Active Directory Federation Services (AD FS) is a Microsoft identity access solution. It was an optional component of Microsoft Windows Server® 2003 R2 and is now built into Windows Server® 2008, Windows Server® 2012 and Windows Server 2012 R2. AD FS on Windows 2012 R2 is sometimes referred to as AD FS 3.0.
The Kemp LoadMaster family of products provides high availability to AD FS and AD FS proxy (WAP) farms. AD FS proxy servers terminate external traffic in the DMZ and provide an additional layer of protection against external threats. AD FS proxy servers also help internal AD FS servers clearly identify which authentication attempts are external. This is achieved by inserting the x-ms-proxy claim into the AD FS request.
AD FS administrators can configure advanced claims rules that allow granular control over user authentication restrictions, such as requiring users to be part of a certain group or to authenticate from certain IP networks. When such claims rules are configured on AD FS servers, it becomes critical to identify whether a user is trying to authenticate from an external location or an internal one.
In deployments where such advanced claims rules are not in use, Kemp LoadMaster devices can be placed in the DMZ and can proxy authentication requests to internal AD FS servers without requiring additional AD FS proxy (WAP) servers. This can help customers save the hardware, software and management costs associated with maintaining additional AD FS proxy servers.
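The kind of advanced claims rules described above, as an added example that is not taken from Kemp or Microsoft documentation: issuance authorization rules that restrict external sign-ins by group membership and by client network. The relying party name, group SID and IP range are placeholders. Both deny rules are keyed on the x-ms-proxy claim, so they only apply to requests that reached AD FS through an AD FS proxy.

```powershell
# Added example: the three values below are assumptions, not values from this page.
$rpName     = 'Example Relying Party'       # hypothetical relying party trust name
$groupSid   = 'S-1-5-21-<domain>-<rid>'     # placeholder: SID of the allowed AD group
$allowedNet = '\b203\.0\.113\.\d{1,3}\b'    # constructed: documentation range 203.0.113.0/24

# AD FS claim rule language. The x-ms-proxy claim is present only when the
# request was relayed by an AD FS proxy (WAP), which is how AD FS tells
# external authentication attempts from internal ones.
$rules = @"
@RuleName = "Permit all users by default"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external requests from users outside the allowed group"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
               Value == "$groupSid"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Deny external requests from outside the allowed network"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
               Value =~ "$allowedNet"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Apply the rules to the relying party trust, then read them back to confirm.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

A request that carries no x-ms-proxy claim matches neither deny rule and falls through to the permit rule, so rules of this shape need the external path to run through an AD FS proxy.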