ISP -> Synology NAS (reverse proxy) -> PFSense -> HAProxy -> ADFS
-
Hello all! Hope everyone is doing fine!
I have a question I hope to get some help with. For many years now I'm a happy customer when it comes to PFSense. As such, I have a lab running with 2 forests, with amongst others 2x ADFS farms with WAP. These are exposed via PFSense to the outside world, and the HAProxy plugin is using SNI to determine which farm to address. All works well.
Now, I noticed that Synology NAS nowadays supports reverse proxy, also based on hostname. Since I also host a few HTTPS sites on my NAS, I'm always switching the ISP Router port 443 forwarding to point either to my NAS (for https websites) or my PFSense (for ADFS).
Then I figured, what if I can forward all traffic to my NAS on 443, and using its reversed proxy, send traffic for my ADFS farms (ADFS1.DOMAIN.COM and ADFS2.DOMAIN.COM) to my PFSense. This way I can keep my websites hosted as they listen to another hostname, and push traffic destined for ADFS to the PFSense appliance.On the Synology, i've set the certificates corresponding to the ADFS domains and configured the Reverse proxy as such:
I see the traffic land on my PFSense and being blocked by the firewall:
This is the reason it's blocked, as the traffic comes from a private IP range:
After disabling that setting (so allowing private networks), I hoped it would start to work. But, nothing... It directly responds with a Synology message saying the page cannot be loaded (or better; there is no such endpoint).
When I do a telnet on 443 towards the ADFS endpoint, I see I land on the Synology and not the ADFS server.Since it was moving to the PFSense before, I feel I need to configure something else to get this to work, but am at a loss at the moment.
I tried disabling the HAProxy / SNI just as a test, but to no prevail. In the end I still need it though, since I need to route traffic towards the correct ADFS farm (which are all behind the PFSense appliance). I rather keep the PFSense as the router for my ADFS lab, instead of placing the WAP servers directly behind the Synology NAS.Hopefully someone can push me in the right direction!
Thanks again in advance,
Kami.
-
I managed to get it to work, that is, when taking out the PFSense appliance.
So, nothing wrong on the Synology side of things.
For those interested:
I've added an additional NIC to my Web Application Proxy servers (ADFS proxies), and routed the traffic from the Synology reversed proxy to this new address.
Don't forget to remove the gateway from the 2nd NIC inside the WAP's, as a machine is not allowed to have 2 gateways (or set a static route for the traffic).
Finally, enable / start the Routing and Remote Access Service to make sure the machine can reroute the traffic between the 2 NICs which are on different networks.
Disclaimer: This is NOT recommended nor supported for production environments, just for a lab.
Now for phase 2: Getting that PFSense in between and making it work (without additional NIC's on separate networks). I think the biggest issue here is the double SNI / Hostname routing... any tips are welcome!
-
Success! Got it working, with the PFSense / HAProxy in the middle.
The trick is to enable SSL Offloading on HAProxy and importing the required certificates.Disclaimer: SSL Offloading is NOT supported for AD FS; Only use this in your lab, not in production environments:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#x-ms-forwarded-client-ip-does-not-contain-the-ip-of-the-client-but-contains-ip-of-the-firewall-in-front-of-the-proxy-where-can-i-get-the-right-ip-of-the-clientThis thread can be closed.
Kami.