Active directory federation service with proxy for external portal site

  • Question

  • Hi,

    We need to implement an ADFS server and extend SSO to a portal server which is connecting through the internet. I saw in an article that it is mandatory to use a proxy server with a public IP to extend the ADFS services through the internet, but I didn't find any proper article on how to configure ADFS using a proxy. So kindly help me to complete this task.

    1. Do we need to enable ADFS on the local domain controller, or do we need to install these roles on the proxy, or is any other server required to configure the same?

    2. How can we do proxy configuration?

    Kindly provide a clear picture for the same.

    Thanks & regards,

    Libish A

    Tuesday, May 16, 2017 3:33 PM

All replies

  • Hi,

    It's not recommended to expose ADFS or any internal system on the Internet directly; hence, as admins, we try to leverage reverse proxy solutions\servers that act as brokers between the client on the Internet and the ADFS server hosted on the production\intranet segment.

    1. ADFS 2.0 has IIS and hence we shouldn't run it on Domain Controllers. ADFS 3.0 doesn't run IIS; however, I would still personally suggest you have it hosted on a dedicated server.

    2. With Windows 2012 R2, you set up an ADFS 3.0 server hosted on the intranet and the Web Application Proxy server role in the DMZ. Only the WAP is open to the Internet. You will need to configure an ADFS trust on the WAP. This is pretty straightforward.

    FW rules without client certificate authentication:

    Any to WAP:- 443

    WAP to ADFS:- 443

    Articles to help with setting up the trust on the WAP:

    https://technet.microsoft.com/en-us/library/gg188612.aspx

    https://technet.microsoft.com/en-us/library/dn383662(v=ws.11).aspx

    Regards,

    Ashele

    Wednesday, May 17, 2017 7:26 AM
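The WAP setup described in the answer above (role install in the DMZ, ADFS trust from the WAP to the intranet ADFS server, portal published behind ADFS pre-authentication, and a check that only TCP 443 is needed between the tiers) can be driven from PowerShell on the Windows Server 2012 R2 WAP host. The script below is an added example, not code from the thread or from Microsoft's documentation. The federation service name, URLs, application name and relying party name are hypothetical placeholders, and it assumes the SSL certificate for the federation service has already been imported with its private key into the WAP's machine store and that a relying party trust named "Portal" already exists on the ADFS server.

```powershell
# Added example: configure a Web Application Proxy (WAP) in the DMZ for an
# intranet AD FS 3.0 server, as outlined in the reply above.
# Run elevated on the DMZ server that will become the WAP.
# All names, URLs and credentials below are hypothetical placeholders.

# 1. Federation service name. Public DNS must resolve it to the WAP; the WAP
#    itself must resolve it to the internal AD FS server (hosts file or split DNS).
$FederationServiceName = "fs.example.com"   # hypothetical

# 2. Locate the federation service SSL certificate in the machine store.
#    It must have been imported with its private key before this step.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$FederationServiceName*" } |
    Select-Object -First 1
if (-not $Cert) {
    throw "Certificate for $FederationServiceName not found in Cert:\LocalMachine\My"
}

# 3. Install the WAP role (the WAP does not need IIS and need not be domain-joined).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 4. Establish the proxy trust with the internal AD FS server. The credential is
#    an account with local administrator rights on the AD FS server; it is used
#    only while the trust is created and is not stored on the WAP afterwards.
$TrustCred = Get-Credential -Message "Account with admin rights on the AD FS server"
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $TrustCred `
    -CertificateThumbprint $Cert.Thumbprint

# 5. Publish the portal with AD FS pre-authentication, so unauthenticated
#    Internet clients are challenged at the WAP and never reach the internal
#    portal server directly. The relying party "Portal" must already exist on AD FS.
Add-WebApplicationProxyApplication -Name "Portal" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://portal.example.com/" `
    -BackendServerUrl "https://portal.corp.example.local/" `
    -ADFSRelyingPartyName "Portal" `
    -ExternalCertificateThumbprint $Cert.Thumbprint

# 6. Verify the only inbound path the WAP needs to the inside is TCP 443 to the
#    AD FS server, and that the published application is registered.
Test-NetConnection -ComputerName $FederationServiceName -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

The `Install-WebApplicationProxy` step is what the reply calls "configuring the ADFS trust on the WAP"; if it fails, the usual causes are the WAP resolving the federation service name to itself instead of the internal AD FS server, or a certificate without an exportable private key. Keeping the published application on `ADFS` pre-authentication (rather than `PassThrough`) is what makes the WAP a broker rather than a plain port forward.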