Barracuda Load Balancer ADC

Microsoft Windows AD FS Deployment

Follow the steps in this guide to deploy the Barracuda Load Balancer ADC to increase the scalability and reliability of your Microsoft Active Directory Federation Services (AD FS) deployment. The Barracuda Load Balancer ADC also improves the performance of AD FS by balancing the authentication requests that are sent to your AD FS servers.

Terminology

Fully Qualified Domain Name (FQDN): The unique name for a specific computer or host that can resolve to an IP address (for example, www.example.com).

VIP: Virtual IP address. In the Barracuda Load Balancer ADC deployment, the VIP is added to the service on the Barracuda Load Balancer ADC.

Service: A combination of a virtual IP address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving on the specified port(s) is directed to one of the real servers associated with a service.

Deployment Scenario

[Figure: AD FS deployment scenario diagram]

Product Versions and Prerequisites

You must have:

  • Barracuda Load Balancer ADC version 5.1 or 5.2.
  • Active Directory Federation Services (AD FS) 2.0 or above (Windows Server 2012 R2). It is strongly recommended that you use Windows Server 2012 R2 and AD FS 3.0.
  • A fully configured AD FS farm with at least two servers.
  • Installed your Barracuda Load Balancer ADC(s), connected to the web interface, and activated your subscription(s).
  • If you want to deploy AD FS with high availability, cluster your Barracuda Load Balancer ADCs. For more information, see High Availability.

Configuring Clustered Barracuda Load Balancer ADCs

If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized so you only need to configure the active Barracuda Load Balancer ADC.

Step 1. Set Up and Deploy the AD FS Farm

Configure at least two separate servers with the AD FS service that you want to load balance. Test the login page on each AD FS server to ensure that AD FS is working. The URL is usually something like:

https://<fqdn of adfs>/adfs/ls/IdpInitiatedSignon.aspx

For example: https://adfs-1/adfs/ls/IdpInitiatedSignon.aspx

Complete the test by logging in with an Active Directory account.

Figure 1. Default AD FS Login Page


Step 2. Create Services on the Barracuda Load Balancer ADC

  1. Log into the Barracuda Load Balancer ADC as the administrator.
  2. Go to the BASIC > Certificates page, and create or import the required certificate. If you import a certificate, ensure that it is the same certificate that you configured AD FS with.
  3. Go to the BASIC > Services page, and create the service listed in the following table. To add a real server, click Add Server.

    Name: ADFS_HTTPS
    Type: HTTPS
    IP Address: The VIP address for the AD FS service. For example: 10.5.7.193
    Port: 443
    Session Timeout: 600
    Persistence:
      • Type: Source IP
      • Time: 1200 seconds
    Real Servers:
      • IP addresses of the AD FS servers
      • Port: 443
      • Enable SSL on both servers
      • Upload or select the certificate you configured the AD FS service with
  4. Enable Server Name Indication (SNI) by scrolling to SSL Settings and opening the Advanced Options. Enable SNI and then add each SNI domain by clicking Add SNI Domain. Enter the domain name and the associated certificate (the same certificate you configured AD FS with). Complete this step for each SNI domain. Client requests for domains that are not associated with any certificate receive the default certificate.

    For wildcard certificates, all of the possible hostnames must be configured in SNI. Although SNI is enabled by default on the servers, it might be necessary to enable SNI at the back-end as well.

Step 3. Configure the DNS

Create an A record that points to the VIP address that you set on the Barracuda Load Balancer ADC for the AD FS service.

For example, if you want to use the name sso and your domain is barracuda.com, your A record would look something like this:

Name: sso.barracuda.com
IP Address: 10.5.7.193

When you deploy applications with AD FS to provide single sign-on authentication, use the DNS name that you created in this step.

Step 4. Test your Load Balanced AD FS Setup

Go to the AD FS login page using the name that you set in the A record and verify that the page displays correctly. The URL is usually something like:

https://<fqdn of adfs>/adfs/ls/IdpInitiatedSignon.aspx

For example, if you set sso as the new name, go to:

https://sso.barracuda.com/adfs/ls/IdpInitiatedSignon.aspx
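As an added check for Steps 2 and 4 (example code, not from Barracuda or Microsoft): the script below connects to the VIP and to each AD FS server with SNI set to the AD FS name, compares the SHA-1 thumbprints of the certificates they present (Step 2 requires the same certificate on the ADC service and on AD FS), and requests the IdP-initiated sign-on page through the DNS name from Step 3. The VIP 10.5.7.193 and the name sso.barracuda.com come from this guide; the real-server IP addresses are constructed placeholders.

```python
"""Verify a load-balanced AD FS VIP: the SNI certificate matches every real
server, and the IdP-initiated sign-on page is reachable through the VIP."""
import hashlib
import socket
import ssl
import urllib.error
import urllib.request

ADFS_FQDN = "sso.barracuda.com"            # DNS name created in Step 3
VIP = "10.5.7.193"                         # service VIP from Step 2
REAL_SERVERS = ["10.5.7.10", "10.5.7.11"]  # constructed placeholder AD FS server IPs
SIGNON_PATH = "/adfs/ls/IdpInitiatedSignon.aspx"


def leaf_cert_thumbprint(host: str, sni_name: str, port: int = 443) -> str:
    """Connect to host with SNI set to sni_name and return the SHA-1 thumbprint
    of the leaf certificate presented (the value the Windows certificate MMC shows).
    Verification is disabled on purpose: we compare thumbprints, not trust chains."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha1(der).hexdigest().upper()


def certificate_mismatches(thumbprints: dict) -> list:
    """Given {endpoint: thumbprint} with the VIP stored under key 'vip', return the
    endpoints whose certificate differs from the one the VIP presents."""
    expected = thumbprints["vip"]
    return sorted(ep for ep, tp in thumbprints.items() if ep != "vip" and tp != expected)


def signon_page_status(fqdn: str, path: str = SIGNON_PATH) -> int:
    """Request the sign-on page by DNS name (so it goes through the VIP) and
    return the HTTP status; AD FS should answer 200 on this path."""
    req = urllib.request.Request(f"https://{fqdn}{path}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    observed = {"vip": leaf_cert_thumbprint(VIP, ADFS_FQDN)}
    for ip in REAL_SERVERS:
        observed[ip] = leaf_cert_thumbprint(ip, ADFS_FQDN)
    bad = certificate_mismatches(observed)
    print("certificate mismatch on:", bad if bad else "none")
    print("sign-on page status via VIP:", signon_page_status(ADFS_FQDN))
```

A non-empty mismatch list means a real server is not using the certificate the ADC service presents, which is the condition Step 2 warns against; a non-200 status through the VIP points at the DNS record or the service configuration.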