Hello,
I wonder if the community might be able to provide me some guidance here. I am reaching the conclusion of a project to provide a highly available ADFS implementation between an on premises and an Azure based datacenter.
We have a site to site VPN between the on premises and Azure datacenters, with Domain Controllers hosted in both locations.
On Premises, we have 2 load balanced WAP servers in a DMZ, and 2 load balanced ADFS servers in the domain.
In Azure, we have 1 WAP in a DMZ and 1 ADFS Server in the domain.
sts.domain.org and sts1.domain.org are currently directed to the On Premises ADFS solution.
sts2.domain.org is pointing at the Azure Solution.
Once traffic manager is doing what it should do, sts.domain.org will be directed to the traffic manager CNAME which will use the Azure solution as its primary node.
Traffic Manager is using /adfs/probe to check the health of each solution, and is successfully querying this URL on port 80 for each node and reporting health as positive.
If I take the WAP server offline, traffic manager successfully identifies the node as unavailable and directs traffic to the on premises solution. This is as expected.
However, if the ADFS Server is powered off and only the WAP server is functional, the probe still reports the solution as available.
I was under the impression that the WAP server's /ADFS/probe URL would provide an indication of the health of both the WAP and the ADFS Servers, but this doesn't seem to be the case.
If I change the probe to use SSL and direct the probe to the idpinitiatedsignon URL, the ADFS server is successfully queried and Traffic Manager works as expected. I would rather not need to do this because we'd need to purchase new security certificates to cover the sts1 and sts2 URLs.
Can anyone suggest a way to check the true health of the ADFS server using port 80?
Any help would be very welcome.
Thanks!
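A composite site check, written as an added example and not part of the original post: it probes /adfs/probe on port 80 on the WAP and on the ADFS server separately, and only calls the site healthy when both answer, since the WAP's own probe response says nothing about the ADFS server behind it. The hostnames are placeholders (assumptions), and the `check` parameter exists so the logic can be tested offline.

```python
"""Composite AD FS site health check (example code, not from the post).
Both WAP and AD FS servers answer GET /adfs/probe on HTTP port 80, so the
AD FS servers are probed directly rather than through the WAP."""
import urllib.request
from typing import Callable, Dict, Iterable

PROBE_PATH = "/adfs/probe"  # served on port 80 by WAP and AD FS servers


def probe(host: str, timeout: float = 3.0,
          opener: Callable = urllib.request.urlopen) -> bool:
    """Return True only if http://host/adfs/probe answers HTTP 200 in time.

    Any connection error, timeout or non-200 status counts as unhealthy,
    which is what a load-balancer probe should assume."""
    url = f"http://{host}{PROBE_PATH}"
    try:
        with opener(url, timeout=timeout) as resp:
            return resp.status == 200
    except (OSError, ValueError):  # URLError is a subclass of OSError
        return False


def site_healthy(wap_hosts: Iterable[str], adfs_hosts: Iterable[str],
                 check: Callable[[str], bool] = probe) -> Dict:
    """A site is healthy only if at least one WAP *and* at least one AD FS
    server answer the probe; a healthy WAP in front of a dead AD FS farm
    must not be advertised as available."""
    wap = {h: check(h) for h in wap_hosts}
    adfs = {h: check(h) for h in adfs_hosts}
    return {"wap": wap, "adfs": adfs,
            "healthy": any(wap.values()) and any(adfs.values())}


if __name__ == "__main__":
    # Placeholder hostnames; replace with the real WAP/AD FS addresses.
    result = site_healthy(["wap-azure.placeholder"],
                          ["adfs-azure.placeholder"])
    print(result)
```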