Barracuda Web Application Firewall: Active Directory Federation Services

Download PDF

Authenticating Mobile and BYOD Devices

When employees access corporate web applications remotely, their mobile devices are not domain-joined, so traditional authentication mechanisms like IWA / Kerberos do not work. With today’s highly distributed workforce, many organizations need a solution to properly authorize mobile devices so employees can easily access their corporate web applications. Microsoft Active Directory Federation Services (ADFS) act as a security token service (STS) that provides authentication and SSO to mobile devices.

Best Practices

Companies looking to publish ADFS on Azure follow these best practices when opening up access to mobile devices. Deploying the Barracuda Web Application Firewall ensures their security is not compromised.

Deploy 2 VNets: VNet1 contains the proxies like WAF, and VNet2 contains the ADFS servers and the network connection back to the corporate network; VNet1 is therefore isolated from VNet2 and, in turn, from the corporate network.

Deploy a reverse proxy in the perimeter network to prevent direct exposure of ADFS to the Internet. Microsoft itself provides the Web Application Proxy (WAP) which can be used for this purpose, which receives and forwards requests to the ADFS from the DMZ.

Publishing ADFS Securely in Azure

Benefits

The Barracuda Web Application Firewall provides comprehensive security, availability, and scalability of the ADFS services, regardless of where they are deployed:

Protection AgainstWeb-based Attacks
Comprehensive security for all HTTP and HTTPS traffic, including protection against OWASP Top 10 attacks.

Application DDoS Protection
Shields the ADFS servers and other applications from sophisticated application layer DDoS attacks emanating from the Internet.

Interoperability with ADFS
Complete interoperability with ADFS as well as Azure Active Directory services using SAML.

Load Balancing and High Availability
Replaces the NLB and WAP, and consolidates load balancing, security, and high availability in a single product instance.

Network Isolation and Secure Stack
Leverages a reverse proxy to completely isolate the protected applications, ensuring security against OS and network layer vulnerabilities.

Selective Publishing of All Web Applications
Extended Match Engine allows you to create granular rules so that only specific applications and URL spaces inside them are made accessible.

Choice of Authentication

  1. Pass-through - ADFS security token is forwarded to the published applications.
  2. Authentication Offload - The security token issued by ADFS is validated on behalf of the protected application.
  3. Pre-authentication - The published application requires the user to perform additional authentication.

Streamline Identity Federation with WAF

The Barracuda Web Application Firewall supports the SAML v2 protocol for authentication and web based single sign-on (SSO), which means that it can act as a SAML Service Provider (SP) to SAML-compliant Identity Providers (IdP), saving you from the complexities of implementing SAML on your web servers. This facilitates SSO between the cloud and on-premises web applications as well as interoperability with Azure AD which supports SAML 2.0.

Why Barracuda

Barracuda Networks was the first Microsoft Azure Certified Security Solution Provider. The Microsoft Azure Certification assures that the Barracuda Solutions have been tested for readiness and compatibility with Microsoft Azure public cloud, Microsoft Cloud Platform hosted by service providers through the Cloud OS Network, and on-premises private cloud Windows Server Hyper-V deployments.