Where to Place a Federation Server Proxy

You can place Active Directory Federation Services (AD FS) federation server proxies in a perimeter network to provide a protection layer against malicious users that may be coming from the Internet. Federation server proxies are ideal for the perimeter network environment because they do not have access to the private keys that are used to create tokens. However, federation server proxies can efficiently route incoming requests to federation servers that are authorized to produce those tokens.

It is not necessary to place a federation server proxy inside the corporate network for either the account partner or the resource partner, because client computers that are connected to the corporate network can communicate directly with the federation server. In this scenario, the federation server also provides federation server proxy functionality for client computers that are coming from the corporate network.

As is typical with perimeter networks, an intranet-facing firewall is established between the perimeter network and the corporate network, and an Internet-facing firewall is often established between the perimeter network and the Internet. In this scenario, the federation server proxy sits between both of these firewalls on the perimeter network.

Configuring your firewall servers for a federation server proxy

For the federation server proxy redirection process to be successful, all firewall servers must be configured to allow Secure Hypertext Transfer Protocol (HTTPS) traffic. The use of HTTPS is required because the firewall servers must publish the federation server proxy, using port 443, so that the federation server proxy in the perimeter network can access the federation server in the corporate network.

Note

All communications to and from client computers also occur over HTTPS.

In addition, the Internet-facing firewall server, such as a computer running Microsoft Internet Security and Acceleration (ISA) Server, uses a process known as server publishing to distribute Internet client requests to the appropriate perimeter and corporate network servers, such as federation server proxies or federation servers.

Server publishing rules determine how server publishing works: essentially, they filter all incoming and outgoing requests through the ISA Server computer. Server publishing rules map incoming client requests to the appropriate servers behind the ISA Server computer. For information about how to configure ISA Server to publish a server, see Create a Secure Web Publishing Rule.

In the federated world of AD FS, these client requests are typically made to a specific URL, for example, a federation server identifier URL such as http://fs.fabrikam.com. Because these client requests come in from the Internet, the Internet-facing firewall server must be configured to publish the federation server identifier URL for each federation server proxy that is deployed in the perimeter network.

Configuring ISA Server to allow SSL

To facilitate secure AD FS communications, you must configure ISA Server to allow Secure Sockets Layer (SSL) communications between the following:

  • Federation servers and federation server proxies. An SSL channel is required for all communications between federation servers and federation server proxies. Therefore, you must configure ISA Server to allow an SSL connection between the corporate network and the perimeter network.

  • Client computers, federation servers, and federation server proxies. So that communications can occur between client computers and federation servers or between client computers and federation server proxies, you can place a computer running ISA Server in front of the federation server or federation server proxy.

    If your organization performs SSL client authentication on the federation server or federation server proxy, then when you place a computer running ISA Server in front of the federation server or federation server proxy, that server must be configured for pass-through of the SSL connection, because the SSL connection must terminate at the federation server or federation server proxy.

    If your organization does not perform SSL client authentication on the federation server or federation server proxy, an additional option is to terminate the SSL connection at the computer running ISA Server and then re-establish an SSL connection to the federation server or federation server proxy.

Note

The federation server or federation server proxy requires that the connection be secured by SSL to protect the contents of the security token.
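The two sections above describe a small set of requirements that are easy to get wrong in a firewall change: HTTPS (443) must be allowed from the Internet to the proxy and from the proxy to the federation server, nothing should be published over plain HTTP, the Internet should not reach the corporate-network federation server except through the proxy, and an ISA Server in front of the federation server or proxy must pass SSL through when SSL client authentication is in use (and must re-establish SSL to the back end when it terminates the connection itself). The following is an added example, not code from this article or from Microsoft, that checks a constructed rule set against those requirements. The `Rule` model, the zone names `internet`, `perimeter` and `corpnet`, and the first-match-wins, default-deny evaluation are assumptions made for the example and do not correspond to any ISA Server API.

```python
"""Review a perimeter firewall rule set for an AD FS federation server proxy deployment.

Constructed example: zones and rules are a toy model, not ISA Server configuration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection originates from: "internet", "perimeter", "corpnet"
    dst: str      # zone the connection is destined for
    port: int     # TCP port
    action: str   # "allow" or "deny"


def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; anything with no matching rule is denied (assumed policy)."""
    for rule in rules:
        if (rule.src, rule.dst, rule.port) == (src, dst, port):
            return rule.action == "allow"
    return False


def check_perimeter_rules(rules: List[Rule]) -> List[str]:
    """Return findings for flows the article requires or that would undermine the design."""
    findings = []
    # Internet-facing firewall must publish the proxy over HTTPS (port 443).
    if not is_allowed(rules, "internet", "perimeter", 443):
        findings.append("Internet-facing firewall does not allow HTTPS (443) to the federation server proxy")
    # Intranet-facing firewall must let the proxy reach the federation server over HTTPS.
    if not is_allowed(rules, "perimeter", "corpnet", 443):
        findings.append("intranet-facing firewall does not allow HTTPS (443) from the proxy to the federation server")
    # All AD FS traffic is HTTPS; plain HTTP should not be published on either hop.
    for src, dst in (("internet", "perimeter"), ("perimeter", "corpnet")):
        if is_allowed(rules, src, dst, 80):
            findings.append(f"plain HTTP (80) is allowed {src} -> {dst}; AD FS traffic must use HTTPS only")
    # The proxy exists so Internet clients never reach the token-issuing server directly.
    if is_allowed(rules, "internet", "corpnet", 443):
        findings.append("Internet can reach the corporate-network federation server directly, bypassing the proxy")
    return findings


def check_isa_ssl_mode(client_cert_auth: bool, terminate_at_isa: bool, reencrypt_to_backend: bool) -> List[str]:
    """Check how an ISA Server in front of the federation server/proxy handles SSL."""
    findings = []
    if client_cert_auth and terminate_at_isa:
        findings.append("SSL client authentication is performed on the federation server/proxy; "
                        "ISA Server must pass the SSL connection through instead of terminating it")
    if terminate_at_isa and not reencrypt_to_backend:
        findings.append("SSL is terminated at ISA Server but not re-established to the federation server/proxy; "
                        "the back-end connection must be SSL to protect the security token")
    return findings


# Constructed sample rule sets for demonstration.
GOOD_RULES = [
    Rule("internet", "perimeter", 443, "allow"),
    Rule("perimeter", "corpnet", 443, "allow"),
    Rule("internet", "perimeter", 80, "deny"),
]
BAD_RULES = [
    Rule("internet", "perimeter", 80, "allow"),   # published over plain HTTP
    Rule("internet", "corpnet", 443, "allow"),    # proxy can be bypassed
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_perimeter_rules(rules) or "OK")
    print(check_isa_ssl_mode(client_cert_auth=True, terminate_at_isa=True, reencrypt_to_backend=True))
```

Running the script reports no findings for `GOOD_RULES`, four findings for `BAD_RULES` (both required HTTPS flows missing, HTTP published to the proxy, and the direct Internet-to-corporate path), and one finding for an ISA Server that terminates SSL while the federation server still performs client certificate authentication.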

See Also

AD FS Design Guide in Windows Server 2012