Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365

If we review our network diagram again, we can see that there are AD FS Proxy servers placed in a DMZ network. These servers are required for external client authentication: they are needed when clients outside the internal network (that is, clients working remotely) need to access Office 365 services with SSO enabled. Without AD FS Proxy servers in place, no external clients would be able to authenticate.

Authentication Process:

  • Internal Requests —> Intranet (sts.domain.com – 192.168.0.x) —> Resolves to the AD FS Server —> Authenticated with the Domain Controller
  • External Requests —> Internet (sts.domain.com – 24.88.56.x) —> Resolves to the AD FS Proxy Server —> Forwards Request to AD FS Server —> Authenticated with Domain Controller

Networking setup for these servers is very easy. We have an A record (sts.domain.com) in our public DNS that resolves to an internet-accessible IP address. This IP address should be configured as an external interface on your firewall. You will want to forward requests for sts.domain.com (port 443) from the external interface on the firewall to the AD FS server. Next, you will want to enable bi-directional communication between the AD FS server and the AD FS Proxy server.

Networking

  • Internal Client Requests —> Intranet (sts.domain.com – 192.168.0.x) (TCP/443) —> AD FS Server (TCP/443)
  • External Client Requests —> Internet (sts.domain.com – 24.88.56.x) (TCP/443) —> Firewall —> AD FS Proxy Server (TCP/443) —> Firewall —> AD FS Server (TCP/443)
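The two paths above depend on split DNS (sts.domain.com resolving to 192.168.0.x inside and 24.88.56.x outside) and on TCP/443 being open along each hop. The following PowerShell script is an added example, not part of the original post, that checks both from whichever network zone you run it in. It assumes the post's names and address ranges; the specific host addresses (192.168.0.10, 24.88.56.10) are placeholders to replace with your own. For the DMZ zone it assumes the proxy resolves the federation service name to the internal AD FS server, which is what the diagram (Proxy —> Firewall —> AD FS Server) implies.

```powershell
# Added validation script (not from the original post). Checks that
# sts.domain.com resolves to the address expected for this zone and that
# TCP/443 is reachable at that address. Requires Windows 8 / Server 2012+
# for Resolve-DnsName and Test-NetConnection.
param(
    [ValidateSet('Internal', 'DMZ', 'External')]
    [string]$Zone = 'Internal',
    [string]$StsHost = 'sts.domain.com',
    [string]$InternalAdfsIp = '192.168.0.10',   # placeholder: your AD FS server
    [string]$PublicStsIp = '24.88.56.10'        # placeholder: firewall external IP
)

# Which address the name must resolve to, per zone (assumption: the proxy in
# the DMZ must resolve the name to the real AD FS server, not to itself).
$expectedIp = switch ($Zone) {
    'Internal' { $InternalAdfsIp }
    'DMZ'      { $InternalAdfsIp }
    'External' { $PublicStsIp }
}

$results = @()

# 1. Name resolution: collect the A records the client actually sees.
$answer = Resolve-DnsName -Name $StsHost -Type A -ErrorAction SilentlyContinue
$resolved = @($answer | Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress)
$results += [pscustomobject]@{
    Check  = "$StsHost resolves to $expectedIp ($Zone)"
    Pass   = ($resolved -contains $expectedIp)
    Detail = if ($resolved) { $resolved -join ', ' } else { 'no A record' }
}

# 2. TCP/443 reachability to every address the name resolved to.
foreach ($ip in $resolved) {
    $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP/443 to $ip"
        Pass   = [bool]$tcp.TcpTestSucceeded
        Detail = "Source=$($tcp.SourceAddress.IPAddress)"
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets the script be used from a scheduled health check.
if ($results.Pass -contains $false) { exit 1 }
```

Run it with `-Zone External` from a machine outside the firewall and with `-Zone DMZ` on the proxy itself; a failing DNS check on the proxy usually means it is resolving the public address and will loop back to itself instead of reaching the AD FS server.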


Complete Series:

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP
