Name Resolution Requirements for Federation Server Proxies

When client computers on the Internet attempt to access an application that is secured by Active Directory Federation Services (AD FS), they must first authenticate to the federation server. In most cases, the federation server is not directly accessible from the Internet. Therefore, Internet client computers must be redirected to the federation server proxy instead. You accomplish this redirection by adding the appropriate Domain Name System (DNS) records to your Internet-facing DNS zone or zones.

The method that you use to redirect Internet clients to the federation server proxy depends on how you configure the DNS zone in your perimeter network, or how you configure a DNS zone that you control on the Internet. Federation server proxies are intended for use in a perimeter network. They redirect Internet client requests to federation servers successfully only when DNS has been configured properly in all the Internet-facing zones that you control. Therefore, the configuration of your Internet-facing zones—whether you have a DNS zone serving only the perimeter network or a DNS zone serving both the perimeter network and Internet clients—is important.

This topic describes the steps that you can take to configure name resolution when you place a federation server proxy in your perimeter network. To determine which steps to follow, first determine which of the following DNS scenarios most closely matches the DNS infrastructure in the perimeter network of your organization. Then, follow the steps for that scenario.

DNS zone serving only the perimeter network

In this scenario, your organization has one or two DNS zones in the perimeter network, and your organization does not control any DNS zones on the Internet. Successful name resolution for a federation server proxy in this scenario depends on the following conditions:

  • The federation server proxy must have an entry in its hosts file that resolves the fully qualified domain name (FQDN) of the federation server endpoint URL to the IP address of a federation server or a federation server cluster.

  • DNS in the perimeter network of the account partner must be configured so that the FQDN of the federation server endpoint URL resolves to the IP address of the federation server proxy.

The following illustration and corresponding steps show how each of these conditions is achieved for a given example. In this illustration, Microsoft Network Load Balancing (NLB) technology provides a single cluster FQDN and a single cluster IP address for an existing federation server farm.

(Illustration: name resolution requirements for a DNS zone serving only the perimeter network)

For more information about configuring a cluster IP address or a cluster FQDN using NLB, see Specifying the Cluster Parameters.

1. Configure the hosts file on the federation server proxy

Because DNS in the perimeter network is configured to resolve all requests for fs.fabrikam.com to the account federation server proxy, the account partner federation server proxy has an entry in its local hosts file that resolves fs.fabrikam.com to the IP address of the actual account federation server (or the cluster DNS name of the federation server farm) that is connected to the corporate network. This makes it possible for the account federation server proxy to resolve the host name fs.fabrikam.com to the account federation server rather than to itself—as would occur if it looked up fs.fabrikam.com using perimeter DNS—so that the federation server proxy can communicate with the federation server.

2. Configure perimeter DNS

Because there is only a single AD FS host name that client computers are directed to—whether they are on the intranet or on the Internet—client computers on the Internet that use the perimeter DNS server must resolve the FQDN of the account federation server (fs.fabrikam.com) to the IP address of the account federation server proxy on the perimeter network. So that it can forward clients to the account federation server proxy when they attempt to resolve fs.fabrikam.com, perimeter DNS contains a limited corp.fabrikam.com DNS zone with a single host (A) resource record for fs (fs.fabrikam.com) that holds the IP address of the account federation server proxy on the perimeter network.
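The two steps above expressed in PowerShell, as an added example that is not part of the original article: the first part runs on the federation server proxy, the second on the Windows perimeter DNS server (DnsServer module). The addresses 10.0.0.10 (federation server cluster) and 192.0.2.10 (proxy) are assumed values, and the record is placed in the zone that is the parent of fs.fabrikam.com, assumed here to be fabrikam.com, because a record named fs in corp.fabrikam.com would resolve fs.corp.fabrikam.com instead.

```powershell
# Added example (not the article's own script). Assumed values:
$FederationServerIP = '10.0.0.10'   # cluster IP of the federation server farm on the corporate network
$ProxyIP            = '192.0.2.10'  # perimeter-network IP of the federation server proxy
$FsName             = 'fs.fabrikam.com'

# --- Step 1: on the federation server proxy, pin the FQDN to the internal federation server ---
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$Pattern   = '^\s*\d{1,3}(\.\d{1,3}){3}\s+' + [regex]::Escape($FsName) + '\s*$'
if (-not (Select-String -Path $HostsPath -Pattern $Pattern -Quiet)) {
    Add-Content -Path $HostsPath -Value "$FederationServerIP`t$FsName"
}
Clear-DnsClientCache
# Resolve-DnsName ignores the hosts file, so use the system resolver to verify the entry takes effect.
$resolved = [System.Net.Dns]::GetHostAddresses($FsName) | ForEach-Object IPAddressToString
if ($resolved -contains $FederationServerIP) {
    "Proxy resolves $FsName to the federation server ($FederationServerIP)"
} elseif ($resolved -contains $ProxyIP) {
    Write-Warning "Proxy resolves $FsName to itself; the hosts entry is missing or ignored"
} else {
    Write-Warning "Proxy resolves $FsName to $($resolved -join ', '); check the hosts file"
}

# --- Step 2: on the perimeter DNS server, publish the proxy address for Internet clients ---
$ZoneName = 'fabrikam.com'   # assumed parent zone of fs.fabrikam.com (the article names it corp.fabrikam.com)
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
}
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'fs' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'fs' -IPv4Address $ProxyIP -TimeToLive '01:00:00'
}
# Verify directly against this server: Internet clients must get the proxy, never the internal address.
$answer = Resolve-DnsName -Name $FsName -Type A -Server 'localhost' -DnsOnly |
          Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
if ($answer -contains $FederationServerIP) {
    Write-Warning "Perimeter DNS leaks the internal federation server address ($FederationServerIP) to Internet clients"
} elseif ($answer -contains $ProxyIP) {
    "Perimeter DNS resolves $FsName to the proxy ($ProxyIP)"
} else {
    Write-Warning "Perimeter DNS returned $($answer -join ', ') for $FsName"
}
```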

For more information about how to modify the hosts file of the federation server proxy and configure DNS in the perimeter network, see Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Only the Perimeter Network.

DNS zone serving both the perimeter network and Internet clients

In this scenario, your organization controls the DNS zone in the perimeter network and at least one DNS zone on the Internet. Successful name resolution for a federation server proxy in this scenario depends on the following conditions:

  • DNS in the Internet zone of the account partner must be configured so that the FQDN of the federation server host name resolves to the IP address of the federation server proxy in the perimeter network.

  • DNS in the perimeter network of the account partner must be configured so that the FQDN of the federation server host name resolves to the IP address of the federation server in the corporate network.

The following illustration and corresponding steps show how each of these conditions is achieved for a given example.

(Illustration: name resolution requirements for a DNS zone serving both the perimeter network and Internet clients)

1. Configure perimeter DNS

In this scenario, it is assumed that you will configure the Internet DNS zone that you control to resolve requests for a specific endpoint URL (that is, fs.fabrikam.com) to the federation server proxy in the perimeter network. You must therefore also configure the zone in perimeter DNS to forward those requests on to the federation server in the corporate network.

So that clients can be forwarded to the account federation server when they attempt to resolve fs.fabrikam.com, perimeter DNS is configured with a single host (A) resource record for fs (fs.fabrikam.com) that holds the IP address of the account federation server on the corporate network. This makes it possible for the account federation server proxy to resolve the host name fs.fabrikam.com to the account federation server rather than to itself—as would occur if it looked up fs.fabrikam.com using Internet DNS—so that the federation server proxy can communicate with the federation server.

2. Configure Internet DNS

For name resolution to succeed in this scenario, all requests from client computers on the Internet for fs.fabrikam.com must be resolved by the Internet DNS zone that you control. Consequently, you must configure your Internet DNS zone to resolve client requests for fs.fabrikam.com to the IP address of the account federation server proxy in the perimeter network.
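A check for this scenario, as an added example that is not part of the original article: it queries each DNS vantage point directly and confirms that the same name gives the federation server address from perimeter DNS and the proxy address from the Internet zone, flagging the failure mode the text describes (the proxy resolving fs.fabrikam.com to itself) and the reverse one (the internal address leaking to Internet clients). The server and host addresses are assumed values.

```powershell
# Added example (not the article's own script). Assumed values:
$FsName             = 'fs.fabrikam.com'
$FederationServerIP = '10.0.0.10'     # federation server on the corporate network
$ProxyIP            = '192.0.2.10'    # federation server proxy in the perimeter network
$PerimeterDns       = '192.0.2.53'    # DNS server the proxy uses in the perimeter network
$InternetDns        = '198.51.100.53' # authoritative server for the Internet zone you control

# What each vantage point must return for the single AD FS host name.
$Expected = [ordered]@{
    $PerimeterDns = $FederationServerIP
    $InternetDns  = $ProxyIP
}

$allGood = $true
foreach ($server in $Expected.Keys) {
    $want = $Expected[$server]
    try {
        # -DnsOnly bypasses the local cache, hosts file and LLMNR/NetBIOS so we see what the server itself answers.
        $got = Resolve-DnsName -Name $FsName -Type A -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
    } catch {
        Write-Warning "$server : no answer for $FsName ($($_.Exception.Message))"
        $allGood = $false
        continue
    }

    if ($got -contains $want) {
        "$server : $FsName -> $($got -join ', ') (OK)"
    } else {
        Write-Warning "$server : $FsName -> $($got -join ', ') but expected $want"
        $allGood = $false
    }

    # Scenario-specific misconfigurations worth calling out by name.
    if ($server -eq $PerimeterDns -and $got -contains $ProxyIP) {
        Write-Warning 'Perimeter DNS points the proxy at itself; proxy-to-federation-server requests will loop back'
    }
    if ($server -eq $InternetDns -and $got -contains $FederationServerIP) {
        Write-Warning 'Internet zone publishes the internal federation server address to Internet clients'
    }
}

if ($allGood) { "Name resolution for $FsName matches the requirements of this scenario" } else { exit 1 }
```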

For more information about how to modify the perimeter network and Internet DNS zones, see Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Both the Perimeter Network and Internet Clients.

See Also

AD FS Design Guide in Windows Server 2012