Fault Tolerant ADFS Setup Using Azure Traffic Manager or AWS Route 53

The client wanted to migrate an existing ADFS 2.0 setup to a new redundant ADFS setup. A design was made to span Azure and AWS with two backend ADFS servers and two frontend WAP ADFS servers, and having fault tolerance using Azure Traffic Manager. With a twist!

As you may have seen in various places the suggested approach on this setup will not provide complete redundancy. Configuring the default WAP probe in Traffic Manager will not initiate a failover when the backend ADFS server is down but the WAP component is healthy. So it’s basically useless.

Fortunately I figured out a way to fix this:

Instead of using the default port 80 probe on the ADFS WAP server you should use a custom port, e.g. port 81. You then configure the WAP server to forward the port 81 request to the probe (port 80) of the backend ADFS server. Using this approach will ensure that Azure Traffic Manager (or AWS Route 53 if using that) will failover anytime the WAP frontend or the ADFS backend fails.

I have not seen anybody else use this approach but I have tested it thoroughly and the failover works very smooth no matter if the WAP or the ADFS backend fails.

The configuration of the WAP server is seen below (it includes the probe forwarding rules of both WAP servers since the configuration is replicated between the WAP servers):

The Traffic Manager configuration is seen here:

The setup also works well with AWS Route 53. A sample configuration of Route 53/Hosted Zone/Record Set/Health Check is seen here: