Part 2 – Configuring Azure Application Gateways with AD FS

In Part 1 of Configuring Azure Application Gateway with AD FS we covered the existing AD FS architecture and the target AD FS architecture, and finished by deploying an Application Gateway with a basic configuration.

So let's have a look at the logical configuration of what AD FS behind an Application Gateway running a Web Application Firewall will look like.

Azure AD FS WAF Logical v0.1

Now we are ready to get cracking with some configuration work!

Backend Pools

This is where the Application Gateway will be delivering interesting traffic to.  In this case it will be the following virtual machines:

  • VMF-WE-WAP01
  • VMF-WE-WAP02

Select Application Gateway > Backend Pool and then add in your virtual machines.  It should look something like this.

WAF 03

Frontend Listener

This is the external port on which the Application Gateway listens for interesting traffic.  In Part 1 we chose HTTP; the reason for this is so that we can configure HTTPS now and go through the steps in more detail.  Plus we get to use our own naming convention rather than Microsoft’s!

Select Application Gateway > Frontend Listeners and enter our configuration details, which are:

  • Name 443_Listener
  • Front End Port Name 443_Port
  • Port 443
  • Protocol HTTPS

We now need our certificate in PFX format, so time to grab that before we move on.

The screenshot below shows the deployed configuration.

WAF 04

HTTP Settings

To ensure that we get end-to-end SSL, we need to use an HTTPS setting under HTTP Settings (I’m sure Microsoft could come up with a better name).   The backend defined by the HTTP setting needs to be trusted by the frontend; to do this we take our original certificate, which was a .pfx, and export it in .cer format (the public certificate only) for the HTTP setting.

Select Application Gateway > HTTP Settings and enter our configuration details, which are:

  • Name 443_Setting
  • Request Timeout: 30
  • Cookie Based Affinity: Enabled
  • Port 443

The configuration should look something like the screenshot below.

WAF 05
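The same HTTPS setting built with the Az PowerShell module, as an added example that is not code from the original post: it exports the public half of the .pfx as a .cer, uploads it as the authentication certificate the gateway uses to trust the Web Application Proxies, and creates 443_Setting with the values above. The resource group RG-WE-ADFS, the gateway name AGW-WE-ADFS, the certificate name ADFS_BackendCert and the path C:\Certs\adfs.pfx are assumed names.

```powershell
# Added example (not from the original post). Assumed names: RG-WE-ADFS,
# AGW-WE-ADFS, ADFS_BackendCert and C:\Certs\adfs.pfx; 443_Setting and its
# values (port 443, HTTPS, cookie affinity, 30 s timeout) are from the post.
$pfxPath     = 'C:\Certs\adfs.pfx'
$cerPath     = 'C:\Certs\adfs.cer'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the .pfx and write out only the public certificate (DER-encoded .cer).
# The private key stays in the .pfx: the gateway only needs the public part
# to validate the certificate the WAPs present on port 443.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
$derBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $derBytes)
'Exported {0} (thumbprint {1}) to {2}' -f $cert.Subject, $cert.Thumbprint, $cerPath

# Fetch the gateway, add the .cer as an authentication certificate, then
# create the HTTPS backend setting that references it.
$gw = Get-AzApplicationGateway -Name 'AGW-WE-ADFS' -ResourceGroupName 'RG-WE-ADFS'
Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw `
    -Name 'ADFS_BackendCert' -CertificateFile $cerPath | Out-Null
$authCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'ADFS_BackendCert'

Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name '443_Setting' `
    -Port 443 -Protocol Https -CookieBasedAffinity Enabled -RequestTimeout 30 `
    -AuthenticationCertificates $authCert | Out-Null

# Nothing reaches Azure until the modified gateway object is written back.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

Check the thumbprint printed here against the one shown on the WAP servers' certificate before uploading; a mismatch is the usual reason the backend is later reported unhealthy with an HTTPS setting.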

Rule

Next we are going to configure a Rule (which we are going to change later, but we have to do things in a certain order).

Select Application Gateway > Rules and enter our configuration details, which are:

  • Name 443_Rule
  • Listener 443_Listener
  • HTTP Setting 443_Setting

WAF 06

Now we are cooking on gas and we can remove the default settings.

Remove Default Settings

Let’s start with Rules: select ‘Rule1’ and click delete.  Once that has gone, select Listeners, then AppGatewayHTTPListener, and click delete.  You will be prompted to confirm that this will make changes to the FrontEndIP and Port, which makes sense as it will no longer listen on port 80.

Then, last of all, select HTTP Settings, then appGatewayBackendHttpSettings, and click delete.

Sense Check

Right, before we go any further we are going to perform a Backend Health check to see what is occurring.

WAF 07

Man down, I repeat, man down!  The reason for this is that the Application Gateway requires specific ports to be opened up for the Health Check API to work, which are 65503-65534.

I usually apply NSGs to subnets, as all resources placed within the subnet then inherit the security rules.

As you can see, I have created two rules: the first allows HTTPS traffic from the internet and the second allows the Health Check API ports inbound.

WAF09

If this were a production rollout of a WAF with AD FS, I would strongly suggest you create some specific rules to limit traffic flow between subnets within the vNet.  As this is a lab environment which is only up temporarily, I shall move on!
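The two NSG rules from the screenshot, plus the tighter inter-subnet rules just recommended for production, as an added Az PowerShell example that is not code from the original post. It assumes an NSG called NSG-WE-AGW on the Application Gateway subnet (where the Health Check API ports must be reachable), an NSG called NSG-WE-WAP on the Web Application Proxy subnet, the resource group RG-WE-ADFS, and 10.0.1.0/24 as the gateway subnet prefix; all of these names and values are assumptions.

```powershell
# Added example (not from the original post). Assumed names: RG-WE-ADFS,
# NSG-WE-AGW, NSG-WE-WAP and the gateway subnet prefix 10.0.1.0/24.
$rg = 'RG-WE-ADFS'

# NSG on the Application Gateway subnet: HTTPS from the internet, and the
# Health Check API ports 65503-65534 used by the v1 SKU in the post
# (the v2 SKU instead uses 65200-65535 from the GatewayManager service tag).
$agwNsg = Get-AzNetworkSecurityGroup -Name 'NSG-WE-AGW' -ResourceGroupName $rg
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $agwNsg -Name 'Allow_HTTPS_Inbound' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443 | Out-Null
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $agwNsg -Name 'Allow_AGW_HealthCheck' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange '65503-65534' | Out-Null
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $agwNsg | Out-Null

# NSG on the WAP subnet: only the gateway subnet may reach the proxies on 443,
# and everything else inbound from the vNet is denied. Any management traffic
# you still need (for example RDP from a jump box) gets its own allow rule
# with a priority below 4000 so it is evaluated before the deny.
$wapNsg = Get-AzNetworkSecurityGroup -Name 'NSG-WE-WAP' -ResourceGroupName $rg
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $wapNsg -Name 'Allow_HTTPS_From_AGW' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443 | Out-Null
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $wapNsg -Name 'Deny_VNet_Inbound' `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $wapNsg | Out-Null
```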

Time again for another sense check; let’s verify the Backend Health.  Argh, we are still in a man down scenario.

WAF 07

The reason for this is that the built-in Application Gateway probe checks our Web Application Proxies on ports they don’t respond on.  We need to create a Custom Health Probe.

Health Probe

So let’s get Backend Health working.  Select Application Gateway > Health Probes > Add.  The configuration details we are going to use are as follows:

  • Name Probe_ADFS
  • Host adfs.vmfocus.com
  • Protocol HTTPS
  • Path /adfs/ls/idpinitiatedsignon.htm
  • Interval 30 Seconds
  • Timeout 30 Seconds
  • Unhealthy Threshold 3

It should look like the picture below.

WAF10

Finally we need to apply the Custom Health Probe to our HTTP Setting.  Select HTTP Settings > 443_Setting, tick ‘Use Custom Probe’ and select Probe_ADFS.

WAF11

Now let’s check the Backend Health one last time.

WAF12

Excellent, the Application Gateway will now be passing traffic correctly to our Web Application Proxies.  All we need to do now is update DNS to point to the public IP address of the Application Gateway.
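The Health Probe steps above (create Probe_ADFS, attach it to 443_Setting, then check Backend Health) done with the Az PowerShell module, as an added example that is not code from the original post. It assumes the resource group RG-WE-ADFS, the gateway AGW-WE-ADFS and an authentication certificate called ADFS_BackendCert that was uploaded when the HTTPS setting was created; those three names are assumptions, the probe values are the post's.

```powershell
# Added example (not from the original post). Assumed names: RG-WE-ADFS,
# AGW-WE-ADFS and the authentication certificate ADFS_BackendCert.
$rg = 'RG-WE-ADFS'; $gwName = 'AGW-WE-ADFS'
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# The custom probe sends the Host header adfs.vmfocus.com and requests the
# AD FS sign-on page over HTTPS, which the WAPs do answer (unlike the default probe).
Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'Probe_ADFS' `
    -Protocol Https -HostName 'adfs.vmfocus.com' -Path '/adfs/ls/idpinitiatedsignon.htm' `
    -Interval 30 -Timeout 30 -UnhealthyThreshold 3 | Out-Null
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'Probe_ADFS'

# Equivalent of ticking 'Use Custom Probe'. Set- replaces the whole setting,
# so the existing values and the backend authentication certificate are passed again.
$authCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'ADFS_BackendCert'
Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name '443_Setting' `
    -Port 443 -Protocol Https -CookieBasedAffinity Enabled -RequestTimeout 30 `
    -AuthenticationCertificates $authCert -Probe $probe | Out-Null
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Sense check: the same Backend Health view as the portal, one line per WAP.
$health = Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg
foreach ($pool in $health.BackendAddressPools) {
    foreach ($settings in $pool.BackendHttpSettingsCollection) {
        foreach ($server in $settings.Servers) {
            '{0}: {1}' -f $server.Address, $server.Health
        }
    }
}
```

If a WAP still shows as unhealthy after this, the probe host name, path and the trusted backend certificate are the three things to compare against what the WAP actually serves.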


One thought on “Part 2 – Configuring Azure Application Gateways with AD FS”

  1. Great article!
    My question is around affinity. Isn’t it a Microsoft recommendation to steer clear of affinity/stickiness for AD FS?
