
ADFS WAF Policy and Rule

Migrating from Windows Reverse Proxy to Sophos XG WAF.

See tutorial below.

Assumes you know how to add Real web servers to XG, have a functioning ADFS server, and a Federated domain.



  • ADFS WAF Policy and Rule.

    Caveat: Microsoft Edge Browser will not display the images on the page; however, it will still work for authentication.
    Solution edited to correct Edge needing access to other paths for style sheets and imagery. See follow-up post.

    Solution edited to correct Outlook needing access to other paths and exceptions. See follow-up post.

    SFOS 18.x Solution below in a different post.


    Configure Protection Policy

    First we need to set up the combined Microsoft ADFS STS 2012R2 Protection policy.

    ADFS STS Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft ADFS STS 2012R2
      • Pass Outlook Anywhere: Disabled
      • Mode: Reject
      • Cookie Signing: Disabled
      • Static URL Hardening: Disabled
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: Disabled (edited 2018-7-31 for Bad Microsoft IPs)
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enabled (All Selected Except)
        • SQL Injection Attacks: Disable
      • Rigid Filtering: Disabled
      • Skip Filter Rules:
        • 950120
        • 981176 (edited 2018-6-8 for Outlook)
        • 981204 (edited 2018-6-8 for Outlook)
      3. Click on Save.

    Configure Firewall rule

    ADFS - STS Access Rule

    1. Navigate to Firewall.
    2. Click Add Firewall Rule and select Business Application Rule from the drop down menu.
    3. Select the WAF Server Protection template
    4. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • HTTPS
      • Certificate
      • Domains
      • Protected Server
    5. Check Path-Specific Routing
      Add new Path

      • Path: /adfs/ls/
      • Web Server: Select Real Web Server
      • Authentication: None
      • Allowed Client Networks: Select desired Networks to be allowed access
      • Block Client Networks: Select desired Networks to be denied access
      • Sticky session cookie: Disabled
      • Hot standby mode: Disabled
      • WebSocket passthrough: Disabled
      • Click Save
    6. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath Protection.
    7. Now select Microsoft ADFS STS 2012R2
    8. Additional Options
      • Check Pass Host Header
    9. Save
  • Update!

    Some of Microsoft's IPs used for Federation authentication tokens for Autodiscover are listed on the public blacklists used by Block clients with bad reputation: Enabled. This can prevent some or all users from authenticating to the Outlook MAPI and ActiveSync protocols.

    At this point, unless we can add specific IP blocks to a whitelist somewhere that overrides Block clients with bad reputation, it must be disabled.

    See the Policy creation post and note the policy changes marked (edited 2018-7-31 for Bad Microsoft IPs).
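    The policy post above lists three Skip Filter Rules (950120, 981176, 981204) that Outlook and Edge needed, and the Update explains why the bad-reputation block had to be disabled. Both decisions rest on the same evidence: which rule id blocked which client on which path. The script below is an added example, not part of either post and not Sophos code; it parses ModSecurity-style "Access denied" lines (a constructed sample, since the exact XG WAF log layout is an assumption here) and compares the rule ids it finds against the skip list the post configures, so a newly blocking rule is reviewed together with the URIs and client IPs it fired on before it is added to Skip Filter Rules.

```python
import re

# Skip Filter Rules the post configures in the "Microsoft ADFS STS 2012R2" policy.
CONFIGURED_SKIP = {"950120", "981176", "981204"}

# Constructed sample lines, not real Sophos XG output. They use the ModSecurity
# "Access denied" layout ([id "..."] before [msg "..."] before [uri "..."]) that
# Apache-based reverse proxies emit; that XG's WAF log looks exactly like this
# is an assumption, so adjust DENY_RE to your actual log format.
SAMPLE_LOG = """\
[client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/autodiscover/autodiscover.xml"]
[client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [uri "/autodiscover/autodiscover.xml"]
[client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "950120"] [msg "Possible Remote File Inclusion (RFI) Attack"] [uri "/adfs/ls/"]
[client 198.51.100.7] ModSecurity: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [uri "/adfs/ls/"]
[client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/adfs/ls/"]
[client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [uri "/adfs/ls/"]
"""

# Only lines that actually blocked a request matter for skip-rule triage;
# "Warning." lines are logged but did not deny anything.
DENY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\].*?Access denied'
    r'.*?\[id "(?P<id>\d+)"\]'
    r'.*?\[msg "(?P<msg>[^"]*)"\]'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)


def parse_denials(log_text):
    """Return one dict (client, id, msg, uri) per 'Access denied' line."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_rule(events):
    """Group denials by rule id with the URIs and client IPs each one fired on."""
    summary = {}
    for e in events:
        s = summary.setdefault(
            e["id"], {"count": 0, "msg": e["msg"], "uris": set(), "clients": set()}
        )
        s["count"] += 1
        s["uris"].add(e["uri"])
        s["clients"].add(e["client"])
    return summary


def not_yet_skipped(events, skip_rules=CONFIGURED_SKIP):
    """Rule ids seen blocking traffic that the policy does not already skip."""
    return {e["id"] for e in events} - set(skip_rules)


def report(log_text, skip_rules=CONFIGURED_SKIP):
    """Human-readable triage report, one rule id per block, as a list of lines."""
    events = parse_denials(log_text)
    lines = []
    for rule_id, s in sorted(summarize_by_rule(events).items()):
        status = "already skipped" if rule_id in skip_rules else "NOT skipped - review"
        lines.append(f'{rule_id} x{s["count"]} ({status}): {s["msg"]}')
        lines.append(f'    uris: {", ".join(sorted(s["uris"]))}')
        lines.append(f'    clients: {", ".join(sorted(s["clients"]))}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Run it against an export of the WAF log for the ADFS rule. A rule id that only ever fires for known Outlook, Autodiscover or Edge clients on the /adfs/ls/ and /autodiscover/ paths is the kind of false positive the post worked around; one that fires from unknown client addresses should stay enforced, since skipping a rule removes that check for the whole policy, not just for the clients that tripped it.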