Good day,
I am in the process of proposing a WAP solution and have followed the design using MS best practices as detailed below:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#standard-deployment-topology
The above article talks of External IP Addresses being in front of each Load Balancer (ADFS and WAP Load Balancers)
I have further read on the topology for server placement and network layout detailed here:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-wid-and-proxies#server-placement-and-network-layout-recommendations
However, the above article specifies External IP Addresses as a requirement for each WAP server and its NLB Cluster IP. That suggests 3 External IP Addresses for the internet-facing WAP servers only (and not the ADFS servers).
My Question:
My deployment is 2 x WAP servers running NLB, and 2 x ADFS servers running NLB as depicted in the diagram below. My Internet Firewall is capable of network address translation for requests to reach the WAP NLB. Please provide clarity on how many External IP Addresses are required in this best practice scenario and exactly where they should be placed (Internet Firewall, WAP External NICs, Virtual Cluster IP, etc.?)

I can understand not using External IPs for ADFS as it is not going to be exposed to the internet, but do the WAP servers need External IPs, or can I have my firewall NIC configured with an External IP and NAT to the WAP NLB Cluster IP (private address)?
Guidance on the above will be appreciated.
Thank you,