Anthony Bartolo
Pierre Roman
The AD FS Proxy role is deployed in the DMZ and is used for external client authentication.
People always ask me, do I really need an AD FS Proxy server? The answer is yes for one huge reason.
Security – It is possible to forward TCP 443 straight from the internet to the AD FS server, but this would not be a very smart security choice. Networking setup for these servers is very easy. We have an A record (sts.domain.com) in our public DNS that resolves to an internet-accessible IP address. This IP address should be configured as an external interface on your firewall. You are going to want to forward requests for sts.domain.com (port 443) from the external interface on the firewall to the AD FS server. Next, you are going to want to enable bi-directional communication between the AD FS server and the AD FS Proxy server.
Do not domain join the server, since the AD FS Proxy server sits in the DMZ. It functions just fine without being domain joined, and joining it would needlessly require opening firewall ports from the DMZ to the internal network.
Set the External Domain
Since the server is not domain joined and is technically a web server, it's recommended that you set the internal domain name.
Install AD FS Proxy Server Role
Install Sign-in Assistant
Install the Windows Azure Active Directory Module for Windows PowerShell
This completes the installation of all the prerequisite software for the AD FS Proxy server.
Just like the AD FS server, we need a third-party certificate on the AD FS Proxy server. The AD FS Proxy server must have the same SSL certificate we used on the AD FS server. The best way to do this is to export the certificate from the AD FS server and then import it on the AD FS Proxy server. Once it is on the AD FS Proxy server, we can assign it to the default website, the same way we did on the AD FS server.
Export the AD FS Certificate from the AD FS Server
Import the AD FS Certificate to the AD FS Proxy Server
Assign the Imported Certificate
Now that we have the third-party certificate imported on the server, we need to assign and bind it to the default website (HTTPS, port 443).
Now that our certificates are taken care of, we can continue to the last step: completing the AD FS Proxy server setup.
With all the required software installed on the server, we can verify name resolution for the AD FS server and the AD FS Proxy server. After that is completed, we configure the local AD FS Proxy server.
Verify Name Resolution
Since the AD FS Proxy server is not domain joined, it will not have access to the domain-based DNS. We need to add some entries to the local hosts file so that the AD FS Proxy server can resolve the internal IP for sts.domain.com and the AD FS server.
Domain Based Name Resolution
Internet Based Name Resolution
AD FS Proxy Server Name Resolution
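The following PowerShell script is an added post-setup check for the steps above (it is not from the original post). It adds the hosts entries the proxy needs, confirms each name resolves to the intended internal address, confirms the certificate imported from the AD FS server is present with its private key and bound to the default website on 443, and checks that TCP 443 to the AD FS server is open. The names sts.domain.com and adfs01.domain.com, the 10.0.0.10 address and the thumbprint value are placeholders; replace them with your own.

```powershell
# Added example (not part of the original post). Run elevated on the
# non-domain-joined AD FS Proxy server. All names, IPs and the thumbprint
# below are constructed placeholders; substitute your own values.
$HostsFile   = "$env:SystemRoot\System32\drivers\etc\hosts"
$HostEntries = @{
    'sts.domain.com'    = '10.0.0.10'   # federation service name -> internal AD FS IP
    'adfs01.domain.com' = '10.0.0.10'   # AD FS server FQDN (placeholder)
}
$AdfsServer         = 'adfs01.domain.com'
$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT_EXPORTED_FROM_ADFS_SERVER'

# 1. Add missing hosts entries. Existing (including commented-out) lines are left alone.
$current = Get-Content -Path $HostsFile -ErrorAction Stop
foreach ($name in $HostEntries.Keys) {
    $pattern = '^\s*[0-9a-fA-F.:]+\s+' + [regex]::Escape($name) + '(\s|$)'
    if (-not ($current -match $pattern)) {
        $line = "{0}`t{1}" -f $HostEntries[$name], $name
        Add-Content -Path $HostsFile -Value $line
        Write-Host "Added hosts entry: $line"
    }
}

# 2. Confirm resolution goes to the internal address, not a public one.
#    GetHostAddresses honours the hosts file, which is the point of the check.
foreach ($name in $HostEntries.Keys) {
    $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $HostEntries[$name]) {
        Write-Host "OK   $name -> $($resolved -join ', ')"
    } else {
        Write-Warning "$name resolved to '$($resolved -join ', ')', expected $($HostEntries[$name])"
    }
}

# 3. Confirm the certificate is the one from the AD FS server, has its private key,
#    and is bound to the default website on HTTPS/443.
Import-Module WebAdministration
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $cert)                    { Write-Warning "Certificate $ExpectedThumbprint not found in LocalMachine\My" }
elseif (-not $cert.HasPrivateKey)  { Write-Warning "Certificate found but has no private key; re-export with the key" }
else                               { Write-Host "OK   certificate present with private key (expires $($cert.NotAfter))" }
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
if (-not $binding)                                      { Write-Warning "No HTTPS binding on port 443" }
elseif ($binding.certificateHash -ne $ExpectedThumbprint) { Write-Warning "Port 443 is bound to a different certificate" }
else                                                    { Write-Host "OK   port 443 bound to the expected certificate" }

# 4. Confirm the proxy can reach the AD FS server on 443 (the bi-directional rule from the firewall step).
$tcp = Test-NetConnection -ComputerName $AdfsServer -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { Write-Host "OK   TCP 443 to $AdfsServer is open" }
else                       { Write-Warning "TCP 443 to $AdfsServer is blocked; check the DMZ firewall rule" }
```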
Configure Local AD FS Proxy Server
Now that our AD FS server and AD FS Proxy server are set up, we need to set up Directory Synchronization.
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Don't deploy AD FS Proxy, use TMG. Why TMG instead of AD FS Proxy? If the user is marked to reset their password on next log on, they cannot access Office 365 until they log on to a domain-joined PC and reset the password. From my testing though, if you are on a mobile device using ActiveSync and your account is marked for reset, you can still receive email on the mobile device.
I guess there are trade-offs. Some companies don't want to deploy another firewall solution, and AD FS Proxy servers can be set up very quickly. The good news is that both work really well.