When to Create a Federation Server Proxy Farm

Updated: January 31, 2008

Applies To: Windows Server 2008

Consider installing additional federation server proxies when you have a large Active Directory Federation Services (AD FS) deployment and you want to provide fault tolerance, load-balancing, and scalability for the Federation Service Proxy. The act of creating two or more federation server proxies in the same perimeter network—configuring each of them to protect the same Federation Service—and then adding each of the servers' client authentication certificates to the trust policy creates a federation server proxy farm.

Before all the federation server proxies can function together as a farm, you must first cluster them under one IP address and one Domain Name System (DNS) fully qualified domain name (FQDN). You can cluster the servers by deploying Microsoft Network Load Balancing (NLB) inside the perimeter network. The tasks in the following table require NLB to be configured appropriately to cluster the federation server proxies in the farm.

For more information about how to configure an FQDN for a cluster using Microsoft NLB technology, see Specifying the Cluster Parameters (http://go.microsoft.com/fwlink/?linkid=74651).

Configuring federation server proxies for a farm

The following table describes the tasks that must be completed so that each federation server proxy can participate in a farm.

Task Description

Point to the Federation Services URL

When you create the federation server proxies, you must type the same Federation Service DNS host name in the Federation Services URL field for all the federation server proxies that participate in the farm. The federation server proxy builds its URL from this DNS host name and uses it to determine which Federation Service it contacts.

For more information, see Install the Federation Service Proxy Role Service.

Obtain and share certificates

You can obtain a server authentication certificate from a public certification authority (CA)—for example, VeriSign—and then configure the certificate so that all federation server proxies share the same private key portion of the same certificate on the default Web site for each federation server proxy. To share the certificate, you must install the same server authentication certificate on the default Web site for each federation server proxy. For more information, see Import a Server Authentication Certificate to the Default Web Site.

When you obtain a client authentication certificate for a federation server proxy, you can share that certificate across all federation server proxies in the farm or you can obtain separate certificates for each of the federation server proxies in the farm.

The Trust Policy user interface (UI) in the Active Directory Federation Services snap-in refers to client authentication certificates as Federation Service Proxy (FSP) certificates.

For more information, see Certificate Requirements for Federation Server Proxies.

Add the federation server proxy certificate to the trust policy

You must add the public key portion of the client authentication certificate for the federation server proxy to the trust policy on a federation server with which the federation server proxy communicates so that the Federation Service can authenticate the federation server proxy.

For more information, see Add a Federation Service Proxy Certificate to the Trust Policy.
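The "Obtain and share certificates" task above requires every proxy in the farm to present the same server authentication certificate for the cluster FQDN. The following PowerShell check is an added example, not part of this article: it opens a TLS session to each proxy, presents the cluster name as the target host, and reports whether the proxies all serve one certificate issued for that name. The cluster FQDN fs.contoso.com and the proxy host names are assumed placeholders.

```powershell
# Added example; not from the TechNet article. Hypothetical names: the NLB
# cluster FQDN is fs.contoso.com and the proxies are fsproxy1/fsproxy2.
$ClusterFqdn = 'fs.contoso.com'
$Proxies     = @('fsproxy1.contoso.com', 'fsproxy2.contoso.com')

function Get-ServedCertificate {
    # Open a TLS session to one proxy, presenting the cluster name as the
    # target host, and report the server authentication certificate it serves.
    param([string]$HostName, [string]$TargetHost, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain during the handshake so we can inspect whatever is
        # served; chain validity is reported separately via Verify().
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Proxy      = $HostName
            Thumbprint = $cert.Thumbprint
            DnsName    = $cert.GetNameInfo('DnsName', $false)
            ChainValid = $cert.Verify()
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($proxy in $Proxies) {
    Get-ServedCertificate -HostName $proxy -TargetHost $ClusterFqdn
}
$results | Format-Table Proxy, Thumbprint, DnsName, ChainValid, NotAfter -AutoSize

# Every proxy in the farm must serve the same certificate (one thumbprint),
# and that certificate must be issued for the cluster FQDN that clients use.
$thumbprints = @($results | Select-Object -ExpandProperty Thumbprint -Unique)
if ($thumbprints.Count -ne 1) {
    Write-Warning "Proxies serve $($thumbprints.Count) different certificates; the farm is not sharing one server authentication certificate."
}
foreach ($r in $results) {
    if ($r.DnsName -ne $ClusterFqdn) {
        Write-Warning "$($r.Proxy) serves a certificate for '$($r.DnsName)', not '$ClusterFqdn'."
    }
    if (-not $r.ChainValid) {
        Write-Warning "$($r.Proxy): certificate chain does not validate on this host."
    }
}
```

Run it from a host that can reach each proxy directly (not only through the NLB virtual IP), otherwise every connection may land on the same node and a mismatched proxy goes unnoticed.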

For more information about adding new federation server proxies to create a federation server proxy farm, see Checklist: Installing a Federation Server Proxy.