When to Create a Federation Server Proxy

Applies To: Windows Server 2008

Creating a federation server proxy in your organization adds additional security layers to your Active Directory Federation Services (AD FS) deployment. Consider deploying a federation server proxy in your organization's perimeter network when you want to:

  • Prevent external clients from directly accessing your federation servers. By deploying a federation server proxy in your perimeter network, you effectively isolate your federation servers so that they can be reached only by clients that are logged on to the corporate network, or through federation server proxies, which act on behalf of external clients. Federation server proxies do not have access to the keys that are used to produce tokens, so a compromised proxy cannot mint tokens on its own, although it still handles the credentials it collects from Internet clients.

  • Provide a convenient way to differentiate the sign-in experience for users who are coming from the Internet as opposed to users who are coming from your corporate network (using Windows Integrated authentication). A federation server proxy collects credentials or home realm details from Internet clients by using the logon (clientlogon.aspx), logout (signout.aspx), and account partner discovery (discoverclientrealm.aspx) pages that are stored on the federation server proxy.

    In contrast, clients coming from the corporate network encounter a different experience, based on the configuration of the federation server. The corporate network federation server is often configured for Windows Integrated authentication, which provides a seamless sign-in experience for users on the corporate network.
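The first bullet above promises isolation, but a perimeter proxy only helps if nothing outside the corporate network or the proxy can reach the federation server directly. One practical check is to scan the federation server's IIS W3C log for requests to /adfs/ paths whose client address is neither corporate nor a proxy. The following script is an added example, not part of the original article or of AD FS itself; the log excerpt is constructed, and the address plan (10.0.0.0/8 as the corporate network, 192.168.100.10 as the proxy) is an assumption you would replace with your own.

```python
import ipaddress

# Constructed IIS 7 W3C log excerpt from a federation server (not real data).
# Field names follow the standard IIS W3C extended format; the #Fields
# directive drives the parser, so extra or reordered columns still work.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-05-12 14:03:21 10.0.1.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:example 443 10.0.1.40 200
2008-05-12 14:03:22 10.0.1.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:example 443 192.168.100.10 200
2008-05-12 14:03:25 10.0.1.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:example 443 203.0.113.77 200
2008-05-12 14:03:30 10.0.1.5 GET /adfs/fs/federationserverservice.asmx - 443 192.168.100.10 200
2008-05-12 14:03:31 10.0.1.5 GET /adfs/fs/federationserverservice.asmx - 443 198.51.100.9 401
2008-05-12 14:03:40 10.0.1.5 GET /iisstart.htm - 80 198.51.100.9 200
"""

# Assumed address plan for this example: the corporate LAN and the perimeter
# proxy are the only legitimate sources of requests to the /adfs/ paths.
ALLOWED_NETWORKS = [
    "10.0.0.0/8",        # corporate network (assumption)
    "192.168.100.10/32", # federation server proxy (assumption)
]


def parse_w3c(log_text):
    """Yield one dict per log record, naming columns from the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count does not match #Fields: %r" % line)
        yield dict(zip(fields, values))


def find_direct_external_hits(log_text, allowed_networks=ALLOWED_NETWORKS):
    """Return (timestamp, client ip, uri, status) for every request to an
    /adfs/ path that did not come from an allowed network.

    Status is irrelevant here: a 401 still proves the client reached the
    federation server, which the perimeter design is meant to prevent.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/adfs/"):
            continue  # only the federation endpoints matter for this check
        client = ipaddress.ip_address(rec["c-ip"])
        if not any(client in net for net in nets):
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-uri-stem"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_direct_external_hits(SAMPLE_LOG):
        print("direct external access to federation server:", hit)
```

Two caveats when using this against real logs: the proxy's address is what you will see in c-ip for every Internet user, so the check can only confirm that nothing other than the proxy and the LAN reached the server, not who the end user was; and a hit in the log means the perimeter firewall already let the request through, so the log review is a control on the firewall rules, not a substitute for them.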

The role that a federation server proxy plays in your organization depends on whether you place the federation server proxy in the account partner organization or in the resource partner organization. For example, when a federation server proxy is placed in the perimeter network of the account partner, its role is to collect user credential information from browser clients and pass the sign-in requests to the account Federation Service. When a federation server proxy is placed in the perimeter network of the resource partner, it relays security token requests to the resource Federation Service, which produces organizational security tokens in response to the security tokens that are provided by its account partners. In both placements the proxy relays and collects; only the federation server behind it holds the token-signing keys.