  • VIPRION B2250 Blade (A112)
  • VIPRION B4300, B4340N Blade (A108, A110)
  • VIPRION B4450 Blade (A114)
  • VIPRION C2200 Chassis (D114)
  • VIPRION C2400 Chassis (F100)
  • VIPRION C4480, C4480N Chassis (J102, J103)
  • VIPRION C4800, C4800N Chassis (S100, S101)
  • Virtual Edition (VE) (Z100)
  • vCMP Guest (Z101)

Note:
Although F5 Networks’ Azure offerings still include version 13.0.x of the BIG-IP software, you may expect to see version 13.1.x-based offerings soon.

Concluding

If your organization utilizes F5 appliances on the network edge and also run or contemplate on implementing Windows Server-based Web Application Proxies, you might benefit from this new functionality. You might be able to do away with Windows Server installations on the perimeter network, with their cumbersome patching and backup procedures.

Since the MS-ADFSPIP documentation is open, any vendor is able to create and provide the software to transform their devices into full-fledged Web Application Proxies. I guess F5 Networks is merely the first in a line of many vendors that will do so.

Further reading

F5 BIG-IP Release Notes 13.1.0
[MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol

3 Responses to Use your F5 BIG-IP Appliance as Full-Fledged AD FS Web Application Proxy

  1.  

    Cool, a bit of networking news. Thanks for mentioning this.

  2.  

    This was also announced by Sam Devasahayam (@MrADFS) at Microsoft Ignite 2017. I’m curious how this is different as netscaler, that can also be a adfs proxy. Any info on this?

    • I think you nailed it in your comment.

      Indeed, you can configure a Citrix Netscaler to act as an AD FS Proxy.
      However, an F5 BIG-IP appliance is now capable to act as a Web Application Proxy, including the extra claimtypes, publishing with pre-authentication functionality and centralized revocation from the (primary server in the) AD FS farm.

       

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.