High Availability ADFS and WAP Networking Requirements

  • Question

  • Good day,

    I am in the process of proposing a WAP solution and have followed the design using MS best practices as detailed below:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#standard-deployment-topology

    The above article talks of External IP Addresses being in front of each Load Balancer (ADFS and WAP Load Balancers).


    I have further read on the topology for server placement and network layout detailed here:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-wid-and-proxies#server-placement-and-network-layout-recommendations

    However, the above article specifies External IP Addresses as a requirement for each WAP server and its NLB Cluster IP. That suggests 3 External IP Addresses for the internet-facing WAP servers only (and not the ADFS servers).


    My Question:

    My deployment is 2 x WAP servers running NLB, and 2 x ADFS servers running NLB as depicted in the diagram below. My Internet Firewall is capable of network address translation for requests to reach the WAP NLB. Please provide clarity on how many External IP Addresses are required in this best practice scenario and exactly where they should be placed (Internet Firewall, WAP External NICs, Virtual Cluster IP, etc.)?

    [Figure: AD FS Standard topology]

    I can understand not using External IPs for ADFS as it is not going to be exposed to the internet, but do the WAP servers need external IP or can I have my firewall nic configured with External IP and NAT to the WAP NLB Cluster IP (private address)?

    Guidance on the above will be appreciated.

    Thank you,

    Tuesday, October 23, 2018 10:46 AM

All replies

  • Recommendation would be to just have 1 public IP, that is an IP connected to the external interface of your internet facing firewall. That public IP will also have a corresponding DNS record. 
    Behind your internet firewall you should translate to internal addresses, so the only public IP you need is the one that will route to your external firewall.

    All internal NLB, WAP & ADFS-servers will have private addresses.

    Wednesday, October 24, 2018 6:08 AM
  • Thanks for your feedback Jorrk, I'll take that into consideration. Is the above a typical approach for successful deployment of a WAP/ADFS solution?
    Wednesday, October 24, 2018 6:16 AM