ADFS Proxy in Azure

  • Question

  • Hi,

    I'm trying to understand the design requirements for the following scenario.

    We currently use Office 365 with our local AD synced to Azure AD for Office 365 using DirSync - the standard setup with O365. We now want to enable federation so we are using a single identity, rather than using Azure AD for authentication to mailboxes.

    All this is currently set up in a test environment on premise and works fine.

    To avoid any disruption to users if our internal link were to fail, we want to host two domain controllers and ADFS servers in Azure with a site-to-site VPN connection back to our office. We currently have a 2:2:2 solution with 2 AD DCs, 2 AD FS internal and 2 AD FS proxy servers. The proxy servers communicate back to the internal FS servers over HTTPS (port 443).

    How would we need to implement this in Azure? Would we need to create a separate cloud service for the AD DS and AD FS internal servers, which contains the site-to-site VPN back to our head office, and then a separate cloud service for the proxy servers? But would this then not prevent them from connecting to the AD FS servers?

    Thanks


    Denis Cooper MCITP EA - MCT

    Wednesday, February 13, 2013 11:57 AM

Answers

  • Hi Denis,

    We have recently published guidance to enable this scenario. The guidance is published here:

    http://www.microsoft.com/en-us/download/details.aspx?id=38845 (Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure)

    In addition to architectural recommendations, this whitepaper provides guidelines to assist you in determining whether or not hosting part of your authentication infrastructure on Azure VMs is the right thing to do for your business.

    As a side note, we recommend deploying not only the AD FS components, but also Domain Controllers to reduce possible latency effects, and to provide continued user authentication even if connectivity to your on-premises environment is temporarily unavailable - which seems to be one of your objectives.

    Regards,

    Yann

    Wednesday, May 29, 2013 8:42 AM

All replies

  • I have seen a couple of requests for this type of setup and so far as I can tell, it's not supported.

    And even if it was, if your link is down, your users will be having other issues as well! ;-) And even if you could, would you really want to put your entire AD in the cloud? From purely a security perspective, that seems like a sub-optimal solution.

    One suggestion is, rather than put these 4 VMs into the cloud, and pay for running them and for the synchronisation traffic between the cloud and on-prem DCs (i.e. the normal everyday DC replication traffic), why not get your datacoms supplier to provide you with a fault tolerant link so that that link is, well, fault tolerant. I'd have thought that this might be a cheaper option, but as we know costs and services vary widely so, as they say, your mileage may vary. And if not cheaper, it would give your users more robust access in/out of your intranet and might be more secure.

    Sorry if that's not quite the answer you wanted.


    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, March 28, 2013 5:37 PM
  • I'd love to revisit this topic, because I have customers asking me about this as well.  So I'm very interested in people's opinions...

    Which of these scenarios would be preferable?:

    1. Local AD site-to-site replication with DCs in Azure, and then using the Azure machines for ADFS for Office 365
    2. Local AD with load balanced ADFS Proxies on VMs in Azure (opening just the ports and endpoints required to support the connection from AD to the proxy servers)
    3. Local AD and Azure VMs running AD LDS and ADFS

    I'd love to hear what you'd recommend, and why.

    Thanks,

    Kevin


    Kevin Remde US DPE - IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde http://twitter.com/kevinremde

    Wednesday, May 15, 2013 1:23 PM
  • Hi,

    I've been doing a lot of work on this recently - I'm doing some final testing.

    Once done I'll post something on my blog...


    Regards,

    Denis Cooper

    MCITP EA - MCT


    Wednesday, May 15, 2013 9:09 PM
  • Posted part 1 today - should get the next parts up this week.

    Regards,

    Denis Cooper

    MCITP EA - MCT


    Wednesday, May 22, 2013 10:20 AM