Federation Server Farm Using WID and Proxies

Applies To: Windows Server 2016, Windows Server 2012 R2

This deployment topology for Active Directory Federation Services (AD FS) is identical to the federation server farm with Windows Internal Database (WID) topology, but it adds proxy computers to the perimeter network to support external users. These proxies redirect client authentication requests that come from outside your corporate network to the federation server farm. In previous versions of AD FS, these proxies were called federation server proxies.

Important

In Active Directory Federation Services (AD FS) in Windows Server 2012 R2, the role of a federation server proxy is handled by a new Remote Access role service called Web Application Proxy. To make your AD FS accessible from outside the corporate network, which was the purpose of deploying a federation server proxy in legacy versions of AD FS such as AD FS 2.0 and AD FS in Windows Server 2012, you can deploy one or more web application proxies for AD FS in Windows Server 2012 R2.

In the context of AD FS, Web Application Proxy functions as an AD FS federation server proxy. In addition, Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network, so that users on any device can access them from outside the corporate network. For more information about the Web Application Proxy role service, see Web Application Proxy Overview.

To plan the deployment of Web Application Proxy, you can review the information in the following topics:

Deployment considerations

This section describes various considerations about the intended audience, benefits, and limitations that are associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide both their internal users and external users (who are logged on to computers that are physically located outside the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that need to provide both their internal users and external users with SSO access to Microsoft Office 365

  • Smaller organizations that have external users and require redundant, scalable services

What are the benefits of using this topology?

What are the limitations of using this topology?

                              1 - 100 RP Trusts                       More than 100 RP Trusts
1 - 30 AD FS Nodes            WID Supported                           Not supported using WID - SQL Required
More than 30 AD FS Nodes      Not supported using WID - SQL Required  Not supported using WID - SQL Required

Server placement and network layout recommendations

To deploy this topology, in addition to adding two web application proxies, you must make sure that your perimeter network can also provide access to a Domain Name System (DNS) server and to a second Network Load Balancing (NLB) host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name setting as the previous NLB cluster that you configured on the corporate network (fs.fabrikam.com). The web application proxies should also be configured with Internet-accessible IP addresses.

The following illustration shows the existing federation server farm with WID topology that was described previously and how the fictional Fabrikam, Inc., company provides access to a perimeter DNS server, adds a second NLB host with the same cluster DNS name (fs.fabrikam.com), and adds two web application proxies (wap1 and wap2) to the perimeter network.

[Figure: WID farm with proxies]

For more information about how to configure your networking environment for use with federation servers or web application proxies, see the "Name Resolution Requirements" section in AD FS Requirements and Plan the Web Application Proxy Infrastructure (WAP).
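The following PowerShell is an added example, not part of this page or of Microsoft's documentation, of what the perimeter-side setup above looks like on one of the proxies (wap1): it checks that the federation service name resolves before the proxy is joined to the farm, then installs the Web Application Proxy role service and configures it as the AD FS proxy for fs.fabrikam.com. The certificate thumbprint and the internal farm address 10.0.0.10 are constructed placeholders; the hosts-file step is an assumption about how the proxy is made to reach the internal NLB cluster rather than the Internet-facing one.

```powershell
# Added example (not from the original page). Run on wap1 in the perimeter network.

# Constructed placeholders: replace with your own values.
$FederationServiceName = "fs.fabrikam.com"   # cluster DNS name shared by both NLB clusters
$InternalFarmVip       = "10.0.0.10"          # assumed VIP of the corporate-network NLB cluster
$CertThumbprint        = "<THUMBPRINT-OF-fs.fabrikam.com-CERT>"

# 1. The proxy must reach the internal farm, not the Internet-facing NLB cluster
#    that carries the same name. A hosts-file entry is one way to pin that
#    (assumption: your perimeter DNS does not already resolve it internally).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsPath -Pattern $FederationServiceName -Quiet)) {
    Add-Content -Path $hostsPath -Value "$InternalFarmVip`t$FederationServiceName"
}

# 2. Verify resolution before installing anything; abort if the name goes elsewhere.
$resolved = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
if ($resolved -notcontains $InternalFarmVip) {
    throw "$FederationServiceName resolves to $resolved, not the internal farm VIP $InternalFarmVip"
}

# 3. Install the Web Application Proxy role service (Remote Access role).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 4. Configure it as the AD FS federation server proxy. The credential is a
#    domain account allowed to establish the proxy trust with the farm; the
#    certificate must match the federation service name.
$trustCred = Get-Credential -Message "Account for the AD FS proxy trust"
Install-WebApplicationProxy `
    -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $CertThumbprint
```

Repeat the same steps on wap2; external clients should resolve fs.fabrikam.com through the perimeter DNS server to the Internet-accessible NLB cluster IP, which balances across both proxies.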

See Also

Plan Your AD FS Deployment Topology
AD FS Design Guide in Windows Server 2012 R2