Where to Place a Federation Server

As a security best practice, place Active Directory Federation Services (AD FS) federation servers behind a firewall and connect them to your corporate network so that they are not exposed to the Internet. This matters because a federation server has full authority to issue security tokens, so it warrants the same level of protection as a domain controller. If a federation server is compromised, an attacker can mint tokens that grant full access to every Web application it protects and to the federation servers of every resource partner organization that trusts it, without ever needing a user's credentials.

Note

As a security best practice, do not make your federation servers directly reachable from the Internet. Give a federation server direct Internet access only in a test lab environment, or when your organization has no perimeter network at all.

In a typical corporate network, an intranet-facing firewall separates the corporate network from the perimeter network, and an Internet-facing firewall usually separates the perimeter network from the Internet. In this topology the federation server sits inside the corporate network and is not directly reachable by Internet clients; only the federation server proxy in the perimeter network is.

Note

Client computers that are connected to the corporate network can communicate directly with the federation server and authenticate with Windows Integrated Authentication; they do not go through the federation server proxy.

Place a federation server proxy in the perimeter network before you configure your firewall servers for use with AD FS, because the firewall rules described below are written in terms of that proxy. For more information, see Where to Place a Federation Server Proxy.

Configuring your firewall servers for a federation server

So that federation servers can communicate directly with federation server proxies, the intranet firewall must be configured to allow HTTPS (HTTP over TLS) traffic from the federation server proxy to the federation server. This is a requirement because the intranet firewall must publish the federation server on TCP port 443 so that the federation server proxy in the perimeter network can reach it. Scope that rule as narrowly as you can: the source should be the proxy's address, not the whole perimeter network, and no other port on the federation server needs to be published.

In addition, the intranet-facing firewall server, for example a server running Internet Security and Acceleration (ISA) Server, uses a process known as server publishing to forward client requests to the appropriate corporate federation server. This means that you must manually create a server publishing rule on the intranet ISA Server that publishes the clustered federation service URL, for example fs.fabrikam.com, over HTTPS on port 443.
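The page describes the network-firewall rule (proxy to federation server, TCP 443 only). As a defence-in-depth complement, the following PowerShell is an added example, not part of the original page or of any Microsoft script, that enforces the same rule on the federation server's own host firewall and then verifies the result from the proxy. The proxy addresses 10.1.10.10 and 10.1.10.11 and the service name fs.fabrikam.com are assumptions for illustration.

```powershell
# Added example: enforce "HTTPS only, and only from the federation server proxies"
# on the federation server's Windows Firewall, then verify from the proxy side.
# Assumed values (not from the page): the two proxy IPs and the service FQDN.
$ProxyAddresses = @('10.1.10.10', '10.1.10.11')
$FederationService = 'fs.fabrikam.com'

# --- Run on the federation server (corporate network) ---------------------------

# 1. Review every enabled inbound rule that opens TCP 443. AD FS setup may have
#    added a rule that allows any source; anything broader than the proxies
#    should be disabled so the rule created below is the only path in.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# 2. Allow inbound HTTPS only from the federation server proxies.
New-NetFirewallRule -DisplayName 'AD FS: HTTPS from federation server proxies' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $ProxyAddresses -Action Allow -Profile Domain

# 3. Plain HTTP is never needed by the proxy; block it explicitly so a mistaken
#    publishing rule on the intranet firewall cannot reach an unencrypted listener.
New-NetFirewallRule -DisplayName 'AD FS: block plain HTTP' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block

# --- Run on the federation server proxy (perimeter network) ---------------------

# 4. The proxy must reach the federation server on 443 through the intranet firewall.
$tcp443 = Test-NetConnection -ComputerName $FederationService -Port 443 -InformationLevel Quiet
if (-not $tcp443) { throw "Proxy cannot reach $FederationService on TCP 443; check the intranet firewall publishing rule." }

# 5. Port 80 must NOT be reachable: the publishing rule should expose HTTPS only.
$tcp80 = Test-NetConnection -ComputerName $FederationService -Port 80 -InformationLevel Quiet
if ($tcp80) { Write-Warning "$FederationService answers on TCP 80; restrict the publishing rule to 443." }

# 6. Confirm the TLS endpoint is the federation service by fetching its metadata
#    document (a standard AD FS endpoint). A certificate error here usually means
#    the firewall is presenting a different certificate than the federation server.
$metadataUrl = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Unexpected status $($resp.StatusCode) from $metadataUrl" }
Write-Host "Federation metadata reachable over HTTPS from the proxy: OK"
```

Run steps 1 to 3 on the federation server and steps 4 to 6 on the proxy. The check in step 5 is the one most often skipped: the page's requirement is that the federation server be published on 443 only, and a publishing rule that also forwards port 80 silently widens the attack surface of a host that, as the page notes, deserves domain-controller-level protection.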

For more information about how to configure server publishing in a perimeter network, see Where to Place a Federation Server Proxy. For information about how to configure ISA Server to publish a server, see Create a secure Web publishing rule.

See Also

AD FS Design Guide in Windows Server 2012