Disclaimer

The information contained in this website is for general information purposes only. The information is provided by www.office365support.ca and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of www.office365support.ca. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, www.office365support.ca takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

In the previous post we set up two WAP servers that act as the AD FS proxy role for our internal AD FS servers. Now that the servers are built, we need to add an endpoint so that they are reachable from the internet, and we need to load balance that endpoint across the two WAP servers.

Configure a Load Balanced End Point on the first Web Application Proxy Server

  1. Open the Azure Management Portal
  2. Select the first WAP server
  3. Select Endpoints
  4. Click + Add
  5. Select Add a Stand-Alone Endpoint
  6. Click the Next arrow
  7. Select HTTPS
  8. Verify the protocol is TCP
  9. Verify Public Port 443
  10. Verify Private Port 443
  11. Select Create a Load-balanced set
  12. Click the Next arrow
  13. Name the load-balanced set
  14. Verify Protocol – TCP
  15. Verify Probe Port – 443
  16. Verify Probe Interval – 15
  17. Verify Number of Probes – 2
  18. Click the complete check mark

The load-balanced endpoint is added.

Add the Second Web Application Proxy Server to the WAP Load Balanced Set

Now that the load-balanced endpoint exists on the first server, we need to add the second server to the same set.

  1. Select the second WAP server
  2. Click Endpoints
  3. Click + Add
  4. Select Add an endpoint to an existing load-balanced set
  5. Select the load-balanced set you created in the step above
  6. Click the Next arrow
  7. Name the endpoint for this server
  8. Verify the protocol – TCP
  9. Click the complete checkmark

At this point both servers are members of the load-balanced endpoint and are live on the internet.

Collect the External IP Address of the WAP Cloud Service

Now that the WAP servers are load balanced, we need to update public DNS so that the AD FS farm name (in my case sts.office365supportlab.com) resolves to the Public Virtual IP (VIP) Address of the WAP cloud service.

Click on the WAP Cloud Service – the Public Virtual IP (VIP) Address is displayed on the main page.

Update Public DNS

Before you complete this step, please note that this could have an impact if you are already in production. Don’t update this record if you don’t know what you are doing.

Since we all use different DNS hosts, I’ll leave this one up to you. Here is a screenshot of my GoDaddy DNS zone for reference.

Testing AD FS from External

  1. Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx (change the hostname and domain to your own)
  2. Enter credentials
  3. Click Sign in

Testing Access from Office365

  1. Navigate to https://portal.office.com
  2. Enter your UserID
  3. Hit Tab
  4. You are redirected to the WAP servers
  5. The user name should be populated with the value entered on the Office365 sign-in page
  6. Enter Password
  7. Click Sign-in
  8. Credentials are verified and you are redirected to Office365

This completes the series for Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365.

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Email Me Follow me on Twitter Connect with me on LinkedIN

Setting up the Second Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

In the previous post, we created the first of two WAP servers. This post continues the series.

Create the Virtual Machine

  1. Click New
  2. Select Compute -> Virtual Machine -> From Gallery
  3. Select Windows Server 2012 R2
  4. Click the Next arrow
  5. Enter a virtual machine name, tier, size, username and password
  6. Click the Next arrow
  7. Select the cloud service you created when creating the first WAP server
  8. Verify Virtual Network
  9. Select the Availability Set that you created when creating the first WAP server
  10. Click the Next arrow
  11. Click the complete checkmark

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

Configure the Primary DNS Suffix

  1. Open Server Manager
  2. Click the Computer Name
  3. Click Change
  4. Click More…
  5. Enter your public domain as the Primary DNS suffix of this computer
  6. Click OK
  7. Click OK
  8. Reboot

Install the Web Application Proxy Role

  1. Open Server Manager
  2. Click Manage
  3. Click Add Roles and Features
  4. Click Next
  5. Click Next
  6. Click Next
  7. Select Remote Access
  8. Click Next
  9. Click Next
  10. Click Next
  11. Select Web Application Proxy
  12. Click Next
  13. Click Add Features
  14. Click Next
  15. Click Install
  16. Wait for the installation to finish
  17. Click Close

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365. For this reason, we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one-stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post, I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons are that I like to keep things simple, and if we have multiple names on the certificate, it starts to get complicated (not technically, but in managing the certificate). Secondly, I don’t like to share certificates across services. This cuts down on the cross-contamination between the support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

  1. Open the Start Screen
  2. Type MMC
  3. Click the MMC app
  4. MMC opens
  5. Click File
  6. Click Add/Remove Snap-in
  7. Select Certificates
  8. Click Add>
  9. Select Computer Account
  10. Click Next
  11. Select Local Computer
  12. Click Finish
  13. Click OK
  14. Expand Certificates
  15. Expand Personal
  16. Right-click Certificates
  17. Select Import
  18. Select Local Machine
  19. Click Next
  20. Browse to the exported certificate
  21. Click Next
  22. Enter the password
  23. Mark the key as exportable
  24. Click Next
  25. Place the certificate in the Personal certificate store
  26. Click Next
  27. Click Finish
  28. The import is successful

Edit HOSTS File

Because the WAP servers need to make contact back to the AD FS servers, we need to tell them how to get there. The simplest way of doing this (without opening more firewall ports) is to edit the local HOSTS file on the WAP server. Keep in mind that we don’t have connectivity or the ability to route to the internal IP address, so we need to route to the external IP of the Cloud Service that holds the AD FS servers.

Complete in Azure

  1. Click Cloud Services
  2. Click the Cloud Service for your AD FS servers
  3. Make note of the Public Virtual IP (VIP) Address

Complete on the WAP Server

  1. Right-click Notepad and Run as Administrator
  2. Navigate to c:\windows\system32\drivers\etc
  3. Switch the view to All Files
  4. Open HOSTS
  5. Edit the HOSTS file with the AD FS Farm Name and the external IP Address of the AD FS Cloud Service
  6. Click File -> Save
  7. Close Notepad

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Since the WAP servers are on a separate network from the internal network, we also need to make sure that Azure ACLs are configured to allow the WAP servers to communicate with the AD FS servers on the internal network. Please review this BLOG post to complete that task:

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

Configure the Web Application Proxy Role

  1. Open Server Manager
  2. Click More… Configuration required for Web Application Proxy
  3. Click Open the Web Application Proxy… under the Action column
  4. Click Next
  5. Enter the Federation Service Name
  6. Enter credentials for a local administrator on the AD FS servers
  7. Click Next
  8. Select the SSL certificate that you imported earlier
  9. Click Next
  10. Click Configure
  11. Success
  12. Click Close

At this point the WAP server is functioning. All that remains is to add an endpoint for port 443 and load balance the two servers.

Continue on to the next post in the series to finish the configuration.

Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

The Web Application Proxy servers are the new way to publish AD FS to the internet. They replace the old AD FS proxy servers and are new to Windows Server 2012 R2. These servers should be deployed in a DMZ network and are not domain-joined.

Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket that holds your virtual machines and to which you apply ACLs to secure them. You will need one for the AD FS servers and one for the Web Application Proxies (AD FS Proxy servers).

  1. Click New
  2. Select Compute -> Cloud Service -> Custom Create
  3. Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net namespace.
  4. Select your Region or Affinity Group
  5. Click OK

Create the Virtual Machine

  1. Click New
  2. Select Compute -> Virtual Machine -> From Gallery
  3. Select Windows Server 2012 R2
  4. Click the Next arrow
  5. Enter a virtual machine name, tier, size, username and password
  6. Click the Next arrow
  7. Select the cloud service you created above
  8. Verify Virtual Network
  9. Create an Availability Set
  10. Click the Next arrow
  11. Click the complete checkmark

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

Configure the Primary DNS Suffix

  1. Open Server Manager
  2. Click the Computer Name
  3. Click Change
  4. Click More…
  5. Enter your public domain as the Primary DNS suffix of this computer
  6. Click OK
  7. Click OK
  8. Reboot

Install Web Application Proxy Role

  1. Open Server Manager
  2. Click Manage
  3. Click Add Roles and Features
  4. Click Next
  5. Click Next
  6. Click Next
  7. Select Remote Access
  8. Click Next
  9. Click Next
  10. Click Next
  11. Select Web Application Proxy
  12. Click Next
  13. Click Add Features
  14. Click Next
  15. Click Install
  16. Wait for the installation to finish
  17. Click Close

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365. For this reason, we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one-stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post, I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons are that I like to keep things simple, and if we have multiple names on the certificate, it starts to get complicated (not technically, but in managing the certificate). Secondly, I don’t like to share certificates across services. This cuts down on the cross-contamination between the support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

  1. Open the Start Screen
  2. Type MMC
  3. Click the MMC app
  4. MMC opens
  5. Click File
  6. Click Add/Remove Snap-in
  7. Select Certificates
  8. Click Add>
  9. Select Computer Account
  10. Click Next
  11. Select Local Computer
  12. Click Finish
  13. Click OK
  14. Expand Certificates
  15. Expand Personal
  16. Right-click Certificates
  17. Select Import
  18. Select Local Machine
  19. Click Next
  20. Browse to the exported certificate
  21. Click Next
  22. Enter the password
  23. Mark the key as exportable
  24. Click Next
  25. Place the certificate in the Personal certificate store
  26. Click Next
  27. Click Finish
  28. The import is successful

Edit HOSTS File

Because the WAP servers need to make contact back to the AD FS servers, we need to tell them how to get there. The simplest way of doing this (without opening more firewall ports) is to edit the local HOSTS file on the WAP server. Keep in mind that we don’t have connectivity or the ability to route to the internal IP address, so we need to route to the external IP of the Cloud Service that holds the AD FS servers.

Complete in Azure

  1. Click Cloud Services
  2. Click the Cloud Service for your AD FS servers
  3. Make note of the Public Virtual IP (VIP) Address

Complete on the WAP Server

  1. Right-click Notepad and Run as Administrator
  2. Navigate to c:\windows\system32\drivers\etc
  3. Switch the view to All Files
  4. Open HOSTS
  5. Edit the HOSTS file with the AD FS Farm Name and the external IP Address of the AD FS Cloud Service
  6. Click File -> Save
  7. Close Notepad

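The HOSTS file step above (the same step appears in the second-server post) done as a script, as an added example that is not the post's own code: it rewrites the farm-name line idempotently, then checks that the name resolves to the VIP and that the load-balanced 443 endpoint answers. The farm name is the one used in this series; the VIP is an assumed placeholder.

```powershell
# Added example, not the post's own code: the Edit HOSTS File step done
# idempotently, then checked. Run as Administrator on the WAP server.
# ASSUMED placeholder values; the VIP is a documentation-range address.
$farmName = "sts.office365supportlab.com"   # AD FS farm name used in this series
$adfsVip  = "198.51.100.20"                 # PLACEHOLDER: Public VIP of the AD FS cloud service
$hosts    = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"

# Drop any existing line for the farm name so re-running never leaves a stale
# or duplicate mapping, then append the new one.
$pattern = '^\s*\S+\s+' + [regex]::Escape($farmName) + '(\s|$)'
$keep = @(Get-Content -Path $hosts | Where-Object { $_ -notmatch $pattern })
$keep + "$adfsVip`t$farmName" | Set-Content -Path $hosts -Encoding ASCII

# Check 1: the OS resolver (which reads the hosts file) must return the VIP.
Clear-DnsClientCache
$resolved = [System.Net.Dns]::GetHostAddresses($farmName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $adfsVip) {
    throw "$farmName resolves to [$($resolved -join ', ')], expected $adfsVip"
}

# Check 2: the load-balanced 443 endpoint must answer from this network. This
# also exercises the Azure ACL from the next section: a deny shows up here as a timeout.
$tnc = Test-NetConnection -ComputerName $farmName -Port 443
if (-not $tnc.TcpTestSucceeded) { throw "TCP 443 to $farmName ($adfsVip) is not reachable" }
"OK: $farmName -> $adfsVip, TCP 443 open"
```
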
Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Since the WAP servers are on a separate network from the internal network, we also need to make sure that Azure ACLs are configured to allow the WAP servers to communicate with the AD FS servers on the internal network. Please review this BLOG post to complete that task:

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

Configure the Web Application Proxy Role

  1. Open Server Manager
  2. Click More… Configuration required for Web Application Proxy
  3. Click Open the Web Application Proxy… under the Action column
  4. Click Next
  5. Enter the Federation Service Name
  6. Enter credentials for a local administrator on the AD FS servers
  7. Click Next
  8. Select the SSL certificate that you imported earlier
  9. Click Next
  10. Click Configure
  11. The wizard sets up the WAP server
  12. Success
  13. Click Close

At this point the WAP server is functioning. To test the WAP server, you can edit your local workstation’s hosts file to point the farm name at the external IP of the WAP cloud service. This lets you test the configuration without editing public DNS.

Continue on to the rest of the series, where we will add a second WAP server and then load balance the two.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

If you read the earlier posts in the series, you will have noted that there are two methods to deploy AD FS server load balancing. Because I am in an all-Azure environment, I chose to deploy with method 2, using Azure load balancing on port 443 for AD FS. The following post details how to set up Azure ACLs to allow communication from the DMZ network to the production network and then deny all others.

This post needs the cloud service for the WAP servers created, along with at least one WAP server deployed to it, so that we can get the Public Virtual IP. This needs to be completed before we can add the WAP servers as proxies for the AD FS servers. There is no really clean way to blog this, so you will have to jump back and forth between this post and Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On to complete the task.

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • VPN connection set up from Azure to your on-premise network
  • Primary and Secondary AD FS servers are set up (see previous posts in this series)
  • The cloud service for the WAP servers is created

The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.

Change ACLs to allow WAP access

  1. Navigate to the Primary AD FS Server
  2. Select Endpoints
  3. Select HTTPS (or whatever you called the endpoint for AD FS)
  4. Click Manage ACL

You will notice that the ACL list is not populated, which means that the endpoint is wide open to the internet. We need to secure the AD FS load-balanced set while still giving the WAP servers access, so that the WAP servers can talk to the AD FS servers. We are going to create two rules: one permit and one deny.

The first rule grants access from the WAP servers to the AD FS servers:

  1. Enter a description of the rule
  2. Select Permit
  3. Enter the IP address of the WAP cloud service in CIDR format. Note the /32 at the end, which limits the rule to that one IP address.

Now that we have granted access on port 443 to the WAP servers, we need to deny all others. Keep in mind that this is for external traffic only. Internal users will still be able to access the AD FS servers on the domain network. This only applies to the NAT address used for external client access in Azure.

  1. Enter a description of the rule
  2. Select Deny
  3. Enter 0.0.0.0/0 (this denies all other traffic)
  4. Click the complete checkmark

Azure updates the rule. There is no need to repeat this on the other servers, as the rule applies to the load-balanced endpoint.

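The same permit/deny pair built with the classic Azure PowerShell module, as an added example that is not the post's own code, so the ACL is repeatable and can be reviewed before it is applied. Cloud service name, set name, member VM name and the WAP VIP are assumed placeholders.

```powershell
# Added example, not the post's own code: the permit/deny pair from the steps
# above, applied with the classic Azure (Service Management) PowerShell module.
# Requires Add-AzureAccount to have been run. ASSUMED placeholder values below.
$svc    = "ConceppsADFS"   # cloud service holding the AD FS servers
$lbset  = "ADFS_SSL"       # load-balanced set name from the previous post
$wapVip = "198.51.100.10"  # PLACEHOLDER: Public VIP of the WAP cloud service

# Rules are evaluated in ascending Order and the first match wins, so the
# single-address permit must sit in front of the catch-all deny.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet "$wapVip/32" `
    -Order 1 -Description "Permit WAP cloud service VIP"
Set-AzureAclConfig -AddRule -ACL $acl -Action Deny -RemoteSubnet "0.0.0.0/0" `
    -Order 2 -Description "Deny all other internet sources"

# Apply once to the set; the ACL covers every endpoint that belongs to it,
# which is why the post says there is no need to repeat this per server.
Set-AzureLoadBalancedEndpoint -ServiceName $svc -LBSetName $lbset -ACL $acl

# Verify on one member: exactly the two rules above and nothing else.
Get-AzureVM -ServiceName $svc -Name "ConceppsADFS01" |
    Get-AzureAclConfig -EndpointName "HTTPS" |
    Format-Table Order, Action, RemoteSubnet, Description -AutoSize
```
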
Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • VPN connection set up from Azure to your on-premise network
  • Primary and Secondary AD FS servers are set up (see previous posts in this series)
  • WAP servers are deployed on a different network than the AD FS servers. If you are unsure, see this BLOG post.

Reference this TechNet article – http://msdn.microsoft.com/en-us/library/azure/dn655055.aspx

Creating the Load Balanced Set on the Primary ADFS Server

  1. Open the Azure Management Portal
  2. Click Virtual Machines
  3. Click the Primary AD FS Server
  4. Click the Endpoints tab
  5. Click Add (+)
  6. Select Add a Stand-alone Endpoint
  7. Click Next
  8. Configure as follows:
     Name – HTTPS
     Protocol – TCP
     Public Port – 443
     Private Port – 443
  9. Select Create a Load-Balanced Set
  10. Click Next
  11. Configure as follows:
     Load-Balanced Set Name – ADFS_SSL
     Probe Protocol – TCP
     Probe Port – 443
     Probe Interval – 15
     Number of Probes – 2
  12. Click the complete check mark

The load-balanced set is created.

Adding the Second ADFS Server to the Load Balanced Set

  1. Click the Secondary AD FS Server
  2. Click the Endpoints tab
  3. Click Add (+)
  4. Select Add an Endpoint to an Existing Load Balanced Set
  5. Select ADFS_SSL, or whatever you called it
  6. Click Next
  7. Enter Name – ADFS_SSL
  8. Click the complete checkmark

The endpoint is reconfigured to load balance across the two AD FS servers.

At this point the AD FS servers are load balanced. If you have more than two AD FS servers, keep adding them to the load-balanced endpoint.

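The same load-balanced HTTPS endpoint created from the classic Azure PowerShell module instead of the portal, as an added example that is not the post's own code; it serves both the AD FS set above and the WAP set built in the last post of this series (change the set and VM names). The cloud service, VM names and set name are assumed placeholders; the port and probe values are the ones configured on this page.

```powershell
# Added example, not the post's own code. Requires the classic Azure
# (Service Management) PowerShell module with Add-AzureAccount already run.
# ASSUMED placeholders: change to your cloud service, VM names and set name.
$svc   = "ConceppsADFS"                            # cloud service holding the VMs
$vms   = @("ConceppsADFS01", "ConceppsADFS02")     # members of the set
$lbset = "ADFS_SSL"                                # for the WAP servers use e.g. "WAP_SSL"

foreach ($vm in $vms) {
    # The first call creates the load-balanced set; later calls with the same
    # -LBSetName join that VM's endpoint to the existing set.
    Get-AzureVM -ServiceName $svc -Name $vm |
        Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName $lbset `
            -ProbeProtocol tcp -ProbePort 443 `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM
}
# The portal's "Number of Probes = 2" is expressed here as a probe timeout:
# 31 s (the cmdlet default) spans two 15 s probe intervals before a VM is
# taken out of rotation.

# Verify: every member should report the HTTPS endpoint in the same set,
# behind the cloud service's single public VIP.
foreach ($vm in $vms) {
    Get-AzureVM -ServiceName $svc -Name $vm |
        Get-AzureEndpoint -Name "HTTPS" |
        Select-Object @{n = "VM"; e = { $vm }}, Name, LBSetName, Vip, Port, LocalPort, ProbePort
}
```
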
Load Balance the AD FS Servers in Windows Azure for Office365 Single Sign-On

Azure has two methods of load balancing services out of the box. Your needs and the security requirements of your company will decide which method you use. I have detailed both methods in the two blog posts below. Be sure to reference the Microsoft link for the details on both and decide which method is best for your company.

Method 1 – Azure Internal Load Balancing (ILB)

Azure Internal Load Balancing (ILB) provides load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.

Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On

With this method you have one network with different address spaces for the internal (10.0.0.0) and DMZ (172.16.0.0) networks. This method works because Azure allows routing between the different address spaces on the same network.

Method 2 – Azure Load Balanced Set

An Azure load-balanced set is layer 4 load balancing across the virtual machines of a cloud service.

Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On

With this method, you have two separate networks in Azure, and we rely on endpoints and hosts files for routing between them. This is the more secure way of implementing the solution, since we control access between the networks with ACLs.

Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • VPN connection set up from Azure to your on-premise network
  • Primary and Secondary AD FS servers are set up (see previous posts in this series)
  • WAP servers are deployed on the same network, in a different subnet from the AD FS servers. If you are unsure, see this BLOG post.

Reference this TechNet article – http://msdn.microsoft.com/en-us/library/azure/dn690125.aspx

Connect to Windows Azure with PowerShell

If you are unsure how to connect to Windows Azure with PowerShell, or have never done so, please reference the article below. It will guide you through installing the tools and connecting with PowerShell.

http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/#Install

  1. Open the Start Screen
  2. Right-click Windows Azure PowerShell and Run as administrator
  3. Click Yes to the UAC prompt
  4. Type Add-AzureAccount
  5. Press Enter
  6. Enter the email address used to log in to your Azure account
  7. Click Continue
  8. Enter the email address and password used to log in to your Azure account
  9. Click Continue

Azure authenticates your account and then takes you back to the PowerShell window.

Create the Internal Load-Balanced Set Instance

Before we can continue, we need to gather some information. These values are used to set the variables in the PowerShell command that creates the ILB instance.

Cloud Service Name – This was created prior to creating the first AD FS 3.0 virtual machine and can be found in the Azure Management Portal under Cloud Services

Internal Load-Balanced Instance Name – This is the name used to reference the ILB set

Subnet Name – This was created when Azure Networking was created and can be found in the Azure Management Portal under Networking

IP Address for the Internal Load-Balanced Instance – This can be set explicitly or generated automatically

Set the variables in PowerShell (use straight quotes; curly quotes copied from a web page will break the command)

$svc="ConceppsADFS"
$ilb="ConceppsADFS-ILB"
$subnet="Subnet-1"
$IP="10.0.0.8"

Execute the command in PowerShell

Add-AzureInternalLoadBalancer -ServiceName $svc -InternalLoadBalancerName $ilb -SubnetName $subnet -StaticVNetIPAddress $IP

Add End Points to the Internal Load-Balanced Set

Below is a script that sets the variables, creates the endpoints and updates the virtual machines with the configuration.

# Shared values for both AD FS servers
$svc="ConceppsADFS"
$ilb="ConceppsADFS-ILB"
$prot="tcp"
$locport=443
$pubport=443

# First AD FS server
$epname="ADFS01"
$vmname="ConceppsADFS01"

Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM

# Second AD FS server
$epname="ADFS02"
$vmname="ConceppsADFS02"

Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM

Add DNS Record

Now that we have our farm configured and the servers are load balanced, we need to ensure that clients can get to them using the virtual IP of the Internal Load-Balanced Set.

In the steps above we created an Internal Load-Balanced Set with the IP 10.0.0.8. We now need to create an A record in the internal DNS, with a name of STS, that points to the VIP. In my case sts.office365supportlab.com points at 10.0.0.8.

Testing AD FS Sign-On

  1. Open IE
  2. Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
  3. Click Sign in

Testing Server High Availability

Shut down the AD FS servers one at a time and check that you can still access AD FS with each server offline. This tests the failure case of losing one of the servers in the ILB set.

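The high-availability check above automated, as an added example that is not the post's own code: each server is stopped in turn while its endpoint stays provisioned, the sign-on page is fetched through the ILB VIP, and the server is brought back before the next round. Run it from a domain-joined machine that resolves the farm name to the ILB (10.0.0.8 in this series), with the classic Azure module connected; the cloud service and VM names are the ones used in the post and are assumed to match yours.

```powershell
# Added example, not the post's own code: automates "shut down one server at a
# time" against the ILB VIP. Requires the classic Azure (Service Management)
# module with Add-AzureAccount already run. ASSUMED placeholder names below.
$svc    = "ConceppsADFS"                          # cloud service name used in the post
$vms    = @("ConceppsADFS01", "ConceppsADFS02")   # VM names used in the post
$signOn = "https://sts.office365supportlab.com/adfs/ls/IdpInitiatedSignon.aspx"

function Test-AdfsSignOn {
    # $true when the IdP-initiated sign-on page answers HTTP 200 over TLS.
    try {
        $r = Invoke-WebRequest -Uri $signOn -UseBasicParsing -TimeoutSec 20
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}

function Wait-AzureVMReady([string]$Name) {
    # Poll until the role reports ReadyRole so the next round starts healthy.
    do {
        Start-Sleep -Seconds 15
        $status = (Get-AzureVM -ServiceName $svc -Name $Name).Status
    } while ($status -ne "ReadyRole")
}

if (-not (Test-AdfsSignOn)) { throw "Baseline failed: $signOn is not reachable with all servers up" }

$results = foreach ($vm in $vms) {
    # -StayProvisioned keeps the VM's endpoints and IP, so only the ILB health
    # probe decides when it leaves rotation, exactly as in a real failure.
    Stop-AzureVM -ServiceName $svc -Name $vm -StayProvisioned -Force
    Start-Sleep -Seconds 60        # comfortably longer than two probe intervals
    $ok = Test-AdfsSignOn
    Start-AzureVM -ServiceName $svc -Name $vm
    Wait-AzureVMReady -Name $vm
    [pscustomobject]@{ ServerOffline = $vm; SignOnStillWorks = $ok }
}
$results | Format-Table -AutoSize
if ($results.SignOnStillWorks -contains $false) { throw "AD FS is not highly available: see the table above" }
```
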
We are now set up with a highly available AD FS solution for all internal users. Continue on with the series to set up the Web Application Proxies (AD FS Proxy) so that external users have access.
