Checklist: Installing a federation server proxy

Applies To: Windows Server 2003 R2

This checklist includes the deployment tasks for preparing a server running Windows Server 2003 R2, Enterprise Edition, for the federation server proxy role.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Task: Review information in the Active Directory Federation Services Design Guide about where to place federation server proxies in your organization.
Reference (conceptual topic): Planning Federation Server Proxy Placement
Reference (conceptual topic): Where to place a federation server proxy

Task: Use the information in the Active Directory Federation Services Design Guide to determine whether a single federation server proxy or a federation server proxy farm is necessary.

Note: Federation servers also perform federation service proxy responsibilities.

Reference (conceptual topic): When to create a federation server proxy
Reference (conceptual topic): When to create a federation server proxy farm

Task: Use the information in the Active Directory Federation Services Design Guide to determine whether this new federation server proxy will be created in the perimeter network of the account partner organization or the resource partner organization.
Reference (conceptual topic): Review the role of the federation server proxy in the account partner organization
Reference (conceptual topic): Review the role of the federation server proxy in the resource partner organization

Task: Before you install the Federation Service Proxy component on a computer that will become a federation server proxy, read about the importance of obtaining a server authentication certificate and a client authentication certificate and—for federation server proxy farms—adding or sharing certificates across all the servers in a farm.
Reference (conceptual topic): Certificate requirements for federation server proxies

Task: Review information in the Active Directory Federation Services Design Guide about how to update the perimeter Domain Name System (DNS) so that name resolution for federation servers and federation server proxies succeeds.
Reference (conceptual topic): Name resolution requirements for federation server proxies

Task: Determine whether the federation server proxy must be joined to a domain. Although federation server proxies do not have to be joined to a domain, they are easier to manage with remote administration and Group Policy features when they are joined to a domain.
Reference (procedure topic): Join a computer to a domain

Task: Depending on how the DNS infrastructure in your perimeter network is configured, complete one of the two procedures referenced below before you deploy a federation server proxy in your organization.

Note: Do not perform both procedures. Read Name resolution requirements for federation server proxies to determine which procedure best suits the requirements of your organization.

Reference (procedure topic): Configure name resolution for a federation server proxy in a DNS zone serving only the perimeter network
Reference (procedure topic): Configure name resolution for a federation server proxy in a DNS zone serving both the perimeter network and Internet clients

Task: (Optional) If you will be adding a federation server proxy to a federation server proxy farm, you may have to first export the private key of the existing server authentication certificate (on the first federation server proxy in the farm) so that you have a certificate file ready when other federation server proxies have to import the same certificate.

This task is not required in scenarios in which your issued server authentication certificate can be reused by multiple computers (without the need to export) or you obtain unique server authentication certificates for each federation server proxy in the farm.

Reference (procedure topic): Export the private key portion of a server authentication certificate

Task: You must install the public key portion of the Federation Service Proxy client authentication certificate on the federation server so that the federation server can authenticate the federation server proxy. Use the following procedure to export the public key portion of the Federation Service Proxy client authentication certificate.
Reference (procedure topic): Export the public key portion of a client authentication certificate

Task: After you obtain a server authentication certificate, you must install it in Internet Information Services (IIS) on the default Web site of the federation server proxy.
Reference (procedure topic): Import a server authentication certificate to the default Web site

Task: After you export the client authentication certificate of the federation server proxy, use the following procedure to import the certificate into the trust policy of the Federation Service that the proxy will be servicing.
Reference (procedure topic): Add a Federation Service Proxy certificate to the trust policy

Task: (Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use SelfSSL.exe to acquire a sample certificate for your federation server proxy.

Because the SelfSSL tool generates a self-signed certificate that does not originate from a trusted source, use the SelfSSL tool only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

Warning: It is not a security best practice to deploy a federation server proxy in a production environment using a self-signed server authentication certificate.

Reference (procedure topic): Internet Information Services (IIS) 6.0 Resource Kit Tools (https://go.microsoft.com/fwlink/?LinkId=36285)

Task: Install prerequisite applications such as ASP.NET, IIS, and Microsoft .NET Framework 2.0 on the computer that will become the federation server proxy.
Reference (procedure topic): Install prerequisite applications

Task: Install the Federation Service Proxy component on the computer that will become the federation server proxy.
Reference (procedure topic): Install the Federation Service Proxy component of ADFS

Task: To ensure that issues occurring on this federation server proxy can be tracked successfully, configure event logging.
Reference (procedure topic): Configure event logging on a federation server proxy

Task: From a client computer, verify that the federation server proxy is operational.
Reference (procedure topic): Verify that a federation server proxy is operational
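A client-side check that ties the warning above (no self-signed server authentication certificate in production) to this final verification step, as an added example that is not part of the ADFS documentation: it retrieves the proxy's server authentication certificate over TLS and confirms it names the proxy's perimeter DNS name, is not self-signed, and has not expired. The name fsproxy.example.com and both certificate samples are constructed placeholders.

```python
"""Client-side check of a federation server proxy's server authentication certificate.
Added example, not from the ADFS documentation; all names and samples are constructed."""
import socket
import ssl
import time


def _dn(cn):
    """ssl.getpeercert() encodes a distinguished name as nested tuples of (type, value)."""
    return ((("commonName", cn),),)

# Constructed samples in ssl.getpeercert() layout, not real certificates.
SELF_SIGNED = {"subject": _dn("fsproxy.example.com"), "issuer": _dn("fsproxy.example.com"),
               "notAfter": "Jan  1 00:00:00 2035 GMT"}  # SelfSSL.exe output: issuer == subject
CA_ISSUED = {"subject": _dn("fsproxy.example.com"), "issuer": _dn("Example Issuing CA"),
             "subjectAltName": (("DNS", "fsproxy.example.com"),),
             "notAfter": "Jan  1 00:00:00 2035 GMT"}

def _names(cert):
    """DNS names the certificate covers: subject CN plus subjectAltName DNS entries."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names + [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _matches(pattern, host):
    """Exact match, or one leading wildcard label such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_proxy_cert(cert, expected_fqdn, now=None):
    """Return a list of findings for the proxy's certificate; an empty list means all checks passed."""
    now = time.time() if now is None else now
    findings = []
    if not any(_matches(n, expected_fqdn) for n in _names(cert)):
        findings.append("name mismatch: certificate does not name " + expected_fqdn)
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed certificate: not acceptable for production")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired on " + cert["notAfter"])
    return findings

def fetch_proxy_cert(fqdn, port=443):
    """Connect to the proxy with chain validation on (a self-signed certificate raises
    ssl.SSLCertVerificationError here); hostname matching is left to check_proxy_cert()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so the chain is still checked
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```

From a client in the perimeter network, run check_proxy_cert(fetch_proxy_cert(fqdn), fqdn) with the proxy's real DNS name; a SelfSSL-style certificate shows up either as a chain failure in fetch_proxy_cert or as the subject/issuer finding.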