Installation Requirements for AD FS and WAP

  • Question

  • I've been reading requirements for AD FS and WAP and am trying to confirm which roles can and can't be installed on servers together.

    We are looking to add AD FS so that we can use WAP and note that there is a requirement for WAP to be installed on a different server than AD FS.

    The ultimate goal is to utilise Remote Desktop Services, VPN and OWA externally.

    We have a DC, Exchange Server, App Server, plus RDS Server with Routing and Remote access (VPN). Should we install AD FS or WAP on the RDS server?

    If WAP, could we install AD FS on the server hosting Exchange, or is this not recommended?

    If AD FS, can we install WAP on Exchange?

    Thanks!

    Friday, June 9, 2017 3:14 AM

Answers

  • You can use OWA for port 443 from one server.. 

    You can use 443 from multiple servers but will need more than one public IP address, and use a NAT on your firewall to direct traffic from one server to one IP and the other to the other IP.. then configure your public DNS and set up your ports to access the servers you need access to.. 

    You can alternately use WAP/ADFS to direct traffic 

    You can also use Port forwarding and run a different public port for RDS and have it forward a certain type of traffic to server 4 and keep web traffic flowing to server 2

    Or.. 

    You can use OWA and set up a custom port of say 4343 and just give that to the folks in your office.. 

    I.E. https://Mail.MyServer.Owa:4343

    Or.. 

    You can use a hardware VPN for remote access into your network, and use OWA for your mail.. 

    In the long run it would be cheaper to use the hardware VPN, as you will maintain security, and you don't have to run multiple servers to use it.. you can also lock it down.. 

    Lastly.. 

    You can open port 5589 and use your firewall to direct all traffic on that port to go to a jump box, or desktop in workgroup mode, then use your firewall policy to lock down routes from that machine to only allow RDP and only allow it to certain machines.. Use local policy on the desktop to not remember any past logins, or details typed into the RDP box.. also allow only RDP, no ping, no network shares, no UNC.. This will keep you secure to the point that when someone tries to access the desktop, and gains access to it, they will only have access to it.. 

    For what you are trying to do.. Best practice is STILL to have a hardware VPN, be it a Juniper Pulse or Cisco VPN.. they are way more secure than trying to do what you are doing.. 

    Doing things right is not always the cheapest up front, but it will save you money and time in the long run. 


    Rob

    Wednesday, June 14, 2017 5:10 PM
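Rob's options above all come down to deciding which public ip:port each internal server owns, and his jump-box advice turns on the fact that RDP is still RDP whatever public port it is reached on. As an added illustration that is not from the thread, the Python below audits a constructed port-forwarding rule set for both problems: two services claiming the same public socket (OWA and the VPN both on 443), and any rule that delivers internet traffic to an RDP listener. The rule format, server addresses and rule names are assumptions made for the example.

```python
"""Audit a port-forwarding (DNAT) rule set for the two problems raised in
the thread: several services fighting over one public ip:port, and RDP
reachable from the internet on any public port.  Added example; the rule
format and the sample rules are constructed, not taken from the forum post."""

from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class ForwardRule:
    """One DNAT entry: traffic to public_ip:public_port goes to internal_host:internal_port."""
    name: str
    public_ip: str
    public_port: int
    internal_host: str
    internal_port: int
    protocol: str = "tcp"

    @property
    def public_socket(self):
        return (self.public_ip, self.protocol, self.public_port)


def find_collisions(rules):
    """Map each public socket claimed for more than one internal target to
    the names of the rules involved.  A firewall can only send a given
    public ip/proto/port to one place, so every entry here is a rule set
    that cannot work as written (the 443 problem in the question)."""
    by_socket = defaultdict(list)
    for rule in rules:
        by_socket[rule.public_socket].append(rule)
    return {
        socket: [r.name for r in group]
        for socket, group in by_socket.items()
        if len({(r.internal_host, r.internal_port) for r in group}) > 1
    }


def find_exposed_rdp(rules):
    """Names of rules that land internet traffic on an RDP listener.
    Moving the public side to an unusual port (5589 in the thread) does
    not change what is exposed; the internal port is what matters."""
    return [r.name for r in rules
            if r.protocol == "tcp" and r.internal_port == RDP_PORT]


def audit(rules):
    """Return human-readable findings, empty when the rule set is clean."""
    findings = []
    for (ip, proto, port), names in sorted(find_collisions(rules).items()):
        findings.append(
            f"{ip}:{port}/{proto} is forwarded by {', '.join(names)}; "
            "use a second public IP or a distinct public port for one of them")
    for name in find_exposed_rdp(rules):
        findings.append(
            f"rule '{name}' exposes RDP to the internet; restrict the source "
            "addresses or put the listener behind a VPN")
    return findings


# Constructed sample: the situation from the question (server 2 = Exchange/OWA,
# server 4 = RRAS VPN) plus a jump box on a non-standard public port.
# 203.0.113.0/24 is a documentation range, not a real address.
SAMPLE_RULES = [
    ForwardRule("owa", "203.0.113.10", 443, "10.0.0.2", 443),
    ForwardRule("vpn", "203.0.113.10", 443, "10.0.0.4", 443),
    ForwardRule("rds-jumpbox", "203.0.113.10", 5589, "10.0.0.9", RDP_PORT),
]

# The same two services after applying the thread's "second public IP" fix.
FIXED_RULES = [
    ForwardRule("owa", "203.0.113.10", 443, "10.0.0.2", 443),
    ForwardRule("vpn", "203.0.113.11", 443, "10.0.0.4", 443),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

Run against SAMPLE_RULES it reports the 443 collision between the OWA and VPN rules and flags the jump-box rule as exposed RDP; against FIXED_RULES, where the VPN has moved to a second public address, it reports nothing. The same check works for the "different public port" option: changing the VPN rule's public_port instead of its public_ip also clears the collision.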

All replies

  • ADFS should be on a different server than Exchange.

    WAP should be on a different server than Exchange and ADFS.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 12, 2017 9:42 PM
  • Sorry, i read over your question.. 

    What are you trying to do? 

    Because you can use OWA with Outlook Anywhere services installed through Exchange from Exchange 2000 - current and not need ADFS/WAP to do it.. If you are going to use VPN services to connect to your network, you really don't need a WAP/ADFS to do that.. and publishing RDS to the outside to RDP into your systems from the public side of the network regardless of WAP or ADFS is a REALLY BAD idea.. You'll end up with a constant issue of people trying to gain access.. 

    Not to mention, after doing multiple installations of WAP and ADFS, it is best avoided if you can.. 

    WAP and ADFS are great for people who want to set up websites like SharePoint or Dynamics to pass creds to the website using SSO from the Domain.. I don't suggest using it for what you are trying to do here.. 


    Rob



    Monday, June 12, 2017 9:58 PM
  • Thanks!
    Monday, June 12, 2017 10:37 PM
  • We are currently able to use OWA with no issue.

    However, OWA uses Port 443 to Server 2.

    We need to be able to use VPN to local resources which also requires Port 443 to Server 4.

    We can only direct inward Port 443 traffic to one server or the other.

    WAP has been suggested as a solution to allow us to continue to use OWA and add VPN to use RDS.

    Monday, June 12, 2017 10:40 PM
  • Thanks for the detailed response!

    I'm looking into VPN hardware, and options to give us flexibility (such as dual WAN) in the future.

    http://www.linksys.com/us/p/P-LRT224/

    http://www.tp-link.com/us/products/details/cat-4909_TL-ER6020.html

    http://www.cisco.com/c/en/us/products/routers/rv042g-dual-gigabit-wan-vpn-router/index.html

    It also seems AD FS will be of use to us as well, so I am continuing to investigate installation; most likely on the server currently with RDS installed.

    Friday, June 16, 2017 5:13 AM