Federation Server Farm Using WID and Proxies

This deployment topology for Active Directory Federation Services (AD FS) is identical to the federation server farm with Windows Internal Database (WID) topology, but it adds federation server proxies to the perimeter network to support external users. The federation server proxies redirect client authentication requests that come from outside your corporate network to the federation server farm.

Deployment considerations

This section describes various considerations about the intended audience, benefits, and limitations that are associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide both their internal users and external users (who are logged on to computers that are physically located outside the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that need to provide both their internal users and external users with SSO access to Microsoft Office 365

  • Smaller organizations that have external users and require redundant, scalable services

What are the benefits of using this topology?

What are the limitations of using this topology?

Server placement and network layout recommendations

To deploy this topology, in addition to adding two federation server proxies, you must make sure that your perimeter network can also provide access to a Domain Name System (DNS) server and to a second Network Load Balancing (NLB) host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name as the NLB cluster that you previously configured on the corporate network (fs.fabrikam.com). The federation server proxies should also be configured with Internet-accessible IP addresses.
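The layout above depends on one name (fs.fabrikam.com) resolving differently depending on who asks: corporate DNS must return the internal cluster IP, the perimeter DNS that external clients reach must return the Internet-accessible cluster IP, and the proxies themselves must resolve the name to the internal farm rather than back to the perimeter cluster they sit behind, or requests loop. The following PowerShell check is an added example, not part of the original page or of the AD FS product; every IP address, DNS server address and the fsp1/fsp2 host-name pattern are assumptions standing in for the fictional Fabrikam environment.

```powershell
# Added example (not from the original page): verify the split-brain name
# resolution that the WID-farm-plus-proxies topology relies on.
# All addresses and server names below are assumed values for Fabrikam, Inc.

$FederationService = 'fs.fabrikam.com'

# Assumed: cluster IP of the corporate NLB in front of the federation servers,
# and the Internet-accessible cluster IP of the perimeter NLB in front of fsp1/fsp2.
$InternalClusterIp  = '10.0.0.50'
$PerimeterClusterIp = '203.0.113.50'   # documentation range, placeholder only

# Assumed: corporate DNS server and the perimeter DNS server the topology requires.
$CorporateDns = '10.0.0.10'
$PerimeterDns = '192.168.100.10'

function Get-ARecords {
    param([string]$Name, [string]$Server)
    # Ask the named DNS server directly (skip the local cache and hosts file).
    (Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' }).IPAddress
}

function Test-FederationResolution {
    param([string]$Name, [string]$Server, [string]$ExpectedIp, [string]$Description)
    try {
        $answers = @(Get-ARecords -Name $Name -Server $Server)
    } catch {
        Write-Warning "$Description : lookup of $Name via $Server failed: $_"
        return $false
    }
    $ok = $answers -contains $ExpectedIp
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("{0} {1}: {2} -> {3} (expected {4})" -f $status, $Description,
        $Name, ($answers -join ','), $ExpectedIp)
    return $ok
}

# 1. Internal clients and the federation servers must get the corporate cluster IP.
$internalOk = Test-FederationResolution -Name $FederationService -Server $CorporateDns `
    -ExpectedIp $InternalClusterIp -Description 'Corporate DNS'

# 2. External clients must get the Internet-accessible cluster IP for the same name.
$externalOk = Test-FederationResolution -Name $FederationService -Server $PerimeterDns `
    -ExpectedIp $PerimeterClusterIp -Description 'Perimeter DNS'

# 3. When run on a proxy (assumed host names fsp1/fsp2), the proxy's own resolver
#    (hosts file or a dedicated DNS view) must point the name at the internal farm,
#    and the internal cluster must answer on TCP 443 from the perimeter network.
$proxyOk = $true
if ($env:COMPUTERNAME -match '^fsp[12]$') {
    $local = [System.Net.Dns]::GetHostAddresses($FederationService) |
        ForEach-Object { $_.IPAddressToString }
    $resolvesInternal = $local -contains $InternalClusterIp
    Write-Host ("{0} Proxy {1} local resolution: {2}" -f
        $(if ($resolvesInternal) { 'OK  ' } else { 'FAIL' }), $env:COMPUTERNAME, ($local -join ','))

    $tcp = Test-NetConnection -ComputerName $InternalClusterIp -Port 443 -WarningAction SilentlyContinue
    Write-Host ("{0} TCP 443 from proxy to internal cluster {1}" -f
        $(if ($tcp.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }), $InternalClusterIp)

    $proxyOk = $resolvesInternal -and $tcp.TcpTestSucceeded
}

if ($internalOk -and $externalOk -and $proxyOk) {
    'Name resolution matches the topology.'
} else {
    'Name resolution does not match the topology; fix DNS before installing the proxies.'
}
```

Run the script once from a corporate host and once from each proxy. A proxy whose lookup of fs.fabrikam.com returns the perimeter cluster IP is the most common misconfiguration in this layout: the proxy would forward requests to the NLB that fronts itself instead of to the farm.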

The following illustration shows the existing federation server farm with WID topology that was described previously and how the fictional Fabrikam, Inc., company provides access to a perimeter DNS server, adds a second NLB host with the same cluster DNS name (fs.fabrikam.com), and adds two federation server proxies (fsp1 and fsp2) to the perimeter network.

(Illustration: federation server farm using WID, with perimeter NLB host and proxies fsp1 and fsp2)

For more information about how to configure your networking environment for use with federation servers or federation server proxies, see either Name Resolution Requirements for Federation Servers or Name Resolution Requirements for Federation Server Proxies.

See Also

AD FS Design Guide in Windows Server 2012