ADFS 3.0 compatibility

Hello,

I've tried to set up the new ADFS version with TMG 2010, since it was working perfectly with ADFS 2.0, and I ran into a lot of trouble with it. Here is basically what my problem was:

http://blogs.blackmarble.co.uk/blogs/adawson/post/2014/07/08/Publishing-ADFS-using-Web-Application-Proxy-behind-TMG.aspx

Does anyone have any official information about compatibility issues with TMG? I would rather not use a WAP but if Microsoft officially states that it is not possible to publish it through TMG then I guess I'd have no choice.

Thanks!

March 17th, 2015 10:51am

Yes that is exactly what I have followed.

After reading the SNI article, it shouldn't apply to my case since we are using SNI-capable clients. Thanks for the input, I didn't know about this problem.

I find it weird that there is so little information about ADFS 3 and TMG, since it's been available for a while now.

March 17th, 2015 1:26pm

Hi,

In your case, TMG is the client that is not SNI capable.

TMG terminates the connection to inspect it before forwarding the traffic making TMG the client.

In other words, you do need to implement the change for non-SNI capable clients.

March 17th, 2015 2:51pm
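The "change for non-SNI capable clients" referred to above is assumed here to be the usual remedy for this symptom: adding an IP:port fallback HTTPS binding in HTTP.sys alongside the hostname (SNI) binding that ADFS 3.0 / WAP registers, so a client that sends no SNI, such as TMG, still gets a certificate. The script below is an added example, not code from the thread or from Microsoft; it reads the existing SNI binding with `netsh http show sslcert` and mirrors its certificate and application ID onto `0.0.0.0:<port>` for 443 and for the 49443 certificate-authentication port, and should be run elevated on whichever server TMG actually connects to (the WAP nodes in the topology described later in this thread).

```powershell
# Added example (not from the thread). Assumes the non-SNI fix is a fallback
# IP:port binding that mirrors the existing Hostname:port binding.
param(
    [int[]]$Ports = @(443, 49443),   # HTTPS and ADFS certificate-auth ports
    [switch]$WhatIf                  # report only, change nothing
)

# Parse 'netsh http show sslcert' into one object per binding.
function Get-SslBinding {
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $current }
            $current = [pscustomobject]@{
                Kind = $Matches[1]; Endpoint = $Matches[2]
                CertHash = $null; AppId = $null; Store = 'MY'
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $current.CertHash = $Matches[1] }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') { $current.AppId = $Matches[1] }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $current.Store = $Matches[1] }
    }
    if ($current) { $current }
}

$bindings = @(Get-SslBinding)
foreach ($port in $Ports) {
    # The SNI binding ADFS/WAP created, e.g. adfs.contoso.com:443
    $sni = $bindings | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -like "*:$port" } | Select-Object -First 1
    # An existing fallback binding means a non-SNI client already gets a certificate
    $fallback = $bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq "0.0.0.0:$port" }

    if (-not $sni) { Write-Warning "Port ${port}: no Hostname:port binding found; nothing to mirror."; continue }
    if ($fallback) { Write-Host "Port ${port}: fallback binding already present ($($fallback.Endpoint))."; continue }

    $args = @("ipport=0.0.0.0:$port", "certhash=$($sni.CertHash)", "appid=$($sni.AppId)", "certstorename=$($sni.Store)")
    if ($WhatIf) { Write-Host "Would run: netsh http add sslcert $args"; continue }
    Write-Host "Adding fallback binding for port $port (mirrors $($sni.Endpoint))"
    & netsh http add sslcert @args
}
```

Run it once with `-WhatIf` to confirm which bindings it would mirror before applying the change; a plain `netsh http show sslcert` afterwards should then list both the Hostname:port and the 0.0.0.0:port entries with the same certificate hash.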

I'm having a real issue with TMG publishing ADFS 2012 R2 certificate authentication. I have successfully published NLB WAP servers and everything works fine to the ADFS NLB servers internally. But when I try to publish 49443 (certificate authentication) it hits the WAP servers with no issues, then gets blocked from the WAP servers to the ADFS servers as unidentified TCP traffic. I have created a separate access rule for this as I can see it creates a new connection. Just unsure as to how it sees 49443 as defined traffic in one rule and blocked in the next!

TMG is behind a firewall, so internet traffic is NAT'd to the TMG external interface; a non-web rule allows access to the WAP server NLB address. WAP servers are single NIC and send traffic from the TMG DMZ to TMG Internal to hit the internal ADFS servers.

Any help appreciated. I know this is a non-standard install, but I am lacking choices from the client.
March 18th, 2015 12:29am

You don't mention how your TMG servers are configured but I'd use a server publishing rule instead of an access rule. As I understand it, this is inbound traffic and access rules are not meant for inbound traffic.

Furthermore, you need the server publishing rule in order to prevent TMG from looking into the packet and seeing what's in it. Cert auth may have issues with this.

March 18th, 2015 5:07am

Thanks for the input, I will try to implement it and see if it works.
March 18th, 2015 6:21am

Hi, thanks, yep I did miss that out. It is a server publishing rule I have implemented to publish the WAP server VIP. So I publish the VIP address of the WAP servers. The requests are configured to appear to come from the original client, and the traffic allowed is 443 and 49443. I can see in the logs that 49443 is allowed, then one of the WAP nodes sends further 49443 traffic to the VIP of the internal ADFS servers and it is blocked by the Default Rule as unidentified traffic. Although this traffic is allowed via an access rule further down, I can now see that it is trying to utilise a network rule further up and failing.
March 18th, 2015 11:18pm

If it fails on a network rule, you need to sort that out first.

If you haven't seen this already, have a look at the following thread.

https://social.technet.microsoft.com/Forums/forefront/en-US/4424cf2c-12a9-477f-a3f5-6cad57265a54/how-to-publish-a-web-site-which-requires-ssl-client-certificate-authentication-with-tmg?forum=Forefrontedgegeneral

March 20th, 2015 4:52am
