ADFS WAF Policy and Rule.

Caveat: Microsoft Edge Browser will not display the images on the page, however will still work for authentication.
Solution Edited to correct Edge needing access to other paths for Style Sheet and imagery. See follow up post.

Solution Edited to correct Outlook needing access to other paths and exceptions. See follow up post.

SFOS 18.x Solution below in a different post.

Configure Protection Policy

First we need to set up the combined Microsoft ADFS STS 2012R2 Protection policy.

ADFS STS Protection Policy Configuration

1. 1. Navigate to Web Server > Protection Policies and click Add.
   2. Fill in the fields as shown below.

1. • Name: Microsoft ADFS STS 2012R2
   • Pass Outlook Anywhere: Disabled
   • Mode: Reject
   • Cookie Signing: Disabled
   • Static URL Hardening: Disabled
   • Form Hardening: Disabled
   • Antivirus: Disabled
   • Block clients with bad reputation: Disabled (edited 2018-7-31 for Bad Microsoft IPs)
   • Skip remote lookups for clients with bad reputation: Disabled
   • Common Threat Filter: Enabled (All Selected Except)
     • SQL Injection Attacks: Disable
   • Rigid Filtering: Disabled
   • Skip Filter Rules:
     • 950120
     • 981176 (edited 2018-6-8 for Outlook)
     • 981204 (edited 2018-6-8 for Outlook)
2. Click on Save.

Configure Firewall rule

ADFS - STS Access Rule

1. Navigate to Firewall.
2. Click Add Firewall Rule and select Business Application Rule from the drop down menu.
3. Select the WAF Server Protection template
4. Fill in the required details:
   • Rule Name
   • Hosted Address
   • Listening Port
   • HTTPS
   • Certificate
   • Domains
   • Protected Server
5. Check Path-Specific Routing
   Add new Path
   
   
   • Path: /adfs/ls/
   • Web Server: Select Real Web Server
   • Authentication: None
   • Allowed Client Networks: Select desired Networks to be allowed access
   • Block Client Networks: Select desired Networks to be denied access
   • Sticky session cookie: Disabled
   • Hot standby mode: Disabled
   • WebSocket passthrough: Disabled
   • Click Save
6. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath to Protection.
7. Now select Microsoft ADFS STS 2012R2
8. Additional Options
   • Check Pass Host Header
9. Save

Edge requires an additional Path-specific routing entry.

Add new Path

• Path: /adfs/portal/
• Web Server: Select Real Web Server
• Authentication: None
• Allowed Client Networks: Select desired Networks to be allowed access
• Block Client Networks: Select desired Networks to be denied access
• Sticky session cookie: Disabled
• Hot standby mode: Disabled
• WebSocket passthrough: Disabled
• Click Save

Hi AADD,

I just wanted to thank you for going through this and posting potential fixes.

I will be trying these against 2016 as that has been the issue.  I'm crossing my fingers these all work on 2016 and I can go back to using WAF for these scenarios.

Thanks,

John

Outlook also requires special exemptions.

See the Policy creation post and note the policy changes marked (edited 2018-6-8 for Outlook) 

Make the following additions to the WAF Business Rule

Add new Path

• Path: /adfs/services/
• Web Server: Select Real Web Server
• Authentication: None
• Allowed Client Networks: Select desired Networks to be allowed access
• Block Client Networks: Select desired Networks to be denied access
• Sticky session cookie: Disabled
• Hot standby mode: Disabled
• WebSocket passthrough: Disabled
• Click Save

Add new Exception

• Paths: /adfs/services/*
• Set Sources
• Check Protocol Anomalies
• Click Save

Axsom1,

Have you had a chance to test the settings for Windows 2016?

If so, what were the results for you, and please note: There have been some updates to my WAF policy post.

Axsom1,

Have you had a chance to test the settings for Windows 2016?

If so, what were the results for you, and please note: There have been some updates to my WAF policy post.