Going beyond specification

A little while ago I wrote about impersonating Web Application Proxy towards AD FS with a simple KEMP header modification.

Since writing the blog on LinkedIn, I’ve received some queries about whether this works when you want to process advanced AD FS claim rules, for example ones based on the forwarded client IP.

While the available documentation doesn’t state that it’s possible, you can actually do it by going a bit beyond the normal specification with header injection.

Behind the scenes

The AD FS host expects the ’X-MS-Forwarded-Client-IP’ header from KEMP, just as it would from WAP. If that header is absent from the request but ’X-MS-Proxy’ is present, AD FS simply assumes the client is coming from the extranet. In that scenario you can’t use any advanced claim rule that depends on the client’s public IP (the x-ms-forwarded-client-ip request-context claim), because AD FS never receives it.

As you all might know, it’s pretty standard stuff to add the ’X-Forwarded-For’ header to requests that are TLS-terminated at the edge and then re-encrypted towards the back end. Well… 🙂 we are going to use the same logic here, just applied in a slightly different way.

The trick

  1. Ask KEMP to add ’X-Forwarded-For (+ Via)’ under ’Add HTTP Headers’ in the Virtual Service’s Advanced Properties.
  2. Ask KEMP to copy the header ’X-Forwarded-For’ to the header ’X-MS-Forwarded-Client-IP’ (the ’Copy Header in Request’ option in the same section). Only X-Forwarded-For is copied; Via is a separate header and can be left as it is.
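Before pointing a production Virtual Service at AD FS, it is worth seeing exactly which headers KEMP forwards. The following is an added example, not code from the original post or from KEMP: a throwaway PowerShell HTTP listener that stands in for the AD FS back end and prints every request header, warning when X-MS-Proxy or X-MS-Forwarded-Client-IP is missing or when the copied value is not a single IP address. It assumes port 8080 on the test host is free and reachable from the KEMP unit, and that a test Virtual Service forwards to it over plain HTTP (the port and the hypothetical test setup are assumptions).

```powershell
# Added example (not from the original post or KEMP): a stand-in back end that shows
# which headers the KEMP Virtual Service forwards. Run elevated, or register the URL
# ACL first (netsh http add urlacl). Port 8080 is an assumption; change it as needed.

$prefix   = "http://+:8080/"
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add($prefix)
$listener.Start()
Write-Host "Listening on $prefix - send a request through the test Virtual Service, Ctrl+C to stop"

try {
    while ($listener.IsListening) {
        $ctx  = $listener.GetContext()
        $req  = $ctx.Request
        $peer = $req.RemoteEndPoint.Address   # should be the KEMP unit, never the real client

        Write-Host ("`n--- {0} {1} from {2}" -f $req.HttpMethod, $req.RawUrl, $peer)
        foreach ($name in $req.Headers.AllKeys) {
            Write-Host ("{0}: {1}" -f $name, $req.Headers[$name])
        }

        # The two headers AD FS looks at in this setup (lookup is case-insensitive).
        $proxy = $req.Headers["X-MS-Proxy"]
        $fwd   = $req.Headers["X-MS-Forwarded-Client-IP"]

        if (-not $proxy) {
            Write-Warning "X-MS-Proxy missing: AD FS will treat this as an intranet request"
        }
        if (-not $fwd) {
            Write-Warning "X-MS-Forwarded-Client-IP missing: check the 'Copy Header in Request' setting"
        }
        elseif ($fwd -match ",") {
            # Several comma-separated addresses mean a client-supplied X-Forwarded-For was
            # appended to rather than replaced; an IP-based claim rule must not trust this.
            Write-Warning "X-MS-Forwarded-Client-IP holds several addresses: '$fwd'"
        }
        elseif (-not [System.Net.IPAddress]::TryParse($fwd, [ref]$null)) {
            Write-Warning "X-MS-Forwarded-Client-IP is not a single IP address: '$fwd'"
        }

        # Minimal 200 response so the KEMP health check and the test client are happy.
        $ctx.Response.StatusCode = 200
        $bytes = [System.Text.Encoding]::UTF8.GetBytes("ok")
        $ctx.Response.OutputStream.Write($bytes, 0, $bytes.Length)
        $ctx.Response.Close()
    }
}
finally {
    $listener.Stop()
}
```

Send one request through the test Virtual Service with no X-Forwarded-For of your own, then a second one where the client itself sets X-Forwarded-For to some other address; the second request tells you whether KEMP overwrites or appends, which decides how far the copied header can be trusted.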

The result

Now the forwarded client IP is part of every request and can be used in advanced claim rules. Bear in mind that AD FS trusts this value as-is, so such a rule is only as strong as the edge that sets it: AD FS should accept proxied requests only from the KEMP units, and KEMP should overwrite, not append to, any X-Forwarded-For a client sends itself.

In the example, I’ve set AD FS to bypass MFA for the Partner IP, if a Partner user terminates from a certain public IP. This all works now, courtesy of the header modification provided by KEMP.
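For readers who want to reproduce that kind of rule, here is an added example (not the author’s own configuration): an AD FS additional authentication rule, set with PowerShell, that requires MFA for members of a partner group unless the request’s x-ms-forwarded-client-ip claim exactly matches the partner’s public IP. The relying party name, the group SID and the IP address are placeholders.

```powershell
# Added example (not the author's configuration): require MFA for a partner group
# unless the forwarded client IP is the partner's public egress address.
# Placeholders to replace: relying party name, group SID, partner IP (TEST-NET-3 here).

$rpName          = "Partner App"             # placeholder relying party trust display name
$partnerGroupSid = "S-1-5-21-0-0-0-1234"     # placeholder: SID of the partner users group
$partnerPublicIp = "203.0.113.10"            # placeholder: partner's egress IP

$clientIpClaim   = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
$groupSidClaim   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$authMethodClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$mfaValue        = "http://schemas.microsoft.com/claims/multipleauthn"

# Anchored regex: the claim must be exactly the partner IP. A missing header, or one
# carrying several comma-separated addresses, does not match, so MFA is still required.
$ipRegex = "^" + [regex]::Escape($partnerPublicIp) + "$"

$rules = @"
@RuleName = "Partner users: require MFA unless coming from the partner public IP"
c:[Type == "$groupSidClaim", Value == "$partnerGroupSid"]
 && NOT EXISTS([Type == "$clientIpClaim", Value =~ "$ipRegex"])
 => issue(Type = "$authMethodClaim", Value = "$mfaValue");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rules

# Read the rule back to confirm it was stored as written.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The rule deliberately fails closed: anything other than a single, exact partner address, including an empty header or a multi-valued one, ends up requiring MFA rather than skipping it.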

Hope this helps somebody replacing WAP with KEMP.

Br, Joosua

1 comment on “Going beyond specification”

  1. Pingback: Cheat sheet: AD FS and Azure AD Hybrid Conditional Access | SecureCloudBlog