ADFS MFA Firewall rules for outbound communication

[derSchweiger]

Hi,

we've tried to install this plugin on an isolated ADFS environment (servers are not allowed to communicate with the internet) and have experienced some issues:

• MMC doesn't work and is loading forever
• PowerShell cmdlets are partially very slow
• Plugin might not work correctly (haven't tested that in detail)

After allowing outbound communication for this environment, the plugin works as expected. This raises the question of which endpoints the plugin utilizes. While crawling through the source code I've found the following URLs:

• https://mds3.certinfra.fidoalliance.org/getEndpoints
• https://mds.fidoalliance.org/
• https://www.spamhaus.org/drop/drop.txt
• https://pfd.phonefactor.net/pfd/pfd.pl
• https://pfd2.phonefactor.net/pfd/pfd.pl

My followup questions are:

• Is there any statement on whether it is supported to use this plugin in such an isolated environment (maybe with restricted 2FA settings)? If so, do we need to configure anything special?
• If an outbound connection is mandatory: Is it possible to restrict access to certain IPs?

Thank you in advance!

[redhook62]

Hi,

The plugin can work without the ADFS servers having access to the internet.
The slowness problems you are experiencing do not come from the URLs you indicate.
Make sure that your servers do not have name resolution issues (DNS), particularly to access your domain controllers with ldap(s) or use the servers' host file.

Regarding the URLs indicated:

• https://mds3.fido.tools/getEndpoints is not used on our side (conformance testing)
• https://mds.fidoalliance.org/ is the download of the WebAuthN biometrics metadata file (file versioned and regularly updated by FIDO alliance. Contains the descriptions of all biometric devices compliant to date), this download can be disabled in configuration or MMC : ConstrainedMetadataRepository
• https://www.spamhaus.org/drop/drop.txt contains the IPs that will be blacklisted if you activate (ADFS 2019+): Threat Detection System.
• As for the phone factors urls, these are old, obsolete examples that are not used.

regards

[derSchweiger]

Hi,

thanks for the clarification. I'm pretty sure that the DNS resolution and the communication between domain members haven't had any problems. ADFS and DCs are in the same subnet and the Windows Firewall is disabled.

While opening the MFA MMC i received the following error message:

Isn't this indicating a request to an internet source?

[redhook62]

ConstrainedMetadataRepository

• False Metadata Payloads are downloaded automatically from https://mds.fidoalliance.org/
• True if your adfs's servers don't have access to internet, you must regulary download the blob
  and deploy this file on your servers in \ProgramFiles\MFA\Config rename the downloaded file as blob.db

and then
restart-service mfanotifhub

[derSchweiger]

@redhook62 thank you! To sum it up: The best solution in such an environment is to create restricted outbound firewall rules to allow the blob file to be downloaded.