
ADFS Proxy (Server 2016) in DMZ - Publish to WAN and LAN

Hi,

We have ADFS Proxy Server in DMZ zone (basically for Office 365 login), which currently has the following setup in Sophos XG:

  1. published to a WAN alias using a Web Server Protection (Reverse Proxy) rule rather than a 'normal' rule. This works for external users using the ADFS Forms Authentication login page
  2. Firewall rule from the LAN zone to the DMZ zone to allow LAN users to log in, also using the ADFS Forms Based Authentication login page, with HTTPS as the Service
  3. there are no NAT/DNAT rules in place
  4. the endpoint configured in Office 365 is cloud.domainname.com which externally resolves to the WAN alias used in the reverse proxy rule
  5. cloud.domainname.com zone is on internal DNS and has the IP for the ADFS Proxy Server in the DMZ zone
  6. ADFS Proxy Server is not domain joined
  7. ADFS Server is domain joined

So from a topology point of view, both external and internal users get directed to the Proxy Server IP in the DMZ zone, which then bounces back to the ADFS service running in the LAN zone. This is so that all logins are consistent, using the FBA login page; if I have the cloud.domainname.com zone pointing to the LAN-based ADFS Server instead, users get a more traditional Windows dialog popup in the browser.

Although this is working, there are some quirks:

  1. Point 2 above was never needed until I recently upgraded to Firmware XG230 (SFOS 18.0.5 MR-5-Build586). Previously, direction to the FBA login page on the ADFS Proxy Server in the DMZ zone from the LAN zone during Office 365 login 'just worked'. Has the firmware upgrade changed something that was allowing this to work? For example, was the Reverse Proxy rule also accepting traffic from the LAN zone?
  2. Although login is working OK, I cannot access the https://cloud.domainname.com/adfs/fs/federationserverservice.asmx page from anywhere except the DMZ zone or localhost on the ADFS Server directly (https://localhost/adfs/fs/federationserverservice.asmx); I get a 503 Service Unavailable, so it seems the route of WAN or LAN -> DMZ -> back to LAN is breaking something

Questions:

  1. Can the Reverse Proxy rule be set to listen on multiple things for 'Hosted Server', for example the WAN alias and the LAN/DMZ zones; is this where DNAT is used? Essentially I want all access destined for the ADFS Proxy to follow the same route
  2. Am I missing anything else?

Thanks
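A small diagnostic to run from each zone (a LAN host, the DMZ, an external host) that records what cloud.domainname.com resolves to there and what the federationserverservice.asmx page answers, then maps the pair onto the outcomes described in the post (direct-to-LAN Windows auth, no answer from the proxy listener, 503 from the DMZ proxy, or success). This is an added example, not part of the post or of any Sophos product; the hostname and path come from the post, while the two IP addresses are constructed placeholders for the DMZ proxy and the LAN ADFS server.

```python
# Added example, not the post's configuration; IPs are constructed placeholders.
import socket
import ssl
import urllib.error
import urllib.request

HOST = "cloud.domainname.com"
PATH = "/adfs/fs/federationserverservice.asmx"   # the page that returns 503 in the post
PROXY_IP = "192.0.2.10"   # placeholder: ADFS Proxy in the DMZ zone
ADFS_IP = "192.0.2.20"    # placeholder: domain-joined ADFS server in the LAN zone

def resolve(host):
    # DNS answer as seen from the zone this script runs in, or None on failure
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def probe(host, path, timeout=5):
    """HTTP status for https://host+path, or None when nothing answered."""
    ctx = ssl.create_default_context()   # certificate is verified, as a browser would
    try:
        with urllib.request.urlopen(f"https://{host}{path}", timeout=timeout, context=ctx) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code      # a 503 still proves the reverse proxy answered
    except (urllib.error.URLError, OSError):
        return None        # no route, reset or TLS failure: treat as no answer

def interpret(resolved_ip, status, proxy_ip=PROXY_IP, adfs_ip=ADFS_IP):
    """Map (DNS answer, HTTP status) onto the outcomes the post describes."""
    if resolved_ip is None:
        return "dns-failure"
    if resolved_ip == adfs_ip:
        return "bypasses-proxy"          # LAN ADFS directly: Windows dialog, not FBA
    if resolved_ip != proxy_ip:
        return "unexpected-target"
    if status is None:
        return "no-answer"               # zone rule or proxy listener rejects this source
    if status == 503:
        return "proxy-backend-failure"   # DMZ proxy reached, hairpin back to LAN ADFS failed
    if 200 <= status < 400:
        return "ok"
    return f"http-{status}"

if __name__ == "__main__":
    ip = resolve(HOST)
    status = probe(HOST, PATH) if ip else None
    print(f"{HOST}{PATH}: ip={ip} status={status} -> {interpret(ip, status)}")
```

Running it from the LAN, the DMZ and outside and comparing the three verdicts shows whether the DNS answer or the proxy hairpin is what differs per zone.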


