Federation Server Farm Using WID and Proxies

Applies To: Windows Server 2012

This deployment topology for Active Directory Federation Services (AD FS) is identical to the federation server farm with Windows Internal Database (WID) topology, but it adds federation server proxies in the perimeter network to support external users. The federation server proxies relay client authentication requests that originate outside your corporate network to the federation server farm, so the federation servers themselves are never exposed directly to the Internet.

Deployment considerations

This section describes the intended audience, benefits, and limitations associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide both their internal users and their external users (users who are logged on to computers physically located outside the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that need to provide both their internal users and their external users with SSO access to Microsoft Office 365

  • Smaller organizations that have external users and require redundant, scalable services

What are the benefits of using this topology?

What are the limitations of using this topology?

Server placement and network layout recommendations

To deploy this topology, in addition to adding two federation server proxies, you must make sure that your perimeter network also provides access to a Domain Name System (DNS) server and to a second Network Load Balancing (NLB) host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name (fs.fabrikam.com) as the NLB cluster you previously configured on the corporate network. The federation server proxies should also be configured with Internet-accessible IP addresses. Because the same federation service name resolves to a different address depending on where the query originates, the Internet-facing DNS zone should publish only the perimeter cluster address, not the address of the internal farm.

The following illustration shows the existing federation server farm with WID topology that was described previously, and how the fictional company Fabrikam, Inc., provides access to a perimeter DNS server, adds a second NLB host with the same cluster DNS name (fs.fabrikam.com), and adds two federation server proxies (fsp1 and fsp2) to the perimeter network.
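The layout above depends on split name resolution: corporate clients, Internet clients, and the proxies themselves all use the name fs.fabrikam.com, but each must receive the address that is correct for its position in the network. The following is an added example, not code from the page or from Microsoft, that checks a set of DNS answers for that consistency. The vantage-point names, the addresses (10.1.1.50 for the internal cluster, 203.0.113.50 for the perimeter cluster), and the sample answers are all constructed for illustration; the rule that the proxies must resolve the service name to the internal farm rather than to their own perimeter cluster address is an assumption drawn from how a proxy forwards requests, since a proxy that resolves the name to itself would loop.

```python
import ipaddress

# Added example, not from the page or from Microsoft: a consistency check for
# the split name resolution this topology relies on. Every vantage point uses
# the same federation service name but must get the address that is right for it.
FEDERATION_SERVICE_NAME = "fs.fabrikam.com"

# Hypothetical addresses (assumption, not from the page).
INTERNAL_CLUSTER_VIP = "10.1.1.50"      # NLB cluster VIP on the corporate network
PERIMETER_CLUSTER_VIP = "203.0.113.50"  # Internet-accessible NLB cluster VIP (proxies)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is in an RFC 1918 private range (never routable from the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_name_resolution(answers, name=FEDERATION_SERVICE_NAME,
                          internal_vip=INTERNAL_CLUSTER_VIP,
                          perimeter_vip=PERIMETER_CLUSTER_VIP):
    """Return a list of findings; an empty list means the layout is consistent.

    `answers` maps a vantage point to {name: [A records it receives]}:
      corporate_client -> must get only the internal cluster VIP
      internet_client  -> must get only the perimeter cluster VIP and never an
                          RFC 1918 address (an internal VIP leaked into public
                          DNS means external clients cannot reach the service)
      proxy_host       -> must get the internal cluster VIP, not its own
                          perimeter VIP (assumption: otherwise the proxy would
                          forward requests back to itself)
    """
    expected = {
        "corporate_client": internal_vip,
        "internet_client": perimeter_vip,
        "proxy_host": internal_vip,
    }
    findings = []
    for vantage, want in expected.items():
        got = answers.get(vantage, {}).get(name)
        if not got:
            findings.append(f"{vantage}: no answer for {name} "
                            "(the cluster DNS name must be the same everywhere)")
            continue
        for addr in got:
            if addr != want:
                findings.append(f"{vantage}: {name} -> {addr}, expected {want}")
        if vantage == "internet_client":
            leaked = [a for a in got if is_rfc1918(a)]
            if leaked:
                findings.append(f"internet_client: RFC 1918 address(es) {leaked} "
                                "published in public DNS")
    return findings


# Constructed sample answers (not captured from a real deployment).
GOOD_ANSWERS = {
    "corporate_client": {FEDERATION_SERVICE_NAME: [INTERNAL_CLUSTER_VIP]},
    "internet_client": {FEDERATION_SERVICE_NAME: [PERIMETER_CLUSTER_VIP]},
    "proxy_host": {FEDERATION_SERVICE_NAME: [INTERNAL_CLUSTER_VIP]},
}

# The same layout with two typical mistakes: the internal VIP leaked into the
# public zone, and the proxy resolving the name through perimeter DNS.
BAD_ANSWERS = {
    "corporate_client": {FEDERATION_SERVICE_NAME: [INTERNAL_CLUSTER_VIP]},
    "internet_client": {FEDERATION_SERVICE_NAME: [INTERNAL_CLUSTER_VIP]},
    "proxy_host": {FEDERATION_SERVICE_NAME: [PERIMETER_CLUSTER_VIP]},
}

if __name__ == "__main__":
    for label, answers in (("good", GOOD_ANSWERS), ("bad", BAD_ANSWERS)):
        print(label, check_name_resolution(answers) or "OK")
```

In a real deployment you would fill `answers` from `nslookup fs.fabrikam.com` (or `Resolve-DnsName` on Windows) run from a corporate client, from an Internet-connected client, and on each proxy; the check then tells you whether the two NLB clusters and the perimeter DNS server are wired the way the illustration expects.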

[Illustration: federation server farm using WID]

For more information about how to configure your networking environment for use with federation servers or federation server proxies, see either Name Resolution Requirements for Federation Servers or Name Resolution Requirements for Federation Server Proxies.

See Also

AD FS Design Guide in Windows Server 2012