Where to Place an AD FS-Enabled Web Server

Applies To: Windows Server 2008

As is typical with perimeter networks, an intranet-facing firewall is established between the perimeter network and the corporate network, and an Internet-facing firewall is often established between the perimeter network and the Internet. In this situation, an Active Directory Federation Services (AD FS)–enabled Web server is placed between both of these firewalls on the perimeter network so that users coming from the Internet can access it.

In contrast, federation servers are typically placed inside the corporate network for security purposes. In scenarios in which you want to reduce the number of servers or public certificates in your AD FS deployment, you can make your AD FS-enabled Web server a federation server or federation server proxy by installing either the Federation Service or Federation Service Proxy component. However, placing a federation server on the perimeter network exposes that server to Internet clients, and this is not a security best practice. For more information, see Where to Place a Federation Server.

Configuring your firewall servers for an AD FS-enabled Web server

So that AD FS-enabled Web servers can communicate directly with federation servers, both the intranet-facing firewall server and the Internet-facing firewall server must be configured to allow Secure Hypertext Transfer Protocol (HTTPS) traffic, usually over port 443. HTTPS configuration is required because AD FS-enabled Web servers communicate with federation servers—and with clients—over HTTPS. AD FS relies on HTTPS to provide channel security.

In addition, intranet-facing and Internet-facing firewall servers, such as servers running Microsoft Internet Security and Acceleration (ISA) Server, use a process known as server publishing to distribute Internet client requests to the appropriate corporate federation servers and AD FS-enabled Web servers. Consequently, you must manually create a server publishing rule on any intranet and Internet ISA Server computers that publish the AD FS-enabled Web server URL (for example, http://ws.treyresearch.net).

For general information about how to configure ISA Server to publish a server, see Create a secure Web publishing rule (http://go.microsoft.com/fwlink/?LinkId=74605).

Joining an AD FS-enabled Web server to a domain

When they host a Windows NT token–based application, AD FS-enabled Web servers must be joined to the same domain that the resource federation server belongs to. Because claims-aware applications do not require a Windows NT token for authorization, servers that host only claims-aware applications do not have to be joined to any domain.
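The placement, firewall and domain-join rules above can be checked against a planned topology before anything is deployed. The following is an added example, not Microsoft's code or tooling: it encodes those rules as a small deployment-plan checker and runs it over two constructed topologies (the host names, zone names, role names and the treyresearch.net domain are assumptions).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Host:
    name: str
    role: str                      # "adfs_web" or "federation_server"
    zone: str                      # "perimeter" or "corporate"
    domain: Optional[str] = None   # AD domain the host is joined to, if any
    nt_token_app: bool = False     # hosts a Windows NT token-based application

@dataclass
class Plan:
    hosts: list
    # HTTPS (443) paths the firewalls allow, as (source_zone, destination_zone) pairs
    https_allowed: set = field(default_factory=set)

def check_plan(plan: Plan) -> list:
    """Return a list of findings; an empty list means the plan follows the guidance."""
    findings = []
    # Domains of the federation servers; an NT token-based application host must join one of them
    fed_domains = {h.domain for h in plan.hosts if h.role == "federation_server"}
    for h in plan.hosts:
        if h.role == "federation_server" and h.zone != "corporate":
            findings.append(f"{h.name}: federation server outside the corporate network is exposed to Internet clients")
        if h.role != "adfs_web":
            continue
        if h.zone != "perimeter":
            findings.append(f"{h.name}: AD FS-enabled Web server should sit on the perimeter network between both firewalls")
        if ("internet", "perimeter") not in plan.https_allowed:
            findings.append(f"{h.name}: Internet-facing firewall does not allow HTTPS (443) from Internet clients")
        if ("perimeter", "corporate") not in plan.https_allowed:
            findings.append(f"{h.name}: intranet-facing firewall does not allow HTTPS (443) to the federation servers")
        if h.nt_token_app and h.domain not in fed_domains:
            findings.append(f"{h.name}: hosts a Windows NT token-based application but is not joined to the resource federation server's domain")
    return findings

# Constructed sample topologies (assumptions, not taken from the original page).
GOOD = Plan(
    hosts=[Host("fs1", "federation_server", "corporate", "treyresearch.net"),
           Host("ws1", "adfs_web", "perimeter", "treyresearch.net", nt_token_app=True)],
    https_allowed={("internet", "perimeter"), ("perimeter", "corporate")},
)
BAD = Plan(
    hosts=[Host("fs1", "federation_server", "perimeter", "treyresearch.net"),
           Host("ws1", "adfs_web", "perimeter", None, nt_token_app=True)],
    https_allowed={("internet", "perimeter")},
)

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_plan(plan) or ["no findings"])
```

The BAD plan produces three findings: the federation server is exposed on the perimeter network, the intranet-facing firewall lacks the HTTPS rule, and the Web server hosting an NT token-based application is not domain-joined.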