ADFS 3.0 - Switching external users to Azure based service

  • Question

  • Currently our ADFS setup is as follows:
    - 2 (on premise) ADFS 3 servers
    - 2 (on premise) WAP servers
    - Split DNS
    - Internally fs.domain.com points to NLB cluster IP 
    - Externally fs.domain.com points to WAN IP which is NAT'd to the WAP cluster

    The plan is to add another ADFS server, which lives in Azure, which will service external users.

    The question is, with current configuration considered, what is the best way to go about this addition?
    - Add a single standalone WAP in Azure and mimic the on premise configuration in Azure?
    - Some other way? 

    ** We do also have Azure AD Application Proxy available.


    Thursday, October 20, 2016 1:53 AM

All replies

  • Do you want it to be an active-active kind of configuration?

    What backend are you using? WID or SQL?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, October 21, 2016 5:01 AM
  • You can look at using an Azure S2S VPN between your Azure tenant and on-prem configuration for synchronizing domain traffic. A more robust approach is to configure an ExpressRoute network connection between the two.

    Bear in mind that domain traffic will flow from the Azure-based host towards your domain controllers so if you are planning on implementing an IaaS-based AD FS solution, domain controllers in Azure are also worth considering. Additionally, you'll need to look at some sort of geo-load balancing for your Azure and on-premise configurations... something like Azure Traffic Manager... Post back if you need more info...


    http://blog.auth360.net

    Sunday, October 23, 2016 7:32 PM
  • > Do you want it to be an active-active kind of configuration?
    >
    > What backend are you using? WID or SQL?
    >
    > Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Yes, the preference is active-active.

    Currently WID.

    Sunday, October 23, 2016 10:27 PM
  • > You can look at using an Azure S2S VPN between your Azure tenant and on-prem configuration for synchronizing domain traffic. A more robust approach is to configure an ExpressRoute network connection between the two.
    >
    > Bear in mind that domain traffic will flow from the Azure-based host towards your domain controllers so if you are planning on implementing an IaaS-based AD FS solution, domain controllers in Azure are also worth considering. Additionally, you'll need to look at some sort of geo-load balancing for your Azure and on-premise configurations... something like Azure Traffic Manager... Post back if you need more info...
    >
    > http://blog.auth360.net


    There is already an IPsec tunnel between Azure and our primary site.
    There are already 2 DCs in Azure.

    I would love more info, as the part I don't really understand, nor can I find much documentation on, is ADFS configurations in conjunction with split DNS and Azure.

    You say I would need some sort of geo-load balancing, but the way I wish to split traffic is simply internal on premise traffic, and external traffic.

    The ultimate goal is to allow users external to our network to still have ADFS available if our on premise network has in some way failed.
    Sunday, October 23, 2016 10:36 PM
  • Bump
    Monday, November 21, 2016 4:09 AM
  • As long as ADFS can talk to DCs, you are good.

    Note that the Extranet Lockout Policy as well as the Password Update features both require connectivity to the ePDC of the user's domain. So you might want to consider that in the event your VPN is down (and since you don't want your ePDCs in the cloud).

    For the geographic load balancing of your farm, you can have a look there: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f7f43c62-2765-473d-978b-6e01e29ab93b/is-adfs-and-azure-traffic-manager-a-supported-scenario-dns-cname?forum=winserverDS

    Wednesday, December 14, 2016 8:02 PM
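As an added example (not from the thread or from Microsoft), a PowerShell check that an AD FS 3.0 server can reach the PDC emulator of each user domain it serves, since the Extranet Lockout and Password Update features mentioned in the last reply depend on that connectivity. The domain names are hypothetical, and the ports tested (LDAP 389 and Kerberos 88) are an assumption about what the federation service needs.

```powershell
# Added example, not from the thread. Run on an AD FS 3.0 server (Windows Server 2012 R2).
# Assumes the ADFS and ActiveDirectory modules are installed; domain names are hypothetical.
Import-Module ADFS
Import-Module ActiveDirectory

# Show whether the features that depend on the ePDC are actually turned on.
$props = Get-AdfsProperties
"Extranet lockout enabled : {0}" -f $props.ExtranetLockoutEnabled
"Lockout threshold        : {0}" -f $props.ExtranetLockoutThreshold
"Observation window       : {0}" -f $props.ExtranetObservationWindow

# Domains whose users authenticate through this farm (constructed list).
$domains = @('domain.com', 'child.domain.com')

# Ports the federation service is assumed to need toward the PDC emulator:
# LDAP for the bad-password counters, Kerberos for password changes.
$ports = @(389, 88)

$report = foreach ($d in $domains) {
    # PDCEmulator is the FSMO role holder the lockout and password features talk to.
    $pdc = (Get-ADDomain -Identity $d -ErrorAction Stop).PDCEmulator
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $pdc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Domain    = $d
            PDC       = $pdc
            Port      = $p
            Reachable = $t.TcpTestSucceeded
        }
    }
}

$report | Format-Table -AutoSize

# Flag the failure mode the reply warns about: lockout enabled but the ePDC unreachable
# (for instance while the site-to-site VPN to the on-premise DCs is down).
$unreachable = $report | Where-Object { -not $_.Reachable }
if ($props.ExtranetLockoutEnabled -and $unreachable) {
    Write-Warning ("Extranet lockout is enabled but the PDC emulator is unreachable for: " +
        (($unreachable | Select-Object -ExpandProperty Domain -Unique) -join ', '))
}
```

Running this from the Azure-hosted AD FS server with the tunnel deliberately down shows which user domains would lose lockout and password-update functionality in exactly the failover scenario the thread is about.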