Name Resolution Requirements for Federation Server Proxies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When client computers on the Internet attempt to access an application that is secured by Active Directory Federation Services (AD FS), they must first authenticate to the federation server. In most cases, the federation server is not directly accessible from the Internet. Therefore, Internet client computers must be redirected to the federation server proxy instead. You can accomplish successful redirection by adding the appropriate Domain Name System (DNS) records to your DNS zone or zones that face the Internet.

The method that you use to redirect Internet clients to the federation server proxy depends on how you configure the DNS zone in your perimeter network or how you configure a DNS zone that you control on the Internet. Federation server proxies are intended for use in a perimeter network. They redirect Internet client requests to federation servers successfully only when DNS has been configured properly in all the Internet-facing zones that you control. Therefore, the configuration of your Internet-facing zones—whether you have a DNS zone serving only the perimeter network or a DNS zone serving both the perimeter network and Internet clients—is important.

This topic describes the steps that you can take to configure name resolution when you place a federation server proxy in your perimeter network. To determine which steps to follow, first determine which of the following DNS scenarios most closely matches the DNS infrastructure in the perimeter network of your organization. Then, follow the steps for that scenario.

DNS zone serving only the perimeter network

In this scenario, your organization has one or two DNS zones in the perimeter network, and your organization does not control any DNS zones on the Internet. Successful name resolution for a federation server proxy in the DNS zone that serves only the perimeter network scenario depends on the following conditions:

  • The federation server proxy must have a setting in the hosts file to resolve the fully qualified domain name (FQDN) of the federation server endpoint URL to an IP address of a federation server or a federation server cluster.

  • DNS in the perimeter network of the account partner must be configured so that the FQDN of the federation server endpoint URL resolves to the IP address of the federation server proxy.

The following illustration and corresponding steps show how each of these conditions is achieved for a given example. In this illustration, Microsoft Network Load Balancing (NLB) technology provides a single, cluster FQDN and a single, cluster IP address for an existing federation server farm.

[Illustration: Name requirements]

For more information about configuring a cluster IP address or a cluster FQDN using NLB, see Specifying the Cluster Parameters.

1. Configure the hosts file on the federation server proxy

Because DNS in the perimeter network is configured to resolve all requests for fs.fabrikam.com to the account federation server proxy, the account partner federation server proxy has an entry in its local hosts file to resolve fs.fabrikam.com to the IP address of the actual account federation server (or cluster DNS name for the federation server farm) that is connected to the corporate network. This makes it possible for the account federation server proxy to resolve the host name fs.fabrikam.com to the account federation server rather than to itself—as would occur if it attempted to look up fs.fabrikam.com using perimeter DNS—so that the federation server proxy can communicate with the federation server.

2. Configure perimeter DNS

Because there is only a single AD FS host name that client computers are directed to—whether they are on an intranet or on the Internet—client computers on the Internet that use the perimeter DNS server must resolve the FQDN for the account federation server (fs.fabrikam.com) to the IP address of the account federation server proxy on the perimeter network. So that it can forward clients on to the account federation server proxy when they attempt to resolve fs.fabrikam.com, perimeter DNS contains a limited corp.fabrikam.com DNS zone with a single host (A) resource record for fs (fs.fabrikam.com) and the IP address of the account federation server proxy on the perimeter network.

For more information about how to modify the hosts file of the federation server proxy and configure DNS in the perimeter network, see Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Only the Perimeter Network.
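The two steps of this scenario, as an added PowerShell example that is not part of the original page: the first function writes the hosts file entry on the federation server proxy, the second creates the limited zone and its single A record on the perimeter DNS server using the DnsServer module cmdlets (Windows Server 2012 or later). Both IP addresses are constructed placeholders. The example derives the zone name from the FQDN (fabrikam.com for fs.fabrikam.com) so that the record it creates actually answers for the page's host name; the text names the limited zone corp.fabrikam.com, so substitute your own zone layout.

```powershell
# Added example, not from the original page. Step 1 runs (elevated) on the
# federation server proxy; step 2 runs on the perimeter DNS server.
# Addresses below are constructed placeholders; replace them with your own.

$Fqdn               = 'fs.fabrikam.com'   # the single AD FS host name clients are directed to
$FederationServerIP = '10.0.0.10'         # federation server / NLB cluster IP on the corporate network (constructed)
$ProxyPerimeterIP   = '203.0.113.10'      # federation server proxy IP on the perimeter network (constructed)

# --- Step 1: hosts file on the federation server proxy ---------------------
# The proxy must resolve the AD FS name to the federation server, not to
# itself, which is what perimeter DNS would answer. A hosts entry wins over DNS.
function Set-ProxyHostsEntry {
    param([string]$Name, [string]$Address)
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)
    # Remove any stale mapping for this name so the entry is never duplicated
    $pattern = '^\s*\S+\s+' + [regex]::Escape($Name) + '(\s|$)'
    $kept = $lines | Where-Object { $_ -notmatch $pattern }
    $entry = "$Address`t$Name`t# AD FS federation server (bypasses perimeter DNS)"
    Set-Content -Path $hostsPath -Value ($kept + $entry) -Encoding ASCII
}

# --- Step 2: limited zone on the perimeter DNS server ----------------------
# A standalone primary zone that holds only the AD FS host name, pointing at
# the proxy; nothing else from the corporate namespace is exposed here.
function Set-PerimeterDnsRecord {
    param([string]$Name, [string]$Address)
    $label, $zone = $Name.Split('.', 2)   # 'fs' and 'fabrikam.com'
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
    }
    # Replace an existing A record rather than adding a second address
    Get-DnsServerResourceRecord -ZoneName $zone -Name $label -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $label -IPv4Address $Address
}

# On the federation server proxy:
Set-ProxyHostsEntry -Name $Fqdn -Address $FederationServerIP
# On the perimeter DNS server:
Set-PerimeterDnsRecord -Name $Fqdn -Address $ProxyPerimeterIP
```

Run each function on the machine it targets; the hosts file write needs an elevated session, and the zone cmdlets need the DNS Server role (or RSAT DNS tools pointed at the perimeter server with -ComputerName).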

DNS zone serving both the perimeter network and Internet clients

In this scenario, your organization controls the DNS zone in the perimeter network and at least one DNS zone on the Internet. Successful name resolution for a federation server proxy in this scenario depends on the following conditions:

  • DNS in the Internet zone of the account partner must be configured so that the FQDN of the federation server host name resolves to the IP address of the federation server proxy in the perimeter network.

  • DNS in the perimeter network of the account partner must be configured so that the FQDN of the federation server host name resolves to the IP address of the federation server in the corporate network.

The following illustration and corresponding steps show how each of these conditions is achieved for a given example.

[Illustration: Name requirements]

1. Configure perimeter DNS

For this scenario, because it is assumed that you will configure the Internet DNS zone that you control to resolve requests that are made for a specific endpoint URL (that is, fs.fabrikam.com) to the federation server proxy in the perimeter network, you must also configure the zone in the perimeter DNS to forward these requests to the federation server in the corporate network.

So that clients can be forwarded to the account federation server when they attempt to resolve fs.fabrikam.com, perimeter DNS is configured with a single host (A) resource record for fs (fs.fabrikam.com) and the IP address of the account federation server on the corporate network. This makes it possible for the account federation server proxy to resolve the host name fs.fabrikam.com to the account federation server rather than to itself—as would occur if it attempted to look up fs.fabrikam.com using Internet DNS—so that the federation server proxy can communicate with the federation server.

2. Configure Internet DNS

For name resolution to be successful in this scenario, all requests from client computers on the Internet to fs.fabrikam.com must be resolved by the Internet DNS zone that you control. Consequently, you must configure your Internet DNS zone to forward client requests for fs.fabrikam.com to the IP address of the account federation server proxy in the perimeter network.

For more information about how to modify the perimeter network and Internet DNS zones, see Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Both the Perimeter Network and Internet Clients.
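Both scenarios hinge on the same two facts: from the proxy's own vantage point the AD FS name must resolve to the federation server (never to the proxy itself), and from the Internet the name must resolve to the proxy (never to the corporate federation server). The following check, an added PowerShell example that is not part of the original page, runs on the federation server proxy and verifies both views with Resolve-DnsName; in the first scenario the proxy's answer comes from its hosts file, in this scenario from perimeter DNS. The addresses, including the address of the authoritative server for the Internet zone, are constructed placeholders.

```powershell
# Added example, not from the original page. Run on the federation server proxy.
# All addresses are constructed placeholders.
function Test-FederationProxyNameResolution {
    param(
        [string]$Fqdn               = 'fs.fabrikam.com',
        [string]$FederationServerIP = '10.0.0.10',      # corporate federation server / cluster (constructed)
        [string]$ProxyPerimeterIP   = '203.0.113.10',   # this proxy's perimeter address (constructed)
        [string]$InternetNameServer = '198.51.100.53'   # authoritative server for the Internet zone (constructed)
    )
    $problems = @()

    # 1. The proxy's own view: hosts file first, then its configured perimeter DNS.
    #    It must reach the federation server; answering with the proxy's own
    #    address means the hosts entry (scenario 1) or the perimeter A record
    #    (scenario 2) is missing and the proxy would loop back to itself.
    $local = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
               Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    if ($local -contains $ProxyPerimeterIP) {
        $problems += "On the proxy, $Fqdn resolves to the proxy itself ($ProxyPerimeterIP); the proxy cannot reach the federation server."
    } elseif ($local -notcontains $FederationServerIP) {
        $problems += "On the proxy, $Fqdn resolves to [$($local -join ', ')], expected $FederationServerIP."
    }

    # 2. The Internet client's view: query the Internet-facing zone directly and
    #    skip the local hosts file (-DnsOnly). Clients must land on the proxy,
    #    and the corporate address must not be published to the Internet.
    $public = @(Resolve-DnsName -Name $Fqdn -Type A -Server $InternetNameServer -DnsOnly -ErrorAction Stop |
                Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    if ($public -contains $FederationServerIP) {
        $problems += "Internet DNS publishes the corporate federation server address $FederationServerIP for $Fqdn; it should answer with the proxy $ProxyPerimeterIP."
    } elseif ($public -notcontains $ProxyPerimeterIP) {
        $problems += "Internet DNS answers [$($public -join ', ')] for $Fqdn, expected $ProxyPerimeterIP."
    }

    [pscustomobject]@{
        ProxyView    = $local
        InternetView = $public
        Passed       = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

Test-FederationProxyNameResolution
```

Passed is $true only when both views are as the scenario requires; each string in Problems names the view that is wrong and which record to fix.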

See Also

AD FS Design Guide in Windows Server 2012