Showing results for 
Search instead for 
Did you mean: 

Health monitoring ADFS

Martyn Griffiths
New Contributor

Health monitoring ADFS



We're looking to try and provide suitable health monitoring for some ADFS and ADFS Proxy services being provided by our Brocade virtual Traffic Manager (running v11.0).


I've seen a previous post (from 2015) that failed to suggest a solution. However in "Windows Server 2012 R2 Update rollup (KB.2975719)", Microsoft in their wisdom, provide a way of monitoring ADFS using HTTP. See the following URL for details:


However as ADFS uses SSL pass-through (at least in our case) on port 443, we seem unable to using the HTTP method to monitor this HTTPS service. The stock HTTP monitor sends the requests to port 443.


My question is therefore, is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP).

Or must we write an external monitor, using Perl or similar?


The new ADFS HTTP monitor URL's are:

http://<Web Application Proxy name>/adfs/probe

http://<ADFS server name>/adfs/probe

http://<Web Application Proxy IP address>/adfs/probe

http://<ADFS IP address>/adfs/probe


many thanks in advance


Martyn Griffiths

University of South Wales



Re: Health monitoring ADFS

Thanks Martyn - It is possible to write a custom health monitor, but I think you should be able to use the standard HTTP monitor with the “use_ssl” flag set to True. That should give HTTPS monitoring on port 443. 



> is it possible, using the stock health monitors, to monitor a 443 (HTTPS) service on port 80 (HTTP).


However, your post suggests you are looking at port 80 (HTTP), is that the case?



New Contributor

Re: Health monitoring ADFS



a standard monitor always will monitor the port configured in the node config from the pool. To monitor other ports, you need a scripted health monitor.


Here's an example HTTP/S monitor I wrote in Python, although not performance optimized, as it runs an additional subprocess. It reads additional parameters through the health monitor to specify, what port you want to monitor and what path.


Upload the script to Extra Files/Monitors, then create a new program based monitor and add the parameters below...


#!/usr/bin/env python
# HTTPS health monitor for different port than node port
# Juergen Luksch, System Engineer vADC, Brocade Communications GmbH
# 26.09.2016   v2.2

# Running: --ipaddr= --port=443 --node= --verbose --usessl --monitorport=8443 --timeout=1 --path=/ --failures_left=2

import argparse
import sys
import subprocess

parser = argparse.ArgumentParser(description="vTM HTTPS health monitor")

#standard VTM arguments
parser.add_argument("--ipaddr", dest="vtm_ipaddr", help="IP address to monitor")
parser.add_argument("--port", dest="vtm_port", type=int, help="node port")
parser.add_argument("--node", dest="vtm_node", help="node to monitor")
parser.add_argument("--verbose", dest="vtm_verbose", action="store_true", help="verbose output")
parser.add_argument("--usessl", dest="vtm_usessl", action="store_true", help="if SSL protocol used")
parser.add_argument("--failures_left", dest="vtm_failures_left", help="health monitor failures left")

#custom health monitor parameters
parser.add_argument("--monitorport", dest="monitorport", default="-1", help="tcp port to monitor")
parser.add_argument("--timeout", dest="timeout", type=int, default=1, help="timout for CURL health monitor")
parser.add_argument("--path", dest="path", default="", help="path to check in monitor")
args = parser.parse_args()

if args.vtm_usessl:

if args.monitorport == "-1":

if not args.path:
  args.path = "/"
elif args.path[0] != "/":
  args.path = "/" + args.path

devnull = open('/dev/null', 'w')["/usr/bin/curl", "--silent", "--fail", "--insecure", "--connect-timeout", str(args.timeout), 
  protocol + "://" + args.vtm_ipaddr + monitorport + args.path], stdout=devnull)

if args.vtm_verbose:
  print("/usr/bin/curl --silent --fail --insecure --connect-timeout %s %s://%s%s%s *** RESULT: %i" %
    (args.timeout, protocol, args.vtm_ipaddr, monitorport, args.path, res))

if res:
  sys.stderr.write("curl response code:"+str(res))

add 3 arguments to the monitor to specify, path, port and timeout:

monitor parameters



Martyn Griffiths
New Contributor

Re: Health monitoring ADFS

Hi Paul


Yes, we're looking to monitor an HTTPS (443) VIP with a HTTP (80) monitor.


Basically it's Microsoft ADFS (which uses 443) and the monitor that Microsoft supplies is via a HTTP URL.




Martyn Griffiths
New Contributor

Re: Health monitoring ADFS

Many thanks Jürgen


We've tested your script and it does work. However, the Microsoft documentation suggest we look for a HTTP "200" response code from the health monitor.


If it's okay with you, we'll take a look at the script and see if we can amend it to test for a suitable server response code.


We will let you know how we get on.


best regards