Deploying Federation Server Proxies

Applies To: Windows Server 2008

To deploy federation server proxies, complete each of the tasks in Checklist: Installing a Federation Server Proxy.


When you use this checklist, we recommend that you first read the references to federation server proxy planning guidance in the AD FS Design Guide before you begin the procedures for configuring the servers. Following the checklist in this way provides a better understanding of the design and deployment process for federation server proxies.

About federation server proxies

Federation server proxies are computers running Windows Server 2008 that are configured to host the Federation Service Proxy role service of Active Directory Federation Services (AD FS). You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on the corporate network.


Although the Federation Service and the Federation Service Proxy role services cannot be installed on the same computer, a federation server can perform federation server proxy functionality. For more information, see When to Create a Federation Server.

The act of installing the Federation Service Proxy on a computer makes that computer a federation server proxy. It also makes the Active Directory Federation Services snap-in available on that computer on the Administrative Tools menu so that you can specify the following:

  • Which Federation Service the federation server proxy should route authentication requests to. You specify this location by typing the path for the Federation Service URL.

  • The client authentication certificate that makes it possible for the federation server proxy to authenticate to the Federation Service. You can configure which client authentication certificates will be accepted by the Federation Service on the FSP Certificates tab in the properties of the Trust Policy Folder.

    After you specify the Federation Service URL and the correct client authentication certificate, the federation server proxy is bound to that Federation Service. As part of this binding, a federation server proxy is trusted by the Federation Service so that the federation server can hand out certain privileged security tokens that originate from the Federation Service.

  • Locations of customized ASP.NET Web pages for client logon, logoff, and account partner discovery that enable interaction with a client. These pages provide a convenient way to differentiate the sign-in experience for users in your intranet, as opposed to users on the Internet.


You can also configure these settings in the web.config file on each federation server proxy.

Federation server proxies also send cookies to external clients when necessary to facilitate the single-sign-on (SSO) process. These cookies include authentication cookies, account partner cookies, and sign-out cookies.

A federation server proxy implements the sign-on and sign-out messages that are described in the WS-Federation Passive Requestor Profile (WS-F PRP) protocol specification.