Prepare your network infrastructure for configuring extranet access
Applies To: Azure, Office 365, Power BI, Windows Intune
To complete all of the tasks using the following procedures, you must first be logged on to the computers as a member of the Administrators group, or have been delegated equivalent permissions.
Checklist: Prepare your network infrastructure for configuring extranet access
|Deployment task||Links to topics in this section||Completed|
1. Prepare two computers running either the Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating system to be set up as federation server proxies. If you are using AD FS in Windows Server 2012 R2, your proxy computers must also run Windows Server 2012 R2 and you must deploy Web Application Proxy, a new Remote Access role service that can be used for configuring your AD FS for extranet access. Depending on the number of users you have, you can use existing web or proxy servers or use a dedicated computer.
2. Add the name of the Federation Service in the corporate network (the cluster DNS name you created earlier on the NLB host in the corporate network) and its associated cluster IP address to the hosts files on each federation server proxy or web application proxy computer in the perimeter network.
3. Create a new cluster DNS name and cluster IP address on the NLB host in the perimeter network and then add the federation server computers to the NLB cluster. If you are using Windows Server technology for your current NLB hosts, choose the appropriate link to the right based on your operating system version.
The cluster DNS name used for this new NLB cluster must match the name of the Federation Service in the corporate network.
This step is optional in a test deployment of this SSO solution with a single AD FS federation server.
To create and configure NLB clusters on Windows Server 2003 and Windows Server 2003 R2, see Checklist: Enabling and configuring Network Load Balancing.
To create and configure NLB clusters on Windows Server 2008, see Creating Network Load Balancing Clusters.
To create and configure NLB clusters on Windows Server 2008 R2, see Creating Network Load Balancing Clusters.
For more information about NLB in Windows Server 2012 or Windows Server 2012 R2, see Network Load Balancing Overview.
4. Create a new resource record for the NLB cluster in the perimeter network DNS that points the cluster DNS name of the NLB cluster to its cluster IP address.
5. Use the same server authentication certificate as the one used by the federation servers in the corporate network. If you are using AD FS in Windows Server 2008 or Windows Server 2012, you must install this certificate on the Default Web Site of the federation server proxy computer. If you are using AD FS in Windows Server 2012 R2, you must import this certificate to the Personal Certificates store on the computer that will function as your Web Application Proxy.
Import a server authentication certificate to the proxy computer
Add the cluster DNS name and IP address to the hosts file on the proxy computer
In order for the federation server proxy or Web Application Proxy to work as expected in the perimeter network, you must add an entry to the hosts file on each federation server proxy or Web Application Proxy computer that points to the cluster DNS name hosted by the NLB in the corporate network (for example, fs.fabrikam.com) and its IP address (for example, 172.16.1.3). Adding this entry to the hosts file enables the federation server proxy or Web Application Proxy to properly route a client-initiated call to a federation server either within the perimeter network or outside the perimeter network.
To add the cluster DNS name and IP address to the hosts file on the proxy
1. Navigate to the %systemroot%\Winnt\System32\Drivers folder and locate the hosts file.
2. Start Notepad, and then open the hosts file.
3. Add the IP address and the host name of a federation server in the hosts file, as shown in the following example:
4. Save and close the file.
If the cluster IP address on the NLB host in the corporate network ever changes, you must update the local hosts file on each federation server proxy or Web Application Proxy.
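The hosts file step above, scripted so it can be re-run after a cluster IP change. This is an added example, not part of the original page: it uses the page's sample name and address, and it assumes the standard Windows hosts file location (%SystemRoot%\System32\drivers\etc\hosts). It adds the mapping only if it is missing, warns instead of appending when a stale mapping exists, and then confirms what the Windows resolver returns.

```powershell
# Added example, not from the original page. Run elevated on each proxy computer.
$FsName    = 'fs.fabrikam.com'   # Federation Service (cluster DNS) name, page's sample value
$ClusterIp = '172.16.1.3'        # corporate NLB cluster IP, page's sample value
# Assumption: standard Windows hosts file location
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse active (non-comment) lines into IP/name pairs; one line may carry several names.
$entries = @(Get-Content -Path $HostsPath | ForEach-Object {
    $parts = @((($_ -replace '#.*$', '').Trim()) -split '\s+')
    if ($parts.Count -ge 2) {
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            New-Object PSObject -Property @{ Ip = $parts[0]; Name = $name }
        }
    }
})

$current = @($entries | Where-Object { $_.Name -eq $FsName })
$stale   = @($current | Where-Object { $_.Ip -ne $ClusterIp })

if ($stale.Count -gt 0) {
    # Do not append a second mapping: the older line would still be matched first.
    $staleIps = ($stale | ForEach-Object { $_.Ip }) -join ', '
    Write-Warning ("{0} is mapped to {1}, expected {2}. Correct the entry in {3}." -f `
        $FsName, $staleIps, $ClusterIp, $HostsPath)
}
elseif ($current.Count -eq 0) {
    # Leading newline protects against a file whose last line has no terminator.
    Add-Content -Path $HostsPath -Value "`r`n$ClusterIp`t$FsName"
}

# Confirm the result through the Windows resolver, which consults the hosts file.
$resolved = @([System.Net.Dns]::GetHostAddresses($FsName) |
    ForEach-Object { $_.IPAddressToString })
if ($resolved -contains $ClusterIp) {
    Write-Output "$FsName resolves to $ClusterIp on this proxy."
}
else {
    Write-Warning ("{0} resolves to {1}, not {2}." -f $FsName, ($resolved -join ', '), $ClusterIp)
}
```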
Add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host
To service authentication requests from clients either in the perimeter network or outside the perimeter network, AD FS requires name resolution to be configured on external-facing DNS servers that host the organization’s zone (for example, fabrikam.com).
To do this, add a Host (A) resource record for the cluster DNS name (for example, “fs.fabrikam.com”) to the external-facing DNS server that serves only the perimeter network, and point it to the external cluster IP address that has just been configured.
To add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host
1. On a DNS server for the perimeter network, open the DNS snap-in. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable forward lookup zone (for example, fabrikam.com), and then click New Host (A or AAAA).
3. In Name, type only the name of the cluster DNS name you specified on the NLB host in the perimeter network (this should be the same DNS name as the name of the Federation Service). For example, for the FQDN fs.fabrikam.com, type fs.
4. In IP address, type the IP address for the new cluster IP address you specified on the NLB host in the perimeter network. For example, 192.0.2.3.
5. Click Add Host.
Import a server authentication certificate to the proxy computer
After you obtain a server authentication certificate used by one of the federation servers in the corporate network, you must manually install that certificate onto either:
- The Default Web Site for each federation server proxy in your organization, if you are using AD FS in Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
- The Personal Store of each Web Application Proxy in your organization, if you are using AD FS in Windows Server 2012 R2.
Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte. For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.
The subject name of this server authentication certificate must match the FQDN of the cluster DNS name (for example, fs.fabrikam.com) you created earlier on the NLB host. If Internet Information Services (IIS) has not been installed, you must install IIS first in order to complete this task. When installing IIS for the first time, we recommend that you use the default feature options when prompted during the installation of the server role.
To import a server authentication certificate to the Default Web Site on the federation server proxy
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, click ComputerName.
3. In the center pane, double-click Server Certificates.
4. In the Actions pane, click Import.
5. In the Import Certificate dialog box, click the … button.
6. Browse to the location of the pfx certificate file, highlight it, and then click Open.
7. Type a password for the certificate, and then click OK.
To import a server authentication certificate to the Personal Store of the Web Application Proxy
- You can use the steps in Import a Certificate to complete this task.
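A post-import check for the Web Application Proxy case, covering the requirements stated above: subject name equal to the Federation Service FQDN, and the same certificate as on the corporate federation servers. This is an added example, not part of the original page; it assumes the Personal store is Cert:\LocalMachine\My, and the thumbprint is a placeholder to be replaced with the value read from a federation server.

```powershell
# Added example, not from the original page. Run on the Web Application Proxy.
$FsName        = 'fs.fabrikam.com'                      # page's sample Federation Service name
$ExpectedThumb = '<THUMBPRINT-FROM-FEDERATION-SERVER>'  # placeholder, copy from a federation server
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                    # Server Authentication EKU OID

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now      = Get-Date

# Certificates in the computer's Personal store whose subject CN equals the FQDN.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($nameType, $false) -eq $FsName })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with subject name $FsName in Cert:\LocalMachine\My."
}

$report = foreach ($cert in $candidates) {
    $eku     = @($cert.Extensions | Where-Object { $_ -is $ekuType })
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Thumbprint             = $cert.Thumbprint
        # An import without the private key cannot be used for server authentication.
        HasPrivateKey          = $cert.HasPrivateKey
        InValidityPeriod       = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        # A certificate with no EKU extension is not restricted to specific usages.
        ServerAuthEku          = ($eku.Count -eq 0) -or ($ekuOids -contains $ServerAuthOid)
        SameAsFederationServer = ($cert.Thumbprint -eq $ExpectedThumb)
    }
}

$report | Format-Table -AutoSize
```

Any row with a False column points at the step to repeat: re-export the .pfx with its private key from the federation server, or import the correct certificate.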
Now that you have prepared your network infrastructure for either Web Application Proxies or federation server proxies, the next step is to complete the tasks in either the following topic or the following checklist, depending on what version of AD FS you want to use: