If we review our network diagram again, we can see that there are AD FS Proxy servers placed in a DMZ network. These servers are required for external client authentication: when SSO is enabled, clients that access Office 365 services from outside the internal network (in other words, clients working remotely) have to reach a federation endpoint, and the proxy is the only one that is supposed to be exposed. If you did not have AD FS proxy servers in place, no external client would be able to authenticate.
- Internal Requests —> Intranet (sts.domain.com – 192.168.0.x) —> Resolves to the AD FS Server —> Authenticated with the Domain Controller
- External Requests —> Internet (sts.domain.com – 24.88.56.x) —> Resolves to the AD FS Proxy Server —> Forwards Request to AD FS Server —> Authenticated with Domain Controller
Networking setup for these servers is straightforward, but pay attention to where each request lands. Split-brain DNS does the routing: the public zone has an A record for sts.domain.com that resolves to an internet-accessible IP address configured on (or NATed by) the external interface of your firewall, while the internal zone has an A record for the same name that points at the AD FS server. On the firewall, forward requests for sts.domain.com on TCP/443 arriving at the external interface to the AD FS Proxy server in the DMZ, not to the AD FS server itself; the internal federation server should never be reachable from the internet. Next, allow TCP/443 from the AD FS Proxy server to the AD FS server through the DMZ firewall. The proxy is the side that initiates this connection, so a stateful firewall needs only that one rule; nothing from the internal network needs to reach into the DMZ, and the proxy does not need to be domain-joined or to talk to a domain controller, so do not give it that access. One gotcha: the proxy itself must resolve sts.domain.com to the internal AD FS server (a hosts file entry on the proxy is the usual fix), otherwise it will follow the public record back to the firewall and loop.
- Internal Client Requests —> Intranet (sts.domain.com – 192.168.0.x) (TCP/443) —> AD FS Server (TCP/443)
- External Client Requests —> Internet (sts.domain.com – 24.88.56.x) (TCP/443) —> Firewall —> AD FS Proxy Server (TCP/443) —> Firewall —> AD FS Server (TCP/443)
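The following PowerShell script is an added example for checking both paths above; it is not part of the original post and the DNS server addresses, expected IPs and the 8.8.8.8 resolver are assumptions to replace with your own. It queries the internal and public DNS servers directly so the two views of sts.domain.com can be compared, warns if the public zone leaks the internal address, then opens TCP/443 and completes a TLS handshake (with certificate and name validation) against every address returned, and finally pulls the federation metadata document to confirm which service is answering.

```powershell
# Added example (not from the original post): verify split-brain DNS and the
# TCP/443 + TLS path for an AD FS federation service name. Requires the
# DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName.
# All names and addresses below are assumed placeholders; replace them with yours.
param(
    [string]$ServiceName        = 'sts.domain.com',
    [string]$InternalDns        = '192.168.0.10',   # assumption: internal AD-integrated DNS
    [string]$PublicDns          = '8.8.8.8',        # any public resolver
    [string]$ExpectedInternalIp = '192.168.0.50',   # assumption: the AD FS server
    [string]$ExpectedExternalIp = '24.88.56.50'     # assumption: firewall external IP NATed to the proxy
)

# Query a specific DNS server directly (-DnsOnly bypasses hosts file and cache),
# so the internal and public views of the name can be compared side by side.
function Resolve-ViaServer {
    param([string]$Name, [string]$Server)
    try {
        $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "DNS query for $Name against $Server failed: $($_.Exception.Message)"
        return @()
    }
}

# Open TCP/443 to one address and complete a TLS handshake with the service name
# as the target host. AuthenticateAsClient validates the chain and the name, so a
# proxy or AD FS server presenting the wrong certificate shows up as a failure here.
function Test-TlsEndpoint {
    param([string]$Ip, [string]$SniName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) { throw "TCP connect to ${Ip}:$Port timed out" }
        $client.EndConnect($async)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{ Ip = $Ip; Ok = $true;  Subject = $cert.Subject; NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol; Error = $null }
    } catch {
        return [pscustomobject]@{ Ip = $Ip; Ok = $false; Subject = $null;         NotAfter = $null;          Protocol = $null;          Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$internal = Resolve-ViaServer -Name $ServiceName -Server $InternalDns
$external = Resolve-ViaServer -Name $ServiceName -Server $PublicDns
"$ServiceName via internal DNS ($InternalDns): $($internal -join ', ')"
"$ServiceName via public DNS   ($PublicDns): $($external -join ', ')"

if ($internal -notcontains $ExpectedInternalIp) {
    Write-Warning "Internal zone does not point at the AD FS server ($ExpectedInternalIp); internal clients would be sent out to the proxy."
}
if ($external -notcontains $ExpectedExternalIp) {
    Write-Warning "Public zone does not point at the firewall's external address ($ExpectedExternalIp)."
}
if ($external -contains $ExpectedInternalIp) {
    Write-Warning "Public DNS is publishing the internal AD FS address."
}

# Exercise both paths: TCP/443 and a TLS handshake against every address either view returned.
$results = foreach ($ip in (@($internal) + @($external) | Select-Object -Unique)) {
    Test-TlsEndpoint -Ip $ip -SniName $ServiceName
}
$results | Format-Table Ip, Ok, Subject, NotAfter, Protocol, Error -AutoSize

# Finally, pull the federation metadata through whichever path this host's own
# resolver picks, and confirm the service answering is the one we expect.
$metadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop).Content
    "Federation metadata entityID: $($metadata.EntityDescriptor.entityID)"
} catch {
    Write-Warning "Could not fetch ${metadataUrl}: $($_.Exception.Message)"
}
```

Run it once from an internal client and once from a host outside the firewall: many firewalls do not hairpin NAT, so the public address can legitimately be unreachable from inside, and the external run is the one that proves the proxy path. A row with Ok set to false and a name-mismatch error means the proxy (or the AD FS server) is presenting a certificate whose subject or SAN does not include the service name, which clients will reject just as this script does.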
- Does Microsoft have FREE training for the NEW Office 365?
- Signing up for the NEW Office 365
- Adding and Verifying a Domain for the NEW Office 365
- Creating Cloud Users for the NEW Office 365
- Configuring Desktops for the NEW Office 365
- Exchange 2003 Cutover Migration to the NEW Office 365
- Exchange 2007 Cutover Migration to the NEW Office 365
- Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
- Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
- Setting up Directory Synchronization with the NEW Office 365
- Activating and Licensing a Synchronized User in the NEW Office 365
- Testing Single Sign-on to the NEW Office 365
- Making the Single Sign-On Solution Highly Available
- Exchange Hybrid Deployment with the NEW Office 365
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Office 365 MVP