In the AD FS Proxy videos, we explain why the servers are placed in the DMZ and are not domain joined. There are additional requirements: the certificate (with its private key) must be imported, and network load balancing is required since more than one AD FS server is being used. DNS host records should be configured for both the internal and external AD FS servers.
In remote work environments, users need to be able to connect from locations other than the physical office. To leverage the functionality of AD FS for these external users, proxy servers need to be deployed to protect our internal servers. The AD FS Proxy is a layer of security between the on-premises network and the internet. The proxy server passes tokens between the client and the AD FS servers, so when an external client requests access, the AD FS proxy is the intermediary.
The client never has access to the internal servers. The proxy server is not a requirement of an AD FS implementation, but it is strongly recommended, as we do not want to expose our internal AD FS servers to the internet. You would use a proxy server, or Web Application Proxy as it is now called in Server 2012 R2, if your external clients require access to your network. AD FS proxy servers are not domain joined and are located in the perimeter or DMZ network.
These servers need the SSL certificate, with its private key, imported into the local certificate store. They must also be able to resolve the address of the internal AD FS server. Adding proxy servers offers the best of both worlds: it provides security while still giving external users the single sign-on experience and the flexibility to work from anywhere.
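The prerequisites described above can be checked on a prospective proxy server before the role is installed. The PowerShell below is an added example, not part of the course material; `sts.example.com` is a placeholder federation service name and `Test-AdfsProxyPrerequisite` is a hypothetical function name.

```powershell
# Added example: pre-flight check for a server that will become an AD FS proxy
# (Web Application Proxy). Run locally on that server in an elevated session.
function Test-AdfsProxyPrerequisite {
    param(
        # Placeholder federation service FQDN; replace with your own.
        [string]$ServiceName = 'sts.example.com'
    )

    # 1. Proxy servers sit in the DMZ and should NOT be domain joined.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # 2. The SSL certificate for the service name must be in the local machine
    #    store, include its private key, and be inside its validity period.
    #    Exact-name match only; a wildcard certificate needs a manual check.
    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.DnsNameList.Unicode -contains $ServiceName)
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    # 3. The service name must resolve from this server (DNS or hosts file)
    #    to an address that leads to the internal AD FS server.
    $addresses = @(Resolve-DnsName -Name $ServiceName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress)

    # 4. The proxy talks to AD FS over HTTPS, so TCP 443 must be reachable.
    $port443 = $false
    if ($addresses.Count -gt 0) {
        $port443 = (Test-NetConnection -ComputerName $ServiceName -Port 443 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        ServiceName       = $ServiceName
        NotDomainJoined   = -not $domainJoined
        CertThumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        CertExpires       = if ($cert) { $cert.NotAfter } else { $null }
        ResolvedAddresses = $addresses
        Port443Reachable  = $port443
        Ready             = (-not $domainJoined) -and [bool]$cert -and $port443
    }
}

Test-AdfsProxyPrerequisite -ServiceName 'sts.example.com' | Format-List
```

Confirm that `ResolvedAddresses` shows the internal AD FS address (or its load-balanced virtual IP) rather than the public one; a proxy that resolves the service name to its own external address cannot reach the federation servers.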
Here, system admins will learn how to implement and manage federated identities for single sign-on in Office 365. Microsoft Certified Trainer Sharon Bennett shows how to plan for Active Directory Federation Services (AD FS), install the AD FS role on Windows Server 2012 R2, and install and manage AD FS proxy servers.
Note: This training course maps to the Implement and Manage Federated Identities for SSO domain for Microsoft Certification exam 70-346.
- Planning for AD FS
- Sizing your infrastructure
- Configuring clients
- Installing the AD FS role
- Managing your servers
- Installing and configuring the AD FS proxy
- Tips for taking Microsoft Certification exam 70-346