Microsoft Windows AD FS Deployment
Follow the steps in this guide to deploy the Barracuda Load Balancer ADC to increase the scalability and reliability of your Microsoft Active Directory Federation Services (AD FS) deployment. The Barracuda Load Balancer ADC also improves the performance of AD FS by balancing the authentication requests that are sent to your AD FS servers.
Terminology
Term | Definition |
|---|---|
Fully Qualified Domain Name (FQDN) | The unique name for a specific computer or host that can resolve to an IP address (for example, www.example.com). |
VIP | Virtual IP address. In the Barracuda Load Balancer ADC deployment, the VIP is added to the service on the Barracuda Load Balancer ADC. |
Service | A combination of a virtual IP address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving on the specified port(s) is directed to one of the real servers associated with a service. |
Deployment Scenario
Product Versions and Prerequisites
You must have:
Barracuda Load Balancer ADC version 5.1 or 5.2.
Active Directory Federation Services ( AD FS) 2.0 or above (Windows Server 2012 R2). It is strongly recommended that you use Windows Server 2012 R2 and AD FS 3.0.
A fully configured AD FS farm with at least two servers.
Installed your Barracuda Load Balancer ADC(s), connected to the web interface, and activated your subscription(s).
If you want to deploy AD FS with high availability, cluster your Barracuda Load Balancer ADCs. For more information, see High Availability.
Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized so you only need to configure the active Barracuda Load Balancer ADC.
Step 1. Set Up and Deploy the AD FS Farm
Configure at least two separate servers with the AD FS service that you want to load balance. Test the login page on each AD FS server to ensure that AD FS is working. The URL is usually something like:
https://<fqdn of adfs>/adfs/ls/IdpInitiatedSignon.aspx
For example: https://adfs-1/adfs/ls/IdpInitiatedSignon.aspx
Complete the test by logging in with an Active Directory account.
Figure 1. Default AD FS Login Page
Step 2. Create Services on the Barracuda Load Balancer ADC
Log into the Barracuda Load Balancer ADC as the administrator.
Go to the BASIC > Certificates page, and create or import the required certificate. If you import a certificate, ensure that it is the same certificate that you configured AD FS with.
Go to the BASIC > Services page, and create the service listed in the following table. To add a real server, click Add Server.
Enable Server Name Identification (SNI) by scrolling to SSL Settings and opening the Advanced Options. Enable SNI and then add each SNI domain by clicking Add SNI Domain. Enter the domain name and the associated certificate (the same certificate you configured AD FS with). Complete this step for each SNI domain. Client requests for domains that are not associated with any certificate will get the default certificate.
Step 3. Configure the DNS
Create an A record to point the VIP address that you set on the Barracuda Load Balancer ADC for the AD FS service.
For example, if you want to use the name sso and your domain is barracuda.com, your A record would look something like this:
Name | IP Address |
|---|---|
sso.barracuda.com | 10.5.7.193 |
Use of DNS Name when Deploying Applications with AD FS
When you deploy applications with AD FS to provide single sign-on authentication, use the DNS name that you created in this step.
Step 4. Test your Load Balanced AD FS Setup
Go to the AD FS login page using the name that you set in the A record and verify that the page displays correctly. The URL is usually something like:
https://<fqdn of adfs>/adfs/ls/IdpInitiatedSignon.aspx
For e xample, if you set sso as the new name, go to:
https://sso.barracuda.com/adfs/ls/IdpInitiatedSignon.aspx
Contact Us
Barracuda Campus
Barracuda Support